A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge

Similar documents
Modern Binary Exploitation Course Syllabus

Machine vs. Machine: Lessons from the First Year of Cyber Grand Challenge. Approved for Public Release, Distribution Unlimited

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Exploiting Trustzone on Android

Leak Check Version 2.1 for Linux TM

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Bypassing Memory Protections: The Future of Exploitation

Advanced Internet Security

MSc Computer Science Dissertation

Unix Security Technologies: Host Security Tools. Peter Markowsky <peterm[at]ccs.neu.edu>

Transparent Monitoring of a Process Self in a Virtual Environment

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

(State of) The Art of War: Offensive Techniques in Binary Analysis

Kernel Intrusion Detection System

protocol fuzzing past, present, future

EECS 354 Network Security. Introduction

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

How To Protect Your Computer From Being Hacked By A Hacker (For A Fee)

Security & Exploitation

Bypassing Browser Memory Protections in Windows Vista

Guide for Designing Cyber Security Exercises

CS Computer Security Thirteenth topic: System attacks. defenses

Custom Penetration Testing

Performance Testing of a Cloud Service

Adaptive Cruise Control System Overview

Vulnerability Assessment and Penetration Testing

Exceptions in MIPS. know the exception mechanism in MIPS be able to write a simple exception handler for a MIPS machine

Defense in Depth: Protecting Against Zero-Day Attacks

HOW I MET YOUR MODEM EXPLOIT & TROJAN DEV FOR CONSUMER DSL DEVICES HACK IN THE BOX 2013 AMSTERDAM - PETER GEISSLER & STEVEN KETELAAR

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

Betriebssysteme KU Security

ERNW Newsletter 51 / September 2015

Hardware Assisted Virtualization

Enterprise-Class Virtualization with Open Source Technologies

An Introduction to Assembly Programming with the ARM 32-bit Processor Family

Notable Changes to NERC Reliability Standard CIP-010-3

CSC 2405: Computer Systems II

Valgrind BoF Ideas, new features and directions

Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

Windows XP SP3 Registry Handling Buffer Overflow

Project: Simulated Encrypted File System (SEFS)

Compromise-as-a-Service

Jonathan Worthington Scarborough Linux User Group

telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012

BladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture

Open-source Versus Commercial Software: A Quantitative Comparison

1 Classical Universal Computer 3

Virtual Servers. Virtual machines. Virtualization. Design of IBM s VM. Virtual machine systems can give everyone the OS (and hardware) that they want.

Testing for Security

Social Engineering & How to Counteract Advanced Attacks. Ralph Massaro, VP of Sales Wombat Security Technologies, Inc.

Software Vulnerabilities

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

The Advantages of Block-Based Protocol Analysis for Security Testing

Oracle Solaris Studio Code Analyzer

Automated Repair of Binary and Assembly Programs for Cooperating Embedded Devices

OWASP Spain Barcelona 2014

Buffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015

Republic Polytechnic School of Information and Communications Technology C226 Operating System Concepts. Module Curriculum

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

For a 64-bit system. I - Presentation Of The Shellcode

The Hacker Strategy. Dave Aitel Security Research

Computer Security SEGC-00 - Overview

Virtuozzo Virtualization SDK

EVTXtract. Recovering EVTX Records from Unallocated Space PRESENTED BY: Willi Ballenthin OCT 6, Mandiant Corporation. All rights reserved.

Fuzzing in Microsoft and FuzzGuru framework

Source Code Review Using Static Analysis Tools

64-Bit NASM Notes. Invoking 64-Bit NASM

Informatica e Sistemi in Tempo Reale

Outline. hardware components programming environments. installing Python executing Python code. decimal and binary notations running Sage

Xen and XenServer Storage Performance

Integrating VoltDB with Hadoop

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

From SQL Injection to MIPS Overflows

A Catalogue of the Steiner Triple Systems of Order 19

How To Write Portable Programs In C

Peach Fuzzer Platform

Hacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) Twitter: Dave_ReL1K

Central Processing Unit Simulation Version v2.5 (July 2005) Charles André University Nice-Sophia Antipolis

A Comparative Study on Vega-HTTP & Popular Open-source Web-servers

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

Microsoft Research Windows Azure for Research Training

Keil C51 Cross Compiler

Operating System Components

COS 318: Operating Systems

CS3210: Crash consistency. Taesoo Kim

Transcription:

A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge Antonio Bianchi antoniob@cs.ucsb.edu University of California, Santa Barbara HITCON Enterprise August 27th, 2015

Agenda Shellphish The DARPA Cyber Grand Challenge Shellphish s Cyber Reasoning System Automatic Vulnerability Discovery Angr Live demonstration! Towards the Cyber Grand Challenge Finals 3

