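; ---------------------------------------------------------------------
; To submit, log into grace.umd.edu and use the following command:
; /submit 2017 fall ENEE 657 0101 11 exploit_generation.bib
; ---------------------------------------------------------------------

; Layout of this file:
;   Each entry holds the usual bibliographic fields followed by a set of
;   empty review fields (studentfirstname ... opinions) that are filled in
;   before submission. Standard BibTeX styles ignore field names they do
;   not know, so the review fields do not change the rendered bibliography.
;   The "interesting" field ships with the placeholder high/med/low;
;   presumably exactly one of the three values is meant to remain
;   (confirm against the course instructions).
;
; NOTE(review): pmid = {3952} on Brumley2008 looks like reference-manager
; export residue rather than a real identifier; confirm it or drop it.

; Required Readings

@INPROCEEDINGS{Brumley2008,
  title            = {Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications},
  author           = {Brumley, David and Poosankam, Pongsin and Song, Dawn and Zheng, Jiang},
  booktitle        = {Proceedings - {IEEE} Symposium on Security and Privacy},
  year             = {2008},
  abstract         = {The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for 5 Microsoft programs based upon patches provided via Windows Update. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical.
One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch.},
  doi              = {10.1109/SP.2008.17},
  isbn             = {9780769531687},
  pages            = {143--157},
  pmid             = {3952},
  issn             = {1081-6011},
  studentfirstname = {},
  studentlastname  = {},
  summary          = {},
  contribution1    = {},
  contribution2    = {},
  contribution3    = {},
  contribution4    = {},
  contribution5    = {},
  weakness1        = {},
  weakness2        = {},
  weakness3        = {},
  weakness4        = {},
  weakness5        = {},
  interesting      = {high/med/low},
  opinions         = {},
}

@INPROCEEDINGS{song2007infeasibility,
  title            = {On the Infeasibility of Modeling Polymorphic Shellcode},
  author           = {Song, Yingbo and Locasto, Michael E. and Stavrou, Angelos and Keromytis, Angelos D. and Stolfo, Salvatore J.},
  booktitle        = {Proceedings of the 14th {ACM} Conference on Computer and Communications Security},
  pages            = {541--551},
  organization     = {ACM},
  year             = {2007},
  studentfirstname = {},
  studentlastname  = {},
  summary          = {},
  contribution1    = {},
  contribution2    = {},
  contribution3    = {},
  contribution4    = {},
  contribution5    = {},
  weakness1        = {},
  weakness2        = {},
  weakness3        = {},
  weakness4        = {},
  weakness5        = {},
  interesting      = {high/med/low},
  opinions         = {},
}

; BibTex cross-references (don't add anything here)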