Expedia: from software bug to customer service nightmare, a modern Odyssey
> Instead of keeping an account and my data private, Expedia created a fake account. Instead of deleting the fake account, Expedia deleted both accounts. Instead of reactivating the account I had to create a new account. Instead of adding points to the new account, Expedia deleted the new account again. After 30+ interactions over two months with the massively incompetent support, I lost about 10,000 points, my status, but received $75 and 3000 points (about $100 total) in compensation. Go Expedia!
The Fuzzing Hype-Train: How Random Testing Triggers Thousands of Crashes
> Despite massive efforts, finding and reproducing bugs is incredibly hard. Fuzzing is an efficient way of discovering security critical bugs by triggering exceptions such as crashes, memory corruption, or assertion failures automatically (or with a little help) and comes with a witness (proof of the vulnerability) that allows developers to reproduce the bug and fix it.
Automating data-only attacks through Block Oriented Programming (BOP)
> With the rise of strong control-flow defenses such as Control-Flow Integrity (CFI), attackers will increasingly resort to data-only attacks that can be equally powerful. Earlier research demonstrated that data-only attacks can be as devastating as control-flow hijacking attacks. So far, constructing data-only attacks was cumbersome and required deep manual analysis. We introduce the idea of Block-Oriented Programming (BOP) where, based on a C-like programming language and the help of constraint solving, we automatically synthesize data-only exploits that run arbitrary payloads on host programs.
A journey on evaluating Control-Flow Integrity (CFI): LLVM-CFI versus RAP
> This post started out of the need to provide a little more clarification after a long and heated discussion on Twitter (initial discussion and follow up) about the origins of Control-Flow Integrity (CFI), the contributions of academia, and the precision, performance, and compatibility of different existing implementations.
> CFI is a stop-the-exploit defense that protects the control-flow of processes in the presence of memory corruption. The threat model assumes that an attacker can modify (read, write, update) all of the address space according to the read/write permissions of the corresponding pages. The mitigation restricts execution to valid control flows by checking the targets of indirect control flow transfers (indirect calls and indirect jumps on the forward edge or function returns on the backward edge).
Panel “Exploit Mitigations: Completeness and Effectiveness versus Performance”
> As part of ESSoS ’17 we have organized a joint ESSoS/DIMVA panel on exploit mitigations, discussing the past, present, and future of mitigations. If we look at the statistics of reported memory corruptions we see an upward trend in the number of reported vulnerabilities. Given the success of contests such as pwn2own one might conclude that mitigations have not been effective, while in fact exploitation has become much harder and costly through the development of mitigations.