Agenda Shellphish The DARPA Cyber Grand Challenge Shellphish s Cyber Reasoning System Automatic Vulnerability Discovery Angr Live demonstration! Towards the Cyber Grand Challenge Finals 4

Shellphish Who are we? a team of security enthusiasts do research in system security play Capture the Flag competitions 5

Shellphish Started (in 2004) at: SecLab: University of California, Santa Barbara 6

Shellphish expanded to: Northeastern University: Boston Eurecom: France... 7

CTF competitions Security competitions Different challenges exploit a vulnerable service exploit a vulnerable website reversing a binary Different formats Jeopardy Attack-Defense Online Live 8

Shellphish 9

Shellphish We do not only play CTFs We also organize them! UCSB ictf Attack-Defense format every year, since 2002! References: http://ictf.cs.ucsb.edu https://github.com/ucsb-seclab/ictf-framework Vigna, et al., "Ten years of ictf: The good, the bad, and the ugly." 3GSE, 2014. 10

Shellphish If you want to know more about Shellphish: Attend the talk of my colleague : Yan Shoshitaishvili Saturday, August 29th (14:20 15:10) HITCON Community 11

Agenda Shellphish The DARPA Cyber Grand Challenge Shellphish s Cyber Reasoning System Automatic Vulnerability Discovery Angr Live-demonstration! Towards the Cyber Grand Challenge Finals 12

Cyber Grand Challenge (CGC) 2004: 2014: DARPA Grand Cyber Challenge Grand Challenge Autonomous vehicles hacking! 13

Cyber Grand Challenge (CGC) Started in 2014 Qualification event: June 3rd, 2015, online ~70 teams 7 qualified teams Final event: August 4th, 2016 @ DEFCON (Las Vegas) 14

CGC Rules Attack-Defense CTF No human intervention Develops a system that automatically Exploit vulnerabilities in binaries Patch binaries, removing the vulnerabilities 15

CGC Qualification Event Rules Every team has to: Generate exploits an input to a binary the binary crashes (invalid memory access) encoded as a list of recv/send/ operations Patch binaries fix the vulnerabilities preserve the original binary s functionality performance impact is evaluated CPU time, memory consumption, disk space 16

CGC Qualification Event Rules Architecture: Intel x86, 32bit Operating System: DECREE Linux-like only 7 syscalls terminate (exit) transmit (write) receive (read) fdwait (select) allocate (mmap) deallocate (munmap) random no signal handling, no not-executable stack, no ASLR, DECREE VM standard Linux ELF binaries CGC binaries 17

Agenda Shellphish The DARPA Cyber Grand Challenge Shellphish s Cyber Reasoning System Automatic Vulnerability Discovery Angr Live demonstration! Towards the Cyber Grand Challenge Finals 18

Shellphish CRS exploit vulnerable binary Cyber Reasoning System patched binary 19

Shellphish CRS Automatic Vulnerability Finding proposed exploits Shellphish CRS exploit vulnerable binary Automatic Patching proposed patches Automatic Testing patched binary 20

Agenda Shellphish The DARPA Cyber Grand Challenge Shellphish s Cyber Reasoning System Automatic Vulnerability Discovery Angr Live demonstration! Towards the Cyber Grand Challenge Finals 21

Automatic Vulnerability Discovery How do I crash a binary? How do I trigger a condition X in a binary? Dynamic Analysis/Fuzzing Symbolic Execution 22

Dynamic Analysis/Fuzzing How do I trigger the condition: You win! is printed? x = int(input()) if x >= 10: if x < 100: print "You win!" else: print "You lose!" else: print "You lose!" 23

Dynamic Analysis/Fuzzing How do I trigger the condition: You win! is printed? x = int(input()) if x >= 10: if x < 100: print "You win!" else: print "You lose!" else: print "You lose!" Try 1 You lose! Try 2 You lose! Try 10 You win! 24

Dynamic Analysis/Fuzzing How do I trigger the condition: You win! is printed? x = int(input()) if x >= 10: if x == 123456789012: print "You win!" else: print "You lose!" else: print "You lose!" 25

Symbolic Execution Interpret the binary code, using symbolic variables for user-input x = int(input()) if x >= 10: if x < 100: print "You win!" else: print "You lose!" else: print "You lose!" State A Variables x =??? Constraints {} 26

Symbolic Execution Follow all feasible paths, tracking "constraints" on variables x = int(input()) if x >= 10: if x < 100: print "You win!" else: print "You lose!" else: print "You lose!" State AA Variables x =??? State A Variables x =??? Constraints {} State AB Variables x =??? Constraints {x >= 10} Constraints {x < 10} 27

