# Vulnerabilities and their mitigations

## Stack overruns

CWE-121: Stack-based Buffer Overflow

### Userland

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://seclists.org/fulldisclosure/2012/... | SafeSEH+SEHOP all-at-once bypass exploitation method principles | 10-01-2012 | x90c | Windows, x86-32 | N/A |
| 2 | http://blogs.msdn.com/b/sdl/archive/2012... | Enhancements to /GS in Visual Studio 11 | 26-01-2012 | Dave Ladd | Windows | N/A |
| 3 | https://community.rapid7.com/community/m... | Stack Smashing: When Code Execution Becomes a Nightmare | 06-07-2012 | Wei Chen | Windows, x86-32 | CVE-2012-0124 |
| 4 | https://community.rapid7.com/community/m... | The Stack Cookies Bypass on CVE-2012-0549 | 15-08-2012 | Juan Vazquez | Windows, x86-32 | CVE-2012-0549 |

### Kernel mode

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://j00ru.vexillium.org/?p=690 | Exploiting the otherwise non-exploitable: Windows Kernel-mode GS cookies subverted | 11-01-2011 | Mateusz ‘j00ru’ Jurczyk | Windows, x86-32 | CVE-2010-4398 |

### General

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://site.pi3.com.pl/papers/ASSP.pdf | Adventure with Stack Smashing Protector (SSP) | 11-11-2013 | Adam 'pi3' Zabrocki | Linux | N/A |
| 2 | http://wiki.osdev.org/Stack_Smashing_Protec... | Stack Smashing Protector | 22-10-2014 | (osdev.org) | - | N/A |

## Heap overruns

CWE-122: https://cwe.mitre.org/data/definitions/122.html

### Userland

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://www.symantec.com/connect/articles... | A new way to bypass Windows heap protections | 31-08-2005 | Nicolas Falliere | Windows XP SP2, x86-32 | N/A |
| 2 | http://blogs.technet.com/b/srd/archive/2... | Preventing the exploitation of user mode heap corruption vulnerabilities | 04-08-2009 | swiat | Windows | N/A |
| 3 | http://blogs.technet.com/b/srd/archive/2... | Software Defense: mitigating heap corruption vulnerabilities | 29-10-2013 | swiat | Windows | N/A |
| 4 | http://blog.lse.epita.fr/articles/74-get... | Getting back determinism in the Low Fragmentation Heap | 02-11-2014 | Bruno Pujos | Windows 8 | N/A |

### Kernel mode

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://blogs.technet.com/b/srd/archive/2... | Safe Unlinking in the Kernel Pool | 26-05-2012 | swiat | Windows | N/A |
| 2 | http://www.inertiawar.com/unlink/ | Windows 8 and Safe Unlinking in NTDLL | 14-07-2012 | Note | Windows | N/A |

## Static buffer overflows

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://em386.blogspot.com/2008/05/self-p... | Self Protecting Global Offset Table (GOT) | 24-04-2008 | Chris Rohlf | - | N/A |
| 2 | http://isisblogs.poly.edu/2011/06/01/rel... | RELRO: RELocation Read-Only | 01-06-2011 | Julian Cohen | Linux | N/A |

## Uninitialized data

CWE-824: https://cwe.mitre.org/data/definitions/824.html

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://blogs.msdn.com/b/sdl/archive/2012... | Guarding against uninitialized class member pointers | 08-03-2012 | Thomas Garnier | Windows | N/A |

## Lifetime issues

CWE-416: https://cwe.mitre.org/data/definitions/416.html
CWE-415: https://cwe.mitre.org/data/definitions/415.html

Use-after-free and double-free bugs.

