Proceedings of the Institute for System Programming of the RAS
Proceedings of the Institute for System Programming of the RAS, 2016, Volume 28, Issue 5, Pages 73–92
DOI: https://doi.org/10.15514/ISPRAS-2016-28(5)-4
(Mi tisp68)
 

This article is cited in 7 scientific papers (total in 7 papers)

Software defect severity estimation in presence of modern defense mechanisms

A. N. Fedotov (a), V. A. Padaryan (b, a), V. V. Kaushan (a), Sh. F. Kurmangaleev (a), A. V. Vishnyakov (a), A. R. Nurmukhametov (a)

(a) Institute for System Programming of the Russian Academy of Sciences
(b) Lomonosov Moscow State University
Abstract: This paper introduces a refined method for automated exploitability evaluation of discovered program bugs. During the security development lifecycle, a significant number of crashes are detected in programs. Because resources are limited, bug fixing is time-consuming and needs prioritization, and fixing exploitable bugs should have the highest priority. In practice, automated exploit generation is used to solve this problem: a generated exploit confirms the presence of a critical vulnerability. However, state-of-the-art publications omit the modern defense mechanisms that prevent exploitation, which lowers the quality of the evaluation. This paper considers modern vulnerability exploitation prevention mechanisms and presents an evaluation of their prevalence and efficiency. The method can be applied to program binaries and doesn't require any debug information. The proposed method is based on symbolic interpretation of traces obtained by a full-system emulator. It can demonstrate real exploitability of a stack buffer overflow vulnerability with a write-what-where condition even when DEP, ASLR, and “canary” operate together. The capabilities of the implemented method were demonstrated on model examples and real programs.
Keywords: critical vulnerability, binary code, symbolic execution.
Funding agency: Russian Foundation for Basic Research
Grant number: 16-29-09632
The paper was supported by RFBR grant #16-29-09632
Document Type: Article
Language: Russian
Citation: A. N. Fedotov, V. A. Padaryan, V. V. Kaushan, Sh. F. Kurmangaleev, A. V. Vishnyakov, A. R. Nurmukhametov, “Software defect severity estimation in presence of modern defense mechanisms”, Proceedings of ISP RAS, 28:5 (2016), 73–92
Citation in format AMSBIB
\Bibitem{FedPadKau16}
\by A.~N.~Fedotov, V.~A.~Padaryan, V.~V.~Kaushan, Sh.~F.~Kurmangaleev, A.~V.~Vishnyakov, A.~R.~Nurmukhametov
\paper Software defect severity estimation in presence of modern defense mechanisms
\jour Proceedings of ISP RAS
\yr 2016
\vol 28
\issue 5
\pages 73--92
\mathnet{http://mi.mathnet.ru/tisp68}
\crossref{https://doi.org/10.15514/ISPRAS-2016-28(5)-4}
\elib{https://elibrary.ru/item.asp?id=27679151}
Linking options:
  • https://www.mathnet.ru/eng/tisp68
  • https://www.mathnet.ru/eng/tisp/v28/i5/p73