Symbolic Execution Follow all feasible paths, tracking "constraints" on variables x = int(input()) if x >= 10: if x < 100: print "You win!" else: print "You lose!" else: print "You lose!" State AA Variables x =??? Constraints {x >= 10} State AB Variables x =??? Constraints {x < 10} 28

Symbolic Execution Follow all feasible paths, tracking "constraints" on variables x = int(input()) if x >= 10: if x < 100: print "You win!" else: print "You lose!" else: print "You lose!" State AA Variables x =??? Constraints {x >= 10} 29

Symbolic Execution Follow all feasible paths, tracking "constraints" on variables x = int(input()) if x >= 10: if x < 100: print "You win!" else: print "You lose!" else: print "You lose!" State AAA State AA Variables x =??? Constraints {x >= 10} State AAB Variables x =??? Constraints {x >= 10, x < 100} Variables x =??? Constraints {x >= 10, x >= 100} 30

Symbolic Execution Concretize the constraints on the symbolic variables x = int(input()) if x >= 10: if x < 100: print "You win!" else: print "You lose!" else: print "You lose!" State AAA Variables x =??? Constraints {x >= 10, x < 100} State AAA Concretization Variables x = 99 31

Symbolic Execution How did we use Symbolic Execution for CGC? We used the symbolic execution engine of Angr: a binary analysis platform developed at UCSB 32

Symbolic Execution How did we use Symbolic Execution for CGC? Symbolically execute the binaries checking if one of these two conditions is true Memory accesses outside allocated regions Unconstrained instruction pointer (e.g., controlled by user input) We used the symbolic execution engine of Angr: a binary analysis platform developed at UCSB 33

Symbolic Execution How did we use Symbolic Execution for CGC? Symbolically execute the binaries checking if one of these two conditions is true Memory accesses outside allocated regions Unconstrained instruction pointer (e.g., controlled by user input) We used the symbolic execution engine of Angr: the binary analysis platform developed at UCSB 34

Agenda Shellphish The DARPA Cyber Grand Challenge Shellphish s Cyber Reasoning System Automatic Vulnerability Discovery Angr Live demonstration! Towards the Cyber Grand Challenge Finals 35

Angr Binary analysis platform, developed at UCSB Open-source: https://github.com/angr (please star it!) Written in Python! installable with one single command! interactive shell (using IPython) Architecture independent x86 (ELF, CGC, PE), amd64, mips, mips64, arm, aarch64, ppc, ppc64 36

Angr Demonstration CADET_00001 37

Angr Demonstration CADET_00001 38

Angr Demonstration CADET_00001: a classic buffer overflow int check(){ char string[64]; receive_delim(0, string, 128, '\n') //check if the string is palindrome //... } return result; 39

Angr Demonstration CADET_00001: a classic buffer overflow import angr p = angr.project("cadet_00001") pg = p.factory.path_group(immutable=false, save_uncontsrained=true) while len(pg.unconstrained)==0: pg.step() crash_state = pg.unconstrained[0].state crash_state.posix.dumps(0) 40

Angr Demonstration CADET_00001: triggering the Easter Egg #define EASTEREGG "\n\neaster EGG!\n\n" //the caret character ( ^ ) triggers the Easter Egg if(string[0] == '^'){ transmit_all(1,easteregg, sizeof(easteregg)-1) } 41

Angr Demonstration CADET_00001: triggering the Easter Egg 42

Angr Demonstration CADET_00001: triggering the Easter Egg import angr p = angr.project("cadet_00001") pg = p.factory.path_group(immutable=false) pg.explore(find=0x804833e) pg.found[0].state.posix.dumps(0) 43

Agenda Shellphish The DARPA Cyber Grand Challenge Shellphish s Cyber Reasoning System Automatic Vulnerability Discovery Angr Live-demonstration! Towards the Cyber Grand Challenge Finals 44

CGC Quals Results 7 teams passed the qualification phase Shellphish is one of them! :-) We exploited 44 binaries out of 131 Every qualified team received 750,000$! 45

CGC Finals The system will need to be 100% automated no possibility of bug fixing after competition s start Partially different rules An exploit needs to set a specific register to a specific value leak data from a specific memory region we need to implement more realistic exploits Angr automatic ROP-chain builder! Network-level monitoring and defenses 46

CGC Finals Every team will have access to a cluster of: 1280 cores 16 TB of RAM 128 TB of storage 47

CGC Finals Money prices! First place: 2,000,000$ Second place: 1,000,000$ Third place: 750,000$ The winning team will compete against human teams at DEFCON CTF Finals :-) 48

Shellphish CGC Team 49

That s all folks! Questions? References: this presentation: http://goo.gl/3ulxra angr: https://github.com/angr/angr HITCON Community talk: Saturday, August 29th (14:20 15:10) emails: antoniob@cs.ucsb.edu yans@cs.ucsb.edu 50

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information