Salvato in:
Dettagli Bibliografici
Autori principali: Nguyen, Minh-Luân, Levillain, Olivier, Malka, Julien, Zacchiroli, Stefano, Zimmermann, Théo
Natura: Preprint
Pubblicazione: 2026
Soggetti:
Accesso online:https://arxiv.org/abs/2606.00625
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866916070518947840
author Nguyen, Minh-Luân
Levillain, Olivier
Malka, Julien
Zacchiroli, Stefano
Zimmermann, Théo
author_facet Nguyen, Minh-Luân
Levillain, Olivier
Malka, Julien
Zacchiroli, Stefano
Zimmermann, Théo
contents Reproducing software vulnerabilities is fundamental to security researchers, open-source maintainers, and educators. Yet, vulnerabilities remain hard to reproduce today, and even when they can be reproduced, recreating a software environment where the vulnerability can be exploited becomes harder and harder over time. We present NICE, the NIx CvE reproduction framework, which uses declarative recipes to build and automatically validate vulnerable environments. In NICE, a reproduced CVE comprises one or more NixOS virtual machine configurations, a scripted exploitation scenario, and machine-checkable assertions that provide factual evidence of exploitation. This design facilitates sharing, validation, review, and long-term reproducibility. We evaluate NICE on 19 diverse real-world CVEs spanning multiple CWE categories, attack vectors, and target types (user-space, system software, kernel, and graphical applications). We show that NICE allows to produce concise recipes and integration tests that reproduce vulnerable environments and provide proofs of exploitation. NICE is applicable to security education and training (e.g., creating cyber ranges), but also to vulnerability reporting, where its reproducibility and reviewability properties can make reports easier to audit and verify.
format Preprint
id arxiv_https___arxiv_org_abs_2606_00625
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle NICE: A Framework for Declarative and Machine-Checkable Vulnerability Reproduction
Nguyen, Minh-Luân
Levillain, Olivier
Malka, Julien
Zacchiroli, Stefano
Zimmermann, Théo
Cryptography and Security
Reproducing software vulnerabilities is fundamental to security researchers, open-source maintainers, and educators. Yet, vulnerabilities remain hard to reproduce today, and even when they can be reproduced, recreating a software environment where the vulnerability can be exploited becomes harder and harder over time. We present NICE, the NIx CvE reproduction framework, which uses declarative recipes to build and automatically validate vulnerable environments. In NICE, a reproduced CVE comprises one or more NixOS virtual machine configurations, a scripted exploitation scenario, and machine-checkable assertions that provide factual evidence of exploitation. This design facilitates sharing, validation, review, and long-term reproducibility. We evaluate NICE on 19 diverse real-world CVEs spanning multiple CWE categories, attack vectors, and target types (user-space, system software, kernel, and graphical applications). We show that NICE allows to produce concise recipes and integration tests that reproduce vulnerable environments and provide proofs of exploitation. NICE is applicable to security education and training (e.g., creating cyber ranges), but also to vulnerability reporting, where its reproducibility and reviewability properties can make reports easier to audit and verify.
title NICE: A Framework for Declarative and Machine-Checkable Vulnerability Reproduction
topic Cryptography and Security
url https://arxiv.org/abs/2606.00625