Security analysis of AIxCC Nginx with CHERI

All work stated in this blogpost, including the porting of AIxCC Nginx to CHERI and the analysis of CPVs, was done solely by me, but I based my port on the existing Nginx CHERI port. I’d like to thank Prof Robert Watson for providing extensive reviews of the contents of this blogpost. I wrote this post a long time ago but I never had the chance to publish it. Someone pinged me and I decided to finally make this publicly available. This is a bit different to my other blogposts: it has a more academic tone and has a focus on CHERI. The analysis of temporal safety bugs is repeated in my other blogpost, the difference being that the focus of this blogpost is CHERI (a hardware memory safety mitigation, see more details at https://cheri-alliance.org/). ...

November 14, 2025 · 33 min · RoundofThree

Exploitation of AIxCC Nginx bugs: Part I

This blog post will analyse the exploitability of the temporal safety vulnerabilities in Nginx AIxCC. AIxCC is a DARPA competition to find vulnerabilities in codebases using AI. The competitors are not looking for 0-days but rather for vulnerabilities intentionally added to existing codebases. One of these codebases was Nginx, in the semifinals, which already took place. In this blog post, I will focus instead on whether these added vulnerabilities can be exploited to achieve more than just crashes. ...

February 5, 2025 · 27 min · RoundofThree