Did I find 1k bugs or 1 bug 1k times? Is this a vuln or a random crash? No one pays for crashes.
-
@berendjanwever is evaluating 2500 crashes per day on major browsers. This yields about 1 vuln per month. For a sample, check #DailyBug.
-
Dumb fuzzing yields poor results on browsers today.
@berendjanwever's fuzzers understand the DOM and coordinate to find complex interactions.
-
MemGC in IE made 90% of his use-after-free bugs practically unexploitable. "This took a bite out of my income."
-
MemGC is not a cure-all. A few UAFs are still exploitable. He's also finding type confusion, out of bounds reads/writes. UAFs are declining.
-
BugID automatically performs common crash analysis steps. Goal was to make more $ by reporting faster to bounty programs.
-
BugID is a wrapper around CDB on Windows. It is similar to !exploitable but with more useful output. !exploitable was never useful for him.
-
BugID reports contain lots of raw data plus a human readable summary.
-
BugID detects 1st and 2nd chance exceptions. Then asks, what kind of bug causes this kind of exception?
-
Needed a method to identify unique bugs. Encodes where, what, and how into a "bug id." Attempts to resolve differences in 32/64-bit builds.
-
Stages of BugID development: 1. Run tests unattended 2. Don't waste time on known issues 3. Filter by type (filter non-issues) 4. Print $$$
-
If symbols are available, BugID tries to look up location in Chrome/Firefox src code. Grades UAFs by estimated control of allocations. Neat!
-
BugID tracks distance between AVs and poison values to estimate control. Works for every bug type. Encoded on "bug id hash", easy to grep.
-
He's collected data on BugID FPs over the last year. Short time between UAF was a typical FP. FNs using BugID are very low.
-
tl;dr Uses WinDBG, Page Heap for UAF. Relies heavily on symbols. Call stack hash and bug type for id. No src req'd, easy to deploy.
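Two of the ideas the thread describes, the call-stack-plus-bug-type id that survives 32/64-bit differences and the distance from the faulting address to a poison value as a control estimate, as an added Python sketch. This is not BugID's code; the page-heap fill bytes, the frame names and the crash records are my assumptions and constructed samples.

```python
import hashlib
import re

# Page-heap fill bytes for freed (0xF0) and uninitialised (0xC0) memory; assumed
# from Windows page-heap conventions, not values stated in the thread.
POISON = {"freed": 0xF0, "uninitialised": 0xC0}

def normalize_frame(frame):
    """Strip the +0x... offset so a function hashes alike in 32- and 64-bit builds."""
    return re.sub(r"\+0x[0-9A-Fa-f]+$", "", frame)

def bug_id(bug_type, stack, depth=4):
    """Encode 'what' (bug type) and 'where' (top frames) into one greppable id."""
    key = "|".join([bug_type] + [normalize_frame(f) for f in stack[:depth]])
    return "%s@%s" % (bug_type, hashlib.sha1(key.encode()).hexdigest()[:8])

def poison_distance(address, pointer_bits=32):
    """Signed distance from the fault address to the nearest poison-filled pointer."""
    mask, half = (1 << pointer_bits) - 1, 1 << (pointer_bits - 1)
    dists = {}
    for name, byte in POISON.items():
        pattern = int.from_bytes(bytes([byte]) * (pointer_bits // 8), "little")
        d = (address - pattern) & mask
        dists[name] = d - (mask + 1) if d >= half else d  # wrap to signed
    name = min(dists, key=lambda n: abs(dists[n]))
    return name, dists[name]

def estimate_control(address, pointer_bits=32, window=0x1000):
    """Close to a fill pattern means the pointer was read from freed/uninitialised
    memory and the offset shows how it was used; far away means no evidence."""
    name, d = poison_distance(address, pointer_bits)
    if abs(d) <= window:
        return "%s+0x%x" % (name, d) if d >= 0 else "%s-0x%x" % (name, -d)
    return "unknown"

def triage(crashes):
    """Group crash records by bug id, attaching a control estimate to each."""
    groups = {}
    for c in crashes:
        bid = bug_id(c["type"], c["stack"])
        groups.setdefault(bid, []).append(estimate_control(c["address"], c["bits"]))
    return groups

CRASHES = [  # constructed sample records, not real BugID output
    {"type": "AVR", "bits": 32, "address": 0xF0F0F100,
     "stack": ["browser!CNode::Layout+0x1a", "browser!CDoc::Render+0x4f"]},
    {"type": "AVR", "bits": 64, "address": 0xF0F0F0F0F0F0F100,
     "stack": ["browser!CNode::Layout+0x2c", "browser!CDoc::Render+0x8b"]},
    {"type": "AVW", "bits": 32, "address": 0x14, "stack": ["browser!CElem::Free+0x10"]},
]
```

Running `triage(CRASHES)` folds the first two records (same frames, different offsets and bitness) into one id with a "freed+0x10" estimate each, and leaves the near-NULL write as a separate id with no control evidence.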