If you think about it, all exploitable memory corruption is a special class of type confusion. UaF -> type confusion with a free chunk, overflow -> lets you write data of one kind into data of another, and double free -> UaF -> type confusion
Replying to @qwertyoruiopz
You don't always need type confusion. E.g. https://bugs.chromium.org/p/project-zero/issues/detail?id=808 : a use-after-free leading to being able to write to a read-only file. Or you could also abuse it to write to a writable file of another process. Type confusion is a common way to exploit a UAF, but not the only one.
Replying to @tehjh @qwertyoruiopz
I think it helps to distinguish between bug classes and exploit classes here. "Type confusion" is both a bug class and an exploit class, so you can take a bug that has bug class UAF but exploit it as a type confusion.
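The distinction drawn in the thread so far, a bug of class UAF exploited as a type confusion, as an added worked example in C. This is not code from any of the participants quoted above. It assumes a hypothetical fixed-size slab allocator with a LIFO free list (standing in for one size class of a real allocator), two hypothetical object types `Command` and `Blob` that share that size class, and constructed attacker input; all of those names are this example's own. A second function goes one step beyond the thread and shows the same stale read against type-isolated heaps, where the dangling pointer remains a bug but the "free chunk as another type" exploit path disappears.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size slab allocator (constructed for this example).
   A LIFO free list hands a just-freed slot to the very next allocation
   of that size, which is exactly what a UAF-as-type-confusion relies on. */
#define SLOT_SIZE  32
#define SLOT_COUNT 8

typedef union { unsigned char bytes[SLOT_SIZE]; void *align; } Slot;
typedef struct { Slot slots[SLOT_COUNT]; int free_idx[SLOT_COUNT]; int top; } Slab;

static void slab_init(Slab *s) {
    memset(s, 0, sizeof *s);
    for (int i = SLOT_COUNT - 1; i >= 0; i--) s->free_idx[s->top++] = i;
}
static void *slab_alloc(Slab *s) {
    return s->top ? s->slots[s->free_idx[--s->top]].bytes : NULL;
}
static void slab_free(Slab *s, void *p) {   /* no zeroing, no poisoning */
    s->free_idx[s->top++] = (int)((Slot *)p - s->slots);
}

/* Privileged type: carries a code pointer the program will later call. */
typedef struct { void (*handler)(const char *); char name[24]; } Command;
/* Attacker-reachable type: opaque bytes copied straight from input. */
typedef struct { unsigned char data[SLOT_SIZE]; } Blob;
typedef char command_fits_slot[(sizeof(Command) <= SLOT_SIZE) ? 1 : -1];

static void safe_handler(const char *arg) { (void)arg; }

/* Constructed attacker input: bytes that will be read back as a pointer. */
static const unsigned char attacker_bytes[8] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };

/* Bug class UAF, exploit class type confusion: Command and Blob share one
   heap, the Blob lands in the freed Command's slot, and the stale Command
   pointer now reads attacker-controlled bytes as its handler. */
uintptr_t handler_after_refill_shared_heap(const unsigned char *in, size_t n) {
    static Slab heap;
    slab_init(&heap);
    Command *cmd = slab_alloc(&heap);
    cmd->handler = safe_handler;
    strcpy(cmd->name, "reboot");
    slab_free(&heap, cmd);                  /* bug: cmd is left dangling */
    Blob *blob = slab_alloc(&heap);         /* LIFO reuse: same slot as cmd */
    memcpy(blob->data, in, n < sizeof blob->data ? n : sizeof blob->data);
    return (uintptr_t)cmd->handler;         /* stale read: attacker bytes as code ptr */
}

/* Same bug, type-isolated heaps: a Blob can never occupy a Command slot,
   so the stale read still sees a Command (here the old handler value). */
uintptr_t handler_after_refill_isolated_heaps(const unsigned char *in, size_t n) {
    static Slab cmd_heap, blob_heap;
    slab_init(&cmd_heap);
    slab_init(&blob_heap);
    Command *cmd = slab_alloc(&cmd_heap);
    cmd->handler = safe_handler;
    strcpy(cmd->name, "reboot");
    slab_free(&cmd_heap, cmd);              /* still a bug, cmd still dangles */
    Blob *blob = slab_alloc(&blob_heap);    /* different heap, different slot */
    memcpy(blob->data, in, n < sizeof blob->data ? n : sizeof blob->data);
    return (uintptr_t)cmd->handler;         /* unchanged: no type confusion */
}

uintptr_t safe_handler_address(void) { return (uintptr_t)safe_handler; }

int main(void) {
    printf("shared heap:    handler = 0x%llx (attacker bytes)\n",
           (unsigned long long)handler_after_refill_shared_heap(attacker_bytes, sizeof attacker_bytes));
    printf("isolated heaps: handler = 0x%llx (safe_handler at 0x%llx)\n",
           (unsigned long long)handler_after_refill_isolated_heaps(attacker_bytes, sizeof attacker_bytes),
           (unsigned long long)safe_handler_address());
    return 0;
}
```

Neither function calls through the stale handler; the point is only to show what value the program would call. The shared-heap variant is the generic allocator situation the thread describes, where the freed chunk is reinterpreted as whatever same-sized object the attacker can allocate next; the isolated variant is why per-type heaps are deployed as a mitigation even though they do not fix the underlying pointer-lifetime bug.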
Replying to @tehjh @qwertyoruiopz
(I also think that many "UAF" bugs aren't really "UAF", because many of them can technically be triggered without ever reaching the free(), so the bug class is something like "improper concurrency" or "pointer-use-after-invalidation", even though the exploit class is often UAF.)
Replying to @tehjh @qwertyoruiopz
Classifying in terms of memory safety flaws and memory safety violations is another way to think about it, e.g. a flaw gives rise to an initial violation, which can then give rise to other violations. Some past taxonomy musings here, starting on slide 8ish: https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2012_10_Breakpoint/BreakPoint2012_Miller_Modeling_the_exploitation_and_mitigation_of_memory_safety_vulnerabilities.pdf
UAF can also be conceptualized as an instance of uninitialized use, where the first step in exploitation is transitioning to an initialized state before the use (whether by directly controlling the memory content or not).
Replying to @epakskape @qwertyoruiopz
I don't like "uninitialized", but I vaguely agree, except that I think the type of flaw should be defined more widely, such that it captures not just uninitialized objects but objects that have transitioned into another state in general,
e.g. accessing an object that is in the process of being destroyed, or using a page as a page table after it has changed to a user-writable page.