Proceedings of the Institute for System Programming of the RAS
Proceedings of the Institute for System Programming of the RAS, 2016, Volume 28, Issue 4, Pages 137–148
DOI: https://doi.org/10.15514/ISPRAS-2016-28(4)-8
(Mi tisp57)
 

This article is cited in 3 scientific papers (total in 3 papers)

Method for exploitability estimation of program bugs

A. N. Fedotov

Institute for System Programming of the Russian Academy of Sciences
Abstract: A method for estimating the exploitability of program bugs is presented. The technique makes it possible to prioritize the software bugs that have been found, so that a developer can fix the most security-critical bugs first. The method combines preliminary classification of program bugs with automatic exploit generation. Preliminary classification is used to filter out non-exploitable software defects. For potentially exploitable bugs, a corresponding exploit generation algorithm is chosen. If exploit generation succeeds, the exploit's operability is checked in a program emulator. Software bugs can be found in various ways; fuzzing and dynamic symbolic execution are often used for this purpose. The main requirement for using the proposed method is the ability to obtain input data that causes the program to crash. The technique can be applied to program binaries and does not require debug information. The method is implemented as a set of software tools connected by control scripts. The preliminary classification method and the automatic exploit generation method are implemented as stand-alone tools and can be used separately. The technique was used to analyze 274 program crashes obtained by fuzzing. The analysis detected 13 exploitable bugs, for which working exploits were successfully generated.
Keywords: vulnerability, buffer overflow, symbolic execution, exploit, binary code.
Document Type: Article
Language: Russian
Citation: A. N. Fedotov, “Method for exploitability estimation of program bugs”, Proceedings of ISP RAS, 28:4 (2016), 137–148
Citation in format AMSBIB
\Bibitem{Fed16}
\by A.~N.~Fedotov
\paper Method for exploitability estimation of program bugs
\jour Proceedings of ISP RAS
\yr 2016
\vol 28
\issue 4
\pages 137--148
\mathnet{http://mi.mathnet.ru/tisp57}
\crossref{https://doi.org/10.15514/ISPRAS-2016-28(4)-8}
\elib{https://elibrary.ru/item.asp?id=27174143}
Linking options:
  • https://www.mathnet.ru/eng/tisp57
  • https://www.mathnet.ru/eng/tisp/v28/i4/p137