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://blog.fortinet.com/post/is-use-aft... | Is use-after-free exploitation dead? The new IE memory protector will tell you | 16-06-2014 | Zhenhua 'Eric' Liu | Windows | N/A |
| 2 | http://researchcenter.paloaltonetworks.c... | Is It the Beginning of the End For Use-After-Free Exploitation? | 16-06-2014 | Tao Yan, Bo Qu, Royce Lu | Windows | N/A |
| 3 | http://blog.trendmicro.com/trendlabs-sec... | Mitigating UAF Exploits with Delay Free for Internet Explorer | 17-06-2014 | Jack Tang | Windows | N/A |
| 4 | https://labs.mwrinfosecurity.com/blog/20... | Isolated Heap & Friends - Object Allocation Hardening in Web Browsers | 20-06-2014 | mwrinfosecurity.com | - | N/A |
| 5 | http://blog.trendmicro.com/trendlabs-sec... | Isolated Heap for Internet Explorer Helps Mitigate UAF Exploits | 01-07-2014 | Jack Tang | Windows | N/A |
| 6 | http://h30499.www3.hp.com/t5/HP-Security... | Efficacy of MemoryProtection against use-after-free vulnerabilities | 28-07-2014 | Simon Zuckerbraun | Windows | N/A |
| 7 | http://securityintelligence.com/understa... | Understanding IE’s New Exploit Mitigations: The Memory Protector and the Isolated Heap | 29-08-2014 | Mark Yason | Windows | N/A |
| 8 | https://web.archive.org/web/201411020020... | USE-AFTER-FREE NOT DEAD IN INTERNET EXPLORER: PART 1 | 13-10-2014 | k33nteam | Windows 8.1 | MS14-056 |
| 9 | http://h30499.www3.hp.com/hpeb/attachmen... | New directions in use-after-free mitigations | 18-10-2014 | HP Security | Windows | N/A |
| 10 | http://blog.trendmicro.com/trendlabs-sec... | Windows 10 Sharpens Browser Security With Microsoft Edge | 21-07-2015 | Henry Li | Windows | N/A |
| 11 | http://blogs.360.cn/360safe/2016/06/17/a... | A Quick Look at the Flash Memory Protector | 17-06-2016 | yukichen | - | N/A |

## NULL-pointer

CWE-476: https://cwe.mitre.org/data/definitions/476.html

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://web.archive.org/web/201209131910... | Locking Down the Windows Kernel: Mitigating Null Pointer Exploitation | 07-07-2011 | Tarjei (kernelpool) Mandt | Windows | N/A |

## Integer bugs

CWE-189: https://cwe.mitre.org/data/definitions/189.html

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://forums.grsecurity.net/viewtopic.p... | Inside the Size Overflow Plugin | 28-08-2012 | ephox | - | N/A |

# Exploitation techniques and their mitigations

## Return Oriented Exploitation

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://grsecurity.net/rap_faq.php | Frequently Asked Questions About RAP | xx-xx-2016 | ? | Linux | N/A |

# Hardenings and their bypasses

## Address Space Layout Randomization (ASLR)

### Userland

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://web.archive.org/web/201001020008... | Attacking ASLR on Linux 2.6 | 27-05-2009 | drraid | Linux | N/A |
| 2 | http://recxltd.blogspot.com/2011/12/curi... | The Curious Case of VirtualAlloc, ASLR and an SDL | 13-12-2011 | Ollie | Windows | N/A |
| 3 | http://blog.duosecurity.com/2012/02/a-lo... | A look at ASLR in Android Ice Cream Sandwich 4.0 | 17-02-2012 | Jon Oberheide | Android | N/A |
| 4 | http://recxltd.blogspot.com/2012/03/part... | A Partial Technique Against ASLR - Multiple O/Ss | 02-03-2012 | Ollie | Windows, x86-32 | N/A |
| 5 | http://blog.ptsecurity.com/2012/12/windo... | Windows 8 ASLR Internals | 04-12-2012 | Artem Shishkin, Ilya Smith | Windows 8 | N/A |
| 6 | http://kingcope.wordpress.com/2013/01/24... | Attacking the Windows 7/8 Address Space Randomization | 24-01-2013 | kingcope | Windows 7/8 | N/A |
| 7 | http://www.fireeye.com/blog/technical/cy... | ASLR Bypass Apocalypse in Recent Zero-Day Exploits | 15-10-2013 | Xiaobo Chen | Windows | CVE-2013-0640, CVE-2013-0634, CVE-2013-3163, CVE-2013-1690, CVE-2013-1493 |
| 8 | https://www.cert.org/blogs/certcc/post.c... | Differences Between ASLR on Windows and Linux | 10-02-2014 | Will Dormann | Windows | N/A |
| 9 | http://ly0n.me/2015/07/30/bypass-aslr-wi... | Bypass ASLR with partial EIP overwrite | 30-06-2015 | ly0n | Windows | CVE-2007-0038 |
| 10 | http://www.greyhathacker.net/?p=894 | Bypassing Windows ASLR in Microsoft Office using ActiveX controls | 04-12-2015 | Parvez | Windows | N/A |
| 11 | https://www.vusec.net/projects/anc/, http://www.cs.vu.nl/~herbertb/download/p... | The AnC attack | xx-xx-2017 | VUSec | - | N/A |

