Next Article in Journal
Progressive Feature Reconstruction and Fusion to Accelerate MRI Imaging: Exploring Insights across Low, Mid, and High-Order Dimensions
Next Article in Special Issue
Multi-Relation Extraction for Cybersecurity Based on Ontology Rule-Enhanced Prompt Learning
Previous Article in Journal
A Light-Weighted Machine Learning Approach to Channel Estimation for New-Radio Systems
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Electronics
Volume 12
Issue 23
10.3390/electronics12234741
Review Report
electronics-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
Article
Peer-Review Record

Fine-Grained Modeling of ROP Vulnerability Exploitation Process under Stack Overflow Based on Petri Nets

Electronics 2023, 12(23), 4741; https://doi.org/10.3390/electronics12234741
by Liumei Zhang 1,*, Wei Zhang 1, Yichuan Wang 2,3, Bowen Xia 1 and Yu Han 2
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Electronics 2023, 12(23), 4741; https://doi.org/10.3390/electronics12234741
Submission received: 23 October 2023 / Revised: 17 November 2023 / Accepted: 21 November 2023 / Published: 22 November 2023
(This article belongs to the Special Issue New Insights in Cybersecurity of Information Systems)

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The paper introduces an innovative approach to modeling and analyzing stack buffer overflow vulnerabilities using Petri Nets, demonstrating promising results in terms of simulation and effectiveness, particularly in cases with Position Independent Executable (PIE) protection. These findings may have implications for improving vulnerability detection and mitigation techniques. However, there are minor issues with the paper, including the following:

- Some tools and software packages that are not widely known require citations (e.g., CTF and CVE programs and Zeratool), as well as brief descriptions when first mentioned. A couple of sentences introducing Zeratool are warranted, especially since it was used as a vulnerability exploitation tool.

- It is important to discuss the limitations of the methodology used in this study and the results of the study. This helps provide a well-rounded view of the research and its potential constraints.

- There are language problems related to sentence structure and awkward expressions (e.g., "Although fuzz testing techniques have helped us automate the discovery of program vulnerabilities..."). There are typos throughout the paper (e.g., "Liu Z[25] et al."). Furthermore, there are inconsistencies in capitalization, such as "Ret" versus "ret." Abbreviations should be defined when first introduced (e.g., CTF and ROP). When introducing terms like "ret to libc" and "ret to csu," please provide brief explanations or definitions for these terms within the text or in a glossary or acronym list. 

Comments on the Quality of English Language

Please refer to my earlier feedback regarding English language issues.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

Comments and Suggestions for Authors

1.       The list of references is outdated. Just two publications are found of the last two years. Moreover, one of these publications is conference proceedings. Journal publications are advised to be cited. More journal publications of the last two years are needed.

2.        we introduce the stack buffer overflow vulnerability”. You are advised to write “we consider the stack buffer overflow vulnerability

3.       “There are solutions [9–13] specifically tailored to heap-related vulnerabilities and those [14–17] designed for addressing format string vulnerabilities.” You have to consider the relation of the mentioned vulnerabilities to the buffer overflow that it is usually stack-based rather than heap-based.

4.       Review of related is a very short. No research achievements in the field of buffer overflow are revealed. Moreover, this section includes background information on Petri nets, which is not recommended to be present here.

5.       on the ret to libc and ret to csu vulnerability exploitation methods.” The references are recommended for this statement.

6.       from various exploitation methods”. Could you name and cite these exploitation methods?

7.       Tina tool”. Reference is needed.

8.       Sections Three and Four” must be “Sections 3 and 4”.

9.       “angr framework, and dynamic analysis is carried out using radare2.”. References are needed.

10.   “which can be found on CTFTime”. Reference is needed.

11.   I did not find an evidence for the following statement of the abstract “This method provides a reference for rapidly constructing exploitation implementations.” in the body of the manuscript.

Comments on the Quality of English Language

Minor editing of English language is required

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Round 2

Reviewer 2 Report

Comments and Suggestions for Authors

1.       “HUANG, J.z.; HU, J.s.; LIAO, Y.; CHAI, R.w. Detection method of program buffer overflow based on Petri Net. Journal of Computer Applications 2005, 25, 1219.”

a.       You have broken consistency of the presentation of the references, since the surnames of the authors are presented in capital letters.

b.       The publication is outdated. You are advised not to cite this publication.

Comments on the Quality of English Language

Minor editing of English language is required

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Back to TopTop