104,768 research outputs found
Analyzing the Gadgets Towards a Metric to Measure Gadget Quality
Current low-level exploits often rely on code-reuse, whereby short sections
of code (gadgets) are chained together into a coherent exploit that can be
executed without the need to inject any code. Several protection mechanisms
attempt to eliminate this attack vector by applying code transformations to
reduce the number of available gadgets. Nevertheless, it has emerged that the
residual gadgets can still be sufficient to conduct a successful attack.
Crucially, the lack of a common metric for "gadget quality" hinders the
effective comparison of current mitigations. This work proposes four metrics
that assign scores to a set of gadgets, measuring quality, usefulness, and
practicality. We apply these metrics to binaries produced when compiling
programs for architectures implementing Intel's recent MPX CPU extensions. Our
results demonstrate a 17% increase in useful gadgets in MPX binaries, and a
decrease in side-effects and preconditions, making them better suited for ROP
attacks.Comment: International Symposium on Engineering Secure Software and Systems,
Apr 2016, London, United Kingdo
Cinematic experience, film space, and the child’s world
This is the full published version of this article as first published in the Canadian Journal of Film Studies, 2010, 19 (2) 82-98.
http://www.filmstudies.ca/journal/cjfs/archives/articles/kuhn_cinematic_experience_film_space_childs_worl
Mayall:a framework for desktop JavaScript auditing and post-exploitation analysis
Writing desktop applications in JavaScript offers developers the opportunity to write cross-platform applications with cutting edge capabilities. However in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime --- an increasingly popular server-side technology. In bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. The paper also exposes fifteen highly popular Electron applications and demonstrates that two thirds of applications were found to be using known vulnerable elements with high CVSS scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed
Between a Rock and a Hard Place
The perception of the WTO is currently one of an organisation in crisis. Yet, appraisal varies regarding its extent and seriousness: Is it merely a rough time or are we standing on the edge of destruction? The article will trace developments inside as well as outside the WTO in order to assess the magnitude of the crisis. It will be argued that while certain developments inside the organisation, when seen in accumulation would already warrant serious attention, only together with developments taking place outside of the WTO, the two strands of developments unfold their full potential for the crisis. The overall situation renders the WTO in a difficult position, as it is currently unable to adapt to these challenges, while keeping calm and carrying on might similarly further the crisis. While States might improve and further develop their trade relations in bi- and plurilateral agreements, it is only the WTO that reflects and stands for the multilateral post (cold) war order
- …