### Kernel mode (KASLR)

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://dl.packetstormsecurity.net/pap... | Bypassing Windows 7 Kernel ASLR | 11-10-2011 | Stefan Le Berre | Windows, x86-32 | N/A |
| 2 | http://shell-storm.org/blog/ASLR-impleme... | ASLR implementation in Linux Kernel 3.7 | 19-01-2013 | Jonathan Salwan | Linux | N/A |
| 3 | http://forums.grsecurity.net/viewtopic.p... | KASLR: An Exercise in Cargo Cult Security | 20-03-2013 | spender | - | N/A |
| 4 | http://www.alex-ionescu.com/?p=82 | KASLR Bypass Mitigations in Windows 8.1 | 17-11-2013 | Alex Ionescu | Windows 8.1 | N/A |
| 5 | http://labs.bromium.com/2014/10/27/tsx-i... | TSX improves timing attacks against KASLR | 27-10-2014 | Rafal Wojtczuk | N/A | N/A |
| 6 | https://copperhead.co/2015/05/11/aslr-an... | The State of ASLR on Android Lollipop | 11-05-2015 | Daniel Micay | Android 5.0.1 | N/A |
| 7 | https://marcograss.github.io/security/li... | Exploiting a Linux Kernel Infoleak to bypass Linux kASLR | 24-01-2016 | Marco Grassi | Linux | N/A |
| 8 | http://dreamsofastone.blogspot.de/2016/... | Breaking KASLR with micro architecture Part 1 | 20-02-2016 | Anders Fogh | - | N/A |

### General

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://www.blackhat.com/docs/eu-15/mate | Silently Breaking ASLR In The Cloud | 11-11-2015 | Antonio Barresi, Kaveh Razavi, Mathias Payer, Thomas R. Gross | VM | |

## Data Execution Prevention (DEP)

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://docs.google.com/viewer?a=v&pid=e... | x86-64 buffer overflow exploits and the borrowed code chunks | 28-09-2005 | Sebastian Krahmer | Linux x86-64 | N/A |
| 2 | http://www.uninformed.org/?v=2&a=4 | Bypassing Windows Hardware-enforced Data Execution Prevention | 02-10-2005 | Matt (skape) Miller | Windows, x86-32 | OSVDB-875 |
| 3 | http://cseweb.ucsd.edu/~hovav/papers/s07... | The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) | xx-10-2007 | Hovav Shacham | x86 | N/A |
| 4 | http://www.packetstormsecurity.org/paper... | Bypassing hardware based DEP on Windows Server 2003 SP2 | 10-06-2009 | David Kennedy | Windows, x86-32 | N/A |
| 5 | http://bernardodamele.blogspot.com/2009/... | DEP bypass with SetProcessDEPPolicy() | 09-12-2009 | Bernardo Damele | Windows, x86-32 | N/A |
| 6 | http://vrt-blog.snort.org/2009/12/dep-an... | DEP and Heap Sprays | 17-12-2009 | Lurene Grenier | Windows | N/A |
| 7 | http://blog.zynamics.com/2010/03/12/a-ge... | A gentle introduction to return-oriented programming | 12-03-2010 | Tim Kornau | x86 | N/A |
| 8 | http://archives.neohapsis.com/archives/f... | Exploitation With WriteProcessMemory()/Yet Another DEP Trick | xx-03-2010 | Spencer Pratt | Windows | N/A |
| 9 | http://blog.harmonysecurity.com/2010/04/... | A little return oriented exploitation on Windows x86 (Part 1) | 12-04-2010 | Stephen Fewer | Windows, x86-32 | CVE-2010-0838 |
| 10 | http://blog.harmonysecurity.com/2010/04/... | A little return oriented exploitation on Windows x86 (Part 2) | 16-04-2010 | Stephen Fewer | Windows, x86-32 | N/A |
| 11 | https://web.archive.org/web/201207070114... | Advanced Return-Oriented Exploit | 05-05-2010 | funkyG | Linux, x86-32 | N/A |
| 12 | http://www.corelan.be:8800/index.php/201... | Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube | 16-06-2010 | corelanc0d3r | Windows, x86-32 | N/A |
| 13 | http://eticanicomana.blogspot.com/2010/0... | The so called Return Oriented Programming... | 21-06-2010 | Nicolas Waisman | Windows, x86-32 | N/A |
| 14 | http://www.exploit-db.com/osx-rop-exploi... | OSX ROP Exploit – EvoCam Case Study | 06-07-2010 | muts | Mac | OSVDB-65043 |
| 15 | http://repository.root-me.org/Exploit... | Payload already inside: data reuse for rop exploits | 28-07-2010 | longld | Linux x86 | N/A |
| 16 | http://www.vnsecurity.net/research/2010/... | Simple Mac ret2libc exploit (x86) | 05-10-2010 | longld | Mac, x86-32 | N/A |
| 17 | http://vulnfactory.org/blog/2011/09/21/d... | Defeating Windows 8 ROP Mitigation | 21-09-2011 | Dan Rosenberg | Windows 8 | N/A |
| 18 | http://www.exploit-monday.com/2011/11/ma... | Man vs. ROP - Overcoming Adversity One Gadget at a Time | 14-11-2011 | Matt Graeber | Windows, x86-32 | N/A |
| 19 | https://web.archive.org/web/201201200400... | Advanced Generic ROP chain for Windows 8 | 16-11-2011 | Le Manh Tung | Windows 8 | CVE-2011-0065 |
| 20 | http://www.accuvant.com/blog/2011/12/01/... | Measure Twice, Cut Once | 01-12-2011 | Accuvant LABS R&D Team | Windows | N/A |
| 21 | http://codearcana.com/posts/2013/05/28/i... | Introduction to return oriented programming (ROP) | 28-05-2013 | Alex Reece | Linux | N/A |
| 22 | https://codeinsecurity.wordpress.com/201... | W^X policy violation affecting all Windows drivers compiled in Visual Studio 2013 and previous | 03-09-2015 | Graham Sutherland | Windows | N/A |
| 23 | https://jandemooij.nl/blog/2015/12/29/wx... | W^X JIT-code enabled in Firefox | 29-12-2015 | jandem | - | N/A |
| 24 | https://rh0dev.github.io/blog/2017/the-r... | The Return of the JIT (Part 1) | 13-07-2017 | Rh0 | - | CVE-2017-5375, CVE-2017-5400 |
| 25 | https://rh0dev.github.io/blog/2017/the-r... | The Return of the JIT (Part 2) | 17-07-2017 | Rh0 | - | CVE-2017-5375, CVE-2017-5400 |

