From Chaos to Control: A Modern Approach to UAF Attack Detection

Nader Ammari

BSides Seattle 2026 · Day 1 · Track 1

Ammari, a product security researcher at Microsoft and co-director at the University of Montreal, presented a three-year research project developing a novel dynamic detection method for **use-after-free (UAF)** vulnerabilities. The approach instruments target binaries using Frida, hooks all deallocation functions, scans thread stacks for dangling pointers, confirms their stability over time, and unwinds the stack to identify which functions own those pointers. The method was demonstrated against custom test binaries and Chromium, where it was scaled to monitor tens of thousands of free symbols simultaneously, with AI-generated HTML used to trigger deallocation behaviors.
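The record-scan-confirm core of that method, as an added example in C that is not code from the talk: a hypothetical free() hook records freed ranges, a scan over a constructed snapshot of pointer-sized stack words flags values that point into those ranges, and a second snapshot confirms the pointer is stable rather than transient before anything is handed to the unwinder. The names tracked_free, scan_snapshot and confirm_stable and the snapshots are assumptions; the real tool hooks via Frida and reads live thread stacks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define MAX_FREED 64

/* Freed-chunk table filled by the hooked deallocator. */
typedef struct { uintptr_t start, end; } Range;
static Range freed[MAX_FREED];
static size_t nfreed = 0;
/* Hooked free(): record [p, p+size) before releasing. A real hook reads the
   size from allocator metadata and drops the range once the chunk is reused. */
void tracked_free(void *p, size_t size) {
    if (p && nfreed < MAX_FREED)
        freed[nfreed++] = (Range){ (uintptr_t)p, (uintptr_t)p + size };
    free(p);
}
static bool points_into_freed(uintptr_t v) {
    for (size_t i = 0; i < nfreed; i++)
        if (v >= freed[i].start && v < freed[i].end) return true;
    return false;
}
/* Pass 1: scan a snapshot of pointer-sized stack words; return the slot
   indices whose value lies inside a freed chunk. */
size_t scan_snapshot(const uintptr_t *words, size_t n, size_t *hits, size_t max) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (points_into_freed(words[i]) && count < max) hits[count++] = i;
    return count;
}
/* Pass 2: keep a hit only if the same dangling value sits in the same slot in
   a later snapshot; transient values drop out. Confirmed slots go to the unwinder. */
size_t confirm_stable(const uintptr_t *snap1, const uintptr_t *snap2, size_t n) {
    size_t confirmed = 0;
    for (size_t i = 0; i < n; i++)
        if (snap1[i] == snap2[i] && points_into_freed(snap1[i])) confirmed++;
    return confirmed;
}

/* Constructed scenario: slot 1 keeps a pointer to a freed 32-byte chunk across
   two snapshots; slot 2 holds a changing scratch value. Returns confirmed hits. */
size_t demo(void) {
    void *chunk = malloc(32);
    uintptr_t snap1[4] = { 0, (uintptr_t)chunk, 0x1000, 0 };
    tracked_free(chunk, 32);
    uintptr_t snap2[4] = { 0, (uintptr_t)chunk, 0x2000, 0 };
    size_t hits[4], n = scan_snapshot(snap1, 4, hits, 4); /* 1 hit, slot 1 */
    return n == 1 && hits[0] == 1 ? confirm_stable(snap1, snap2, 4) : 0;
}
```

The stability check is what separates a real dangling pointer from a stale word left behind by an earlier frame; the page's own caveat about ownership transfer is the next filter a practitioner would add.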

AI review

Original vulnerability research presenting a novel UAF detection method that instruments binaries via Frida, hooks deallocators, scans thread stacks for dangling pointers, and unwinds the stack to identify owning functions. Successfully demonstrated against Chromium at scale (46K+ free symbols) with one confirmed true positive. The candid disclosure of the two-year-old assumption flaw (ownership transfer) and the angr-based forward strategy show genuine research integrity. This is real VR work with a path to CVEs.
