Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs
Automated Exploit Generation (AEG) is a well-known difficult task, especially for heap vulnerabilities. Previous works first detected heap vulnerabilities and then searched for exploitable states using symbolic execution and fuzzing on binary programs. However, it is not always easy to discover bugs with fuzzing or symbolic techniques, and they do not always solve the internal overflow of heap objects. In this paper, we present DEPA, a solution that detects exploit primitives for heap vulnerabilities based on a primitive-crucial-behavior model. The core of DEPA contains two novel techniques: 1) primitive-crucial-behavior identification through pointer dependence analysis, and 2) an exploit primitive determination method that triggers both the vulnerability and the exploit primitive. We evaluate DEPA on eleven real-world CTF (capture the flag) programs with heap vulnerabilities; DEPA discovers arbitrary write and arbitrary jump exploit primitives for ten of them, the exception being the program multi-heap. Results show that primitive-crucial-behavior identification and exploit primitive determination are accurate and effective with our approach. In addition, DEPA is superior to state-of-the-art tools in determining exploit primitives for heap object internal overflow.

Comment: 11 pages, 9 figures
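The abstract's central case, an internal overflow of a heap object that yields arbitrary write and arbitrary jump primitives, is easier to grasp on a concrete object. The C program below is an added illustration written for this page, not DEPA's code or any program from the paper's evaluation: the object layout, the `set_name` setter and the `update_record` consumer are constructed here. The overflow never leaves the 32-byte allocation, which is what makes it "internal": it corrupts a data pointer and a function pointer that sit after the buffer in the same object, and the two later uses of those pointers are the behaviours on which the primitives depend.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed heap object (an assumption for illustration, not from the
 * paper): a name buffer followed, inside the same allocation, by a data
 * pointer and a function pointer. */
struct record {
    char name[16];
    uint64_t *counter;                  /* written through in update_record */
    void (*on_update)(struct record *); /* called indirectly in update_record */
};

static uint64_t legit_counter = 0;
static void legit_callback(struct record *r) { (void)r; }

/* Markers that show whether each primitive actually fired. */
static uint64_t victim = 0;   /* arbitrary-write target chosen by the attacker */
static int jumped = 0;        /* set only if control reaches attacker_func */
static void attacker_func(struct record *r) { (void)r; jumped = 1; }

/* Vulnerable: len is never checked against sizeof name.  Bytes 16..31 of
 * the copy stay inside the object, so chunk metadata and out-of-chunk
 * redzones are untouched: an internal overflow of the heap object. */
static void set_name_vuln(struct record *r, const unsigned char *src, size_t len) {
    memcpy(r->name, src, len);   /* BUG: intra-object overflow */
}

/* Hardened: bound the copy by the field, not by the allocation size. */
static int set_name_safe(struct record *r, const unsigned char *src, size_t len) {
    if (len >= sizeof r->name) return -1;   /* keep room for the terminator */
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* The pointer-dependent behaviours: a write through r->counter and an
 * indirect call through r->on_update.  With intact pointers both are
 * benign; with overflowed pointers they become the two primitives. */
static void update_record(struct record *r, uint64_t v) {
    *r->counter = v;   /* arbitrary write once counter is corrupted */
    r->on_update(r);   /* arbitrary jump once on_update is corrupted */
}

static struct record *new_record(void) {
    struct record *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->counter = &legit_counter;
    r->on_update = legit_callback;
    return r;
}

/* Overflowing input: 16 filler bytes, then the raw bytes of the pointer
 * values the attacker wants in counter and on_update. */
static size_t build_payload(unsigned char *out, uint64_t *write_to,
                            void (*jump_to)(struct record *)) {
    memset(out, 'A', sizeof(struct record));
    memcpy(out + offsetof(struct record, counter), &write_to, sizeof write_to);
    memcpy(out + offsetof(struct record, on_update), &jump_to, sizeof jump_to);
    return sizeof(struct record);
}

/* Returns 1 when both primitives fired: victim == 0x41 and attacker_func ran. */
int demo_vulnerable(void) {
    unsigned char payload[sizeof(struct record)];
    struct record *r = new_record();
    size_t n = build_payload(payload, &victim, attacker_func);
    victim = 0; jumped = 0; legit_counter = 0;
    set_name_vuln(r, payload, n);
    update_record(r, 0x41);
    free(r);
    return victim == 0x41 && jumped == 1;
}

/* Same payload against the hardened setter: rejected, pointers intact. */
int demo_hardened(void) {
    unsigned char payload[sizeof(struct record)];
    struct record *r = new_record();
    size_t n = build_payload(payload, &victim, attacker_func);
    victim = 0; jumped = 0; legit_counter = 0;
    int rc = set_name_safe(r, payload, n);
    update_record(r, 0x41);
    free(r);
    return rc == -1 && victim == 0 && jumped == 0 && legit_counter == 0x41;
}

int main(void) {
    printf("vulnerable setter: both primitives fired = %d\n", demo_vulnerable());
    printf("hardened setter:   attack blocked        = %d\n", demo_hardened());
    return 0;
}
```

Two practical points follow from the example. First, because the write stays inside the allocation, allocator integrity checks and AddressSanitizer's inter-object redzones do not see it; this is why the abstract singles out internal overflow as the hard case for fuzzing. Second, the fix is a bound on the field (`sizeof r->name`), not on the object: a check such as `len <= sizeof *r` would still let the pointers be overwritten.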
Bridging the Gap: A Survey and Classification of Research-Informed Ethical Hacking Tools
The majority of Ethical Hacking (EH) tools utilised in penetration testing are developed by practitioners within the industry or underground communities. Similarly, academic researchers have also contributed to developing security tools. However, there appears to be limited awareness among practitioners of academic contributions in this domain, creating a significant gap between industry's and academia's contributions to EH tools. This research paper aims to survey the current state of EH academic research, primarily focusing on research-informed security tools. We categorise these tools into process-based frameworks (such as PTES and MITRE ATT&CK) and knowledge-based frameworks (such as CyBOK and ACM CCS). This classification provides a comprehensive overview of novel, research-informed tools, considering their functionality and application areas. The analysis covers licensing, release dates, source code availability, development activity, and peer review status, providing valuable insights into the current state of research in this field.
SafeBet: Secure, Simple, and Fast Speculative Execution
Spectre attacks exploit microprocessor speculative execution to read and transmit forbidden data outside the attacker's trust domain and sandbox. Recent hardware schemes allow potentially-unsafe speculative accesses but prevent the secret's transmission by delaying most access-dependent instructions even in the predominantly common no-attack case, which incurs performance loss and hardware complexity. Instead, we propose SafeBet, which allows only safe accesses and does not delay most of them, achieving both security and high performance. SafeBet is based on the key observation that speculatively accessing a destination location is safe if an access to that location by the same static trust domain has previously been committed, and potentially unsafe otherwise. We extend this observation to handle inter-trust-domain code and data interactions. SafeBet employs the Speculative Memory Access Control Table (SMACT) to track non-speculative trust-domain code-region/destination pairs. Disallowed accesses wait until they reach commit, which triggers the well-known replay mechanism, with virtually no change to the pipeline. Software simulations using SPEC CPU benchmarks show that SafeBet uses an 8.3-KB SMACT per core to perform within 6% on average (63% at worst) of the unsafe baseline, behind which NDA-restrictive, a previous scheme with security and hardware complexity comparable to SafeBet's, lags by 83% on average.
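The rule in the abstract (a speculative access is safe only if the same static trust domain has already committed an access to that destination from that code region) can be checked on a small model. The C program below is an added example written for this page, not the authors' simulator: it keeps a table of (trust domain, code region, destination) triples and applies the rule to a constructed Spectre v1 style gadget. The table organisation, the cache-line granularity, the numeric domain and region identifiers, and the probe-array layout are all assumptions; the page says nothing about how the real SMACT is indexed or sized beyond its 8.3 KB per core.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the SMACT: a flat list of committed (domain, region, line)
 * triples.  Keying on 64-byte cache lines is an assumption made here. */
#define LINE_SHIFT 6
#define SMACT_MAX  256

struct smact_entry { uint32_t domain; uint32_t region; uint64_t line; };
struct smact { struct smact_entry e[SMACT_MAX]; int n; };

static uint64_t line_of(uint64_t addr) { return addr >> LINE_SHIFT; }

static int smact_lookup(const struct smact *t, uint32_t d, uint32_t r, uint64_t line) {
    for (int i = 0; i < t->n; i++)
        if (t->e[i].domain == d && t->e[i].region == r && t->e[i].line == line)
            return 1;
    return 0;
}

/* Called when a non-speculative access commits: record the pair. */
void smact_commit(struct smact *t, uint32_t d, uint32_t r, uint64_t addr) {
    uint64_t line = line_of(addr);
    if (smact_lookup(t, d, r, line)) return;
    if (t->n < SMACT_MAX) t->e[t->n++] = (struct smact_entry){ d, r, line };
}

/* Called for a speculative access: 1 = safe, proceed now;
 * 0 = hold the access until it reaches commit (then replay). */
int smact_speculative_ok(const struct smact *t, uint32_t d, uint32_t r, uint64_t addr) {
    return smact_lookup(t, d, r, line_of(addr));
}

/* Table semantics in isolation: same line allowed, next line, other
 * region and other domain held.  Returns 1 if all checks agree. */
int demo_table_basics(void) {
    struct smact t = { {{0}}, 0 };
    int before = smact_speculative_ok(&t, 1, 1, 0x1000);
    smact_commit(&t, 1, 1, 0x1000);
    int same_line  = smact_speculative_ok(&t, 1, 1, 0x103f);
    int next_line  = smact_speculative_ok(&t, 1, 1, 0x1040);
    int other_reg  = smact_speculative_ok(&t, 1, 2, 0x1000);
    int other_dom  = smact_speculative_ok(&t, 2, 1, 0x1000);
    return !before && same_line && !next_line && !other_reg && !other_dom;
}

/* Constructed Spectre v1 scenario.  array1 holds 16 public bytes and one
 * extra byte playing the secret just past the bound; array2 is the probe
 * array the gadget indexes with array1[i] * 256. */
enum { DOMAIN_VICTIM = 1, REGION_GADGET = 7, ARRAY1_SIZE = 16 };
static uint8_t array1[ARRAY1_SIZE + 1];
static uint8_t array2[256 * 256];

static uint64_t gadget_dest(size_t i) {
    return (uint64_t)(uintptr_t)&array2[(size_t)array1[i] * 256];
}

/* Returns 1 if the rule lets trained, in-bounds accesses proceed
 * speculatively while holding the out-of-bounds, secret-dependent one. */
int demo_spectre_v1(void) {
    struct smact t = { {{0}}, 0 };
    for (size_t i = 0; i < ARRAY1_SIZE; i++) array1[i] = (uint8_t)i;  /* public */
    array1[ARRAY1_SIZE] = 0xC3;  /* secret: its line is never committed below */

    /* Training: in-bounds executions of the gadget commit their destinations. */
    for (size_t i = 0; i < ARRAY1_SIZE; i++)
        smact_commit(&t, DOMAIN_VICTIM, REGION_GADGET, gadget_dest(i));

    /* Mis-speculated run with i == 16: destination depends on the secret and
     * was never committed by this region, so it is held until commit. */
    int held = !smact_speculative_ok(&t, DOMAIN_VICTIM, REGION_GADGET,
                                     gadget_dest(ARRAY1_SIZE));
    /* Speculative in-bounds access to an already-committed line proceeds. */
    int allowed = smact_speculative_ok(&t, DOMAIN_VICTIM, REGION_GADGET, gadget_dest(3));
    /* The same line from another trust domain's code is not covered. */
    int other = smact_speculative_ok(&t, DOMAIN_VICTIM + 1, REGION_GADGET, gadget_dest(3));
    return held && allowed && !other;
}

int main(void) {
    printf("table semantics ok = %d\n", demo_table_basics());
    printf("spectre v1 held   = %d\n", demo_spectre_v1());
    return 0;
}
```

The example keeps the secret's value outside the set of trained, public values. Read literally, the rule in the abstract would allow a speculative access whose destination line the same region had already committed, because that location is by then known to the domain; the "inter trust-domain" extension the abstract mentions is not described on this page and is not modelled here.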