Fine-Grained Modeling of ROP Vulnerability Exploitation Process under Stack Overflow Based on Petri Nets
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
The paper introduces an innovative approach to modeling and analyzing stack buffer overflow vulnerabilities using Petri Nets, demonstrating promising results in terms of simulation and effectiveness, particularly in cases with Position Independent Executable (PIE) protection. These findings may have implications for improving vulnerability detection and mitigation techniques. However, there are minor issues with the paper, including the following:
- Some tools and software packages that are not widely known require citations (e.g., CTF and CVE programs and Zeratool), as well as brief descriptions when first mentioned. A couple of sentences introducing Zeratool are warranted, especially since it was used as a vulnerability exploitation tool.
- It is important to discuss the limitations of the methodology used in this study and the results of the study. This helps provide a well-rounded view of the research and its potential constraints.
- There are language problems related to sentence structure and awkward expressions (e.g., "Although fuzz testing techniques have helped us automate the discovery of program vulnerabilities..."). There are typos throughout the paper (e.g., "Liu Z[25] et al."). Furthermore, there are inconsistencies in capitalization, such as "Ret" versus "ret." Abbreviations should be defined when first introduced (e.g., CTF and ROP). When introducing terms like "ret to libc" and "ret to csu," please provide brief explanations or definitions for these terms within the text or in a glossary or acronym list.
Comments on the Quality of English Language
Please refer to my earlier feedback regarding English language issues.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Reviewer 2 Report
Comments and Suggestions for Authors
1. The list of references is outdated. Only two publications from the last two years are found. Moreover, one of these publications is in conference proceedings. Journal publications are advised to be cited. More journal publications from the last two years are needed.
2. “we introduce the stack buffer overflow vulnerability”. You are advised to write “we consider the stack buffer overflow vulnerability”
3. “There are solutions [9–13] specifically tailored to heap-related vulnerabilities and those [14–17] designed for addressing format string vulnerabilities.” You have to consider the relation of the mentioned vulnerabilities to buffer overflow, which is usually stack-based rather than heap-based.
4. The review of related work is very short. No research achievements in the field of buffer overflow are revealed. Moreover, this section includes background information on Petri nets, which is not recommended here.
5. “on the ret to libc and ret to csu vulnerability exploitation methods.” The references are recommended for this statement.
6. “from various exploitation methods”. Could you name and cite these exploitation methods?
7. “Tina tool”. Reference is needed.
8. “Sections Three and Four” must be “Sections 3 and 4”.
9. “angr framework, and dynamic analysis is carried out using radare2.”. References are needed.
10. “which can be found on CTFTime”. Reference is needed.
11. I did not find evidence in the body of the manuscript for the following statement of the abstract: “This method provides a reference for rapidly constructing exploitation implementations.”
Comments on the Quality of English Language
Minor editing of English language is required
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Round 2
Reviewer 2 Report
Comments and Suggestions for Authors
1. “HUANG, J.z.; HU, J.s.; LIAO, Y.; CHAI, R.w. Detection method of program buffer overflow based on Petri Net. Journal of Computer Applications 2005, 25, 1219.”
a. You have broken the consistency of the presentation of the references, since the surnames of the authors are given in capital letters.
b. The publication is outdated. You are advised not to cite this publication.
Comments on the Quality of English Language
Minor editing of English language is required
Author Response
Please see the attachment.
Author Response File: Author Response.pdf