Vulnerabilities and their mitigations

The list of browser mitigations —

Stack overruns

CWE-121: Stack-based Buffer Overflow


Nr URL Description Date Author OS/Arch Info
1 SafeSEH+SEHOP all-at-once bypass explotation method principles 10-01-2012 x90c Windows, x86-32 N/A
2 Enhancements to /GS in Visual Studio 11 26-01-2012 Dave Ladd Windows N/A
3 Stack Smashing: When Code Execution Becomes a Nightmare 06-07-2012 Wei Chen Windows, x86-32 CVE-2012-0124
4 The Stack Cookies Bypass on CVE-2012-0549 15-08-2012 Juan Vazquez Windows, x86-32 CVE-2012-0549

Kernel mode

Nr URL Description Date Author OS/Arch Info
1 Exploiting the otherwise non-exploitable: Windows Kernel-mode GS cookies subverted 11-01-2011 Mateusz ‘j00ru’ Jurczyk Windows, x86-32 CVE-2010-4398


Nr URL Description Date Author OS/Arch Info
1 Adventure with Stack Smashing Protector (SSP) 11-11-2013 Adam 'pi3' Zabrocki Linux N/A
2 Stack Smashing Protector 22-10-2014 ( - N/A

Heap overruns


Nr URL Description Date Author OS/Arch Info
1 A new way to bypass Windows heap protections 31-08-2005 Nicolas Falliere Windows XP SP2, x86-32 N/A
2 Preventing the exploitation of user mode heap corruption vulnerabilities 04-08-2009 swiat Windows N/A
3 Software Defense: mitigating heap corruption vulnerabilities 29-10-2013 swiat Windows N/A
4 Getting back determinism in the Low Fragmentation Heap 02-11-2014 Bruno Pujos Windows 8 N/A

Kernel mode

Nr URL Description Date Author OS/Arch Info
1 Safe Unlinking in the Kernel Pool 26-05-2012 swiat Windows N/A
2 Windows 8 and Safe Unlinking in NTDLL 14-07-2012 Note Windows N/A

Static buffer overflows

Nr URL Description Date Author OS/Arch Info
1 Self Protecting Global Offset Table (GOT) 24-04-2008 Chris Rohlf - N/A
2 RELRO: RELocation Read-Only 01-06-2011 Julian Cohen Linux N/A

Uninitialized data

Nr URL Description Date Author OS/Arch Info
1 Guarding against uninitialized class member pointers 08-03-2012 Thomas Garnier Windows N/A

Lifetime issues

Use-after-free, double-free bugs.

Nr URL Description Date Author OS/Arch Info
1 Is use-after-free exploitation dead? The new IE memory protector will tell you 16-06-2014 Zhenhua 'Eric' Liu Windows N/A
2 http://researchcenter.paloaltonetworks.c... Is It the Beginning of the End For Use-After-Free Exploitation? 16-06-2014 Tao Yan, Bo Qu, Royce Lu Windows N/A
3 Mitigating UAF Exploits with Delay Free for Internet Explorer 17-06-2014 Jack Tang Windows N/A
4 Isolated Heap & Friends - Object Allocation Hardening in Web Browsers 20-06-2014 - N/A
5 Isolated Heap for Internet Explorer Helps Mitigate UAF Exploits 01-07-2014 Jack Tang Windows N/A
6 Efficacy of MemoryProtection against use-after-free vulnerabilities 28-07-2014 Simon Zuckerbraun Windows N/A
7 Understanding IE’s New Exploit Mitigations: The Memory Protector and the Isolated Heap 29-08-2014 Mark Yason Windows N/A
8 USE-AFTER-FREE NOT DEAD IN INTERNET EXPLORER: PART 1 13-10-2014 k33nteam Windows 8.1 MS14-056
9 New directions in use-after-free mitigations 18-10-2014 HP Security Windows N/A
10 Windows 10 Sharpens Browser Security With Microsoft Edge 21-07-2015 Henry li Windows N/A
11 A Quick Look at the Flash Memory Protector 17-06-2016 yukichen - N/A


