How can you show that a bug is exploitable without actually writing an exploit? Exploit equivalence classes. https://blog.isosceles.com/exploit-equivalence-classes/

This post shares a model based on the set theory concept of "equivalence classes" that can help security researchers and vulnerability triage teams assess and communicate the exploitability of bugs in a consistent way.

@hawkes Great discussion. There are lots of common terms for higher-level equivalence classes of vulnerabilities (i.e.: Use After Free, Buffer Overflow, Arbitrary Code Execution) that are equivalence classes to specific bugs. Would be interesting to see what a taxonomy might look like for exploitation.
@Lee_Holmes Yeah, I think the key is that different bugs in the same bug class can have quite different exploitation properties. Like you can have a UAF where all you get for the "use" is a super-benign read of a bit-field or something, but then others can be directly used to hijack control flow through a vtable or something. They're definitely not "equivalent" in terms of exploitability, despite being in the same bug class. I probably should have made that point clearer in the post now that I think about it...