Did I find 1k bugs or 1 bug 1k times? Is this a vuln or a random crash? No one pays for crashes.
-
-
If symbols are available, BugID tries to look up location in Chrome/Firefox src code. Grades UAFs by estimated control of allocations. Neat!
-
BugID tracks distance between AVs and poison values to estimate control. Works for every bug type. Encoded on "bug id hash", easy to grep.pic.twitter.com/u5370K9VC4
-
He's collected data on BugID FPs over the last year. Short time between UAF was a typical FP. FNs using BugID are very low.
-
tl;dr Uses WinDBG, Page Heap for UAF. Relies heavily on symbols. Call stack hash and bug type for id. No src req'd, easy to deploy.
End of conversation
New conversation -
-
-
Find (exploitable) bugs, stack paper.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.