## Return-Oriented-Programming (ROP) mitigations

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://www.kryptoslogic.com/download/ROP... | Security Mitigations for Return-Oriented Programming Attacks | 20-08-2010 | Piotr Bania | Windows | N/A |
| 2 | http://c0decstuff.blogspot.com.es/2012/1... | Defeating Windows 8 ROP Mitigation | 19-12-2012 | c0decstuff | Windows 8 | N/A |
| 3 | http://blog.talosintelligence.com/2016/0... | Research Spotlight: ROPMEMU - A Framework for the Analysis of Complex Code-Reuse Attacks | 01-06-2016 | Mariano Graziano | - | N/A |

## Export Address Table Access Filtering (EAF)

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://www.greyhathacker.net/?p=483 | Bypassing EMET’s EAF with custom shellcode using kernel pointer | 19-12-2011 | Parvez | Windows, x86-32 | CVE-2010-3654 |
| 2 | http://piotrbania.com/all/articles/anti_... | BYPASSING EMET Export Address Table Access Filtering feature | 19-01-2012 | Piotr Bania | Windows, x86-32 | N/A |
| 3 | http://scrammed.blogspot.de/2014/03/reve... | Reversing EMET's EAF (and a couple of curious findings...) | 20-03-2014 | giulia | Windows | N/A |
| 4 | http://tekwizz123.blogspot.de/2015/01/by... | An Theoretical Approach to Getting Around EMET's EAF Protection | 18-01-2015 | tekwizz | Windows | N/A |