Nr URL Description Date Author OS/Arch Info
1 Locking Down the Windows Kernel:Mitigating Null Pointer Exploitation 07-07-2011 Tarjei (kernelpool) Mandt Windows N/A

Integer bugs

Nr URL Description Date Author OS/Arch Info
1 Inside the Size Overflow Plugin 28-08-2012 ephox - N/A

Exploitation techniques and their mitigations

Return Oriented Exploitation

Nr URL Description Date Author OS/Arch Info
1 Frequently Asked Questions About RAP xx-xx-2016 ? Linux N/A

Hardenings and their bypasses

Address Space Layout Randomization (ASLR)


Nr URL Description Date Author OS/Arch Info
1 Attacking ASLR on Linux 2.6 27-05-2009 drraid Linux N/A
2 The Curious Case of VirtualAlloc, ASLR and an SDL 13-12-2011 Ollie Windows N/A
3 A look at ASLR in Android Ice Cream Sandwich 4.0 17-02-2012 Jon Oberheide Android N/A
4 A Partial Technique Against ASLR - Multiple O/Ss 02-03-2012 Ollie Windows, x86-32 N/A
5 Windows 8 ASLR Internals 04-12-2012 Artem Shishkin, Ilya Smith Windows 8 N/A
6 Attacking the Windows 7/8 Address Space Randomization 24-01-2013 kingcope Windows 7/8 N/A
7 ASLR Bypass Apocalypse in Recent Zero-Day Exploits 15-10-2013 Xiabo Chen Windows CVE-2013-0640, CVE-2013-0634, CVE-2013-3163, CVE-2013-1690, CVE-2013-1493
8 Differences Between ASLR on Windows and Linux 10-02-2014 Will Dormann Windows N/A
9 Bypass ASLR with partial EIP overwrite 30-06-2015 ly0n Windows CVE-2007-0038
10 Bypassing Windows ASLR in Microsoft Office using ActiveX controls 04-12-2015 Parvez Windows N/A
11, The AnC attack xx-xx-2017 VUSec - N/A

Kernel mode (KASLR)

Nr URL Description Date Author OS/Arch Info
1 Bypassing Windows 7 Kernel ASLR 11-10-2011 Stefan Le Berre Windows, x86-32 N/A
2 ASLR implementation in Linux Kernel 3.7 19-01-2013 Jonathan Salwan Linux N/A
3 KASLR: An Exercise in Cargo Cult Security 20-03-2013 spender - N/A
4 KASLR Bypass Mitigations in Windows 8.1 17-11-2013 Alex Ionescu Windows 8.1 N/A
5 TSX improves timing attacks against KASLR 27-10-2014 Rafal Wojtzcuk N/A N/A
6 The State of ASLR on Android Lollipop 11-05-2015 Daniel Micay Android 5.0.1 N/A
7 Exploiting a Linux Kernel Infoleak to bypass Linux kASLR 24-01-2016 Marco Grass Linux N/A
8 Breaking KASRL with micro architecture Part 1 20-02-2016 Anders Fogh - N/A


Nr URL Description Date Author OS/Arch Info
1 Silently Breaking ASLR In The Cloud 11-11-2015 Antonio Barresi, Kaveh Razavi, Mathias Payer, Thomas R. Gross VM

Data Execution Prevention (DEP)

