Acidus wrote:

In the automatic patch-based exploit generation problem, we are given two versions of the same program P and P' where P' fixes an unknown vulnerability in P. The goal is to generate an exploit for P for the vulnerability fixed in P'. More formally, we are given a safety policy F, and the programs P and P'. The purpose of F is to encode what constitutes an exploit. Our goal is to generate an input x such that F(P(x)) = unsafe, but F(P′(x)) = safe.

... ... !!!

There is something humbling about seeing hours work (reading the Microsoft security bulletin, using IDA and BinDiff, discovering the security changes, performing the needed "magic" like unicode evasion, no null's etc) reduced to a math equation.

Well well well....I've seen this discussed before, but never in an academic paper. I believe this paper to be dubious at best for multiple reasons, but I'll only list a few here

1) As they state in their first paragraph, it doesn't cover all threats, and I believe it covers less than they think
Proprietary network protocols, amongst other things

2) The times of generic exploit writing are coming to an end. Exploitation will be on a more application to application base.
ASLR, stack cookies, NX.

3) A PoC/Crash ISN'T an exploit in my opinion.
Botnets aren't formed on the concept of crashing IE.

4) Modern threats such as the Slammer worm have empirically demonstrated that once an exploit is available, most vulnerable hosts can be compromised in minutes [27]
Hello 2003, my name is 2008, it sure is a pleasure to meet you

RE: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications