Attacker Control and Bug Prioritization

Guilhem Lacombe, Sébastien Bardin

TL;DR

The paper tackles the need for fine-grained bug prioritization by formalizing attacker control over vulnerability parameters through Domains of Control (DoC) and introducing Shrink and Split to extract DoC from path constraints. It defines a spectrum of control metrics—Weak Control, Strong Control, Quantitative Control, and Weighted Quantitative Control—to capture threat-model nuances and uses a binary-level symbolic execution framework for scalable analysis. Empirical results on real-world and Magma-based benchmarks show that DoC-based scoring provides more precise exploitability assessments than CVSS or plain quantitative information flow, enabling clearer prioritization and even correcting prior human judgments. The work thus advances automated, end-to-end exploitability evaluation with practical implications for prioritization pipelines and security tooling.

Abstract

As bug-finding methods improve, bug-fixing capabilities are exceeded, resulting in an accumulation of potential vulnerabilities. There is thus a need for efficient and precise bug prioritization based on exploitability. In this work, we explore the notion of control of an attacker over a vulnerability's parameters, which is an often overlooked factor of exploitability. We show that taint as well as straightforward qualitative and quantitative notions of control are not enough to effectively differentiate vulnerabilities. Instead, we propose to focus analysis on feasible value sets, which we call domains of control, in order to better take into account threat models and expert insight. Our new Shrink and Split algorithm efficiently extracts domains of control from path constraints obtained with symbolic execution and renders them in an easily processed, human-readable form. This in turn makes it possible to automatically compute more complex control metrics, such as weighted Quantitative Control, which factors in the varying threat levels of different values. Experiments show that our method is both efficient and precise. In particular, it is the only one able to distinguish between vulnerabilities such as CVE-2019-14192 and CVE-2022-30552, while revealing a mistake in the human evaluation of CVE-2022-30790. The high degree of automation of our tool also brings us closer to a fully-automated evaluation pipeline.

Paper Structure

This paper contains 35 sections, 8 theorems, 6 equations, 8 figures, 13 tables, 5 algorithms.

Key Result

Proposition 1

Strong control is stronger than Weak control, i.e., for any program $P$ and target $(l,v)$, $SC(v,l) \Rightarrow WC(v,l)$.

Figures (8)

  • Figure 1: Precision of domains of control with S&S compared to other applicable algorithms
  • Figure 2: Examples of approximate results with S&S
  • Figure 3: Precision of quantitative control with S&S compared to model counters
  • Figure 4: Domains of control for the OOB vulnerabilities
  • Figure 5: OOB capability scores for the Magma bugs
  • ...and 3 more figures

Theorems & Definitions (13)

  • Definition 1: Domain of Control
  • Definition 2: Weak Control (WC)
  • Definition 3: Strong Control (SC)
  • Proposition 1
  • Definition 4: Quantitative Control (QC)
  • Proposition 2
  • Proposition 3
  • Definition 5: Weighted Quantitative Control (wQC)
  • Proposition 4
  • Proposition 5: Taint is limited for control evaluation
  • ...and 3 more