Binary Exploitation Index Purpose This branch covers memory-corruption vulnerabilities, exploit development, and the mitigation arms race at the binary level — the layer below web/API/cloud security where C, C++, unsafe-Rust, kernel, and JIT-compiler code lives. AD compromise terminates at Tier 0 (Identity and Active Directory); web compromise terminates at the database or the cloud control plane (Web Security); binary compromise terminates at the CPU's instruction pointer, which is why this branch is the deepest in the vault by ladder distance from the source code. Use Reference Registry — Binary Exploitation as the source of truth for references in this branch. Return to Cybersecurity Index for root navigation across branches. Before this branch: - Foundations (Phase 0). - C/C++ programming literacy. This branch assumes the reader can read C code, has a working mental model of stack frames and heap allocation, and is comfortable with a debugger (gdb / lldb / WinDbg). If not, work through the relevant sections of Practical Binary Analysis or OpenSecurityTraining's x86 / OS internals courses first. - Linux + x86-64 baseline. Most labs target Linux on x86-64. Concepts transfer to ARM/macOS/Windows with notational differences; aarch64 + macOS + Windows specifics are called out per-note. - Pair every offensive note with Detection Engineering thinking. Exploit research is fascinating; binary defenses are the half that ships the world's software. Branch positioning This branch sits in Phase 4 — Specialty tracks by roadmap-v2 classification: read it when binary-level work is part of your job context (vulnerability researcher, exploit developer, security engineer for low-level systems, CTF pwn-category competitor, security-tooling author, kernel maintainer). It is the most technically demanding branch in the vault — the prerequisites are real, and skipping them produces frustration rather than learning. See Phase 4 — Specialty Tracks for context (Track F). Recommended learning order First-pass core (4 notes — the branch's foundation) memory-corruption — the root concept and the 6-class taxonomy (stack overflow / heap overflow / use-after-free / double-free / out-of-bounds read / integer overflow). Read first; the rest of the branch is specializations of this note. stack-buffer-overflow — the canonical worked example of class 1. The deep-dive that introduces stack layout, return-address control, and the cost-stack of mitigations. exploit-mitigations — the defender-pair note. The 6-family mitigation landscape (stack canaries / DEP / ASLR / CFI / memory tagging / sandboxing) and the bypass class each family forces. Reading this after #2 makes the "modern exploitation requires a chain" claim concrete; reading it before #4 frames the technique #4 covers. rop-and-ret2libc — the technique deep-dive. Why DEP was the wrong mitigation, how chained code-reuse defeated it, the 5 variants (ret2libc / classic ROP / JOP-COP / SROP / data-only attacks), and why CET + PAC + CFI exist. Read in order. After all four, you have the offense/defense pair and the technique that defines modern exploitation. Every later note in the branch is a specialization of these four. Suggested future atomic notes (the branch's roadmap) The cluster mass that justifies opening this branch was 5 audited gap notes plus a deep future-work backlog. The Phase-4 entry conditions are met with the two starter notes; the depth-build below is the planned expansion. Memory-corruption sub-classes (one per row of the memory-corruption taxonomy): - heap-buffer-overflow-and-allocator-exploitation — class 2: ptmalloc / tcmalloc / mimalloc / segment heap. - use-after-free-and-dangling-pointers — class 3: the dominant browser-exploit primitive. - double-free-and-allocator-corruption — class 4: House-of-* lineage. - out-of-bounds-read-and-info-leaks — class 5: Heartbleed pattern, info-leak primitives. - integer-overflow-and-type-confusion — class 6: the canonical cause of allocation-size bugs. Exploitation techniques: - aslr-pie-and-info-leak-chains — defeating address-space layout randomization. - format-string-bugs — the canonical info-leak primitive paired with stack overflows. - off-by-one-and-frame-pointer-overwrite — the subtle stack-corruption variant. - got-and-plt-abuse — control-flow hijacking via dynamic-linking primitives. - srop-and-sigreturn-oriented-programming — the CET-bypassing successor to classic ROP. - jop-cop-and-data-only-attacks — the modern bypass classes for indirect-branch-protected systems. - stack-pivots-and-large-rop-chains — small-buffer / heap-located-chain patterns. - one-gadget-and-libc-shortcuts — practical exploit-development on the libc side. - pwntools-exploit-development-patterns — the toolkit practice note. Mitigations (deep dives below the top-level mitigation note): - stack-canaries-and-shadow-stacks — SSP + Intel CET shadow stack + ARM PAC. - arm-mte-and-memory-tagging — the hardware approach to memory safety. - control-flow-integrity-cfi — the indirect-branch protection layer. - cet-and-shadow-stacks-in-depth — the architectural defeat of pure ROP. - partitionalloc-and-miracleptr — allocator hardening case study. - meltdown-spectre-and-side-channel-mitigations — speculative-execution mitigation family. Reverse engineering and discovery: - elf-binary-format — the executable format every Linux exploitation note assumes. - reverse-engineering-loop — the iterative behavior-discovery methodology. - fuzzing-with-libfuzzer-and-afl — coverage-guided fuzzing. - sanitizers-asan-msan-ubsan — the runtime-detection toolkit. - dynamic-linking-and-got-plt — the modern dynamic-linker landscape. - symbolic-execution-and-angr — automated reasoning about binary control flow. Defender pair: - detect-memory-corruption-exploitation — the SOC / EDR-side playbook pair. Cross-links to other branches Windows Privilege Escalation — kernel memory corruption is one of the listed Windows privesc primitives; the branches intersect at kernel exploitation. AEAD and nonce misuse — memory corruption that leaks AEAD nonces destroys cryptographic security; the branches intersect at side-channel and key-extraction territory. EDR / process correlation — modern memory-corruption exploits leave EDR-visible signals; this is the defender-pair branch. Behavioral vs Signature Detection — exploitation detection is purely behavioral (control-flow anomalies, unusual VirtualProtect, ROP gadget patterns); there are no useful exploit signatures at the bug-class layer. CIA triad — memory corruption is usually an integrity breach enabling further breaches; the framing matters for incident classification. Attacker-Defender Duality — exploit research and mitigation engineering are the same field viewed from opposite chairs; the duality is especially clean in this branch. Branch maintenance notes Every note in this branch follows the 11-section atomic-note template. Modern binary exploitation requires composing multiple primitives across multiple mitigations. Notes should explicitly call out which mitigations defeat the simple version of an attack and what additional primitives are needed for the modern version. The defender pair for this branch lives substantially in Detection Engineering (process-tree behavior, ROP detection, VirtualProtect anomalies) and in this branch's own exploit-mitigations family (compile-time + hardware defenses). Branch was opened on 2026-05-11 with 2 starter notes after the GPT-30 audit identified the 5-note cluster mass. New binary-exploitation-specific notes land directly here. Source genealogy: this branch's primary sources are Practical Binary Analysis (Andriesse, No Starch 2018), LiveOverflow's binary exploitation playlist, Low Level YouTube channel, OpenSecurityTraining (especially the x86 / Intermediate x86 / RE courses), and Dayzerosec's vulnerability-research content. Future expansion: when the cluster of WebAssembly / JIT / VM-corruption notes reaches mass, a sibling cybersecurity/jit-and-vm-exploitation/ may split off. Similarly, kernel-specific exploitation may eventually warrant its own branch.