diff --git a/SUMMARY.md b/SUMMARY.md index 447263f..e94f29a 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -223,7 +223,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis](doc/8.25_angr.md) * [8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution](doc/8.26_driller.md) * [8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](doc/8.27_firmalice.md) - * [8.28 Cross-Architecture Bug Search in Binary Executables](doc/8.28_cross_arch_bug_search.md) + * [8.28 Cross-Architecture Bug Search in Binary Executables](doc/8.28_cross_arch_bug.md) * [8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data](doc/8.29_dynamic_hooks.md) * [8.30 Preventing brute force attacks against stack canary protection on networking servers](doc/8.30_prevent_brute_force_canary.md) * [8.31 WYSINWYX What You See Is Not What You eXecute](doc/8.31_wysinwyx.md) @@ -239,6 +239,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time](doc/8.41_intpatch.md) * [8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](doc/8.42_taintcheck.md) * [8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation](doc/8.43_dta++.md) + * [8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics](doc/8.44_multiverse.md) * [九、附录](doc/9_appendix.md) * [9.1 更多 Linux 工具](doc/9.1_Linuxtools.md) * [9.2 更多 Windows 工具](doc/9.2_wintools.md) diff --git a/doc/5.3.1_angr.md b/doc/5.3.1_angr.md index 6d24ba1..3543278 100644 --- a/doc/5.3.1_angr.md +++ b/doc/5.3.1_angr.md @@ -8,7 +8,7 @@ - [求解器引擎](#求解器引擎) - [程序状态](#程序状态) - [模拟管理器](#模拟管理器) - - [VEX IR 翻译器](#vex-ir-翻译) + - [VEX IR 翻译器](#vex-ir-翻译器) - [扩展工具](#扩展工具) - [CTF 实例](#ctf-实例) - [参考资料](#参考资料) 
@@ -783,7 +783,7 @@ t1 'Ijk_Ret' ``` -到这里 angr 的核心概念就介绍得差不多了,更多更详细的内容还是推荐查看官方教程和 API 文档。 +到这里 angr 的核心概念就介绍得差不多了,更多更详细的内容还是推荐查看官方教程和 API 文档。另外在我的博客里有 angr 源码分析的笔记。 ## 扩展工具 diff --git a/doc/8.10_aeg.md b/doc/8.10_aeg.md index 512c724..4729623 100644 --- a/doc/8.10_aeg.md +++ b/doc/8.10_aeg.md @@ -1,6 +1,8 @@ # 8.10 AEG: Automatic Exploit Generation +论文:http://security.ece.cmu.edu/aeg/aeg-current.pdf + ## 简介 - 这篇论文向我们展示了如何将控制流劫持攻击的漏洞利用生成模型化为一个形式化验证问题。 - 提出了预处理符号执行,这是一种新的符号执行技术。 diff --git a/doc/8.11_aslp.md b/doc/8.11_aslp.md index 9131105..469a95b 100644 --- a/doc/8.11_aslp.md +++ b/doc/8.11_aslp.md @@ -1 +1,6 @@ # 8.11 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software + + +论文:https://www.acsac.org/2006/papers/44.pdf + +## 简介 diff --git a/doc/8.12_aslr_on_the_line.md b/doc/8.12_aslr_on_the_line.md index befa072..e6bdd63 100644 --- a/doc/8.12_aslr_on_the_line.md +++ b/doc/8.12_aslr_on_the_line.md @@ -1 +1,6 @@ # 8.12 ASLR on the Line: Practical Cache Attacks on the MMU + + +论文:https://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf + +## 简介 diff --git a/doc/8.13_reverse_engineering.md b/doc/8.13_reverse_engineering.md index b82008f..177a9ce 100644 --- a/doc/8.13_reverse_engineering.md +++ b/doc/8.13_reverse_engineering.md @@ -1,6 +1,8 @@ # 8.13 New Frontiers of Reverse Engineering +论文:http://reversingproject.info/project_repository/reversing_references/pdf/new_frontiers_of_reverse_engineering.pdf + ## What is your take-away message from this paper? This paper briefly presents an overview of the field of reverse engineering, reviews main achievements and areas of application, and highlights key open research issues for the future. diff --git a/doc/8.14_detecting_memory_allocators.md b/doc/8.14_detecting_memory_allocators.md index fcdf0d5..6ab90dd 100644 --- a/doc/8.14_detecting_memory_allocators.md +++ b/doc/8.14_detecting_memory_allocators.md 
@@ -1 +1,6 @@ # 8.14 Who Allocated My Memory? Detecting Custom Memory Allocators in C Binaries + + +论文:https://www.cs.vu.nl/~herbertb/papers/membrush_wcre13.pdf + +## 简介 diff --git a/doc/8.15_emu_vs_real.md b/doc/8.15_emu_vs_real.md index 8397375..d0ee817 100644 --- a/doc/8.15_emu_vs_real.md +++ b/doc/8.15_emu_vs_real.md @@ -1,6 +1,8 @@ # 8.15 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning +论文:https://pure.qub.ac.uk/portal/files/127232616/IWSPA_codaspy_2017.pdf + ## What is your take-away message from this paper? The authors present an investigation of machine learning based malware detection using dynamic analysis on real devices. diff --git a/doc/8.16_dynalog.md b/doc/8.16_dynalog.md index b4aea48..957e41b 100644 --- a/doc/8.16_dynalog.md +++ b/doc/8.16_dynalog.md @@ -1,6 +1,8 @@ # 8.16 DynaLog: An automated dynamic analysis framework for characterizing Android applications +论文:https://pure.qub.ac.uk/portal/files/93998809/DynaLog_2016.pdf + ## What is your take-away message from this paper? The authors presented DynaLog, a framework that enable automated mass dynamic analysis of applications in order to characterize them for analysis and potential detection of malicious behaviour. diff --git a/doc/8.17_actual_permissions.md b/doc/8.17_actual_permissions.md index 64b10a5..2264976 100644 --- a/doc/8.17_actual_permissions.md +++ b/doc/8.17_actual_permissions.md @@ -1,6 +1,8 @@ # 8.17 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls +论文:http://waset.org/publications/10005499 + ## What is your take-away message from this paper? The paper put forward a machine learning detection method that based on the actually used Permissions Combination and API calls. diff --git a/doc/8.18_malware_markov.md b/doc/8.18_malware_markov.md index 6009977..a2cc5c7 100644 --- a/doc/8.18_malware_markov.md +++ b/doc/8.18_malware_markov.md 
@@ -1,6 +1,8 @@ # 8.18 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models +论文:http://discovery.ucl.ac.uk/1532047/1/Stringhini_mamadroid.pdf + ## What is your take-away message from this paper? This paper presented an Android malware detection system based on modeling the sequences of API calls as Markov chains. diff --git a/doc/8.19_droidnative.md b/doc/8.19_droidnative.md index dc82c8a..9bb367d 100644 --- a/doc/8.19_droidnative.md +++ b/doc/8.19_droidnative.md @@ -1,6 +1,8 @@ # 8.19 DroidNative: Semantic-Based Detection of Android Native Code Malware +论文:http://pages.cs.wisc.edu/~vrastogi/static/papers/aqrcr17.pdf + ## What is your take-away message from this paper? The paper proposed DroidNative for detection of both bytecode and native code Android malware variants. diff --git a/doc/8.1_ret2libc_without_calls.md b/doc/8.1_ret2libc_without_calls.md index 890f92a..b6bf655 100644 --- a/doc/8.1_ret2libc_without_calls.md +++ b/doc/8.1_ret2libc_without_calls.md @@ -1,6 +1,8 @@ # 8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) +论文:https://hovav.net/ucsd/dist/geometry.pdf + ## 简介 论文提出了一种 return-into-libc 的攻击方法,以对抗针对传统代码注入攻击的防御技术(W⊕X)。它不会调用到完整的函数,而是通过将一些被称作 gadgets 的指令片段组合在一起,形成指令序列,以达到任意代码执行的效果。这一技术为返回导向编程(Return-Oriented Programming)奠定了基础。 diff --git a/doc/8.20_droidanalytics.md b/doc/8.20_droidanalytics.md index ff18986..edd658d 100644 --- a/doc/8.20_droidanalytics.md +++ b/doc/8.20_droidanalytics.md 
@@ -1,6 +1,8 @@ # 8.20 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware +论文:https://www.cse.cuhk.edu.hk/~cslui/PUBLICATION/TRUST13DROIDANALYTICS.pdf + ## What is your take-away message from this paper? The authors present DroidAnalytics, an Android malware analytic system for malware collection, signature generation, information retrieval, and malware association based on similarity score. Furthermore, DroidAnalytics can efficiently detect zero-day repackaged malware. diff --git a/doc/8.21_tracing_to_detect_spraying.md b/doc/8.21_tracing_to_detect_spraying.md index 9a9fcd8..9d40522 100644 --- a/doc/8.21_tracing_to_detect_spraying.md +++ b/doc/8.21_tracing_to_detect_spraying.md @@ -1 +1,6 @@ # 8.21 Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks + + +论文:https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cristalli.pdf + +## 简介 diff --git a/doc/8.22_memory_checking.md b/doc/8.22_memory_checking.md index 5fd8f66..e13d1c6 100644 --- a/doc/8.22_memory_checking.md +++ b/doc/8.22_memory_checking.md @@ -1 +1,6 @@ # 8.22 Practical Memory Checking With Dr. Memory + + +论文:http://groups.csail.mit.edu/commit/papers/2011/bruening-cgo11-drmemory.pdf + +## 简介 diff --git a/doc/8.23_current_anti-rop.md b/doc/8.23_current_anti-rop.md index 07dcb2c..d187531 100644 --- a/doc/8.23_current_anti-rop.md +++ b/doc/8.23_current_anti-rop.md @@ -1 +1,6 @@ # 8.23 Evaluating the Effectiveness of Current Anti-ROP Defenses + + +论文:https://www.syssec.rub.de/media/emma/veroeffentlichungen/2014/05/09/TR-HGI-2014-001_1_1.pdf + +## 简介 diff --git a/doc/8.24_runtime_re-randomization.md b/doc/8.24_runtime_re-randomization.md index c09e770..51d49d3 100644 --- a/doc/8.24_runtime_re-randomization.md +++ b/doc/8.24_runtime_re-randomization.md 
@@ -1 +1,6 @@ # 8.24 How to Make ASLR Win the Clone Wars: Runtime Re-Randomization + + +论文:https://www.cs.umd.edu/class/fall2017/cmsc818O/papers/aslr-clone-wars.pdf + +## 简介 diff --git a/doc/8.25_angr.md b/doc/8.25_angr.md index d1252d0..b40723f 100644 --- a/doc/8.25_angr.md +++ b/doc/8.25_angr.md @@ -1,5 +1,8 @@ # 8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis + +论文:https://www.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf + ## 简介 这篇文章提出了一个二进制分析框架,并实现了许多现有的分析技术。通过将这些技术系统化地实现,可以让其他研究人员直接利用并开发新的技术。此外,在统一框架中实现这些技术可以更直接地进行比较,并确定各自的优缺点。 diff --git a/doc/8.26_driller.md b/doc/8.26_driller.md index 0c682a7..0125458 100644 --- a/doc/8.26_driller.md +++ b/doc/8.26_driller.md @@ -1,6 +1,8 @@ # 8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution +论文:http://cs.ucsb.edu/~chris/research/doc/ndss16_driller.pdf + ## 简介 这篇文章提出了 Driller,这是一种混合漏洞挖掘工具,它以互补的方式将模糊测试和选择性混合执行结合起来,以发现隐藏更深的漏洞。模糊测试用于探索程序空间的不同区间,并使用混合执行来生成满足不同区间的输入。 diff --git a/doc/8.27_firmalice.md b/doc/8.27_firmalice.md index 82eb7a2..ccf676c 100644 --- a/doc/8.27_firmalice.md +++ b/doc/8.27_firmalice.md @@ -1,6 +1,8 @@ # 8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware +论文:https://seclab.cs.ucsb.edu/media/uploads/papers/firmalice.pdf + ## 简介 这篇文章提出了 Firmalice,一种二进制分析框架,以支持对嵌入式设备上所运行的固件进行分析。Firmalice 构建在符号执行引擎之上,并且提供了程序切片之类的技术来提高其可扩展性。此外,Firmalice 构建了一种新型的认证旁路漏洞模型,基于攻击者的能力来确定执行特权操作所需要的输入。 diff --git a/doc/8.28_cross_arch_bug.md b/doc/8.28_cross_arch_bug.md new file mode 100644 index 0000000..543b39c --- /dev/null +++ b/doc/8.28_cross_arch_bug.md @@ -0,0 +1,10 @@ +# 8.28 Cross-Architecture Bug Search in Binary Executables + + +论文:https://christian-rossow.de/publications/crossarch-ieee2015.pdf + +## 简介 + +## 方法 + +## 实现 diff --git a/doc/8.28_cross_arch_bug_search.md b/doc/8.28_cross_arch_bug_search.md deleted file mode 100644 index 9eb875d..0000000 --- a/doc/8.28_cross_arch_bug_search.md +++ /dev/null 
@@ -1 +0,0 @@ -# 8.28 Cross-Architecture Bug Search in Binary Executables diff --git a/doc/8.29_dynamic_hooks.md b/doc/8.29_dynamic_hooks.md index 61bda77..f744735 100644 --- a/doc/8.29_dynamic_hooks.md +++ b/doc/8.29_dynamic_hooks.md @@ -1 +1,6 @@ # 8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data + + +论文:https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-vogl.pdf + +## 简介 diff --git a/doc/8.2_rop_without_ret.md b/doc/8.2_rop_without_ret.md index 0d03396..810ed01 100644 --- a/doc/8.2_rop_without_ret.md +++ b/doc/8.2_rop_without_ret.md @@ -1,6 +1,8 @@ # 8.2 Return-Oriented Programming without Returns +论文:https://www2.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf + ## 简介 论文提出了一种不依赖于使用 return 指令的 ROP 技术。这种攻击方法是在 libc 中找到一些特定的指令序列,来替代 return 指令,完成和 return 同样的工作。这些指令具备图灵完备性,已经在 (x86)Linux 和 (ARM)Android 中被证实。 diff --git a/doc/8.30_prevent_brute_force_canary.md b/doc/8.30_prevent_brute_force_canary.md index 5af97a0..5ccb728 100644 --- a/doc/8.30_prevent_brute_force_canary.md +++ b/doc/8.30_prevent_brute_force_canary.md @@ -1 +1,6 @@ # 8.30 Preventing brute force attacks against stack canary protection on networking servers + + +论文:http://hmarco.org/data/Preventing_brute_force_attacks_against_stack_canary_protection_on_networking_servers.pdf + +## 简介 diff --git a/doc/8.31_wysinwyx.md b/doc/8.31_wysinwyx.md index eb0473d..21ba4b0 100644 --- a/doc/8.31_wysinwyx.md +++ b/doc/8.31_wysinwyx.md @@ -1 +1,6 @@ # 8.31 WYSINWYX What You See Is Not What You eXecute + + +论文:http://research.cs.wisc.edu/wpis/papers/wysinwyx.final.pdf + +## 简介 diff --git a/doc/8.32_mayhem.md b/doc/8.32_mayhem.md index 4ee7987..959f76f 100644 --- a/doc/8.32_mayhem.md +++ b/doc/8.32_mayhem.md @@ -1 +1,6 @@ # 8.32 Unleashing MAYHEM on Binary Code + + +论文:http://www.cse.psu.edu/~trj1/cse597-s13/docs/binary_mayhem_oakland_12.pdf + +## 简介 diff --git a/doc/8.33_ucklee.md b/doc/8.33_ucklee.md index e2b250e..02d842b 100644 --- a/doc/8.33_ucklee.md 
+++ b/doc/8.33_ucklee.md @@ -1 +1,6 @@ # 8.33 Under-Constrained Symbolic Execution: Correctness Checking for Real Code + + +论文:https://cseweb.ucsd.edu/~dstefan/cse291-winter18/papers/ucklee.pdf + +## 简介 diff --git a/doc/8.34_veritesting.md b/doc/8.34_veritesting.md index 9815a8f..56010c6 100644 --- a/doc/8.34_veritesting.md +++ b/doc/8.34_veritesting.md @@ -1 +1,6 @@ # 8.34 Enhancing Symbolic Execution with Veritesting + + +论文:https://users.ece.cmu.edu/~aavgerin/papers/veritesting-icse-2014.pdf + +## 简介 diff --git a/doc/8.35_q.md b/doc/8.35_q.md index 47c3f16..69ae7c6 100644 --- a/doc/8.35_q.md +++ b/doc/8.35_q.md @@ -1 +1,6 @@ # 8.35 Q: Exploit Hardening Made Easy + + +论文:http://static.usenix.org/legacy/events/sec11/tech/full_papers/Schwartz.pdf + +## 简介 diff --git a/doc/8.36_survey_symbolic_execution.md b/doc/8.36_survey_symbolic_execution.md index 6e16998..9c5e41a 100644 --- a/doc/8.36_survey_symbolic_execution.md +++ b/doc/8.36_survey_symbolic_execution.md @@ -1 +1,6 @@ # 8.36 A Survey of Symbolic Execution Techniques + + +论文:http://season-lab.github.io/papers/survey-symbolic-execution-preprint-CSUR18.pdf + +## 简介 diff --git a/doc/8.37_cute.md b/doc/8.37_cute.md index eb6e0e9..6154b7c 100644 --- a/doc/8.37_cute.md +++ b/doc/8.37_cute.md @@ -1 +1,6 @@ # 8.37 CUTE: A Concolic Unit Testing Engine for C + + +论文:http://mir.cs.illinois.edu/marinov/publications/SenETAL05CUTE.pdf + +## 简介 diff --git a/doc/8.38_tainteraser.md b/doc/8.38_tainteraser.md index bc57f1b..720813f 100644 --- a/doc/8.38_tainteraser.md +++ b/doc/8.38_tainteraser.md @@ -1 +1,6 @@ # 8.38 TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking + + +论文:http://people.eecs.berkeley.edu/~dawnsong/papers/2011%20tainteraser%20p142-zhu.pdf + +## 简介 diff --git a/doc/8.39_dart.md b/doc/8.39_dart.md index 5467412..eb9287a 100644 --- a/doc/8.39_dart.md +++ b/doc/8.39_dart.md 
@@ -1 +1,6 @@ # 8.39 DART: Directed Automated Random Testing + + +论文:https://web.eecs.umich.edu/~weimerw/2011-6610/reading/p213-godefroid.pdf + +## 简介 diff --git a/doc/8.3_rop_rootkits.md b/doc/8.3_rop_rootkits.md index 74d593a..c66f18e 100644 --- a/doc/8.3_rop_rootkits.md +++ b/doc/8.3_rop_rootkits.md @@ -1,6 +1,8 @@ # 8.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms +论文:https://www.usenix.org/legacy/event/sec09/tech/full_papers/hund.pdf + ## 简介 本论文设计并实现了一个能够自动化构建 ROP 指令序列的攻击系统。由于系统使用的指令序列来自内核已有的代码,而不需要进行代码注入,所以能够绕过内核代码完整性保护机制。 diff --git a/doc/8.40_exe.md b/doc/8.40_exe.md index 8f62e5e..8817605 100644 --- a/doc/8.40_exe.md +++ b/doc/8.40_exe.md @@ -1 +1,6 @@ # 8.40 EXE: Automatically Generating Inputs of Death + + +论文:https://web.stanford.edu/~engler/exe-ccs-06.pdf + +## 简介 diff --git a/doc/8.41_intpatch.md b/doc/8.41_intpatch.md index 13f0a2d..b391c7c 100644 --- a/doc/8.41_intpatch.md +++ b/doc/8.41_intpatch.md @@ -1 +1,6 @@ # 8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time + + +论文:https://llvm.org/pubs/2010-09-ESORICS-FixOverflows.pdf + +## 简介 diff --git a/doc/8.42_taintcheck.md b/doc/8.42_taintcheck.md index e3f38f4..1ca31b3 100644 --- a/doc/8.42_taintcheck.md +++ b/doc/8.42_taintcheck.md @@ -1 +1,6 @@ # 8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software + + +论文:http://valgrind.org/docs/newsome2005.pdf + +## 简介 diff --git a/doc/8.43_dta++.md b/doc/8.43_dta++.md index 541e943..1458631 100644 --- a/doc/8.43_dta++.md +++ b/doc/8.43_dta++.md @@ -1 +1,6 @@ # 8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation + + +论文:http://bitblaze.cs.berkeley.edu/papers/dta%2B%2B-ndss11.pdf + +## 简介 diff --git a/doc/8.44_multiverse.md b/doc/8.44_multiverse.md new file mode 100644 index 0000000..40e30fd --- /dev/null +++ b/doc/8.44_multiverse.md 
@@ -0,0 +1,6 @@ +# 8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics + + +http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_05A-4_Bauman_paper.pdf + +## 简介 diff --git a/doc/8.4_ropdefender.md b/doc/8.4_ropdefender.md index 297e4f3..6a737b5 100644 --- a/doc/8.4_ropdefender.md +++ b/doc/8.4_ropdefender.md @@ -1,6 +1,8 @@ # 8.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks +论文:https://www.ei.ruhr-uni-bochum.de/media/trust/veroeffentlichungen/2010/12/14/HGI-TR-2010-001.pdf + ## 简介 论文设计并实现了工具 ROPdefender,可以动态地检测传统的 ROP 攻击(基于return指令)。ROPdefender 可以由用户来执行,而不依赖于源码、调试信息等在现实中很难获得的信息。 diff --git a/doc/8.5_dop.md b/doc/8.5_dop.md index b0c769a..4e5af27 100644 --- a/doc/8.5_dop.md +++ b/doc/8.5_dop.md @@ -1,4 +1,6 @@ # 8.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks +论文:https://www.comp.nus.edu.sg/~shweta24/publications/dop_oakland16.pdf + ## 简介 diff --git a/doc/8.6_brop.md b/doc/8.6_brop.md index e9170f8..82b16d9 100644 --- a/doc/8.6_brop.md +++ b/doc/8.6_brop.md @@ -1 +1,6 @@ # 8.6 Hacking Blind + + +论文:http://www.scs.stanford.edu/~sorbo/brop/bittau-brop.pdf + +## 简介 diff --git a/doc/8.7_jit-rop_defenses.md b/doc/8.7_jit-rop_defenses.md index bcd6946..9da8452 100644 --- a/doc/8.7_jit-rop_defenses.md +++ b/doc/8.7_jit-rop_defenses.md @@ -1 +1,6 @@ # 8.7 What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses + + +论文:https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_maisuradze.pdf + +## 简介 diff --git a/doc/8.8_dta_and_fse.md b/doc/8.8_dta_and_fse.md index 44d769a..bbd0799 100644 --- a/doc/8.8_dta_and_fse.md +++ b/doc/8.8_dta_and_fse.md @@ -1 +1,6 @@ # 8.8 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask) + + +论文:https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf + +## 简介 
diff --git a/doc/8.9_symbolic_execution.md b/doc/8.9_symbolic_execution.md index 75df036..5b04c83 100644 --- a/doc/8.9_symbolic_execution.md +++ b/doc/8.9_symbolic_execution.md @@ -1,6 +1,8 @@ # 8.9 Symbolic Execution for Software Testing: Three Decades Later +论文:https://people.eecs.berkeley.edu/~ksen/papers/cacm13.pdf + ## 简介 近几年符号执行因其在生成高覆盖率的测试用例和发现复杂软件漏洞的有效性再次受人关注。这篇文章对现代符号执行技术进行了概述,讨论了这些技术在路径探索,约束求解和内存建模方面面临的主要挑战,并讨论了几个主要从作者自己的工作中获得的解决方案。 diff --git a/doc/8_academic.md b/doc/8_academic.md index 58f19d0..dd4c2ba 100644 --- a/doc/8_academic.md +++ b/doc/8_academic.md @@ -30,7 +30,7 @@ * [8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis](8.25_angr.md) * [8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution](8.26_driller.md) * [8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](8.27_firmalice.md) -* [8.28 Cross-Architecture Bug Search in Binary Executables](8.28_cross_arch_bug_search.md) +* [8.28 Cross-Architecture Bug Search in Binary Executables](8.28_cross_arch_bug.md) * [8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data](8.29_dynamic_hooks.md) * [8.30 Preventing brute force attacks against stack canary protection on networking servers](8.30_prevent_brute_force_canary.md) * [8.31 WYSINWYX What You See Is Not What You eXecute](8.31_wysinwyx.md) @@ -46,3 +46,4 @@ * [8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time](8.41_intpatch.md) * [8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](8.42_taintcheck.md) * [8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation](8.43_dta++.md) +* [8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics](8.44_multiverse.md)
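Review bot: In the new file doc/8.44_multiverse.md the paper link line is the only one in this patch without the `论文:` prefix; it reads `+http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_05A-4_Bauman_paper.pdf` while every other added file uses `论文:<url>`. Suggest `论文:http://wp.internetsociety.org/...` so the label is consistent and any tooling that greps for `论文:` picks it up.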
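Review bot: In doc/5.3.1_angr.md the added sentence "另外在我的博客里有 angr 源码分析的笔记" (translated: "there are also notes on the angr source code on my blog") gives no link, so a reader cannot follow it. Suggest appending the blog URL to the sentence, the same way the preceding sentence points at the official tutorial and API docs. The TOC anchor fix `#vex-ir-翻译` to `#vex-ir-翻译器` in the same file matches the heading text and looks correct.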
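Review bot: The one-line files (doc/8.11_aslp.md, 8.12_aslr_on_the_line.md, 8.14, 8.21 through 8.24, 8.29 through 8.43, 8.6, 8.7, 8.8) all gain the same three-part tail: two blank lines, `论文:<url>`, a blank line, then an empty `## 简介` heading. Two points: the double blank line after the title differs from the single blank line used in the files that already had a body (8.10, 8.13, 8.25, 8.26, 8.27) and trips the common markdownlint MD012 rule, so one blank line would be consistent; and `## 简介` (and in 8.28_cross_arch_bug.md also `## 方法` and `## 实现`) are empty headings that render as dangling section titles. If these are deliberate placeholders, a short "TODO" line under each, or omitting the headings until the text exists, keeps the rendered pages from looking broken.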
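Review bot: Several of the added `论文:` URLs point at course reading lists or third-party mirrors rather than the paper's canonical home, for example `https://www.cs.umd.edu/class/fall2017/cmsc818O/papers/aslr-clone-wars.pdf`, `https://cseweb.ucsd.edu/~dstefan/cse291-winter18/papers/ucklee.pdf`, `https://web.eecs.umich.edu/~weimerw/2011-6610/reading/p213-godefroid.pdf` and `http://valgrind.org/docs/newsome2005.pdf`. Course directories are routinely removed after the term ends, so these links will rot; suggest pointing at the venue's own PDF (USENIX, NDSS, IEEE/ACM DL) or the author's publication page, and using https where the host serves it (many of the added links, e.g. 8.10, 8.17, 8.30, 8.32, 8.35, 8.42, 8.43, are plain http).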
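Review bot: The 8.28 rename appears as a delete of doc/8.28_cross_arch_bug_search.md plus a new doc/8.28_cross_arch_bug.md, and both SUMMARY.md and doc/8_academic.md are updated to the new path, so no link is left dangling. Since the new filename drops the `_search` suffix while the chapter title still says "Bug Search", consider either keeping the longer name or noting the shortening in the commit message; doing the rename with `git mv` before adding content would also let git record it as a rename instead of a delete/add pair.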