Nr URL Description Date Author OS/Arch Info
1 x86-64 buffer overflow exploits and the borrowed code chunks 28-09-2005 Sebastian Krahmer Linux x86-64 N/A
2 Bypassing Windows Hardware-enforced Data Execution Prevention 02-10-2005 Matt (skape) Miller Windows, x86-32 OSVDB-875
3 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) xx-10-2007 Hovav Shacham x86 N/A
4 Bypassing hardware based DEP on Windows Server 2003 SP2 10-06-2009 David Kennedy Windows, x86-32 N/A
5 DEP bypass with SetProcessDEPPolicy() 09-12-2009 Bernardo Damele Windows, x86-32 N/A
6 DEP and Heap Sprays 17-12-2009 Lurene Grenier Windows N/A
7 A gentle introduction to return-oriented programming 12-03-2010 Tim Kornau x86 N/A
8 Exploitation With WriteProcessMemory()/Yet Another DEP Trick xx-03-2010 Spencer Pratt Windows N/A
9 A little return oriented exploitation on Windows x86 (Part 1) 12-04-2010 Stephen Fewer Windows, x86-32 CVE-2010-0838
10 A little return oriented exploitation on Windows x86 (Part 2) 16-04-2010 Stephen Fewer Windows, x86-32 N/A
11 Advanced Return-Oriented Exploit 05-05-2010 funkyG Linux, x86-32 N/A
12 Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube 16-06-2010 corelanc0d3r Windows, x86-32 N/A
13 The so called Return Oriented Programming... 21-06-2010 Nicolas Waisman Windows, x86-32 N/A
14 OSX ROP Exploit – EvoCam Case Study 06-07-2010 muts Mac OSVDB-65043
15 Payload already inside: data reuse for rop exploits 28-07-2010 longld Linux x86 N/A
16 Simple Mac ret2libc exploit (x86) 05-10-2010 longld Mac, x86-32 N/A
17 Defeating Windows 8 ROP Mitigation 21-09-2011 Dan Rosenberg Windows 8 N/A
18 Man vs. ROP - Overcoming Adversity One Gadget at a Time 14-11-2011 Matt Graeber Windows, x86-32 N/A
19 Advanced Generic ROP chain for Windows 8 16-11-2011 Le Manh Tung Windows 8 CVE-2011-0065
20 Measure Twice, Cut Once 01-12-2011 Accuvant LABS R&D Team Windows N/A
21 Introduction to return oriented programming (ROP) 28-05-2013 Alex Reece Linux N/A
22 W^X policy violation affecting all Windows drivers compiled in Visual Studio 2013 and previous 03-09-2015 Graham Sutherland Windows N/A
23 W^X JIT-code enabled in Firefox 29-12-2015 jandem - N/A
24 The Return of the JIT (Part 1) 13-07-2017 Rh0 - CVE-2017-5375, CVE-2017-5400
24 The Return of the JIT (Part 2) 17-07-2017 Rh0 - CVE-2017-5375, CVE-2017-5400

Return-Oriented-Programming (ROP) mitigations

Nr URL Description Date Author OS/Arch Info
1 Security Mitigations for Return-Oriented Programming Attacks 20-08-2010 Piotr Bania Windows N/A
2 Defeating Windows 8 ROP Mitigation 19-12-2012 c0decstuff Windows 8 N/A
3 Research Spotlight: ROPMEMU - A Framework for the Analysis of Complex Code-Reuse Attacks 01-06-2016 Mariano Graziano - N/A

Export Address Table Access Filtering (EAF)

Nr URL Description Date Author OS/Arch Info
1 Bypassing EMET’s EAF with custom shellcode using kernel pointer 19-12-2011 Parvez Windows, x86-32 CVE-2010-3654
2 BYPASSING EMET Export Address Table Access Filtering feature 19-01-2012 Piotr Bania Windows, x86-32 N/A
3 Reversing EMET's EAF (and a couple of curious findings...) 20-03-2014 giulia Windows N/A
4 An Theoretical Approach to Getting Around EMET's EAF Protection 18-01-2015 tekwizz Windows N/A

