Full Report
Memory corruption vulnerabilities are 60%-70% of the issues exploited in the wild. There are many other classes of bugs so why are these so popular? This is what the article tackles. Ironically, it's the simplest way to do it. It all comes down to how expressive and unconstrained memory corruption vulnerabilities are. The usage of system() runs attacker controlled input on a computer, giving us lots of freedom. In the case of memory corruption, it's the same; we can create our own path with the infinite space of a weird machine. This expressive nature is really only offered with a few bug classes. With a simple logic bug, like an authorization issue, it is limited in nature. It has much more defined capabilities. Things like MTE and movement towards memory safe languages like Golang and Python are making memory corruption bugs harder and harder to exploit though. The author does make a distinction between memory corruption and memory unsafety. Memory corruption is commonly the effect of a memory unsafe bug. They reference a type confusion bug leading to memory corruption as an example. The author believes that true memory corruption vulnerabilities, like page table management in the kernel, will stay around but memory unsafety bugs will start to die. At the end of the day, memory corruption vulnerabilities are still likely to be used. They provide huge capabilities that cannot be paralleled. Additionally, they are easily abstractable. If I find an arbitrary read/write primitive, I can hide away the details to this with an API of sorts to continue using my exploits. This does not work well with logic bugs most of the time. Overall, a good post on why we like memory corruption vulnerabilities so much! It creates reusable primitives in an environment that can be repeated. Other bugs can't provide the same things, making them harder to find and harder to exploit for real gain.
Analysis Summary
# Vulnerability: Persistent Dominance of Memory Corruption in Exploit Chains
## CVE Details
- **CVE ID**: Not a report for a single vulnerability, but references **CVE-2024-2887** (a Pwn2Own winning bug) as a key example.
- **CVSS Score**: 8.8 (High) - *Estimated based on CVE-2024-2887.*
- **CWE**: CWE-119 (Memory Corruption), CWE-843 (Type Confusion), CWE-703 (Logic Errors).
## Affected Systems
- **Products**: End-user platforms/products (Browsers, Kernels, Mobile OS).
- **Versions**: Broadly impacts software written in memory-unsafe languages (C/C++) and systems utilizing JIT (Just-In-Time) compilation or page table management.
- **Configurations**: Systems where attackers seek to traverse isolated execution contexts (exploit chains).
## Vulnerability Description
The article provides a high-level analysis of why memory corruption remains the preferred primitive for attackers. It distinguishes between **root causes** (Memory Unsafety/Logic Bugs) and **effects** (Memory Corruption).
- **Technical Mechanism**: Memory corruption allows an attacker to transition a program from its Intended Finite State Machine (IFSM) to a "weird state."
- **The "Weird Machine"**: By triggering memory corruption, the attacker bypasses the software’s programmed constraints and operates directly on the CPU's state space ($2^n$). This creates a "Strongly Connected Component" where the attacker can reach nearly any state, effectively achieving arbitrary code execution.
## Exploitation
- **Status**: Exploited in the wild (represents 60-70% of observed 0-days).
- **Complexity**: High (Modern mitigations like MTE and memory-safe languages increase the difficulty of finding these primitives).
- **Attack Vector**: Network / Local (Depending on the specific bug in the chain).
## Impact
- **Confidentiality**: Total (Arbitrary read primitives).
- **Integrity**: Total (Arbitrary write primitives/Code execution).
- **Availability**: Total (System crashes or total hijack).
## Remediation
### Patches
- Transitioning to memory-safe languages (Golang, Rust, Python) to eliminate the "root cause" of memory unsafety.
- Vendor-specific security updates for browsers (Chrome/V8) and kernels.
### Workarounds
- **Hardware-Assisted Mitigations**: Deployment of Memory Tagging Extensions (MTE) to increase the cost and complexity of exploitation.
- **Sandboxing**: Limiting the impact of a successful memory corruption primitive by isolating execution environments.
## Detection
- **Indicators of Compromise**: Unexpected crashes (SIGSEGV), unusual page table modifications, or process execution through shellcode/JIT regions.
- **Detection methods**: Bound checking, Control Flow Integrity (CFI), and using tools to monitor for "weird machine" behaviors that deviate from the IFSM.
## References
- Microsoft MSRC Trends: [https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2019_02_BlueHatIL/2019_01%20-%20BlueHatIL%20-%20Trends%2C%20challenge%2C%20and%20shifts%20in%20software%20vulnerability%20mitigation.pdf]
- Google Project Zero 0-day Analysis: [https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html]
- CVE-2024-2887 Technical Breakdown: [https://www.zerodayinitiative.com/blog/2024/5/2/cve-2024-2887-a-pwn2own-winning-bug-in-google-chrome]
- Halvar Flake - Limiting Weird Machines: [https://docs.google.com/presentation/d/1V_4ZO9fFOO1PZQTNODu2XarcXhlZTGaktBwc4EAHjL8/edit]