This document discusses binary vulnerabilities and methods for identifying and exploiting them. It covers topics like stack overflows, heap overflows, integer overflows, and pointer vulnerabilities. It also discusses vulnerability metrics, identifiers, and tools that can be used for analysis like fuzzers, symbolic execution, and decompilers. Exploitation techniques like bypassing protections and transferring control are also mentioned.
2. vulnerability
● Binary, Logic, Web
● Why are vulnerabilities so interesting?
● Why do we need to patch our OS? (project MIT)
● Math models for vulnerabilities
● Languages without vulnerabilities
3. Metrics
● CVSS
● LPE/RCE
● User/Kernel space
● Probability (0-100%)
5. Web vulnerabilities (not here)
● Cross Site Scripting (XSS)
● Injection Flaws (SQLi)
● Malicious File Execution (RFI)
● Insecure Direct Object Reference
● Cross Site Request Forgery (CSRF)
● Information Leakage and Improper Error Handling
● Broken Authentication and Session Management
● Failure to Restrict URL Access
6. Logic vulnerabilities
● int rand(){return 4;}
● The client decides whether authorization succeeded or not
● [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046:
UXSS and bad history navigation. Credit to Sergey Glazunov.
● GNU C library dynamic linker $ORIGIN expansion Vulnerability
Tavis Ormandy.
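The second bullet, as an added Python example that is not from the slides: a request handler that lets the client decide the authorization outcome, beside one that derives the decision only from server-side state. The user table and the request shape are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed server-side user table (hypothetical data, not from the slides).
USERS = {"alice": {"role": "admin"}, "bob": {"role": "user"}}


@dataclass
class Request:
    # Identity the server established itself (e.g. from a session cookie lookup).
    session_user: str
    # Everything the client put in the request body: fully attacker-controlled.
    params: dict = field(default_factory=dict)


def delete_account_vulnerable(req: Request) -> str:
    """Logic flaw: the authorization decision is taken from client input.

    Any client can send is_admin=true; the server never checks who it is
    talking to. A real admin who omits the flag is denied, which shows the
    check is not even tied to the actual privilege.
    """
    if req.params.get("is_admin") == "true":
        return f"deleted {req.params.get('target')}"
    return "denied"


def delete_account_fixed(req: Request) -> str:
    """Fixed: the server decides, using only state it controls.

    The role comes from the server-side user table keyed by the identity the
    server established; nothing in req.params can influence the verdict.
    """
    role = USERS.get(req.session_user, {}).get("role")
    if role != "admin":
        return "denied"
    return f"deleted {req.params.get('target')}"


if __name__ == "__main__":
    forged = Request("bob", {"is_admin": "true", "target": "alice"})
    print("vulnerable:", delete_account_vulnerable(forged))  # deleted alice
    print("fixed:     ", delete_account_fixed(forged))       # denied
```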
27. RE vs tester
● Tester:
- QA: look at and spit on the ceiling
- Functional: performance and optimization, takes part in the development loop.
● RE: exceptions, bugs, disassembly and other crap.
34. Real World
● Browser = ~ 4*10^9 insns
● Not a code-based method.
● Not an input-based method.
● Only a human-written test case: cross_fuzz
35. The potential vulnerability.
● Static – very bad (~0.1%).
● Dynamic (taint, symbolic execution) – bad (~2%).
● Dynamic (fuzzing, debugger) – not bad (~5%).