Control Flow Integrity / Control Flow Guard

Nr URL Description Date Author OS/Arch Info
1 Visual Studio 2015 Preview: Work-in-Progress Security Feature 08-12-2014 Jim Hogg Windows N/A
2 Exploring Control Flow Guard in Windows 10 30-01-2015 Jack Tang Windows 10 N/A
3 Exploiting CVE-2015-0311, Part II: Bypassing Control Flow Guard on Windows 8.1 Update 3 25-03-2015 Francisco Falcón Windows 8.1
4 Exploring Control Flow Guard in Windows 10 xx-05-2015 Jack Tang Windows N/A
5 Control-Flow Integrity: Principles, Implementations, and Applications 11-07-2015 Martın Abadi, Mihai Budiu, Ulfar Erlingsson, Jay Ligatti - N/A
6 An interesting detail about Control Flow Guard 28-09-2015 Rafal Wojtczuk Windows N/A
7 Use Chakra engine again to bypass CFG 04-01-2016 exp-sky Windows N/A
8 Microsoft’s June Patch Kills Potential CFG Bypass 16-06-2016 Bing Sun Windows N/A
9 Let’s talk about CFI: clang edition 17-10-2016 Artem Dinaburg - N/A
10 CHAKRA JIT CFG BYPASS 14-12-2016 Theori Windows MS16-119
11 Bypassing Control Flow Guard in Windows 10 16-01-2017 Morten Schenk Windows N/A
12 Bypassing Control Flow Guard in Windows 10 - Part II 23-01-2017 Morten Schenk Windows N/A
13 Close, but No Cigar: On the Effectiveness of Intel's CET Against Code Reuse Attacks 12-06-2017 PaX Team - N/A

Mitigations Against Use-After-Free

Nr URL Description Date Author OS/Arch Info
1 Abusing Silent Mitigations: Understanding weaknesses within Internet Explorer’s Isolated Heap and MemoryProtection 19-06-2015 Abdul-Aziz Hariri, Simon Zuckerbraun, Brian Gorenc Windows N/A
2 Dude, where’s my heap? 15-06-2015 Ivan Fratric Windows N/A

Arbitrary Code Guard

Nr URL Description Date Author OS/Arch Info
1 Microsoft Edge: ACG bypass using DuplicateHandle 16-06-2017 Ivan Fratric Windows N/A

Return Flow Guard

Nr URL Description Date Author OS/Arch Info
1 Return Flow Guard 02-11-2016 TenCent Windows N/A
2 Close, but No Cigar: On the Effectiveness of Intel's CET Against Code Reuse Attacks 12-06-2016 PaX Team - N/A

Information Leak Mitigations

Nr URL Description Date Author OS/Arch Info
1 Memory disclosure mitigations in CopperheadOS 20-09-2016 Daniel Micay CopperheadOS N/A

