"Don't Get Owned by Your Dependencies" by Shravan Narayan (Strange Loop 2022) @StrangeLoopConf
Strange Loop Conference | "Don't Get Owned by Your Dependencies" by Shravan Narayan (Strange Loop 2022) @StrangeLoopConf | Uploaded 1 year ago | Updated September 28 2023
Memory safety vulnerabilities in third-party C libraries are a major source of zero-day attacks in today's applications. Several years ago our team began exploring a new approach to mitigate these attacks in Firefox, which relies on third-party libraries for everything from media rendering to spell checking.

To accomplish this, we began migrating Firefox to an architecture where these libraries are run in lightweight in-memory sandboxes (based on WebAssembly). Firefox has been shipping with this new architecture since 2020.

In this talk, we discuss the key challenges we faced, such as ensuring efficient sandboxing, retrofitting sandboxing without changing libraries, and, most importantly, modifying applications originally written to trust libraries to be secure against attacks from (sandboxed) libraries. We will talk about RLBox, a new open-source C++ framework that we developed to meet these challenges. We share some examples of our own experience applying RLBox in Firefox.

Shravan Narayan
Ph.D. student, UC San Diego

Shravan Narayan is a PhD candidate at UC San Diego, advised by Deian Stefan. His research interests span security and systems. He is particularly interested in retrofitting security in large real-world systems like browsers. Shravan and his collaborators have won the Distinguished Paper Award at USENIX Security 2020, received an honorable mention at the NSA Best Scientific Cybersecurity Paper Competition, and won the applied research competition at CSAW 2020. His work is deployed in multiple real systems, including the Firefox browser.
