The automatic exploit generation challenge we address is given a program, automatically find security-critical bugs and generate exploits. Our approach uses a novel formal verification technique called preconditioned symbolic execution to make automatic exploit generation more scalable to real-world programs than without it. We implemented our techniques in a system called AEG, which we use to automatically generate 16 exploits for 14 open-source projects. Two of the generated exploits are against previously unknown vulnerabilities.
They don't explain in the videos how an ordinary user is able to get a root shell via the exploit. Do all of the examples require a binary to be setuid in order to work?
Yes, in control flow hijacking exploits like these ones, you make a given process execute external code (typically a shellcode, i.e. a small piece of code which launches a shell). Any code executed this way runs with the UID of the original process, so a setuid root program is needed to get a root shell.
Leading paragraph on the abstract:
The automatic exploit generation challenge we address is given a program, automatically find security-critical bugs and generate exploits. Our approach uses a novel formal verification technique called preconditioned symbolic execution to make automatic exploit generation more scalable to real-world programs than without it. We implemented our techniques in a system called AEG, which we use to automatically generate 16 exploits for 14 open-source projects. Two of the generated exploits are against previously unknown vulnerabilities.
They have a pretty sweet video of some runs.