## Control Flow Integrity / Control Flow Guard

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://blogs.msdn.com/b/vcblog/archive/2... | Visual Studio 2015 Preview: Work-in-Progress Security Feature | 08-12-2014 | Jim Hogg | Windows | N/A |
| 2 | http://blog.trendmicro.com/trendlabs-sec... | Exploring Control Flow Guard in Windows 10 | 30-01-2015 | Jack Tang | Windows 10 | N/A |
| 3 | https://blog.coresecurity.com/2015/03/25/... | Exploiting CVE-2015-0311, Part II: Bypassing Control Flow Guard on Windows 8.1 Update 3 | 25-03-2015 | Francisco Falcón | Windows 8.1 | CVE-2015-0311 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0311) |
| 4 | http://sjc1-te-ftp.trendmicro.com/assets/wp... | Exploring Control Flow Guard in Windows 10 | xx-05-2015 | Jack Tang | Windows | N/A |
| 5 | http://research.microsoft.com/pubs/64250/cc... | Control-Flow Integrity: Principles, Implementations, and Applications | 11-07-2015 | Martín Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti | - | N/A |
| 6 | http://labs.bromium.com/2015/09/28/an-int... | An interesting detail about Control Flow Guard | 28-09-2015 | Rafal Wojtczuk | Windows | N/A |
| 7 | http://xlab.tencent.com/en/2016/01/04/use... | Use Chakra engine again to bypass CFG | 04-01-2016 | exp-sky | Windows | N/A |
| 8 | https://securingtomorrow.mcafee.com/mcafe... | Microsoft’s June Patch Kills Potential CFG Bypass | 16-06-2016 | Bing Sun | Windows | N/A |
| 9 | https://blog.trailofbits.com/2016/10/17/l... | Let’s talk about CFI: clang edition | 17-10-2016 | Artem Dinaburg | - | N/A |
| 10 | http://theori.io/research/chakra-jit-cfg-... | CHAKRA JIT CFG BYPASS | 14-12-2016 | Theori | Windows | MS16-119 |
| 11 | https://improsec.com/blog//bypassing-cont... | Bypassing Control Flow Guard in Windows 10 | 16-01-2017 | Morten Schenk | Windows | N/A |
| 12 | https://improsec.com/blog//bypassing-cont... | Bypassing Control Flow Guard in Windows 10 - Part II | 23-01-2017 | Morten Schenk | Windows | N/A |
| 13 | https://forums.grsecurity.net/viewtopic.p... | Close, but No Cigar: On the Effectiveness of Intel's CET Against Code Reuse Attacks | 12-06-2017 | PaX Team | - | N/A |

## Mitigations Against Use-After-Free

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://h30499.www3.hp.com/hpeb/attachments/... | Abusing Silent Mitigations: Understanding weaknesses within Internet Explorer’s Isolated Heap and MemoryProtection | 19-06-2015 | Abdul-Aziz Hariri, Simon Zuckerbraun, Brian Gorenc | Windows | N/A |
| 2 | http://googleprojectzero.blogspot.de/2015/0... | Dude, where’s my heap? | 15-06-2015 | Ivan Fratric | Windows | N/A |

## Arbitrary Code Guard

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://bugs.chromium.org/p/project-zero... | Microsoft Edge: ACG bypass using DuplicateHandle | 16-06-2017 | Ivan Fratric | Windows | N/A |

## Return Flow Guard

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://xlab.tencent.com/en/2016/11/02/re... | Return Flow Guard | 02-11-2016 | Tencent | Windows | N/A |
| 2 | https://forums.grsecurity.net/viewtopic.... | Close, but No Cigar: On the Effectiveness of Intel's CET Against Code Reuse Attacks | 12-06-2016 | PaX Team | - | N/A |

## Information Leak Mitigations

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://copperhead.co/blog/2016/09/20/me... | Memory disclosure mitigations in CopperheadOS | 20-09-2016 | Daniel Micay | CopperheadOS | N/A |

