Now starting BugID with @berendjanwever at @InfiltrateCon #youkillityoueatitpic.twitter.com/oZouw4H2jE
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
@berendjanwever is evaluating 2500 crashes per day on major browsers. This yields about 1 vuln per month. For a sample, check #DailyBug.
Dumb fuzzing yields poor results on browsers today. @berendjanwever's fuzzers understand the DOM and coordinate to find complex interactions
MemGC in IE made 90% of his use-after-free bugs practically unexploitable. "This took a bite out of my income."
MemGC is not a cure-all. A few UAFs are still exploitable. He's also finding type confusion, out of bounds reads/writes. UAFs are declining.
BugID automatically performs common crash analysis steps. Goal was make more $ by reporting faster to bounty programs.
BugID is a wrapper around CDB on Windows. It is similar to !exploitable but with more useful output. !exploitable was never useful for him.
BugID reports contain lots of raw data plus a human readable summary.pic.twitter.com/eYIdJ7ej79
BugID detects 1st and 2nd chance exceptions. Then asks, what kind of bug causes this kind of exception?pic.twitter.com/dQ1Ihlkijg
Needed a method to identify unique bugs. Encodes where, what, and how into a "bug id." Attempts to resolve differences in 32/64-bit builds.pic.twitter.com/IDV6LRwCmD
Stages of BugID development: 1. Run tests unattended 2. Don't waste time on known issues 3. Filter by type (filter non-issues) 4. Print $$$
If symbols are available, BugID tries to look up location in Chrome/Firefox src code. Grades UAFs by estimated control of allocations. Neat!
BugID tracks distance between AVs and poison values to estimate control. Works for every bug type. Encoded on "bug id hash", easy to grep.pic.twitter.com/u5370K9VC4
He's collected data on BugID FPs over the last year. Short time between UAF was a typical FP. FNs using BugID are very low.
tl;dr Uses WinDBG, Page Heap for UAF. Relies heavily on symbols. Call stack hash and bug type for id. No src req'd, easy to deploy.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.