hitcon x playground - crax
DESCRIPTION
CRAX stands for CRash analysis for Automatic eXploit generation. CRAX aims to generate software exploits automatically by analyzing software crashes with symbolic execution. CRAX does not focus only on Linux/Windows applications; it is also taking steps toward web attack techniques (XSS and SQL injection) and the mobile platform (Android).
TRANSCRIPT
![Page 1: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/1.jpg)
CRAX: An Automatic Exploit Generating System
Lance Chen
Software Quality Laboratory, NCTU
Aug 21, 2014
![Page 2: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/2.jpg)
Disclaimer
CRAX is not my personal project, but built by many members of the SQLab.
![Page 3: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/3.jpg)
About me
Lance Chen
▶ MS in Computer Science and Engineering Institute of NCTU
▶ A System and Network Administrator in NCTU CSCC for four years
![Page 4: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/4.jpg)
About SQLab
▶ Advisor: Prof. Shih-kun Huang
▶ Current members:
▶ Ph.D. student * 2
▶ MS student * 8
▶ Central Idea: Bugs are Backdoors
![Page 5: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/5.jpg)
How do you feel?
![Page 6: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/6.jpg)
Figure 1: A) Rage
![Page 7: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/7.jpg)
Figure 2: B) Excited...
![Page 8: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/8.jpg)
Figure 3: A) Rage
Figure 4: B) Excited...
![Page 9: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/9.jpg)
Unclear relation between input and crashes
![Page 10: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/10.jpg)
Symbolic Execution (path tree: x is the symbolic input X, PC is the path condition collected along each path)
x : X, PC : true
├─ x : X, PC : X ≥ 0
│  ├─ x : X, y : X+100, PC : (X ≥ 0) ∧ (X+100 = 2011)
│  └─ x : X, y : X+100, PC : (X ≥ 0) ∧ (X+100 ≠ 2011)
└─ x : X, PC : X < 0
   ├─ x : X, y : X+100, PC : (X < 0) ∧ (X+100 = 2011)   Infeasible!
   └─ x : X, y : X+100, PC : (X < 0) ∧ (X+100 ≠ 2011)
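The tree on this slide, worked as an added example that is not part of the talk: a tiny symbolic executor for the two-branch program the slide sketches (a first branch on x ≥ 0, then y = x + 100 and a branch on y = 2011), with a one-variable integer solver that decides each path condition and produces a witness input. The program text and solver are assumptions for illustration; CRAX itself uses KLEE's solver.

```python
# Added example, not CRAX code: symbolic execution of the slide's program over
# a single symbolic input X, keeping a path condition (PC) per path.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Constraint:
    """One atom of a path condition: (X + offset) <op> value, X the symbolic input."""
    op: str          # ">=", "<", "==" or "!="
    offset: int
    value: int

    def holds(self, x: int) -> bool:
        lhs = x + self.offset
        return {">=": lhs >= self.value, "<": lhs < self.value,
                "==": lhs == self.value, "!=": lhs != self.value}[self.op]

    def __str__(self) -> str:
        lhs = "X" if self.offset == 0 else f"X+{self.offset}"
        return f"({lhs} {self.op} {self.value})"

def solve(pc: List[Constraint]) -> Optional[int]:
    """Concrete X satisfying every constraint in pc, or None if the path is infeasible."""
    eqs = [c.value - c.offset for c in pc if c.op == "=="]
    if eqs:                                  # an equality pins X down: just check it
        return eqs[0] if all(c.holds(eqs[0]) for c in pc) else None
    anchors = [c.value - c.offset for c in pc] + [0]
    for x in range(min(anchors) - 2, max(anchors) + 3):   # window covers every boundary
        if all(c.holds(x) for c in pc):
            return x
    return None

def explore() -> List[Tuple[str, Optional[int]]]:
    """Every path of the slide's program as (path condition, witness input or None)."""
    paths = []
    for first in (Constraint(">=", 0, 0), Constraint("<", 0, 0)):        # if (x >= 0)
        # y = x + 100 is kept symbolically as X+100, so the next branch tests X+100 == 2011
        for second in (Constraint("==", 100, 2011), Constraint("!=", 100, 2011)):
            pc = [first, second]
            paths.append((" ∧ ".join(str(c) for c in pc), solve(pc)))
    return paths

if __name__ == "__main__":
    for text, witness in explore():
        verdict = "Infeasible!" if witness is None else f"feasible, e.g. x = {witness}"
        print(f"PC: {text:<34} -> {verdict}")
```

Only the path (X < 0) ∧ (X+100 = 2011) comes back with no witness, which is the "Infeasible!" node on the slide; the other three yield a concrete input that drives execution down that path.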
![Page 11: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/11.jpg)
S2E
http://s2e.epfl.ch/
Architecture, built on QEMU:
▶ X86 instructions (32-bit and 64-bit) are translated to TCG IRs
▶ Concrete execution: TCG IRs run on the CPU (QEMU)
▶ Symbolic execution: TCG IRs are translated to LLVM IRs (bitcode) and executed by KLEE
![Page 12: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/12.jpg)
Exploit Generating Progress
▶ Symbolic data propagating and constraints collecting
▶ Process crashed and symbolic EIP detected
▶ Reasoning out exploit
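The first two steps of this progress, as an added toy model that is not CRAX code: input bytes are marked symbolic, an unchecked copy propagates them into a modelled 32-bit stack frame while collecting the path constraint that each copied byte is non-zero (a NUL would have ended a strcpy-style copy), and on return the saved return address is inspected to see whether EIP has become symbolic. The frame layout, buffer size and input lengths are constructed assumptions; the model stops at the triage verdict and does not perform step 3.

```python
# Added example, not CRAX code: crash triage by symbolic propagation.
from typing import Dict, List, Union

Cell = Union[int, str]            # concrete byte value, or "in[k]" for input byte k

BUF_SIZE = 16                     # assumed size of the local buffer
SAVED_EBP = 4                     # assumed 32-bit frame: buffer | saved ebp | return address
RET_ADDR = 4
RET_OFFSET = BUF_SIZE + SAVED_EBP # where the return address starts in the frame

def make_frame() -> List[Cell]:
    """Concrete stack frame, lowest address first (constructed values)."""
    return [0] * BUF_SIZE + [0xBB] * SAVED_EBP + [0xCC] * RET_ADDR

def unchecked_copy(frame: List[Cell], input_len: int, pc: List[str]) -> None:
    """Step 1: copy input into the buffer with no length check, propagating one
    fresh symbol per input byte and collecting the constraint that each copied
    byte is non-zero (a NUL would have stopped the copy earlier). Bytes beyond
    the modelled frame are dropped."""
    for k in range(input_len):
        if k >= len(frame):
            break
        frame[k] = f"in[{k}]"          # symbolic data propagates into the frame
        pc.append(f"in[{k}] != 0")     # path constraint collected for this byte

def eip_symbols(frame: List[Cell]) -> List[str]:
    """Step 2: the input symbols that make up EIP when the function returns."""
    ret = frame[RET_OFFSET:RET_OFFSET + RET_ADDR]
    return [c for c in ret if isinstance(c, str)]

def triage(input_len: int) -> Dict[str, object]:
    """Classify an input of input_len bytes: is the return address untouched,
    merely corrupted, or fully symbolic (every EIP byte is an input byte)?"""
    frame: List[Cell] = make_frame()
    pc: List[str] = []
    unchecked_copy(frame, input_len, pc)
    syms = eip_symbols(frame)
    return {
        "ret_corrupted": bool(syms),
        "symbolic_eip": len(syms) == RET_ADDR,
        "eip_symbols": syms,
        "constraints": len(pc),
    }

if __name__ == "__main__":
    for n in (8, 22, 24):
        print(n, triage(n))
```

An 8-byte input leaves the return address untouched, a 22-byte input corrupts it without controlling it (a crash, but EIP is only partly symbolic), and a 24-byte input is the "symbolic EIP detected" case that the next step of the pipeline would reason about.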
![Page 13: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/13.jpg)
Exploit Generating Progress
Pages 14–25: Exploit Generating Progress (the same slide title repeated on each of these pages)
![Page 26: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/26.jpg)
MUST Live Demo
![Page 27: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/27.jpg)
Good ol’ 90s - return to stack
![Page 28: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/28.jpg)
Fancy^H^H^H^H^H protections
▶ ASLR
▶ Non-executable stack
![Page 29: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/29.jpg)
ROP for CRAX
Work In Progress
![Page 30: HITCON X Playground - CRAX](https://reader038.vdocument.in/reader038/viewer/2022102600/547e532db479598e508b4b70/html5/thumbnails/30.jpg)
Questions?