If you think about it, all exploitable memory corruption is a special class of type confusion. UAF -> type confusion with a free chunk; overflow -> lets you write data of one kind into data of another; and double free -> UAF -> type confusion.
-
(I also think that many "UAF" bugs aren't really "UAF", because many of them can technically be triggered without ever reaching the free(), so the bug class is something like "improper concurrency" or "pointer-use-after-invalidation", even though the exploit class is often UAF.)
-
Classifying in terms of memory safety flaws and memory safety violations is another way to think about it, e.g. a flaw gives rise to an initial violation, which can then give rise to other violations. Some past taxonomy musings here, starting on slide 8 or so: https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2012_10_Breakpoint/BreakPoint2012_Miller_Modeling_the_exploitation_and_mitigation_of_memory_safety_vulnerabilities.pdf