Million Dollar Baby · 2020-04-22
Million Dollar Baby: An ‘angr’y attempt at the Cyber Grand Challenge
Nick Stephens [email protected]
Insomni’hack / March 17th, 2016
Shellphish
- Who are we?
  - A team of security enthusiasts
  - do research in System Security
  - play Capture the Flag competitions
  - released a couple of tools
Mini-primer: What’s a CTF?
- Security competition:
  - exploit a vulnerable service / website / cryptosystem
  - reverse a binary
  - …
- Different formats
  - Jeopardy ‒ Attack-Defense
  - Online ‒ Live
  - ...
- Basic idea: find the secret, submit to organizers, ... profit
Roadmap
● DARPA Cyber Grand Challenge (CGC): The (almost-)Million Dollar Baby
● Our Cyber Reasoning System (CRS): Fancy term for auto-playing a CTF
● Automated Vulnerability Discovery: Driller
● Automated Vulnerability Exploitation: How it works
● Auto-exploitation demo using angr: Open-source binary analysis framework
Cyber Grand Challenge (CGC)
- 2004: DARPA Grand Challenge
  - Autonomous vehicles
- 2014: DARPA Cyber Grand Challenge
  - Autonomous hacking!
Cyber Grand Challenge (CGC)
- Qualification event: ONLINE
  - ~70 teams → 7 qualified teams
  - $750k per team
- Final event: DEFCON 24
  - Winning CRS will also play against humans!

cybergrandchallenge.com / cgc.darpa.mil
CGC Rules
- Attack-Defense CTF
  - Solving security challenges → Developing a system that solves security challenges
- Develop a system that automatically
  - Exploits vulnerabilities
  - Removes vulnerabilities
- No human intervention
CGC ‒ Rules
- Exploits
  - “getting a flag” (how? where?)
  - For the quals: exploit = crash
  - For the finals: exploit = demonstrate PC control
- Defend
  - int main() { return 0; }
  - Functionality checks
  - SIGSEGV => exit(0)
  - No easy “out-of-band” error handling
  - QEMU-style interpreter: interrupts => exit(0)
  - Performance cost (CPU, memory, file size)
CGC Final Round Exploits
- Type 1: control arbitrary register + control program counter
- Type 2: leak arbitrary memory
CGC Qualification Event ‒ Rules
- Basic idea:
  - Real(istic) programs
  - No “extra” complications
- Architecture: Intel x86, 32-bit
- OS: DECREE
  - Linux-like, but with 7 syscalls only
  - transmit / receive / fdwait (≈ select)
  - allocate / deallocate (even executable!)
  - random
  - _terminate
  - no signals, threads, shared memory
- “Bring Your Own Defense” approach (and pay for it)
  - Not even “the usual”: stack is executable, no ASLR, …
Shellphish CRS
Figure (high level): a vulnerable binary goes into the Cyber Reasoning System, which produces a patched binary and an exploit.

Figure (components): the vulnerable binary feeds Automatic Vulnerability Finding, which produces crashes; the crashes feed Automatic Exploitation (proposed exploits) and Automatic Vulnerability Patching (proposed patches); both go through Automatic Testing, which outputs the exploit and the patched binary.
Quals Approach to Finding Bugs
Fuzz a binary
… and …
Symbolically explore a binary
Finding bugs
Fuzzing
```python
x = int(input())
if x > 10:
    if x < 100:
        print("You win!")
    else:
        print("You lose!")
else:
    print("You lose!")
```

Let's fuzz it!
- 1 ⇒ "You lose!"
- 593 ⇒ "You lose!"
- 183 ⇒ "You lose!"
- 4 ⇒ "You lose!"
- 498 ⇒ "You lose!"
- 48 ⇒ "You win!"
Catching Bugs
- Monitors program for crashes
```python
x = int(input())
if x > 10:
    # the slide writes x^2; in Python that is XOR, so the square is spelled x ** 2
    # (12345 ** 2 == 152399025)
    if x ** 2 == 152399025:
        print("You win!")
    else:
        print("You lose!")
else:
    print("You lose!")
```

Let's fuzz it!
- 1 ⇒ "You lose!"
- 593 ⇒ "You lose!"
- 183 ⇒ "You lose!"
- 4 ⇒ "You lose!"
- 498 ⇒ "You lose!"
- 42 ⇒ "You lose!"
- 3 ⇒ "You lose!"
- ……….
- 57 ⇒ "You lose!"
Finding bugs
Symbolic Execution
```python
x = int(input())   # x is the symbolic input
if x >= 10:
    if x % 1337 == 0:
        print("You win!")
    else:
        print("You lose!")
else:
    print("You lose!")
```

??? Which input reaches "You win!"? Path constraints collected along each branch:
- x < 10 ⇒ "You lose!"
- x >= 10 ∧ x % 1337 != 0 ⇒ "You lose!"
- x >= 10 ∧ x % 1337 == 0 ⇒ "You win!"

Solving the last constraint set gives the answer: 1337
Catching Bugs
- Checks each state for safety violations
  - symbolic program counter
  - writes/reads from symbolic address
```python
x = input()

def recurse(x, depth):
    if depth == 2000:
        return 0
    else:
        r = 0
        if x[depth] == "B":
            r = 1
        # the slide reads recurse(x[depth], depth), which never terminates;
        # the intended recursion advances depth over the same input
        return r + recurse(x, depth + 1)

if recurse(x, 0) == 1:
    print("You win!")
else:
    print("You lose!")
```

??? At every depth d the state forks on x[d] == “B” / x[d] != “B”, so the number of paths explodes with the input length.
Quals Performance
- Symbolic Execution (angr): 16
- Fuzzing (AFL): 37
- Total: 44 / 128

… need something better
Driller
Driller: Augmenting Fuzzing through Selective Symbolic Execution
NDSS 2016
Different Approaches
Fuzzing
- Good at finding solutions for general conditions
- Bad at finding solutions for specific conditions

Symbolic Execution
- Good at finding solutions for specific conditions
- Spends too much time iterating over general conditions
Fuzzing vs. Symbolic Execution
Fuzzing Wins:

```python
x = input()

def recurse(x, depth):
    if depth == 2000:
        return 0
    else:
        r = 0
        if x[depth] == "B":
            r = 1
        return r + recurse(x, depth + 1)   # slide reads recurse(x[depth], depth); fixed to advance depth

if recurse(x, 0) == 1:
    print("You win!")
```

Symbolic Execution Wins:

```python
x = int(input())
if x >= 10:
    if x ** 2 == 152399025:   # slide writes x^2 (XOR in Python); the square is meant
        print("You win!")
    else:
        print("You lose!")
else:
    print("You lose!")
```
The Goal
- Fuzzing: good at finding solutions for general input
- Symbolic Execution: good at finding solutions for specific input
American Fuzzy Lop + angr
AFL
- state-of-the-art instrumented fuzzer
- path uniqueness tracking
- genetic mutations
- open source
angr
- binary analysis platform
- implements symbolic execution engine
- works on binary code
- available on github
Combining the Two (High-level)
The slides walk through one iteration as a figure, with the fuzzer's Test Cases on one side and the program's Control Flow Graph on the other:
- Test cases “X” and “Y” from the fuzzer give “cheap” fuzzing coverage of the control flow graph.
- Tracing via symbolic execution replays those test cases and, at a branch the fuzzer never took, asks: reachable?
- The untaken branch here guards the check for “MAGIC”; the solver synthesizes an input that satisfies it.
- New test cases are generated (“MAGIC”, then “MAGICY”) and handed back to the fuzzer: towards completer code coverage!
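The loop sketched in the slides above, as an added toy example that is not part of the talk or of the Driller/angr code: a coverage-guided mutation fuzzer stalls at a 5-byte “MAGIC” compare, and a tracing step that records the comparisons along each queued input's path synthesizes inputs that flip the unsatisfied ones. The target program, the `Tape` helper and the `fuzz`/`drill`/`driller_loop` names are constructed for this example; the “solver” understands only byte-equality constraints, whereas Driller proper hands the full path predicate to angr's SMT solver.

```python
import random


class Tape:
    """View of the input used by the target. Concretely it only compares bytes;
    with trace=True it also records every comparison as (offset, constant, taken),
    a much-simplified stand-in for the path constraints a symbolic tracer collects."""

    def __init__(self, data, trace=False):
        self.data = data
        self.trace = trace
        self.constraints = []

    def eq(self, off, const):
        taken = self.data[off:off + len(const)] == const
        if self.trace:
            self.constraints.append((off, const, taken))
        return taken


def target(tape):
    """Constructed toy target. Returns the set of coverage labels the run hit;
    'crash' stands for the bug we are hunting."""
    cov = {"start"}
    if tape.eq(0, b"MAGIC"):        # a single branch guarding a 5-byte compare: fuzzers stall here
        cov.add("magic")
        if tape.eq(5, b"Y"):
            cov.update({"Y", "crash"})
        elif tape.eq(5, b"X"):
            cov.add("X")
    else:
        cov.add("lose")
    return cov


def fuzz(seeds, iterations, rng):
    """AFL-style loop: mutate one byte of a queued input and keep the child only if it
    reaches coverage not seen before. Returns (queue, coverage seen)."""
    queue = list(seeds)
    seen = set()
    for s in queue:
        seen |= target(Tape(s))
    for _ in range(iterations):
        child = bytearray(rng.choice(queue))
        child[rng.randrange(len(child))] = rng.randrange(256)
        cov = target(Tape(bytes(child)))
        if not cov <= seen:            # new coverage: this input is worth keeping
            seen |= cov
            queue.append(bytes(child))
    return queue, seen


def drill(queue):
    """Tracing step: replay each queued input and, for every comparison it failed,
    synthesize an input that satisfies it (byte-equality constraints only)."""
    new = []
    for inp in queue:
        tape = Tape(inp, trace=True)
        target(tape)
        for off, const, taken in tape.constraints:
            if taken:
                continue
            buf = bytearray(inp) + b"\0" * max(0, off + len(const) - len(inp))
            buf[off:off + len(const)] = const   # "solve" the constraint by writing the bytes
            new.append(bytes(buf))
    return new


def driller_loop(seed, rounds, rng, iterations=2000):
    """Alternate fuzzing and drilling; returns (final queue, total coverage)."""
    queue, total = [seed], set()
    for _ in range(rounds):
        queue, cov = fuzz(queue, iterations, rng)
        total |= cov
        for cand in drill(queue):
            if cand not in queue:
                queue.append(cand)
    return queue, total


def fuzz_only(seed=1):
    """Fuzzing alone on the constructed seed: never gets past the MAGIC check."""
    return fuzz([b"A" * 8], 2000, random.Random(seed))[1]


def demo(seed=1):
    """Three fuzz/drill rounds from the same seed: reaches the crash."""
    return driller_loop(b"A" * 8, 3, random.Random(seed))


if __name__ == "__main__":
    print("fuzzing alone:", sorted(fuzz_only()))
    queue, cov = demo()
    print("driller:", sorted(cov), [q for q in queue if q.startswith(b"MAGIC")])
```

With single-byte mutations the fuzzer can never assemble all five MAGIC bytes at once, so its coverage stays at {start, lose}; one drill pass turns the failed compare into “MAGICAAA”, and the next pass on that input yields “MAGICYAA” and “MAGICXAA”, which is the “MAGICY” step of the figure.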
Binary Crashes per Technique (CGC Fuzzer Optimizations)
- Symbolic Execution (angr): 16
- Fuzzing (AFL): 68 total
- S & F Shared: 13 total
- 71 / 128 binaries
Driller Results: Binary Crashes per Technique
- Symbolic Execution (angr): 16
- Fuzzing (AFL): 68 total
- S & F Shared: 13 total
- Driller: 77 total
- 77 / 128 binaries
Figure: Distribution of Transitions Found as Iterations of Symbolic Execution and Fuzzing (series: symbolic execution, fuzzing)
Previous Work
- Automatic Generation of Control Flow Hijacking Exploits … (Sean Heelan)
- AEG: Automatic Exploit Generation (Thanassis Avgerinos, CMU)
- Unleashing MAYHEM on Binary Code (Sang Kil Cha, CMU)
- Q: Exploit Hardening Made Easy (Edward J. Schwartz, CMU)
- More work being done by Julien Vanegue, as far as I know still largely theoretical at this point
Auto Exploitation - Simplified
- Find a path with safety violations
- Exploit it
```c
typedef struct component {
    char name[32];
    int (*do_something)(int arg);
} comp_t;

comp_t *initialize_component(char *cmp_name) {
    int i = 0;
    struct component *cmp;

    cmp = malloc(sizeof(struct component));
    cmp->do_something = sample_func;
    while (*cmp_name)                 /* no bound on i: a long name runs past name[31] */
        cmp->name[i++] = *cmp_name++;
    cmp->name[i] = '\0';
    return cmp;
}

x = get_input();
cmp = initialize_component(x);
cmp->do_something(1);
```

Heap layout (figure, slide animation): the struct holds `char name[32]` followed by `int (*do_something)(int arg)`, which initially contains &sample_func. As the copy loop runs, name[] fills with Symbolic Byte[0], Symbolic Byte[1], Symbolic Byte[2], … followed by ‘\0’; with a long enough input the copy continues past name[31], so Symbolic Byte[32] … Symbolic Byte[36] land in the function-pointer slot, and the final call becomes `call <symbolic byte[36:32]>`.
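The safety checks listed under “Catching Bugs” (symbolic program counter, reads/writes through a symbolic address) and the initialize_component() overflow above, as an added example that is not from the talk or from angr: a small concolic interpreter for a constructed register VM tags every value derived from input as symbolic, runs the slide's copy loop on a long name, and flags the moment the overwritten function pointer is used as a call target. The VM, its opcodes, the addresses 0x100/0x120/0x400, the `INDEX_PROGRAM` and the `bounded` fix are all constructed for this example; each memory cell is one word, so the pointer slot is the cell right after name[31] rather than bytes 32..35.

```python
MEM_SIZE = 0x200
NAME, FNPTR, SAMPLE_FUNC = 0x100, 0x120, 0x400   # constructed layout: name[] cells, then the do_something slot


def assemble(lines):
    """Turn a list of instruction tuples and 'label' strings into indexed code."""
    labels, code = {}, []
    for item in lines:
        if isinstance(item, str):
            labels[item] = len(code)
        else:
            code.append(item)
    return [tuple(labels.get(x, x) if isinstance(x, str) else x for x in ins) for ins in code]


def run(code, inp, max_steps=10_000):
    """Concolic run: every value is (concrete, symbolic); input bytes start symbolic and
    taint whatever is computed from them, while branches follow the concrete value.
    Returns the first safety violation as a dict, or None for a clean run."""
    regs = {r: (0, False) for r in ("r0", "r1", "r2", "r3")}
    mem = [(0, False)] * MEM_SIZE
    pc = 0
    for _ in range(max_steps):
        ins, op = code[pc], code[pc][0]
        if op == "halt":
            return None
        if op == "mov":                                   # reg = immediate
            regs[ins[1]] = (ins[2], False)
        elif op == "addi":                                # reg += immediate
            v, s = regs[ins[1]]
            regs[ins[1]] = (v + ins[2], s)
        elif op == "add":                                 # reg += reg (symbolic if either is)
            (v1, s1), (v2, s2) = regs[ins[1]], regs[ins[2]]
            regs[ins[1]] = (v1 + v2, s1 or s2)
        elif op == "ldin":                                # reg = input[idx_reg], symbolic; 0 past the end
            idx = regs[ins[2]][0]
            regs[ins[1]] = (inp[idx], True) if idx < len(inp) else (0, False)
        elif op == "st":                                  # mem[addr_reg] = reg
            addr, sym = regs[ins[1]]
            if sym:
                return {"kind": "write to symbolic address", "pc": pc}
            if not 0 <= addr < MEM_SIZE:
                return {"kind": "out-of-bounds write", "pc": pc}
            mem[addr] = regs[ins[2]]
        elif op == "ld":                                  # reg = mem[addr_reg]
            addr, sym = regs[ins[2]]
            if sym:
                return {"kind": "read from symbolic address", "pc": pc}
            if not 0 <= addr < MEM_SIZE:
                return {"kind": "out-of-bounds read", "pc": pc}
            regs[ins[1]] = mem[addr]
        elif op == "jz" and regs[ins[1]][0] == 0:        # if reg == 0 goto target
            pc = ins[2]
            continue
        elif op == "jge" and regs[ins[1]][0] >= ins[2]:  # if reg >= imm goto target
            pc = ins[3]
            continue
        elif op == "jmp":
            pc = ins[1]
            continue
        elif op == "call":                                # indirect call through a register
            target, sym = regs[ins[1]]
            if sym:                                       # the check angr performs on state.regs.pc
                return {"kind": "symbolic program counter", "pc": pc, "target": target}
            # a concrete callee is modelled as a stub that returns straight away
        pc += 1
    return {"kind": "step limit reached", "pc": pc}


def component_program(bounded):
    """initialize_component() from the slide as VM code. bounded=False is the slide's
    vulnerable copy loop; bounded=True adds the missing `i < sizeof(name) - 1` check."""
    check = [("jge", "r0", 31, "end")] if bounded else []
    return assemble([
        ("mov", "r3", SAMPLE_FUNC), ("mov", "r2", FNPTR), ("st", "r2", "r3"),  # cmp->do_something = sample_func
        ("mov", "r0", 0),                                                       # i = 0
        "loop",
        ("ldin", "r1", "r0"),                                                   # *cmp_name
        ("jz", "r1", "end"),                                                    # while (*cmp_name)
        *check,
        ("mov", "r2", NAME), ("add", "r2", "r0"), ("st", "r2", "r1"),           # cmp->name[i] = byte
        ("addi", "r0", 1), ("jmp", "loop"),                                     # i++
        "end",
        ("mov", "r2", NAME), ("add", "r2", "r0"), ("mov", "r1", 0), ("st", "r2", "r1"),  # cmp->name[i] = '\0'
        ("mov", "r2", FNPTR), ("ld", "r3", "r2"), ("call", "r3"),              # cmp->do_something(1)
        ("halt",),
    ])


# Constructed second target: an input byte used directly as a memory index.
INDEX_PROGRAM = assemble([
    ("mov", "r0", 0), ("ldin", "r1", "r0"),   # r1 = first input byte (symbolic)
    ("ld", "r2", "r1"),                        # table[input[0]] with no range check
    ("halt",),
])


if __name__ == "__main__":
    print(run(component_program(False), b"A" * 40))   # the slide's bug: symbolic program counter
    print(run(component_program(True), b"A" * 40))    # bounded copy: None
    print(run(INDEX_PROGRAM, b"\x05"))                 # read from symbolic address
```

A 40-byte name with no NUL walks the copy loop straight through the pointer slot; the later `ld`/`call` pair then sees a symbolic target and stops with the same verdict angr's `state.se.symbolic(state.regs.pc)` gives. The bounded variant stops at i == 31, leaves &sample_func intact, and runs clean.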
Turning the state into an exploited state (angr):

```python
assert state.se.symbolic(state.regs.pc)
```

Constrain buffer to contain our shellcode (angr):

```python
buf_addr = find_symbolic_buffer(state, len(shellcode))
mem = state.memory.load(buf_addr, len(shellcode))
state.add_constraints(mem == state.se.bvv(shellcode))
```

find_symbolic_buffer is not included in the angr project, but an implementation of this will be shown in the demo
Constrain PC to point to the buffer (angr):

```python
state.se.add_constraints(state.regs.pc == buf_addr)
```

Synthesize! (angr):

```python
exploit = state.posix.dumps(0)
```
Vulnerable Symbolic State (PC hijack)
+ Constraints to add shellcode to the address space
+ Constraints to make PC point to shellcode
= Exploit
Auto Exploitation - Advances
- ROP chain generation and ROP placement (angrop)
  - state-aware ROP
- Write primitives and Read primitives
- Forced leaking
- Shellcode distribution
Demo
Available at: https://github.com/angr/angr-doc/ (examples/insomnihack_aeg)