## Multiple mitigations discussed

### Userland

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://www.azimuthsecurity.com/resources/... | Bypassing Browser Memory Protections | 07-08-2008 | Alex Sotirov, Mark Dowd | Windows, x86-32 | N/A |
| 2 | https://www.blackhat.com/presentations/b... | Buffer overflows on linux-x86-64 | 22-01-2009 | Hagen Fritsch | Linux, x86-64 | N/A |
| 3 | http://www.corelan.be/index.php/200... | Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR | 12-09-2009 | corelanc0d3r | Windows, x86-32 | CVE-2006-6199 |
| 4 | https://docs.google.com/viewer?a=v&pid=e... | Bypassing ASLR and DEP under Windows | 17-06-2010 | mr_me | Windows, x86-32 | N/A |
| 5 | https://labs.mwrinfosecurity.com/blog/2010... | Assessing the Tux Strength: Part 1 - Userspace Memory Protection | 29-07-2010 | ? | Linux | N/A |
| 6 | http://blogs.technet.com/b/srd/archive/2... | On the effectiveness of DEP and ASLR | 08-12-2010 | swiat | Windows | N/A |
| 7 | http://msdn.microsoft.com/en-us/library/... | Windows ISV Software Security Defenses | xx-12-2010 | Michael Howard, Matt Miller, John Lambert, Matt Thomlinson | Windows | N/A |
| 8 | http://www.secfence.com/whitepapers/Whit... | Bypassing ASLR/DEP | 25-09-2011 | Vinay Katoch | Windows, x86-32 | CVE-2011-0065 |
| 9 | http://www.microsoft.com/download/en/det... | Mitigating Software Vulnerabilities | 12-07-2011 | Matt Miller, Tim Burrell, Michael Howard | Windows | N/A |
| 10 | http://forums.grsecurity.net/viewtopic.p... | Recent Advances: How We Learn From Exploits | 15-02-2012 | spender | Linux | N/A |
| 11 | http://blogs.msdn.com/b/ie/archive/2012/... | Enhanced Memory Protections in IE10 | 13-03-2012 | Forbes Higman | Windows | N/A |
| 12 | http://esec-lab.sogeti.com/post/Bypassin... | Bypassing ASLR and DEP on Adobe Reader X | 22-06-2012 | guillaume | Windows, x86-32 | N/A |
| 13 | http://security.stackexchange.com/questi... | How do ASLR and DEP work? | 12-08-2012 | polynomial | - | N/A |
| 14 | http://blogs.technet.com/b/srd/archive/2... | Software defense: safe unlinking and reference count hardening | 06-11-2013 | swiat | Windows | N/A |
| 15 | http://bromiumlabs.files.wordpress.com/2... | BYPASSING EMET 4.1 | xx-02-2014 | Jared DeMott | Windows | N/A |
| 16 | http://www.contextis.com/resources/blog/... | Bypassing Windows 8.1 Mitigations using Unsafe COM Objects | 15-06-2014 | James Forshaw | Windows 8.1 | N/A |
| 17 | http://www.offensive-security.com/vulnde... | Disarming Enhanced Mitigation Experience Toolkit | 01-07-2014 | offensive-security.com | Windows | N/A |
| 18 | https://www.offensive-security.com/vulnd... | Disarming EMET v5.0 | 29-09-2014 | offensive-security.com | Windows | CVE-2012-1876 |
| 19 | https://www.offensive-security.com/vulnd... | Disarming and Bypassing EMET 5.1 | 18-11-2014 | Blogpost offensive-security.com | | N/A |
| 20 | http://casual-scrutiny.blogspot.in/2015/... | Defeating EMET 5.2 Protections | 15-03-2015 | r41p41 | Windows | N/A |
| 21 | http://casual-scrutiny.blogspot.in/2015/... | Defeating EMET 5.2 Protections (2) | 21-03-2015 | r41p41 | Windows | N/A |
| 22 | http://int3pids.blogspot.de/2015/04/conf... | Confidence 2015 Teaser: Quarantine Write-Up (pwn 500) | 30-04-2015 | Eloi Sanfelix | Linux | N/A |
| 23 | http://googleprojectzero.blogspot.com/20... | Significant Flash exploit mitigations are live in v18.0.0.209 | 16-07-2015 | Mark Brand, Chris Evans | - | N/A |
| 24 | https://www.endgame.com/blog/adobe-flash... | Adobe Flash Vulnerability CVE-2015-7663 and Mitigating Exploits | xx-xx-2015 | Cody Pierce | - | CVE-2015-7663 |
| 25 | https://duo.com/assets/pdf/WoW64-Bypassi... | WoW64 and So Can You - Bypassing EMET With a Single Instruction | xx-xx-2015 | Darren Kemp, Mikhail Davidov | Windows | N/A |
| 26 | http://xlab.tencent.com/en/2015/12/09/by... | Bypass DEP and CFG using JIT compiler in Chakra engine | 09-12-2015 | tombkeeper | Windows | N/A |
| 27 | http://casual-scrutiny.blogspot.de/2016/... | CVE-2015-2545 ITW EMET Evasion | 04-02-2016 | r41p41 | Windows | CVE-2015-2545 |
| 28 | https://www.fireeye.com/blog/threat-rese... | USING EMET TO DISABLE EMET | 23-02-2016 | Abdulellah Alsaheel, Raghav Pande | Windows | N/A |

