Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All high quality, updated daily, with low-value documents filtered out. Spreading hacking knowledge, for free. Enjoy.

Taint Nobody Got Time for Crash Analysis

Type: Slides
Tags: bug hunting
Authors: Richard Johnson
Event: REcon 2013
Indexed on: Sep 18, 2014
URL: http://recon.cx/2013/slides/Recon2013-Richard%20Johnson-Taint%20Nobody%20Got%20Time%20for%20Crash%20Analysis%20-%20slides.pdf
File name: Recon2013-Richard%20Johnson-Taint%20Nobody%20Got%20Time%20for%20Crash%20Analysis%20-%20slides.pdf
File size: 1.2 MB
MD5: 2f22f127f244193880490ad5b9efbe15
SHA1: 7216901b83106877e9bfcd393b3d9d4d98b971ec

The last decade has seen a large focus on vulnerability discovery automation with various methods of fuzzing and input generation; however, little has been said about crash analysis or triage. This talk will discuss a powerful toolchain for crash analysis that incorporates the best available approaches for automated reasoning about memory access violation exceptions and overcomes limitations in currently available tools such as !exploitable and CrashWrangler. In particular, we will discuss three key areas: dynamic taint analysis to track areas of memory that are influenced by user-controlled data, forward and backward taint slicing to isolate the input bytes that lead to the crashing state, and finally forward symbolic execution to determine whether the input can be modified to reach an alternate state giving more control over the execution of the program. In other words, our system will isolate the input bytes causing the crash and try to determine whether your ReadAV can actually be turned into a WriteAV or code execution.
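The three stages named in the abstract (byte-level taint tracking, slicing back to the input bytes that reach the faulting address, and asking whether the crash can be pushed toward a write) are easiest to see on a small model. What follows is an added example, not code from the talk or from Richard Johnson's toolchain: a constructed toy instruction set, a constructed target that indexes a table with an unchecked length field, and a taint-propagating interpreter that reports the backward slice of a faulting address. The ReadAV-to-WriteAV question is approximated by continuing past the read fault and checking whether a later store address shares taint with it; the talk uses forward symbolic execution for that step, which this example does not implement. The opcode names, register names, MEM_SIZE and both inputs are assumptions made here.

```python
# Byte-level dynamic taint tracking for crash triage on a toy target.
# Added example for the abstract above; not the toolchain from the talk.
from dataclasses import dataclass

MEM_SIZE = 256        # constructed: the only mapped region of the toy target
MASK32 = 0xFFFFFFFF

@dataclass(frozen=True)
class Tainted:
    value: int
    labels: frozenset = frozenset()  # input byte offsets that influenced value

@dataclass(frozen=True)
class Fault:
    kind: str                # "read" or "write"
    address: int
    labels: frozenset        # taint of the faulting address
    value_labels: frozenset  # for writes: taint of the value being stored

BINOPS = {"add": lambda x, y: x + y, "mul": lambda x, y: x * y,
          "shl": lambda x, y: x << (y & 31), "or": lambda x, y: x | y}

def run(program, data, continue_after_read=False):
    """Execute `program` over `data` with taint propagation; return the faults.
    Constructed opcodes: ("ldb", r, off) r = data[off] tainted by {off};
    ("mov", r, imm) untainted constant; (binop, r, a, b) r = a OP b with
    taint a|b; ("ldm", r, ra) r = mem[ra]; ("stm", ra, rv) mem[ra] = rv.
    Loads/stores outside MEM_SIZE fault.  A write fault ends the run; a read
    fault does too unless continue_after_read is set, in which case the load
    yields 0 (tainted by the address) and later stores can be inspected."""
    regs, mem, faults = {}, bytearray(MEM_SIZE), []
    for op in program:
        name = op[0]
        if name == "ldb":
            _, r, off = op
            regs[r] = Tainted(data[off], frozenset({off}))
        elif name == "mov":
            _, r, imm = op
            regs[r] = Tainted(imm & MASK32)
        elif name in BINOPS:
            _, r, a, b = op
            x, y = regs[a], regs[b]
            regs[r] = Tainted(BINOPS[name](x.value, y.value) & MASK32,
                              x.labels | y.labels)
        elif name == "ldm":
            _, r, ra = op
            addr = regs[ra]
            if not 0 <= addr.value < MEM_SIZE:
                faults.append(Fault("read", addr.value, addr.labels, frozenset()))
                if not continue_after_read:
                    break
                regs[r] = Tainted(0, addr.labels)
            else:  # pointer taint flows into the loaded value (conservative policy)
                regs[r] = Tainted(mem[addr.value], addr.labels)
        elif name == "stm":
            _, ra, rv = op
            addr, val = regs[ra], regs[rv]
            if not 0 <= addr.value < MEM_SIZE:
                faults.append(Fault("write", addr.value, addr.labels, val.labels))
                break
            mem[addr.value] = val.value & 0xFF
        else:
            raise ValueError(f"unknown opcode {name}")
    return faults

def triage(program, data):
    """Classify the first fault, give its input slice and, for a read fault,
    report whether a later store address is controlled by the same bytes."""
    faults = run(program, data)
    if not faults:
        return {"result": "no fault"}
    first = faults[0]
    report = {"result": f"{first.kind} AV", "address": first.address,
              "slice": sorted(first.labels)}
    if first.kind == "read":
        later = run(program, data, continue_after_read=True)
        writes = [f for f in later if f.kind == "write" and f.labels & first.labels]
        report["write_reachable"] = bool(writes)
        if writes:
            report["write_slice"] = sorted(writes[0].labels)
            report["value_slice"] = sorted(writes[0].value_labels)
    return report

# Constructed target: 5-byte header, u32 LE `count` at offsets 0..3, `kind` at 4.
# It indexes a 4-byte-per-entry table at offset 16 without checking `count`,
# reads one entry, then stores `kind` into the following byte.
PROGRAM = [
    ("ldb", "b0", 0), ("ldb", "b1", 1), ("ldb", "b2", 2), ("ldb", "b3", 3),
    ("mov", "c8", 8), ("mov", "c16", 16), ("mov", "c24", 24),
    ("shl", "b1", "b1", "c8"), ("shl", "b2", "b2", "c16"), ("shl", "b3", "b3", "c24"),
    ("or", "count", "b0", "b1"), ("or", "count", "count", "b2"), ("or", "count", "count", "b3"),
    ("ldb", "kind", 4), ("mov", "c4", 4),
    ("mul", "idx", "count", "c4"), ("add", "idx", "idx", "c16"),
    ("ldm", "entry", "idx"),                   # ReadAV once count*4+16 >= MEM_SIZE
    ("mov", "c1", 1), ("add", "idx2", "idx", "c1"),
    ("stm", "idx2", "kind"),                   # WriteAV driven by the same bytes
]

BENIGN_INPUT = bytes([0x0A, 0, 0, 0, 0x41])  # constructed: count=10 -> idx 56
CRASH_INPUT = bytes([0x40, 0, 0, 0, 0x41])   # constructed: count=64 -> idx 272

if __name__ == "__main__":
    print(triage(PROGRAM, BENIGN_INPUT))
    print(triage(PROGRAM, CRASH_INPUT))
```

On the crashing input the report says the read fault at 272 is sliced to input offsets 0..3, that a store reachable past the fault uses an address with the same slice, and that the stored value comes from offset 4. Two caveats a practitioner should keep in mind: taint here is an over-approximation (an OR with a zero byte still adds that byte's label, so the slice is an upper bound on what matters), and continuing past a read fault only shows that a tainted store exists on the same path, not that the input can be adjusted to reach it in bounds; that refinement is exactly what the symbolic execution stage in the talk is for.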

About us

Secdocs is a project that aims to index high-quality IT security and hacking documents. These are fetched from multiple sources: events, conferences and the web in general.

Statistics

Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.

Contribute

To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.
