I am employed as a Principal Security Architect at Adobe at the time I published this article. All opinions
are my own.
The world’s economy relies heavily on C/C++ applications, yet a staggering 70% of CVEs affecting these applications are due to memory safety flaws. Rewriting all code in memory-safe languages is infeasible, necessitating smarter approaches. In this talk, you’ll learn about a simplified threat model to guide efforts, how adversaries search for memory safety flaws, and multiple strategies to incrementally reduce risk. You’ll also hear war stories about successfully driving change, providing you with practical insights to enhance your own security efforts.
This talk is a toolkit:
- a prioritization model to target the riskiest areas of your code bases
- an overview of fuzzing, sandboxing and rewriting to get you started on the technical aspects
- a guide how to drive large-scale technical change across an enterprise
Materials:
- slide deck: Memory Safety Strategies and Techniques - InfoSecWorld 2024.pdf
- recording: Youtube - Memory Safety for large C/C++ code bases (extended version, not a live InfoSec World recording)