HITCON X Playground - CRAX
CRAX: An Automatic Exploit Generating System
Lance Chen
Software Quality Laboratory, NCTU
Aug 21, 2014
Disclaimer
CRAX is not my personal project, but was built by many members of the SQLab.
About me
Lance Chen
▶ MS in Computer Science and Engineering Institute of NCTU
▶ A System and Network Administrator in NCTU CSCC for four years
About SQLab
▶ Advisor: Prof. Shih-kun Huang
▶ Current members:
  ▶ Ph.D student * 2
  ▶ MS student * 8
▶ Central Idea: Bugs are Backdoors
How do you feel?
Figure 1: A) Rage
Figure 2: B) Excited...
Unclear relation between input and crashes
Symbolic Execution
x : X
PC : true
├── x : X
│   PC : X ≥ 0
│   ├── x : X, y : X+100
│   │   PC : (X ≥ 0) ∧ (X+100 = 2011)
│   └── x : X, y : X+100
│       PC : (X ≥ 0) ∧ (X+100 ≠ 2011)
└── x : X
    PC : X < 0
    ├── x : X, y : X+100
    │   PC : (X < 0) ∧ (X+100 = 2011)   ← Infeasible!
    └── x : X, y : X+100
        PC : (X < 0) ∧ (X+100 ≠ 2011)
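The symbolic-execution example above, worked through in code. This is an added illustration and not CRAX, S2E or KLEE code: a toy executor for a program with one symbolic input X, where symbolic values are linear expressions a*X + b and the path condition is kept in solved form (integer bounds, a forced value, excluded values). The program, the `branch`/`explore` API and the constraint solver are all assumptions made for the example; the point is to see the four paths enumerated, the path condition grow at every fork, a concrete witness produced for each feasible path, and the (X < 0) ∧ (X+100 = 2011) path killed as infeasible.

```python
import operator
from fractions import Fraction
from math import ceil, floor, inf

OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt,
       "==": operator.eq, "!=": operator.ne}
FLIP = {">=": "<", "<": ">=", ">": "<=", "<=": ">", "==": "!=", "!=": "=="}    # negation
MIRROR = {">=": "<=", "<=": ">=", ">": "<", "<": ">", "==": "==", "!=": "!="}  # after dividing by a < 0


class Sym:
    """Linear symbolic value a*X + b over the single symbolic input X."""
    def __init__(self, a, b=0):
        self.a, self.b = Fraction(a), Fraction(b)

    def __add__(self, other):
        if isinstance(other, Sym):
            return Sym(self.a + other.a, self.b + other.b)
        return Sym(self.a, self.b + other)
    __radd__ = __add__

    def __str__(self):
        if self.a == 0:
            return str(self.b)
        coef = "" if self.a == 1 else f"{self.a}*"
        tail = f"+{self.b}" if self.b > 0 else (f"{self.b}" if self.b < 0 else "")
        return f"{coef}X{tail}"


class InfeasiblePath(Exception):
    """Raised when no integer X can satisfy the path condition any more."""


class PathCondition:
    """Conjunction of constraints on X in solved form: bounds, forced value, excluded values."""
    def __init__(self):
        self.lo, self.hi = -inf, inf
        self.eq, self.ne = None, set()
        self.terms = []                      # human-readable conjuncts, in order

    def add(self, sym, op, rhs):
        self.terms.append(f"({sym} {op} {rhs})")
        if sym.a == 0:                       # both sides concrete: just evaluate
            if not OPS[op](sym.b, rhs):
                raise InfeasiblePath(self)
            return
        c = (Fraction(rhs) - sym.b) / sym.a  # a*X + b op rhs  ->  X op' c
        if sym.a < 0:
            op = MIRROR[op]
        if op == ">=":   self.lo = max(self.lo, ceil(c))
        elif op == ">":  self.lo = max(self.lo, floor(c) + 1)
        elif op == "<=": self.hi = min(self.hi, floor(c))
        elif op == "<":  self.hi = min(self.hi, ceil(c) - 1)
        elif op == "==":
            if c.denominator != 1 or (self.eq is not None and self.eq != c):
                raise InfeasiblePath(self)
            self.eq = c
        else:            self.ne.add(c)
        if self.witness() is None:           # kill the path as soon as it becomes unsatisfiable
            raise InfeasiblePath(self)

    def witness(self):
        """A concrete integer X satisfying every constraint, or None if there is none."""
        if self.eq is not None:
            ok = self.lo <= self.eq <= self.hi and self.eq not in self.ne
            return int(self.eq) if ok else None
        if self.lo != -inf:                  # scan upward; finitely many '!=' can only block finitely many values
            cand = range(int(self.lo), int(min(self.hi, self.lo + len(self.ne))) + 1)
        elif self.hi != inf:
            cand = range(int(self.hi), int(self.hi) - len(self.ne) - 1, -1)
        else:
            cand = range(0, len(self.ne) + 1)
        return next((x for x in cand if x not in self.ne), None)


class State:
    """One execution path: a decision vector (which side of each fork was taken) plus its PC."""
    def __init__(self, prefix):
        self.decisions, self.used = list(prefix), 0
        self.pc, self.feasible = PathCondition(), True

    def input(self):
        return Sym(1, 0)                     # x : X, PC : true

    def branch(self, sym, op, rhs):
        if self.used == len(self.decisions):
            self.decisions.append(True)      # fresh fork: take the true side first, sibling explored later
        take = self.decisions[self.used]
        self.used += 1
        self.pc.add(sym, op if take else FLIP[op], rhs)
        return take


def program(se):
    """The program from the slide (constructed here): branch on x, compute y, branch on y."""
    x = se.input()
    se.branch(x, ">=", 0)                    # PC gains X >= 0 or X < 0
    y = x + 100                              # y : X+100
    se.branch(y, "==", 2011)                 # PC gains X+100 == 2011 or X+100 != 2011
    return y


def explore(program):
    """Depth-first enumeration of every path, forking at each untried branch side."""
    paths, worklist = [], [[]]
    while worklist:
        st = State(worklist.pop())
        prefix_len = len(st.decisions)
        try:
            program(st)
        except InfeasiblePath:
            st.feasible = False
        for i in range(prefix_len, len(st.decisions)):   # schedule the untried sibling of each new fork
            worklist.append(st.decisions[:i] + [not st.decisions[i]])
        paths.append(st)
    return paths


def run():
    """(path condition, concrete input or None) for every path, in exploration order."""
    return [(" ∧ ".join(st.pc.terms), st.pc.witness() if st.feasible else None)
            for st in explore(program)]


if __name__ == "__main__":
    for pc, x in run():
        print(f"{pc:40s} -> {'infeasible' if x is None else f'X = {x}'}")
```

The witness for each feasible path is the concrete input a symbolic executor hands back to the user (the equivalent of "this input reaches this state"); a real engine replaces the toy solver with an SMT solver such as the one KLEE drives, and the same idea then scales to the arbitrary bitvector constraints a crash path accumulates.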
S2E
http://s2e.epfl.ch/
Figure: S2E architecture. X86 instructions (32-bit) → TCG IRs → LLVM IRs (bitcode) → KLEE (symbolic execution); TCG IRs → X86 instructions (64-bit) → CPU (concrete execution). Both paths run inside QEMU.
Exploit Generating Progress
▶ Symbolic data propagating and constraints collecting
▶ Process crashed and symbolic EIP detected
▶ Reasoning out exploit
MUST Live Demo
Good ol’ 90s - return to stack
Fancy^H^H^H^H^H protections
▶ ASLR
▶ Non-executable stack
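The two protections listed above are both recorded in the ELF headers of a Linux binary, so whether a build still admits a 90s-style return-to-stack is something a defender can check before the binary ships. The following is an added example, not CRAX or SQLab code: a small checker that reads the ELF64 header and program headers, reports `pie` (e_type is ET_DYN, so ASLR can randomize the main image's base) and `nx_stack` (a PT_GNU_STACK entry present and without PF_X), and treats a missing PT_GNU_STACK as an executable stack, the way the loader does. The sample images are constructed in the script with a hypothetical `build_elf` helper (they are header-only and not runnable programs); only little-endian ELF64 is handled.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                      # fixed-address executable / position-independent (PIE)
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, little-endian


def check_mitigations(data: bytes) -> dict:
    """Report whether an ELF64 image is PIE and whether its stack is marked non-executable."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:        # EI_CLASS = ELFCLASS64, EI_DATA = ELFDATA2LSB
        raise ValueError("only little-endian ELF64 is handled here")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = PHDR.unpack_from(data, off)[:2]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    # No PT_GNU_STACK at all means the loader falls back to an executable stack,
    # so that case is reported the same way as an explicit PF_X flag.
    return {
        "pie": e_type == ET_DYN,
        "gnu_stack_present": stack_flags is not None,
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }


def build_elf(e_type, gnu_stack_flags):
    """Constructed sample: a header-only ELF64 image with one PT_LOAD and an optional PT_GNU_STACK."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if gnu_stack_flags is not None:
        phdrs.append((PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 0x10))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1, SysV ABI
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0x400000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs)


def demo():
    """Run the checker over three constructed images: a 90s-style build, a hardened build, and one with no stack marking."""
    return {
        "legacy":  check_mitigations(build_elf(ET_EXEC, PF_R | PF_W | PF_X)),
        "modern":  check_mitigations(build_elf(ET_DYN, PF_R | PF_W)),
        "missing": check_mitigations(build_elf(ET_EXEC, None)),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # real binaries given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, check_mitigations(f.read()))
    else:
        for name, report in demo().items():
            print(f"{name:8s} {report}")
```

`readelf -l` shows the same PT_GNU_STACK line (`GNU_STACK ... RW` versus `RWE`), and `readelf -h` the same `DYN` versus `EXEC` type; the script just makes the check scriptable over a whole build tree. Note that an ET_EXEC binary still gets its stack, heap and shared libraries randomized by ASLR; only the executable's own image sits at a fixed address.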
ROP for CRAX
Work In Progress
Questions?