I have a bad feeling about this

[Rich Kulawiec <rsk () gsp org>]

        Automatic Patch-Based Exploit Generation
        http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html

        "The automatic patch-based exploit generation problem is: given a
        program P and a patched version of the program P', automatically
        generate an exploit for the potentially unknown vulnerability
        present in P but fixed in P'. In this paper, we propose techniques
        for automatic patch-based exploit generation, and show that our
        techniques can automatically generate exploits for vulnerable
        programs based upon patches provided via Windows Update."

That part doesn't bother me: my response to Microsoft products is to
quote Zathras: "This...is wrong tool.  Never use this."

The part that bothers me is that if they're right, and having only skimmed
the paper, I offer no opinion on that yet, then it seems to me that this
technique may work on other systems.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.