Hi SC-L, I figured the referenced dissertation below would be of some interest here. Interesting reading, IMHO.
Cheers,
Ken van Wyk

Begin forwarded message:
From: Ian Cook <i...@cymru.com>
Date: September 27, 2009 5:06:51 AM EDT
Subject: [1st NEWS] [DNB] Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities

Title: Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities
Author: Sean Heelan
Source: University of Oxford
Date Published: 3rd September 2009

Excerpt: '.... Software bugs that result in memory corruption are a common and dangerous feature of systems developed in certain programming languages. Such bugs are security vulnerabilities if they can be leveraged by an attacker to trigger the execution of malicious code. Determining if such a possibility exists is a time-consuming process and requires technical expertise in a number of areas. Often the only way to be sure that a bug is in fact exploitable by an attacker is to build a complete exploit. It is this process that we seek to automate.

We present a novel algorithm that integrates data-flow analysis and a decision procedure with the aim of automatically building exploits. The exploits we generate are constructed to hijack the control flow of an application and redirect it to malicious code. Our algorithm is designed to build exploits for three common classes of security vulnerability: stack-based buffer overflows that corrupt a stored instruction pointer, buffer overflows that corrupt a function pointer, and buffer overflows that corrupt the destination address used by instructions that write to memory. For these vulnerability classes we present a system capable of generating functional exploits in the presence of complex arithmetic modification of inputs and arbitrary constraints. Exploits are generated using dynamic data-flow analysis in combination with a decision procedure. To the best of our knowledge the resulting implementation is the first to demonstrate exploit generation using such techniques. We illustrate its effectiveness on a number of benchmarks including a vulnerability in a large, real-world server application. ....'

To read the complete article see: http://seanhn.files.wordpress.com/2009/09/thesis1.pdf

For more Security News see:
www.team-cymru.org/News
www.team-cymru.org/News/secnews.rss

The opinions expressed in the posted news items do not necessarily reflect the views of Team Cymru. The appearance of hyperlinks does not constitute endorsement by Team Cymru of an external Web site, or any commercial company, information, products or services contained therein.

Dragon News Bytes is a Private and Restricted mailing list. To subscribe to this mailing list, please sign up at https://cymru.com/mailman/listinfo/ians_dragon_newsbytes and then send an email to: outre...@cymru.com providing some personal background and two references, preferably from FIRST.ORG (www.first.org/members/teams).

For more Security News see:
www.team-cymru.org/News
www.youtube.com/teamcymru
http://twitter.com/teamcymru

Ian Cook
Security Evangelist
Team Cymru
www.cymru.com/contact.html
'To communicate simply you must understand profoundly'
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
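As an added illustration (this is not code from the thesis, from the list post, or from Team Cymru), the toy below models the pipeline the forwarded abstract describes for the first of its three vulnerability classes, a stack-based overflow that corrupts the stored instruction pointer. A concrete run of a vulnerable copy loop is traced to record which input byte reaches each frame byte (the dynamic data-flow step); a decision procedure is then asked for input bytes that make the four saved-return-address bytes equal a chosen target, even though the program applies per-byte arithmetic to the input before storing it and the input must satisfy a constraint (no NUL bytes, as a C string copy would impose). The frame layout, the `transform` function, the names `run_traced`, `solve_byte` and `generate_exploit`, and the use of byte-wise brute force in place of a real SMT/SAT solver are all assumptions of this example, not details taken from the dissertation.

```python
"""Toy model of automatic exploit generation: dynamic taint tracking over a
vulnerable copy loop, then a (brute-force) decision procedure that solves for
input bytes which place a chosen value in the saved return address slot.
Constructed illustration: the frame layout, transform and program are made up
and are not taken from the thesis."""
from typing import Callable, Dict, Optional

FRAME_SIZE = 16       # hypothetical frame: char buf[8] | saved ebp (4) | saved eip (4)
SAVED_EIP_OFF = 12    # offset of the stored instruction pointer within that frame


def transform(i: int, b: int) -> int:
    """Per-byte arithmetic the toy program applies to input byte i before
    storing it (stands in for the abstract's 'complex arithmetic modification').
    Every step is a bijection on bytes, so each target byte has exactly one preimage."""
    b = (b * 3 + i) & 0xFF                 # multiply-add with the byte position
    b = ((b << 1) | (b >> 7)) & 0xFF       # rotate left by one bit
    return b ^ 0x5A                        # xor with a constant


def run_traced(inp: bytes):
    """Execute the vulnerable copy with a concrete input while recording, for
    every frame byte, which input byte it was derived from (dynamic data-flow).
    The loop has no bounds check, so inputs longer than buf overwrite the saved
    frame pointer and saved return address; a write past the frame end is
    treated as a crash."""
    frame = bytearray(FRAME_SIZE)
    taint: Dict[int, int] = {}            # frame offset -> controlling input index
    for i, b in enumerate(inp):
        if i >= FRAME_SIZE:
            raise RuntimeError("write beyond frame: program would crash")
        frame[i] = transform(i, b)
        taint[i] = i
    return frame, taint


def solve_byte(idx: int, want: int, ok: Callable[[int], bool]) -> Optional[int]:
    """Decision-procedure stand-in: find an input byte v at input index idx such
    that transform(idx, v) == want and the constraint ok(v) holds. Brute force
    over one byte replaces the SMT/SAT solver a real tool would call."""
    for v in range(256):
        if ok(v) and transform(idx, v) == want:
            return v
    return None


def generate_exploit(target: int, ok: Callable[[int], bool],
                     input_len: int = FRAME_SIZE) -> Optional[bytes]:
    """Build an input that makes the saved return address equal `target`
    (little-endian), or return None if this path does not give the attacker
    control of all four address bytes under the constraint."""
    probe = bytes([0x41] * input_len)          # filler satisfying no_nul
    _, taint = run_traced(probe)
    eip_slots = range(SAVED_EIP_OFF, SAVED_EIP_OFF + 4)
    if not all(off in taint for off in eip_slots):
        return None                            # stored eip not attacker-controlled
    exploit = bytearray(probe)
    for k, off in enumerate(eip_slots):
        want = (target >> (8 * k)) & 0xFF      # little-endian byte k of the target
        v = solve_byte(taint[off], want, ok)
        if v is None:
            return None                        # unsatisfiable under the constraint
        exploit[taint[off]] = v
    frame, _ = run_traced(bytes(exploit))      # re-execute to confirm the hijack
    assert int.from_bytes(frame[SAVED_EIP_OFF:SAVED_EIP_OFF + 4], "little") == target
    return bytes(exploit)


def no_nul(v: int) -> bool:
    """Example input constraint: a C string copy stops at the first NUL byte."""
    return v != 0


if __name__ == "__main__":
    payload = generate_exploit(0xDEADBEEF, no_nul)
    print(payload.hex() if payload else "not exploitable")
```

Running the block prints a 16-byte payload whose last four bytes, once the program has transformed them, spell 0xDEADBEEF in the saved return address slot. The final re-execution in `generate_exploit` is the check the abstract calls the only reliable test of exploitability, actually building and running the exploit. A real tool works on an instruction-level trace of the binary and hands the accumulated constraints to a solver; the shape of the computation, taint map first, solver second, concrete verification last, is what this toy keeps.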