### Kernel mode

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://sysc.tl/2010/04/26/kernel-exploit... | FreeBSD kernel exploitation mitigations | 26-04-2010 | Patroklos (argp) Argyroudis | FreeBSD | N/A |
| 2 | https://web.archive.org/web/201112171438... | Assessing the Tux Strength: Part 2 - Into the Kernel | 02-09-2010 | Radoslaw Madej | Linux | N/A |
| 3 | https://wiki.ubuntu.com/Security/Feature... | Security/Features - Ubuntu Wiki | 17-02-2011 | ubuntu.com | Linux | N/A |
| 4 | http://census.gr/media/bheu-2011-wp.pdf | Protecting the Core: Kernel Exploitation Mitigations | 18-03-2011 | Patroklos (argp) Argyroudis, Dimitris Glynos | FreeBSD | N/A |
| 5 | http://blogs.msdn.com/b/sdl/archive/2012... | Guarding against re-use of stale object references | 24-04-2012 | Doug Cavit | Windows | N/A |
| 6 | https://blog.duosecurity.com/2012/07/exp... | Exploit Mitigations in Android Jelly Bean 4.1 | 16-07-2012 | Jon Oberheide | Android | N/A |
| 7 | http://0xfeedface.org/blog/lattera/2012-... | New Exploit Protections in Android 4.1 | 19-07-2012 | Shawn Webb | Android | N/A |
| 8 | http://blogs.technet.com/b/srd/archive/2... | EMET 3.5 Tech Preview leverages security mitigations from the BlueHat Prize | 24-07-2012 | swiat | Windows | N/A |
| 9 | http://blogs.technet.com/b/srd/archive/2... | Technical Analysis of the Top BlueHat Prize Submissions | 26-07-2012 | swiat | Windows | N/A |
| 10 | http://forums.grsecurity.net/viewtopic.p... | Recent ARM security improvements | 18-02-2013 | spender | ARM | N/A |
| 11 | http://0xdabbad00.com/wp-content/uploads... | EMET 4.1 Uncovered | 18-11-2013 | 0xdabbad00 | Windows | N/A |
| 12 | http://blogs.technet.com/b/srd/archive/2... | Software defense: mitigating common exploitation techniques | 11-12-2013 | swiat | Windows | N/A |
| 13 | https://labs.mwrinfosecurity.com/blog/20... | Windows 8 Kernel Memory Protections Bypass | 15-08-2014 | Jérémy (__x86) Fetiveau | Windows 8 | N/A |
| 14 | http://breakingmalware.com/vulnerabiliti... | One-Bit To Rule Them All: Bypassing Windows’ 10 Protections using a Single Bit | 10-02-2015 | Udi Yavo | Windows | CVE-2015-0057 |
| 15 | http://keenlab.tencent.com/en/2016/06/01... | Emerging Defense in Android Kernel | 01-06-2017 | James Fang | Android | N/A |

### General

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://www.freeinfosociety.com/media/pdf/2708.pdf | A Buffer Overflow Study - Attacks & Defenses | 2002 | Pierre-Alain FAYOLLE, Vincent GLAUME | Linux | N/A |
| 2 | https://static.googleusercontent.com/medi... | Native Client: A Sandbox for Portable, Untrusted x86 Native Code | 2009 | Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar | - | N/A |
| 3 | https://drive.google.com/file/d/0B5pT4hU_... | An Evaluation of the Effectiveness of EMET 5.1 At Protecting Everyday Applications Against Targeted Attacks | 2015 | Grant Willcox | Windows | N/A |
| 4 | https://github.com/deroko/payloadrestrict... | PayloadRestrictions | 05-09-2017 | deroko | Windows 10 | N/A |

## Hardware-based mitigations

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://web.archive.org/web/201201200727... | Beat SMEP on Linux with Return-Oriented Programming | 09-11-2011 | falk3n | Linux, x86-64 | N/A |
| 2 | http://forums.grsecurity.net/viewtopic.p... | Supervisor Mode Access Prevention | 07-09-2012 | PaX Team | - | N/A |
| 3 | http://blog.ptsecurity.com/2012/09/intel... | Intel SMEP overview and partial bypass on Windows 8 | 17-09-2012 | Artem Shishkin | Windows 8 | N/A |
| 4 | http://www.cyvera.com/the-case-for-smep-... | THE CASE FOR SMEP – EXPLOITING A KERNEL VULNERABILITY | 20-09-2013 | Gal Badishi | Windows XP, x86-32 | N/A |
| 5 | http://hypervsir.blogspot.de/2014/10/i... | Introduction to Processor Hardware Security Features in x86 & ARM Architectures | 06-05-2014 | Anababa | x86, ARM | N/A |
| 6 | http://atredispartners.blogspot.de/2014/... | Here Be Dragons: Vulnerabilities in TrustZone | 15-08-2014 | Nathan Keltner | ARM | N/A |
| 7 | https://www.nccgroup.com/en/blog/2015/01... | Intel® Software Guard Extensions (SGX): A Researcher’s Primer | 05-01-2015 | Ollie Whitehouse | - | N/A |
| 8 | https://www.nccgroup.trust/uk/about-us/n... | Xen SMEP (and SMAP) bypass | 09-04-2015 | Aaron Adams | XEN | N/A |
| 9 | http://www.alex-ionescu.com/Enclave%20Su... | Intel SGX Enclave Support in Windows 10 Fall Update (Threshold 2) | 08-11-2015 | Alex Ionescu | Windows 10 | N/A |
| 10 | https://blogs.msdn.microsoft.com/vcblog/... | Visual Studio 2015 Update 1: New Experimental Feature – MPX | 20-01-2016 | Jim Hogg | Windows | N/A |