Multiple mitigations discussed


Nr URL Description Date Author OS/Arch Info
1 Bypassing Browser Memory Protections 07-08-2008 Alex Sotirov, Mark Dowd Windows, x86-32 N/A
2 Buffer overflows on linux-x86-64 22-01-2009 Hagen Fritsch Linux, x86-64 N/A
3 Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR 12-09-2009 corelanc0d3r Windows, x86-32 CVE-2006-6199
4 Bypassing ASLR and DEP under Windows 17-06-2010 mr_me Windows, x86-32 N/A
5 Assessing the Tux Strength: Part 1 - Userspace Memory Protection 29-07-2010 ? Linux N/A
6 On the effectiveness of DEP and ASLR 08-12-2010 swiat Windows N/A
7 Windows ISV Software Security Defenses xx-12-2010 Michael Howard, Matt Miller, John Lambert, Matt Thomlinson Windows N/A
8 Bypassing ASLR/DEP 25-09-2011 Vinay Katoch Windows, x86-32 CVE-2011-0065
9 Mitigating Software Vulnerabilities 12-07-2011 Matt Miller, Time Burrell, Michael Howard Windows N/A
10 Recent Advances: How We Learn From Exploits 15-02-2012 spender Linux N/A
11 Enhanced Memory Protections in IE10 13-03-2012 Forbes Higman Windows N/A
12 Bypassing ASLR and DEP on Adobe Reader X 22-06-2012 guillaume Windows, x86-32 N/A
13 How do ASLR and DEP work? 12-08-2012 polynomial - N/A
14 Software defense: safe unlinking and reference count hardening 06-11-2013 swiat Windows N/A
15 BYPASSING EMET 4.1 xx-02-2014 Jares DeMott Windows N/A
16 Bypassing Windows 8.1 Mitigations using Unsafe COM Objects 15-06-2014 James Forshaw Windows 8.1 N/A
17 Disarming Enhanced Mitigation Experience Toolkit 01-07-2014 Windows N/A
18 Disarming EMET v5.0 29-09-2014 Windows CVE-2012-1876
19 Disarming and Bypassing EMET 5.1 18-11-2014 Blogpost N/A
20 Defeating EMET 5.2 Protections 15-03-2015 r41p41 Windows N/A
21 Defeating EMET 5.2 Protections (2) 21-03-2015 r41p41 Windows N/A
22 Confidence 2015 Teaser: Quarantine Write-Up (pwn 500) 30-04-2015 Eloi Sanfelix Linux N/A
23 Significant Flash exploit mitigations are live in v18.0.0.209 16-07-2015 Mark Brand, Chris Evans - N/A
24 Adobe Flash Vulnerability CVE-2015-7663 and Mitigating Exploits xx-xx-2015 Cody Pierce - CVE-2015-7663
25 WoW64 and So Can You - Bypassing EMET With a Single Instruction xx-xx-2015 Darren Kemp, Mikhail Davidov Windows N/A
26 Bypass DEP and CFG using JIT compiler in Chakra engine 09-12-2015 tombkeeper Windows N/A
27 CVE-2015-2545 ITW EMET Evasion 04-02-2016 r41p41 Windows CVE-2015-2545
28 USING EMET TO DISABLE EMET 23-02-2016 Abdulellah Alsaheel , Raghav Pande Windows N/A

Kernel mode

Nr URL Description Date Author OS/Arch Info
1 FreeBSD kernel exploitation mitigations 26-04-2010 Patroklos (argp) Argyroudis FreeBSD N/A
2 Assessing the Tux Strength: Part 2 - Into the Kernel 02-09-2010 Radoslaw Madej Linux N/A
3 Security/Features - Ubuntu Wiki 17-02-2011 Linux N/A
4 Protecting the Core: Kernel Exploitation Mitigations 18-03-2011 Patroklos (argp) Argyroudis, Dimitris Glynos FreeBSD N/A
5 Guarding against re-use of stale object references 24-04-2012 Doug Cavit Windows N/A
6 Exploit Mitigations in Android Jelly Bean 4.1 16-07-2012 Jon Oberheide Android N/A
7 New Exploit Protections in Android 4.1 19-07-2012 Shawn Webb Android N/A
8 EMET 3.5 Tech Preview leverages security mitigations from the BlueHat Prize 24-07-2012 swiat Windows N/A
9 Technical Analysis of the Top BlueHat Prize Submissions 26-07-2012 swiat Windows N/A
10 Recent ARM security improvements 18-02-2013 spender ARM N/A
11 EMET 4.1 Uncovered 18-11-2013 0xdabbad00 Windows N/A
12 Software defense: mitigating common exploitation techniques 11-12-2013 swiat Windows N/A
13 Windows 8 Kernel Memory Protections Bypass 15-08-2014 Jérémy (__x86) Fetiveau Windows 8 N/A
14 One-Bit To Rule Them All: Bypassing Windows’ 10 Protections using a Single Bit 10-02-2015 Udi Yavo Windows CVE-2015-0057
15 Emerging Defense in Android Kernel 01-06-2017 James Fang Android N/A


Nr URL Description Date Author OS/Arch Info
1 A Buffer Overflow Study - Attacks & Defenses 2002 Pierre-Alain FAYOLLE, Vincent GLAUME Linux N/A
2 Native Client: A Sandbox for Portable, Untrusted x86 Native Code 2009 Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar - N/A
3 An Evaluation of the Effectiveness of EMET 5.1 At Protecting Everyday Applications Against Targeted Attacks 2015 Grant Willcox Windows N/A
4 PayloadRestrictions 05-09-2017 deroko Windows 10 N/A

