John Lambert
@JohnLaTwC
Distinguished Engineer, Microsoft Threat Intelligence Center, johnla(AT)microsoft.com, **BEWARE There are Tech Support Scams that use my name**

Redmond WA
linkedin.com/in/johnjlambert
Joined October 2010

    John Lambert‏ @JohnLaTwC 8 Feb 2019

    Story time. This one is about a feature in Windows called ASLR.

    11:37 AM - 8 Feb 2019
    36 replies 734 retweets 1,844 likes
      2. John Lambert‏ @JohnLaTwC 8 Feb 2019

        It was 2005. We were working on Windows Vista. Most remember it as the release with the maligned User Account Control feature. For us in Trustworthy Computing it was the first full Windows cycle where we could apply all the security engineering tools we had from start to finish.

        2 replies 18 retweets 153 likes
      3. John Lambert‏ @JohnLaTwC 8 Feb 2019

        Efforts such as fuzzing file parsers, scrubbing the code of ‘banned APIs’ across millions of lines of code, fixing masses of potential bugs from static analysis, and driving initiatives to deal with newly discovered ‘diseases’ like mismatched container COM instantiation.

        1 reply 1 retweet 90 likes
      4. John Lambert‏ @JohnLaTwC 8 Feb 2019

        We hired the most spectacular group of researchers I’ve seen assembled from NGS, iSEC Partners, IOActive, and n.runs, gave them source code, access to Windows engineers, and told them to hack without boundaries. My words to them in an early meeting were “you are here to blow sh*t up”.

        3 replies 23 retweets 211 likes
      5. John Lambert‏ @JohnLaTwC 8 Feb 2019

        A quieter effort was going on to shore up our memory safety mitigations. Mitigations touch the holiest of holies in the OS: the compiler, the memory manager, the loader. Areas you just don’t mess with late in an OS release.

        1 reply 1 retweet 81 likes
      6. John Lambert‏ @JohnLaTwC 8 Feb 2019

        The breathing room created by hardware Data Execute Protection we added in XP SP2 was gone. Exploits were using return to libc attacks and taking advantage of the fact that much of the memory layout in a Windows process was predictable.

        1 reply 4 retweets 80 likes
      7. John Lambert‏ @JohnLaTwC 8 Feb 2019

        This was a feature. A lot of work went in to carefully laying out memory so commonly loaded DLLs would never ‘collide’ and require the OS to relocate them at load time. The performance saving across every boot, every process load, on every PC was massive.

        1 reply 4 retweets 92 likes
      8. John Lambert‏ @JohnLaTwC 8 Feb 2019

        And we needed to undo that work to build a new defense—Address Space Layout Randomization or ASLR. ASLR would scramble the location of loaded modules and other process structures. However, it was late in the release, crazy late, to contemplate a change of this magnitude.

        2 replies 4 retweets 95 likes
      9. John Lambert‏ @JohnLaTwC 8 Feb 2019

        We had a few things in our favor. The feature was championed by @MattT_Cyber. Sometimes things happen because the right person says they need to happen. This was one of those features and Matt was one of those people.

        1 reply 3 retweets 87 likes
      10. John Lambert‏ @JohnLaTwC 8 Feb 2019

        Our Exec VP, Jim Allchin, wanted it. Ever since Blaster, he pushed the team to contemplate big security “sledgehammers” instead of just fighting bugs in “hand to hand combat”. Host firewall on by default in XPSP2, hardware DEP support, and now ASLR.

        3 replies 5 retweets 98 likes
      11. John Lambert‏ @JohnLaTwC 8 Feb 2019

        Brian Valentine, who oversaw Windows development, recalled a @bluehat talk by @hdmoore where he showed these tables that Metasploit had for identifying code gadgets in consistent locations across OS and service packs. “Will this break that?” It would and that was enough for him.

        3 replies 4 retweets 82 likes
      12. John Lambert‏ @JohnLaTwC 8 Feb 2019

        Sponsorship was there but could we pull it off? A crucial moment arrived when the developer responsible for the memory manager, Landy Wang, finished up his backlog of work and got a free moment to consider it. It was a complex change and would it have the desired payoff?

        1 reply 0 retweets 69 likes
      13. John Lambert‏ @JohnLaTwC 8 Feb 2019

        He turned to a trusted engineer, Neill Clift, and privately asked if it was worth doing. Neill gave it a nod. I remember Landy doing an initial prototype over a weekend. Suddenly we were in the game.

        3 replies 3 retweets 81 likes
      14. John Lambert‏ @JohnLaTwC 8 Feb 2019

        A boatload of work remained to make it truly viable with contributions across the company:
        - Architecture and Development: LandyW, ArunKi, RichardS, BryanT
        - Security Analysis: NeillC, NiGoel, MichalCh, SergFo
        - AppCompat Analysis: RobKenny, RPaige, TBaxter

        2 replies 1 retweet 81 likes
      15. John Lambert‏ @JohnLaTwC 8 Feb 2019

        Needless to say, it happened. We pondered how to announce it. Since ASLR was a feature that security researchers would notice, we decided to introduce it at a researcher conference. The year before I attended Ph Neutral put on by the legendary Phenoelit group in Germany.

        1 reply 0 retweets 70 likes
      16. John Lambert‏ @JohnLaTwC 8 Feb 2019

        @window took me around and introduced me to people at the con. Sometimes people are right where they need to be. Microsoft needed @window and she brought down walls between Microsoft and the researcher community. This conference was the right spot. I flew to Berlin.

        1 reply 3 retweets 95 likes
      17. John Lambert‏ @JohnLaTwC 8 Feb 2019

        In 2006 Microsoft was very controversial in security circles. Showing up as the representative of the “evil empire” in a den of security researchers dedicated to finding our flaws and revealing them to a seemingly clueless corporate behemoth was enough to give anyone pause.

        2 replies 2 retweets 74 likes
      18. John Lambert‏ @JohnLaTwC 8 Feb 2019

        I entered the room to give my presentation. The room filled up. Completely up. People were sitting on the floor, standing along the walls, hovering in the doorway. There was an electricity in the air--the room was finally going to hear from a Microsoft insider on our efforts.

        1 reply 0 retweets 68 likes
      19. John Lambert‏ @JohnLaTwC 8 Feb 2019

        Would people be hostile? Interrupt and challenge me? There were plenty of reasons for the crowd to be cynical. I had no idea how this was going to go. I had prepared a very technical presentation because that’s how I thought to best respect the audience.

        1 reply 3 retweets 65 likes
      20. John Lambert‏ @JohnLaTwC 8 Feb 2019

        FX (@41414141) came up to the front and introduced me. Then he did something I’ll never forget. Seemingly on the spur of the moment, he didn’t join the audience and instead sat next to me by the podium.

        2 replies 8 retweets 162 likes
      21. John Lambert‏ @JohnLaTwC 8 Feb 2019

        It was a small thing in some ways, but it meant the world to me. His presence next to me seemed to suggest to the room “he is a guest here and we will treat him with respect”.

        4 replies 10 retweets 181 likes
      22. John Lambert‏ @JohnLaTwC 8 Feb 2019

        To feel like an outsider and have the ultimate insider in his forum make sure you will be treated right is one of the kindest gestures I’ve ever received. I completed my presentation and found the subsequent hallway conversations thrilling.

        2 replies 7 retweets 204 likes
      23. John Lambert‏ @JohnLaTwC 8 Feb 2019

        I later delivered the same brief at Blackhat (https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Lambert.pdf). As time went on, the value of ASLR diminished but I remember most the human moments that brought together an unlikely cast working on the messy hairball of security, enduring headwinds and advancing forward.

        3 replies 7 retweets 271 likes
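The thread's technical point (tweets 6 to 8) is that return-to-libc relied on modules sitting at predictable addresses, and that ASLR breaks this by moving them between launches. The script below, an added example that is not part of the thread, lets a defender check that on a host: it spawns fresh Python processes and compares the address of a libc function and of a heap object across launches. It assumes an ASLR-capable OS with a loadable C runtime, and relies on CPython's `id()` returning an object address.

```python
"""Check whether ASLR is moving loaded modules and heap between launches.

Added example, not from the thread. Each child reports the address of a
libc function (a loaded module) and of a fresh heap object; under ASLR
these vary per launch, a fixed layout repeats the same values every time.
"""
import json
import subprocess
import sys

# Source of the child process. It prints two addresses as a JSON object.
# id() returning an object's address is CPython behaviour (an assumption).
CHILD_SCRIPT = r"""
import ctypes, ctypes.util, json
module_addr = None
for name in (ctypes.util.find_library("c"), "libc.so.6", "msvcrt"):
    if not name:
        continue
    try:
        lib = ctypes.CDLL(name)
        module_addr = ctypes.cast(lib.malloc, ctypes.c_void_p).value
        break
    except (OSError, AttributeError):
        continue
heap_obj = bytearray(64)
print(json.dumps({"module": module_addr, "heap": id(heap_obj)}))
"""

def sample_addresses(launches=5):
    """Spawn `launches` fresh interpreters and collect their reported addresses."""
    samples = []
    for _ in range(launches):
        proc = subprocess.run([sys.executable, "-c", CHILD_SCRIPT],
                              capture_output=True, text=True, check=True)
        samples.append(json.loads(proc.stdout))
    return samples

def is_randomized(samples, key):
    """True if the address under `key` took more than one value across launches."""
    values = {s[key] for s in samples if s.get(key) is not None}
    return len(values) > 1

if __name__ == "__main__":
    runs = sample_addresses()
    for key in ("module", "heap"):
        seen = [hex(r[key]) if r[key] is not None else None for r in runs]
        verdict = "randomized" if is_randomized(runs, key) else "FIXED"
        print(f"{key}: {seen} -> {verdict}")
```

A "FIXED" verdict for the module address on a modern OS means ASLR is disabled for that process, which is worth investigating before trusting the mitigation.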