## Specific mitigations

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://blog.ptsecurity.com/2014/09/micro... | Microsoft Windows 8.1 Kernel Patch Protection Analysis & Attack Vectors | 17-08-2014 | Mark Ermolov, Artem Shishkin | Windows 8.1 | N/A |
| 2 | http://vrt-blog.snort.org/2014/08/the-wi... | The Windows 8.1 Kernel Patch Protection | 24-08-2014 | Andrea Allievi | Windows 8.1 | N/A |
| 3 | http://scarybeastsecurity.blogspot.de/20... | Using ASAN as a protection | 25-09-2014 | Chris Evans | - | N/A |
| 4 | http://blogs.cisco.com/security/mitigati... | Mitigations Available for the DRAM Row Hammer Vulnerability | 09-03-2015 | Omar Santos | - | N/A |
| 5 | http://googleprojectzero.blogspot.de/201... | Three bypasses and a fix for one of Flash's Vector.<*> mitigations | 19-08-2015 | Chris Evans | - | N/A |
| 6 | https://forums.grsecurity.net/viewtopic.... | Linux Kernel BPF JIT Spraying | 03-05-2016 | spender | Linux | N/A |
| 7 | https://bugs.chromium.org/p/project-zero... | PaX: reference count overflow mitigation can be bypassed on x86 by racing | 27-06-2016 | jannh | Linux | N/A |
| 8 | https://googleprojectzero.blogspot.de/20... | Breaking the Chain | 29-11-2016 | James Forshaw | Windows | N/A |

## Other exploitation obstacles

Exploitation difficulties that are not enforced by the compiler, the OS, or the hardware, such as character translation of the payload.

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://www.corelan.be/index.php/200... | Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc | 06-11-2009 | corelanc0d3r | Windows, x86-32 | OSVDB-66912 |
| 2 | http://grey-corner.blogspot.com/2010/01/... | Windows Buffer Overflow Tutorial: Dealing with Character Translation | 17-01-2010 | Stephen Bradshaw | Windows, x86-32 | OSVDB-59772 |
| 3 | https://web.archive.org/web/201104170711... | Ken Ward Zipper Stack BOF 0day – a not so typical SEH exploit | 18-03-2010 | corelanc0d3r | Windows, x86-32 | OSVDB-63125 |
| 4 | http://www.corelan.be/index.php/201... | Exploiting Ken Ward Zipper : Taking advantage of payload conversion | 27-03-2010 | Tutorial | Windows, x86-32 | N/A |
| 5 | http://www.corelan.be/index.php/201... | QuickZip Stack BOF 0day: a box of chocolates (2 parts) | 27-03-2010 | corelanc0d3r | Windows, x86-32 | N/A |
| 6 | https://docs.google.com/viewer?a=v&pid=e... | Unicode, the magic of exploiting 0x00410041 | 29-05-2010 | mr_me | Windows, x86-32 | CVE-2009-2225 |
| 7 | http://www.exploit-db.com/winamp-5-58-fr... | Winamp 5.58 from Denial of Service to Code Execution | 20-10-2010 | muts | Windows, x86-32 | OSVDB-68645 |
| 8 | http://www.exploit-db.com/winamp-exploit... | Winamp 5.58 from Denial of Service to Code Execution Part 2 | 02-11-2010 | muts | Windows, x86-32 | OSVDB-68645 |
| 9 | https://www.corelan.be/index.php/2011/07... | Metasploit Bounty – the Good, the Bad and the Ugly | 27-07-2011 | Lincoln | Windows, x86-32 | OSVDB-72817 |