Hardware-based mitigations

Nr URL Description Date Author OS/Arch Info
1 Beat SMEP on Linux with Return-Oriented Programming 09-11-2011 falk3n Linux, x86-64 N/A
2 Supervisor Mode Access Prevention 07-09-2012 Pax Team - N/A
3 Intel SMEP overview and partial bypass on Windows 8 17-09-2012 Artem Shishkin Windows 8 N/A
5 Introduction to Processor Hardware Security Features in x86 & ARM Architectures 06-05-2014 Anababa x86, ARM N/A
6 Here Be Dragons: Vulnerabilities in TrustZone 15-08-2014 Nathan Keltner ARM N/A
7 Intel® Software Guard Extensions (SGX): A Researcher’s Primer 05-01-2015 Ollie Whitehouse - N/A
8 Xen SMEP (and SMAP) bypass 09-04-2015 Aaron Adams XEN N/A
9 Intel SGX Enclave Support in Windows 10 Fall Update (Threshold 2) 08-11-2015 Alex Ionescu Windows 10 N/A
10 Visual Studio 2015 Update 1: New Experimental Feature – MPX 20-01-2016 Jim Hogg Windows N/A

Specific mitigations

Nr URL Description Date Author OS/Arch Info
1 Microsoft Windows 8.1 Kernel Patch Protection Analysis & Attack Vectors 17-08-2014 Mark Ermolov, Artem Shishkin Windows 8.1 N/A
2 The Windows 8.1 Kernel Patch Protection 24-08-2014 Andrea Allievi Windows 8.1 N/A
3 Using ASAN as a protection 25-09-2014 Chris Evans - N/A
4 Mitigations Available for the DRAM Row Hammer Vulnerability 09-03-2015 Omar Santos - N/A
5 Three bypasses and a fix for one of Flash's Vector.<*> mitigations 19-08-2015 Chris Evans - N/A
6 Linux Kernel BPF JIT Spraying 03-05-2016 spender Linux N/A
7 PaX: reference count overflow mitigation can be bypassed on x86 by racing 27-06-2016 jannh Linux N/A
8 Breaking the Chain 29-11-2016 James Forshaw Windows N/A

Other exploitation obstacles

Non-compiler, OS, or hardware enforced exploitation difficulties.

Nr URL Description Date Author OS/Arch Info
1 Exploit writing tutorial part 7 : Unicode – from 0×00410041 to calc 06-11-2009 corelanc0d3r Windows, x86-32 OSVDB-66912
2 Windows Buffer Overflow Tutorial: Dealing with Character Translation 17-01-2010 Stephen Bradshaw Windows, x86-32 OSVDB-59772
3 Ken Ward Zipper Stack BOF 0day – a not so typical SEH exploit 18-03-2010 corelanc0d3r Windows, x86-32 OSVDB-63125
4 Exploiting Ken Ward Zipper : Taking advantage of payload conversion 27-03-2010 Tutorial Windows, x86-32 N/A
5 QuickZip Stack BOF 0day: a box of chocolates (2 parts) 27-03-2010 corelanc0d3r Windows, x86-32 N/A
6 Unicode, the magic of exploiting 0×00410041 29-05-2010 mr_me Windows, x86-32 CVE-2009-2225
7 Winamp 5.58 from Denial of Service to Code Execution 20-10-2010 muts Windows, x86-32 OSVDB-68645
8 Winamp 5.58 from Denial of Service to Code Execution Part 2 02-11-2010 muts Windows, x86-32 OSVDB-68645
9 Metasploit Bounty – the Good, the Bad and the Ugly 27-07-2011 Lincoln Windows, x86-32 OSVDB-72817

results matching ""

    No results matching ""