Automatic Attack and Defense Techniques as Seen in DARPA CGC and DEFCON CTF
C.K. Chen
Twitter: Bletchley13
1
§  Introduction to CGC
§  Automatic Vulnerability Discovery
§  Fuzz
§  Symbolic/Concolic Execution
§  Symbolic-assist Fuzzing
§  Software Hardening
§  Conclusion
2
§  A prize competition organized by DARPA to drive innovation in
next-generation techniques
§  2007 Urban Challenge
§  2012 Robotics Challenge
§  Cyber Grand Challenge
§  The first fully machine-played attack-defense CTF
§  Focused on developing automatic attack-defense systems
3
§  Started in 2014
§  Qualification round on June 3, 2015
Team           Research                 CTF                         Enterprise
CodeJitsu      Berkeley                 BlueLotus                   Cyberhaven
CSDS           University of Idaho      -                           -
Deep Red       -                        Some CTF players            Raytheon
disekt         Different universities   disekt                      -
ForAllSecure   CMU CyLab                PPP                         ForAllSecure
Shellphish     UCSB                     Shellphish                  LastLine
TECHx          University of Virginia   Some white-hat students     GrammaTech
7
§  CGC Final Event was held at DEF CON 2016
§  Final winner – ForAllSecure/Mayhem
§  Startup company ForAllSecure
§  Most members come from the PPP CTF team
§  Researchers from CMU CyLab
§  The day after the CGC, Mayhem competed against top human
hackers in DEFCON CTF
§  Mayhem finished last, but PPP won the game
8
9
§  Cyber Reasoning System (CRS)
§  Given: challenge binaries (CB)
§  Given: other teams' RCBs and IDS rules
§  Produces: patched binary (RCB)
§  Produces: IDS rule
§  Produces: POV – exploit program
[Diagram: the CFE feeds CBs, other teams' RCBs, IDS rules and PCAP into the CRS, which returns its own RCB, IDS rules and POV]
10
§  Modified Linux
§  Customized ELF format
§  Only 7 syscalls
§  terminate (exit)
§  transmit (write)
§  receive (read)
§  fdwait (select)
§  allocate (mmap)
§  deallocate (munmap)
§  random
§  No signal handling, no non-executable stack, no ASLR, …
11
§  Type 1
§  Hijack control flow
§  Control EIP and one register
§  Type 2
§  Information leak
§  Leak data from the magic page
12
§  2016 CloudSec: the HITCON hacker team challenges the US CGC "Skynet" machines, and explores
the development of AI automatic attack and defense techniques
§  KB.HITCON
§  Introduction to the Cyber Grand Challenge
§  Feature series: Taiwanese hackers challenge the US CGC "Skynet" machines
§  Let's focus more on the techniques!
13
§  Determining whether a program has a vulnerability is undecidable
§  Assume we have a machine M that can detect any vulnerability in a
program
§  Halting problem: build a program P that asks M about itself
  If M(P) has no bug:
      do_some_bug()
  Else:
      do_nothing()
14
§  Given an execution trace, we can check whether a bug appears
on that path
§  To test software completely, we would need to traverse all the code
in the program
§  Halting problem
§  If we can run more traces, we can find more bugs!!
§  But we can still do something :)
15
§  Automatically generate inputs that make the program crash
§  Does not inspect program semantics
§  Generates inputs randomly or with heuristics
§  Coverage-based
§  AFL, Peach, BFF
16
§  American Fuzzy Lop
§  An easy-to-use fuzzer
§  Efficiency
§  Low-level compile-time
instrumentation
§  Coverage-based fuzzer
§  Effective mutation strategies
At least 4 teams in CGC used AFL
17
§  How does AFL work?
1.  Load user-supplied initial test cases into the queue
2.  Take the next input file from the queue
3.  Attempt to trim the test case to the smallest size that doesn't alter
the measured behavior of the program
4.  Repeatedly mutate the file using a balanced and well-researched
variety of traditional fuzzing strategies
5.  If any of the generated mutations resulted in a new state transition
recorded by the instrumentation, add the mutated output as a new
entry in the queue
6.  Go to 2.
§  Binary-only fuzzing -> QEMU (emulator) mode
§  Good seeds are important
18
§  Feed everything in the network PCAP into AFL
§  Use AFL as a first-layer checker
§  Check whether an input is worth deeper analysis
§  "This instance would run through each of the incoming PCAP files and
evaluate whether they brought anything "new" to the table."
Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber Grand Challenge
19
§  Most test inputs fall into a few high-frequency paths
§  Strategy to find the low-frequency paths
§  Energy
§  The number of inputs to be generated from a seed
§  Strategy
§  Low energy to seeds exercising high-frequency paths
§  High energy to seeds exercising low-frequency paths
§  AFLFast paper published at the
§  ACM Conference on Computer
and Communications Security
§  GitHub
§  https://github.com/mboehme/aflfast
20
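The AFL loop of slide 18, the gatekeeper idea of slide 19 (keep an input only if it brings new coverage) and the AFLFast power schedule of slide 20, as one added example of my own rather than any CGC team's code: a small coverage-guided fuzzer over a constructed toy target whose basic blocks are instrumented by hand. The target, its planted bug, the mutation set and the simplified energy formula are all constructed for this illustration.

```python
import random

BASE_ENERGY = 8   # mutations a seed gets before the schedule adjusts it
MAX_ENERGY = 64   # cap (M in AFLFast) on mutations per seed per cycle


def target(data, trace):
    """Constructed toy target. Each basic block appends its id to `trace`,
    standing in for AFL's compile-time edge instrumentation."""
    trace.append(0)
    if len(data) < 4:
        trace.append(1)
        return
    if data[0] == ord("C"):
        trace.append(2)
        if data[1] == ord("G"):
            trace.append(3)
            if data[2] == ord("C"):
                trace.append(4)
                if data[3] > 0x80:
                    trace.append(5)
                    raise RuntimeError("constructed bug: bad length byte")
    trace.append(6)


def run(data):
    """Execute the target once; return (edge set, path id, crashed)."""
    trace, crashed = [], False
    try:
        target(data, trace)
    except RuntimeError:
        crashed = True
    return set(zip(trace, trace[1:])), tuple(trace), crashed


def trim(data, edges):
    """Step 3: drop bytes while the measured edge coverage stays identical."""
    i = 0
    while i < len(data):
        cand = data[:i] + data[i + 1:]
        if cand and run(cand)[0] == edges:
            data = cand            # byte i was not needed; retest same index
        else:
            i += 1
    return data


def mutate(data, rng):
    """Step 4: one random traditional mutation (bit flip, byte, insert, delete,
    interesting value)."""
    buf = bytearray(data)
    op = rng.choice(["flip", "byte", "insert", "delete", "interesting"])
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "byte" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf += rng.choice([b"\x00", b"\x7f", b"\x80", b"\xff"])
    return bytes(buf)


def energy(s, f):
    """Simplified AFLFast schedule: energy grows with how often the seed was
    picked (s) and shrinks with how often its path was exercised (f), so seeds
    on high-frequency paths get little energy."""
    return max(1, min(MAX_ENERGY, BASE_ENERGY * 2 ** min(s, 16) // f))


def fuzz(seeds, rounds, rng_seed=1):
    rng = random.Random(rng_seed)
    queue, seen_edges, path_freq, picked, crashes = [], set(), {}, {}, []

    def consider(data):
        """Gatekeeper: count the path; keep the input only if it adds an edge."""
        edges, pid, crashed = run(data)
        path_freq[pid] = path_freq.get(pid, 0) + 1
        if crashed and data not in crashes:
            crashes.append(data)
        if edges - seen_edges:                      # step 5: new transition
            seen_edges.update(edges)
            queue.append((trim(data, edges), pid))

    for seed in seeds:                              # step 1
        consider(seed)
    for _ in range(rounds):
        for data, pid in list(queue):               # step 2 (and 6)
            picked[pid] = picked.get(pid, 0) + 1
            for _ in range(energy(picked[pid], path_freq[pid])):
                consider(mutate(data, rng))
        if crashes:
            break
    return {"queue": [q[0] for q in queue], "edges": len(seen_edges),
            "crashes": crashes}
```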
§  Murphy is a directed fuzzer based on AFL
§  Most of the improvement is in efficiency
§  Binary-only instrumentation
§  Maybe based on BAP
21
§  A mechanism to discover code coverage
§  Translate each instruction/code line into constraints
§  Constraint: a formula defining what the operation does
§  Collect all the constraints
§  Solve when the required condition is met
§  E.g. a branch happens
22
Program (the trace shows `loop` is instruction 3 and `final` is instruction 8):
  0  mov ebx, 0
  1  mov ecx, 0
  2  mov eax, input
  3  add ebx, eax      ; loop
  4  add ecx, 1
  5  cmp ecx, 3
  6  je final
  7  jmp loop
  8  cmp ebx, 15       ; final
  9  je f1
  (then f1 / f2)
Concrete trace with input = 3 (columns: 1st, 2nd, 3rd loop iteration):
  0  ebx = 0
  1  ecx = 0
  2  eax = 3
  3  ebx = 3      ebx = 6      ebx = 9
  4  ecx = 1      ecx = 2      ecx = 3
  5  NE           NE           E
  6  N            N            Y
  7  Y            Y
  8  NE
  9  N
23
Symbolic trace with eax = sym_0 (columns: 1st, 2nd, 3rd loop iteration):
  0  ebx_0 = 0
  1  ecx_0 = 0
  2  eax_0 = sym_0
  3  ebx_1 = ebx_0+eax_0   ebx_2 = ebx_1+eax_0   ebx_3 = ebx_2+eax_0
  4  ecx_1 = ecx_0+1       ecx_2 = ecx_1+1       ecx_3 = ecx_2+1
  5  NE                    NE                    E
  6  N                     N                     Y
  7  Y                     Y
  8  NE
  9  N
24
(Program as on slide 23)
§  Can we jump to the final block when the loop has run 3 times?
  0  ebx_0 = 0
  1  ecx_0 = 0
  2  eax_0 = sym_0
  3  ebx_1 = ebx_0+eax_0   ebx_2 = ebx_1+eax_0   ebx_3 = ebx_2+eax_0
  4  ecx_1 = ecx_0+1       ecx_2 = ecx_1+1       ecx_3 = ecx_2+1
  5  NE                    NE                    E
25
(Program as on slide 23)
§  Can we jump to the final block when the loop has run 3 times?
  ( = ecx_3 3)
  ( = ( + ecx_2 1 ) 3)
  ( = ( + (+ ecx_1 1 ) 1 ) 3)
  ( = ( + (+ (+ ecx_0 1) 1 ) 1 ) 3) and ( = ecx_0 0)
SMT Solver: SAT! This formula is satisfiable.
26
(Program as on slide 23)
§  Convert instructions into constraints
§  Add the branch constraint
§  Solve the constraints
27
§  Can we enter f1?
  0  ebx_0 = 0
  1  ecx_0 = 0
  2  eax_0 = sym_0
  3  ebx_1 = ebx_0+eax_0   ebx_2 = ebx_1+eax_0   ebx_3 = ebx_2+eax_0
  4  ecx_1 = ecx_0+1       ecx_2 = ecx_1+1       ecx_3 = ecx_2+1
  5  NE                    NE                    E
  6  N                     N                     Y
  7  Y                     Y
  8  NE
  9  N
28
(Program as on slide 23)
§  The number of possible paths increases exponentially
§  In symbolic execution, every memory location is symbolized
§  Too many symbols to solve
§  Concolic execution
§  Only make the interesting memory symbolic
§  Use concrete values for the rest
29
§  Tracking related instructions only?
Concrete trace with input = 3 (columns: 1st, 2nd, 3rd loop iteration):
  0  ebx = 0
  1  ecx = 0
  2  eax = 3
  3  ebx = 3      ebx = 6      ebx = 9
  4  ecx = 1      ecx = 2      ecx = 3
  5  NE           NE           E
  6  N            N            Y
  7  Y            Y
  8  NE
  9  N
30
(Program as on slide 23)
Concolic trace: ebx stays symbolic, ecx is kept concrete (columns: 1st, 2nd, 3rd iteration):
  0  ebx_0 = 0
  1  ecx_0 = 0
  2  eax_0 = sym_0
  3  ebx_1 = ebx_0+eax_0   ebx_2 = ebx_1+eax_0   ebx_3 = ebx_2+eax_0
  4  ecx_1 = 1             ecx_2 = 2             ecx_3 = 3
  5  NE                    NE                    E
  6  N                     N                     Y
  7  Y                     Y
  8  NE
  9  N
31
(Program as on slide 23)
§  Which input makes us arrive at f1?
  0  ebx_0 = 0
  1  ecx_0 = 0
  2  eax_0 = sym_0
  3  ebx_1 = ebx_0+eax_0   ebx_2 = ebx_1+eax_0   ebx_3 = ebx_2+eax_0
  4  ecx_1 = 1             ecx_2 = 2             ecx_3 = 3
  5  NE                    NE                    E
  6  N                     N                     Y
  7  Y                     Y
  8  NE
  9  N
[Expression tree for ebx_3: ebx_3 = ebx_2 + eax_0, ebx_2 = ebx_1 + eax_0, ebx_1 = ebx_0 + eax_0, ebx_0 = 0]
32
§  Which input makes us arrive at f1?
Final: ( = 15 (+ in ( + in (+ in 0) ) ) )
SMT Solver: SAT! This formula is satisfiable when in = 5.
[Expression tree for ebx_3: ebx_3 = ebx_2 + eax_0, ebx_2 = ebx_1 + eax_0, ebx_1 = ebx_0 + eax_0, ebx_0 = 0]
33
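The walkthrough of slides 23 to 33 carried through in code, as an added example of my own (not from the slides or any CGC engine): a concolic executor for the toy program in which register values are linear expressions a*in + b over the single symbolic input. Because ecx never depends on the input it stays concrete by itself (the concolic point of slides 29 to 31), only the ebx comparison yields a path constraint, and flipping that constraint gives the in = 5 that reaches f1. The instruction encoding and the linear solver standing in for an SMT solver are my simplifications.

```python
class Lin:
    """Symbolic value a*in + b over the one symbolic input `in`."""

    def __init__(self, a, b):
        self.a, self.b = a, b

    def __add__(self, other):
        return Lin(self.a + other.a, self.b + other.b)

    def __sub__(self, other):
        return Lin(self.a - other.a, self.b - other.b)

    def concrete(self):
        return self.a == 0

    def eval(self, x):
        return self.a * x + self.b

    def smt(self):
        """SMT-LIB style rendering, in the spirit of the slides' formulas."""
        return f"(+ (* {self.a} in) {self.b})"


# The slides' program with labels resolved: loop = 3, final = 8.
# ("exit", "f2") is the fall-through after `je f1`.
PROGRAM = [
    ("mov", "ebx", 0), ("mov", "ecx", 0), ("mov", "eax", "input"),
    ("add", "ebx", "eax"), ("add", "ecx", 1), ("cmp", "ecx", 3),
    ("je", 8), ("jmp", 3),
    ("cmp", "ebx", 15), ("je", "f1"), ("exit", "f2"),
]


def operand(regs, x):
    return regs[x] if isinstance(x, str) else Lin(0, x)


def execute(program, x):
    """Concolic run driven by the concrete input x. Returns (reached label,
    registers, path constraints); a `je` is recorded as (flag, taken) only
    when its flag depends on `in`. Zero flag <=> flag expression == 0."""
    regs, flag, path, pc = {}, None, [], 0
    while True:
        ins = program[pc]
        if ins[0] == "mov":
            regs[ins[1]] = Lin(1, 0) if ins[2] == "input" else operand(regs, ins[2])
        elif ins[0] == "add":
            regs[ins[1]] = regs[ins[1]] + operand(regs, ins[2])
        elif ins[0] == "cmp":
            flag = regs[ins[1]] - operand(regs, ins[2])
        elif ins[0] == "je":
            taken = flag.eval(x) == 0        # decide the branch concretely
            if not flag.concrete():          # input-dependent: a constraint
                path.append((flag, taken))
            if taken:
                if isinstance(ins[1], str):
                    return ins[1], regs, path
                pc = ins[1]
                continue
        elif ins[0] == "jmp":
            pc = ins[1]
            continue
        elif ins[0] == "exit":
            return ins[1], regs, path
        pc += 1


def solve(expr, want_zero, domain=range(256)):
    """Tiny stand-in for an SMT solver over one integer: find `in` with
    expr == 0 (want_zero) or expr != 0, or None if unsatisfiable."""
    if want_zero:
        if expr.a == 0:
            return 0 if expr.b == 0 else None
        q, r = divmod(-expr.b, expr.a)
        return q if r == 0 else None
    return next((v for v in domain if expr.eval(v) != 0), None)


def find_input_reaching(program, label, start=3):
    """Run with a concrete seed, then negate the recorded branch conditions
    (last first) until a solution drives execution to `label`."""
    reached, _, path = execute(program, start)
    if reached == label:
        return start
    for expr, taken in reversed(path):
        cand = solve(expr, want_zero=not taken)
        if cand is not None and execute(program, cand)[0] == label:
            return cand
    return None
```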
§  In-house symbolic execution engine called Grace
§  Path priority
§  "Grace to focus on unique and interesting inputs, rather than
churning away at things that would likely lead down previously-explored paths"
§  Symbolize authentication/random tokens
§  Powerful static analysis
Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber Grand Challenge
34
§  Virtual machine symbolic execution
framework - S2E
§  Selective symbolic execution/concolic
execution
§  Execution consistency models
§  State merging and prioritizing
[Diagram: whole-system execution in QEMU; binary code translated to LLVM and run in KLEE]
35
§  Angr
§  Not only a symbolic execution engine, but a binary analysis
framework
§  http://angr.io/
“Cyber Grand Shellphish”, shellphish, DEFCON 24
36
§  Binary-only symbolic execution
§  Faster than S2E (whole system/LLVM) and Angr (VEX simulator)
§  BAP-based binary instrumentation
§  Veritesting
§  A coverage-based search strategy
§  Other features
§  Fine-tuned process-based instrumentation and taint analysis
§  Access to an extensive set of tested x86 semantics
§  Several years of performance tuning for solvers (expression
rewriting, caches, etc.)
§  Path merging
37
§  One of the most important techniques we learned from CGC is "how to
integrate an efficient fuzzer with sophisticated symbolic
execution"
38
§  Driller
§  Switches between the fuzzer and symbolic execution
§  Driller: Augmenting Fuzzing Through Selective Symbolic Execution
§  Network and Distributed System Security Symposium 2016
39
§  "sharing seeds between Mayhem and our custom AFL."
§  Fuzzer
§  If you have good seeds,
it works better
§  Symbolic execution finds the
good seeds
https://blog.forallsecure.com/2016/02/09/unleashing-mayhem/
40
§  Seed sharing: fuzzer + S2E + traffic replay
§  Path exploration
§  S2E helps the fuzzer break through some branches
41
§  Recall the AFL gatekeeper
42
§  DEP
§  ASLR
§  Stack Guard
§  CFI
§  Pointer Integrity
§  Shadow Stack
§  Binary Patch
§  Input filter
§  IDS
43
§  PS: Mayhem put most of its attention on attack and did less on defense
44
§  Patcherex
§  https://github.com/shellphish/patcherex
§  QEMU 0-day for anti-analysis
“Cyber Grand Shellphish”, shellphish, DEFCON 24
45
§  Return pointer encryption
§  Protect indirect calls/jmps
§  Extended Malloc allocations
§  Randomly shift the stack (ASLR)
§  Clean uninitialized stack space
46
§  CFI: control flow integrity
§  Shadow stacks
§  Maintain a duplicate stack of return addresses
§  Once a return address differs from the one on the shadow stack,
an attack is detected
§  DEP
§  Randomization
§  Data leakage defense
47
§  Control Flow Integrity
https://www.trust.informatik.tu-darmstadt.de/research/projects/current-projects/control-flow-integrity/
48
§  TECHx achieved first place in
security
§  PEASOUP
§  CodeSonar
Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber Grand Challenge
49
§  The other important aspect is "how to integrate many systems into a
large architecture"
§  Dealing with a complicated system architecture
§  Reliability is difficult
§  Mayhem ran into problems and failed for half of the game
50
“Cyber Grand Shellphish”, shellphish, DEFCON 24
51
“Cyber Grand Challenge and CodeJitsu”, Chao Zhang
52
§  DARPA CGC introduction
§  Most teams have research, CTF and enterprise support
§  Automatic vulnerability discovery
§  Fuzzers and symbolic execution are widely used techniques in CGC
§  How to integrate a fuzzer with symbolic execution
§  Engineering power: integrating many different software systems
53
§  https://cgc.darpa.mil/
§  https://www.cybergrandchallenge.com/
§  "DARPA's Cyber Grand Challenge: Creating a League of Extra-Ordinary Machines", Ben Price and Michael Zhivich, ACSAC
§  "Rise of the Machines: Introduction to the Cyber Grand Challenge and the DEFCON 24 CTF Finals", MaskRay
§  "Cyber Grand Challenge and CodeJitsu", Chao Zhang
§  https://www.youtube.com/watch?v=xfgGZq86iWk
§  Reddit IamA: Mayhem, the Hacking Machine that won DARPA's Cyber Grand Challenge. AMA!
§  Unleashing the Mayhem CRS, ForAllSecure
§  “Cyber Grand Shellphish”, shellphish, DEFCON 24
§  “The Cyber Grand Challenge”, GrammaTech Eric Rizzi
§  “Hybrid Concolic Execution, Part 1 (Background)”, GrammaTech Ducson Nguyen
§  “Hybrid Concolic Execution, Part 2”, GrammaTech Ducson Nguyen
§  “Case Study: LEGIT_00004”, ForAllSecure
54
 
Raish Khanji GTU 8th sem Internship Report.pdf
Raish Khanji GTU 8th sem Internship Report.pdfRaish Khanji GTU 8th sem Internship Report.pdf
Raish Khanji GTU 8th sem Internship Report.pdf
RaishKhanji
 
15th International Conference on Computer Science, Engineering and Applicatio...
15th International Conference on Computer Science, Engineering and Applicatio...15th International Conference on Computer Science, Engineering and Applicatio...
15th International Conference on Computer Science, Engineering and Applicatio...
IJCSES Journal
 
International Journal of Distributed and Parallel systems (IJDPS)
International Journal of Distributed and Parallel systems (IJDPS)International Journal of Distributed and Parallel systems (IJDPS)
International Journal of Distributed and Parallel systems (IJDPS)
samueljackson3773
 
Explainable-Artificial-Intelligence-XAI-A-Deep-Dive (1).pptx
Explainable-Artificial-Intelligence-XAI-A-Deep-Dive (1).pptxExplainable-Artificial-Intelligence-XAI-A-Deep-Dive (1).pptx
Explainable-Artificial-Intelligence-XAI-A-Deep-Dive (1).pptx
MahaveerVPandit
 
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
inmishra17121973
 
ELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdfELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdf
Shiju Jacob
 
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdffive-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
AdityaSharma944496
 
Smart_Storage_Systems_Production_Engineering.pptx
Smart_Storage_Systems_Production_Engineering.pptxSmart_Storage_Systems_Production_Engineering.pptx
Smart_Storage_Systems_Production_Engineering.pptx
rushikeshnavghare94
 
Compiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptxCompiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptx
RushaliDeshmukh2
 
fluke dealers in bangalore..............
fluke dealers in bangalore..............fluke dealers in bangalore..............
fluke dealers in bangalore..............
Haresh Vaswani
 
theory-slides-for react for beginners.pptx
theory-slides-for react for beginners.pptxtheory-slides-for react for beginners.pptx
theory-slides-for react for beginners.pptx
sanchezvanessa7896
 
Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...
Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...
Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...
Journal of Soft Computing in Civil Engineering
 
QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)
rccbatchplant
 
Reagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptxReagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptx
AlejandroOdio
 
Introduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptxIntroduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptx
AS1920
 
AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)
Vəhid Gəruslu
 
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdfMAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
ssuser562df4
 
Metal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistryMetal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistry
mee23nu
 
DSP and MV the Color image processing.ppt
DSP and MV the  Color image processing.pptDSP and MV the  Color image processing.ppt
DSP and MV the Color image processing.ppt
HafizAhamed8
 
Raish Khanji GTU 8th sem Internship Report.pdf
Raish Khanji GTU 8th sem Internship Report.pdfRaish Khanji GTU 8th sem Internship Report.pdf
Raish Khanji GTU 8th sem Internship Report.pdf
RaishKhanji
 
15th International Conference on Computer Science, Engineering and Applicatio...
15th International Conference on Computer Science, Engineering and Applicatio...15th International Conference on Computer Science, Engineering and Applicatio...
15th International Conference on Computer Science, Engineering and Applicatio...
IJCSES Journal
 
International Journal of Distributed and Parallel systems (IJDPS)
International Journal of Distributed and Parallel systems (IJDPS)International Journal of Distributed and Parallel systems (IJDPS)
International Journal of Distributed and Parallel systems (IJDPS)
samueljackson3773
 
Explainable-Artificial-Intelligence-XAI-A-Deep-Dive (1).pptx
Explainable-Artificial-Intelligence-XAI-A-Deep-Dive (1).pptxExplainable-Artificial-Intelligence-XAI-A-Deep-Dive (1).pptx
Explainable-Artificial-Intelligence-XAI-A-Deep-Dive (1).pptx
MahaveerVPandit
 
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
inmishra17121973
 
ELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdfELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdf
Shiju Jacob
 
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdffive-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
AdityaSharma944496
 
Smart_Storage_Systems_Production_Engineering.pptx
Smart_Storage_Systems_Production_Engineering.pptxSmart_Storage_Systems_Production_Engineering.pptx
Smart_Storage_Systems_Production_Engineering.pptx
rushikeshnavghare94
 
Compiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptxCompiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptx
RushaliDeshmukh2
 
fluke dealers in bangalore..............
fluke dealers in bangalore..............fluke dealers in bangalore..............
fluke dealers in bangalore..............
Haresh Vaswani
 
theory-slides-for react for beginners.pptx
theory-slides-for react for beginners.pptxtheory-slides-for react for beginners.pptx
theory-slides-for react for beginners.pptx
sanchezvanessa7896
 
QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)
rccbatchplant
 
Reagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptxReagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptx
AlejandroOdio
 
Introduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptxIntroduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptx
AS1920
 
AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)
Vəhid Gəruslu
 
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdfMAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
ssuser562df4
 
Metal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistryMetal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistry
mee23nu
 

DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique

• 14. § Determining whether a program has a vulnerability is undecidable
      § Assume a machine M that can detect any vulnerability in any program; then write the program P as
          if M(P) has no bug: do_some_bug()
          else: do_nothing()
      § Whatever M answers about P is wrong, so no such M exists: this is the halting problem in disguise
• 15. § Given an execution trace, we can check whether a bug appears on that path
      § Testing the software completely would mean traversing every path in the program, which is again the halting problem
      § The more traces we can run, the more bugs we can find
      § We cannot be complete, but we can still do something :)
• 16. § Fuzzing: automatically generate inputs that make the program crash
      § Does not inspect program semantics
      § Generates inputs randomly or by some heuristic
      § Coverage-based fuzzing
      § Tools: AFL, Peach, BFF
• 17. § AFL: American Fuzzy Lop
      § The easy-to-use fuzzer
      § Efficient: low-level compile-time instrumentation
      § Coverage-based fuzzer
      § Effective mutation strategy
      § At least 4 teams in CGC used AFL
• 18. § How does AFL work?
        1. Load user-supplied initial test cases into the queue
        2. Take the next input file from the queue
        3. Attempt to trim the test case to the smallest size that doesn't alter the measured behavior of the program
        4. Repeatedly mutate the file using a balanced and well-researched variety of traditional fuzzing strategies
        5. If any of the generated mutations resulted in a new state transition recorded by the instrumentation, add the mutated output as a new entry in the queue
        6. Go to 2
      § Fuzzing binaries without source: QEMU (emulator) mode
      § A good seed is important
• 19. § Feed everything in the network PCAP into AFL
      § Use AFL as a first-layer checker: does the input deserve deeper analysis?
      § "This instance would run through each of the incoming PCAP files and evaluate whether they brought anything 'new' to the table."
      Source: "Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber Grand Challenge"
• 20. § Most test inputs fall into a few high-frequency paths
      § Strategy to reach the low-frequency paths: energy, the number of inputs generated from a seed
        § low energy to seeds exercising high-frequency paths
        § high energy to seeds exercising low-frequency paths
      § AFLFast, published at the ACM Conference on Computer and Communications Security (CCS 2016)
      § GitHub: https://github.com/mboehme/aflfast
• 21. § Murphy is a directed fuzzer based on AFL
      § Most of the improvement is in efficiency
      § Binary-only instrumentation, possibly based on BAP
• 22. § Symbolic execution: a mechanism to discover code coverage
      § Translate each instruction / line of code into constraints
      § Constraint: a formula that defines what the operation does
      § Collect all the constraints along the path
      § Solve them when a required condition is met, e.g. when a branch happens
• 23. Concrete trace of the example program with input = 3. Columns are the three loop iterations; NE/E is the result of a cmp (not equal / equal), Y/N whether the jump was taken.

        0 mov ebx, 0
        1 mov ecx, 0
        2 mov eax, input
        loop:
        3 add ebx, eax
        4 add ecx, 1
        5 cmp ecx, 3
        6 je final
        7 jmp loop
        final:
        8 cmp ebx, 15
        9 je f1
        (fall through to f2)

                 1st        2nd        3rd
        0  ebx = 0
        1  ecx = 0
        2  eax = 3
        3  ebx = 3    ebx = 6    ebx = 9
        4  ecx = 1    ecx = 2    ecx = 3
        5  NE         NE         E
        6  N          N          Y
        7  Y          Y
        8                        NE
        9                        N
• 24. Symbolic trace of the same program: the input becomes the symbol sym_0 and every register write gets a fresh name (ebx_0, ebx_1, ...), so each constraint refers to one definite value.

                 1st                     2nd                     3rd
        0  ebx_0 = 0
        1  ecx_0 = 0
        2  eax_0 = sym_0
        3  ebx_1 = ebx_0 + eax_0   ebx_2 = ebx_1 + eax_0   ebx_3 = ebx_2 + eax_0
        4  ecx_1 = ecx_0 + 1       ecx_2 = ecx_1 + 1       ecx_3 = ecx_2 + 1
        5  NE                      NE                      E
        6  N                       N                       Y
        7  Y                       Y
        8                                                  NE
        9                                                  N
• 25. § Can we jump to the final block after looping 3 times? Rows 0 to 5 of the symbolic table above are all that matters: the question is whether the cmp at line 5 can be equal in the third iteration.
• 26. § Can we jump to the final block after looping 3 times?
        (= ecx_3 3)
        (= (+ ecx_2 1) 3)
        (= (+ (+ ecx_1 1) 1) 3)
        (= (+ (+ (+ ecx_0 1) 1) 1) 3)  and  (= ecx_0 0)
      § SMT solver: SAT, the formula is satisfiable
• 27. § Convert instructions into constraints
      § Add the branch constraint
      § Solve the constraints
• 28. § Can we enter f1? Same symbolic table as slide 24; to take the je at line 9 the branch constraint to add is (= ebx_3 15)
• 29. § The number of possible paths grows exponentially
      § In symbolic execution every memory location is symbolized: too many symbols to solve
      § Concolic execution: symbolize only the interesting memory and keep everything else as concrete values
• 30. § Track only the input-related instructions? Start again from the concrete trace with input = 3 (the table on slide 23)
• 31. Concolic trace: ebx stays symbolic because it depends on the input, while ecx is only ever updated with constants and is kept concrete, so the loop condition on line 5 needs no solver.

                 1st                     2nd                     3rd
        0  ebx_0 = 0
        1  ecx_0 = 0
        2  eax_0 = sym_0
        3  ebx_1 = ebx_0 + eax_0   ebx_2 = ebx_1 + eax_0   ebx_3 = ebx_2 + eax_0
        4  ecx_1 = 1               ecx_2 = 2               ecx_3 = 3
        5  NE                      NE                      E
        6  N                       N                       Y
        7  Y                       Y
        8                                                  NE
        9                                                  N
• 32. § Which input makes us arrive at f1? Unfold ebx_3 down to the input:
        ebx_3 = ebx_2 + eax_0
        ebx_2 = ebx_1 + eax_0
        ebx_1 = ebx_0 + eax_0
        ebx_0 = 0
• 33. § Which input makes us arrive at f1?
        (= 15 (+ in (+ in (+ in 0))))
      § SMT solver: SAT, the formula is satisfiable when in = 5
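The trace tables above can be mechanised. The following is an added example, not code from the talk or from any CGC team: it executes the same ten-line program concolically, keeping ebx as an affine term in the input while ecx stays concrete, logs the single input-dependent branch at line 9, and solves it to obtain in = 5. The affine representation (coef*in + const) and the names PROGRAM, Affine, execute, solve and find_input_reaching are choices made for this example; a real engine such as angr, S2E or Mayhem builds bit-vector formulas and asks an SMT solver.

```python
# Added example, not code from the talk: concolic execution of the ten-line loop
# from the tables above.  Input-dependent values are kept as affine terms
# coef*in + const; a real engine builds bit-vector formulas for an SMT solver.
PROGRAM = [
    ("mov", "ebx", 0),        # 0
    ("mov", "ecx", 0),        # 1
    ("mov", "eax", "input"),  # 2
    ("add", "ebx", "eax"),    # 3  loop:
    ("add", "ecx", 1),        # 4
    ("cmp", "ecx", 3),        # 5
    ("je", 8),                # 6  je final
    ("jmp", 3),               # 7  jmp loop
    ("cmp", "ebx", 15),       # 8  final:
    ("je", "f1"),             # 9  je f1; falling off the end is f2
]

class Affine:
    """coef*in + const.  coef == 0 means the value never depended on the input:
    it is concrete, and a branch on it is decided without asking the solver."""
    def __init__(self, coef, const):
        self.coef, self.const = coef, const

    def __add__(self, other):
        return Affine(self.coef + other.coef, self.const + other.const)

    def eval(self, value):
        return self.coef * value + self.const

    def __repr__(self):
        if self.coef == 0:
            return str(self.const)
        return "%d*in %s %d" % (self.coef, "-" if self.const < 0 else "+", abs(self.const))

def operand(regs, src):
    if src == "input":
        return Affine(1, 0)               # the single symbolic variable, sym_0
    if isinstance(src, str):
        return regs[src]
    return Affine(0, src)                 # immediate

def execute(program, concrete_input, max_steps=200):
    """Run on one concrete input while tracking affine terms.  Returns (exit_block,
    path); path holds every input-dependent branch as (pc, diff, taken_equal) with
    diff = lhs - rhs of the preceding cmp.  Compares on concrete values (the ecx
    counter) are decided directly and not logged: that is the concolic part."""
    regs, pc, diff, path = {}, 0, None, []
    for _ in range(max_steps):
        if pc >= len(program):
            return "f2", path
        ins = program[pc]
        if ins[0] == "mov":
            regs[ins[1]] = operand(regs, ins[2])
        elif ins[0] == "add":
            regs[ins[1]] = regs[ins[1]] + operand(regs, ins[2])
        elif ins[0] == "cmp":
            diff = regs[ins[1]] + Affine(0, -ins[2])
        elif ins[0] == "je":
            equal = diff.eval(concrete_input) == 0
            if diff.coef != 0:
                path.append((pc, diff, equal))
            if equal:
                if isinstance(ins[1], str):
                    return ins[1], path
                pc = ins[1]
                continue
        elif ins[0] == "jmp":
            pc = ins[1]
            continue
        pc += 1
    raise RuntimeError("step budget exhausted")

def solve(path, flip):
    """Input that follows `path` up to branch `flip` and then takes its other side.
    One affine variable makes this plain arithmetic; for slide 33 it is the query
    (= 15 (+ in (+ in (+ in 0)))) and the answer is in = 5."""
    _, diff, taken_equal = path[flip]
    if not taken_equal:                   # want diff == 0  ->  in = -const / coef
        if diff.coef == 0 or (-diff.const) % diff.coef:
            return None
        candidates = [(-diff.const) // diff.coef]
    else:                                 # want diff != 0: any value off the root
        candidates = [v for v in range(64) if diff.eval(v) != 0]
    for cand in candidates:
        if all((d.eval(cand) == 0) == eq for _, d, eq in path[:flip]):
            return cand
    return None

def find_input_reaching(program, block, seed):
    """Run the seed, then flip input-dependent branches from the last one backwards
    until a solved input actually reaches `block`: slides 27 and 33 in code."""
    exit_block, path = execute(program, seed)
    if exit_block == block:
        return seed
    for i in reversed(range(len(path))):
        cand = solve(path, i)
        if cand is not None and execute(program, cand)[0] == block:
            return cand
    return None
```

Running execute(PROGRAM, 3) ends in f2 with exactly one logged constraint, 3*in - 15 == 0 not taken; find_input_reaching(PROGRAM, "f1", 3) flips it and returns 5. The three loop-counter compares never reach the path because ecx has coef 0, which is the saving the concolic tables on slides 30 and 31 illustrate.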
• 34. § In-house symbolic execution engine, called Grace
      § Path priority: "Grace to focus on unique and interesting inputs, rather than churning away at things that would likely lead down previously-explored paths"
      § Symbolize authentication / random tokens
      § Powerful static analysis
      Source: "Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber Grand Challenge"
• 35. § S2E: virtual-machine-based symbolic execution framework
      § Selective symbolic execution / concolic execution
      § Execution consistency models
      § State merging and prioritizing
      § Architecture: whole-system emulation in QEMU, guest binary translated to LLVM, LLVM executed symbolically by KLEE
• 36. § angr
      § Not only a symbolic execution engine but a whole binary analysis framework
      § http://angr.io/
      Source: "Cyber Grand Shellphish", Shellphish, DEF CON 24
• 37. § Mayhem: binary-only symbolic execution
      § Faster than S2E (whole system / LLVM) and angr (VEX simulator)
      § BAP-based binary instrumentation
      § Veritesting
      § A coverage-based search strategy
      § Other features:
        § fine-tuned process-based instrumentation and taint analysis
        § access to an extensive set of tested x86 semantics
        § several years of performance tuning for solvers (expression rewriting, caches, etc.)
        § path merging
• 38. § One of the most important techniques to learn from CGC is how to integrate an efficient fuzzer with sophisticated symbolic execution
• 39. § Driller: switches between the fuzzer and symbolic execution
      § "Driller: Augmenting Fuzzing Through Selective Symbolic Execution", Network and Distributed System Security Symposium (NDSS) 2016
• 40. § ForAllSecure: "sharing seeds between Mayhem and our custom AFL"
      § A fuzzer works better when it has good seeds, and symbolic execution finds the good seeds
      § https://blog.forallsecure.com/2016/02/09/unleashing-mayhem/
• 41. § Seed sharing: fuzzer + S2E + traffic replay
      § Path exploration: S2E helps the fuzzer break through branches it cannot pass on its own
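As an added example, not code from the talk or from any CGC team, the following puts the three ideas of slides 18, 20 and 39 to 41 into one loop on a constructed toy target: the AFL queue with its new-edge check, an AFLFast-style energy schedule that starves seeds sitting on hot paths, and a Driller-style hand-off when the fuzzer stalls. The target, its magic value "CGC!", the 64-byte buffer and the compare log are all constructed for this example; concolic_assist stands in for the symbolic engine and simply copies the constant the instrumentation logged, where a real engine would solve the branch constraint with an SMT solver.

```python
import random

# Constructed for the example; not taken from any real CGC challenge binary.
MAGIC = b"CGC!"
BUF_SIZE = 64


def target(data, trace, cmp_log):
    """Toy challenge binary.  trace.append() stands in for compile-time instrumentation;
    cmp_log records compares of raw input bytes against constants."""
    trace.append(1)
    if len(data) < 6:
        trace.append(2)
        return
    if data[:4] != MAGIC:
        cmp_log.append((0, MAGIC))            # input[0:4] was compared with MAGIC
        trace.append(3)
        return
    trace.append(4)
    n = data[4] | (data[5] << 8)              # attacker-controlled length
    buf = bytearray(BUF_SIZE)
    trace.append(5 if n > BUF_SIZE else 6)
    for i in range(n):                        # bug: n is never checked against BUF_SIZE
        buf[i] = data[6 + i] if 6 + i < len(data) else 0   # IndexError models the crash


def run(data):
    """One execution -> (path as a frozenset of AFL-style edges, compare log, crashed)."""
    trace, cmp_log, crashed = [], [], False
    try:
        target(data, trace, cmp_log)
    except IndexError:
        crashed = True
    return frozenset(zip([0] + trace, trace)), cmp_log, crashed


def mutate(data, rng):
    """A few of AFL's havoc operations: bit flip, interesting byte, delete, insert."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.choice((0, 1, 0x7F, 0x80, 0xFF, rng.randrange(256)))
        elif op == 2 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def concolic_assist(seed, cmp_log):
    """Stand-in for the symbolic engine a stalled seed is handed to: return an input
    that passes the compare the fuzzer could not.  Here the bytes come straight from
    the log; a real engine solves input[off:off+k] == const with an SMT solver."""
    out = bytearray(seed)
    for off, const in cmp_log:
        out[off:off + len(const)] = const
    return bytes(out)


def fuzz(seed, rng=None, max_execs=20000, stall_limit=50, base_energy=16):
    """Coverage-guided loop with an AFLFast-style power schedule (fewer mutants for
    seeds whose path is seen often).  After stall_limit rounds without a new path,
    the stalled seeds go to concolic_assist and its outputs rejoin the queue."""
    rng = rng or random.Random(1)             # fixed seed so a run is reproducible
    queue, seen_edges, path_freq, stall = [], set(), {}, 0
    stats = {"execs": 0, "assists": 0}

    def consider(data):
        nonlocal stall
        path, cmp_log, crashed = run(data)
        stats["execs"] += 1
        path_freq[path] = path_freq.get(path, 0) + 1
        if crashed:
            return data
        if not path <= seen_edges:            # new state transition: keep the input
            seen_edges.update(path)
            queue.append((data, path, cmp_log))
            stall = 0
        return None

    crash = consider(seed)
    while crash is None and stats["execs"] < max_execs:
        stall += 1
        if stall > stall_limit:
            stall, stats["assists"] = 0, stats["assists"] + 1
            for data, _, cmp_log in list(queue):
                if cmp_log and crash is None:
                    crash = consider(concolic_assist(data, cmp_log))
            continue
        data, path, _ = queue[rng.randrange(len(queue))]
        energy = max(1, base_energy // path_freq[path])   # AFLFast: hot paths get less
        for _ in range(energy):
            crash = consider(mutate(data, rng))
            if crash:
                break
    return crash, stats
```

fuzz(b"AAAA\x00\x00\x00\x00") returns the crashing input and the number of executions and assists it took. Mutation alone never passes the 32-bit magic compare, so the run stalls, the assist produces an input that does, and from that seed the fuzzer finds a length field larger than the buffer within a few hundred executions; this is the division of labour slides 39 to 41 describe.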
• 42. § Recall the AFL gatekeeper from slide 19
• 43. § Software hardening techniques:
      § DEP
      § ASLR
      § Stack guard
      § CFI
      § Pointer integrity
      § Shadow stack
      § Binary patch
      § Input filter
      § IDS
• 44. § PS: Mayhem put most of its attention on attack and did less on defense
• 45. § Patcherex
      § https://github.com/shellphish/patcherex
      § A QEMU 0-day used for anti-analysis
      Source: "Cyber Grand Shellphish", Shellphish, DEF CON 24
• 46. § Return pointer encryption
      § Protect indirect calls/jmps
      § Extended malloc allocations
      § Randomly shift the stack (ASLR)
      § Clean uninitialized stack space
• 47. § CFI: control flow integrity
      § Shadow stacks: maintain a duplicate stack of return addresses; once a return address differs from the copy on the shadow stack, an attack is detected
      § DEP
      § Randomization
      § Data leakage defense
• 48. § Control Flow Integrity (figure from https://www.trust.informatik.tu-darmstadt.de/research/projects/current-projects/control-flow-integrity/)
• 49. § TECHx achieved first place in security
      § PEASOUP
      § CodeSonar
      Source: "Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber Grand Challenge"
• 50. § The other important aspect is how to integrate many systems into one large architecture
      § Handling a complicated system architecture
      § Reliability is hard
      § Mayhem ran into problems and failed for half of the game
• 51. Source: "Cyber Grand Shellphish", Shellphish, DEF CON 24
• 52. Source: "Cyber Grand Challenge and CodeJitsu", Chao Zhang
• 53. § DARPA CGC introduction: most teams had research, CTF and enterprise support
      § Automatic vulnerability discovery: fuzzers and symbolic execution are the widely used techniques in CGC, and the key question is how to integrate them
      § Engineering power: integrating many different software systems
• 54. § https://cgc.darpa.mil/
      § https://www.cybergrandchallenge.com/
      § "DARPA's Cyber Grand Challenge: Creating a League of Extra-Ordinary Machines", Ben Price and Michael Zhivich, ACSAC
      § "Rise of the Machines: Introduction to the Cyber Grand Challenge and the DEFCON 24 CTF Final", MaskRay
      § "Cyber Grand Challenge and CodeJitsu", Chao Zhang
      § https://www.youtube.com/watch?v=xfgGZq86iWk
      § Reddit IAmA: "Mayhem, the Hacking Machine that won DARPA's Cyber Grand Challenge. AMA!"
      § "Unleashing the Mayhem CRS", ForAllSecure
      § "Cyber Grand Shellphish", Shellphish, DEF CON 24
      § "The Cyber Grand Challenge", Eric Rizzi, GrammaTech
      § "Hybrid Concolic Execution, Part 1 (Background)", Ducson Nguyen, GrammaTech
      § "Hybrid Concolic Execution, Part 2", Ducson Nguyen, GrammaTech
      § "Case Study: LEGIT_00004", ForAllSecure