The document discusses techniques from the DARPA Cyber Grand Challenge (CGC) and DEFCON CTF for developing automatic attack and defense systems, including fuzzing, symbolic/concolic execution, and software hardening. It provides an overview of the CGC competition format and challenges competitors to analyze binaries to discover vulnerabilities and generate exploits or patches. The competition was won by Team Mayhem from startup ForAllSecure, which utilized techniques like symbolic execution to analyze programs.
DARPA CGC and DEFCON CTF: Automatic Attack and Defense TechniqueChong-Kuan Chen
The document discusses automatic attack and defense techniques explored through DARPA's Cyber Grand Challenge (CGC) and DEFCON CTF competitions. It introduces CGC and covers topics like vulnerability discovery, fuzzing, symbolic/concolic execution, and software hardening. It describes CGC's qualification round in 2015 and final event in 2016, which was won by ForAllSecure/Mayhem. Various techniques used by competing teams are discussed, including AFL fuzzing, symbolic execution tools like S2E and Angr, and approaches that combined fuzzing and symbolic execution like Driller.
[COSCUP 2021] A trip about how I contribute to LLVMDouglas Chen
Douglas Chen presented on his contributions to LLVM. He discussed his motivation with CppNameLint and Clang-Tidy projects. He covered the workflows for Phabricator code reviews, building and testing code, and provided tips for contributors. He shared moments from his experience like design changes, invalid options, and how clang-tidy and tests work. He emphasized reading documentation and discussing with reviewers when facing issues.
Return oriented programming (ROP) allows an attacker to bypass address space layout randomization (ASLR) and data execution prevention (DEP). It works by identifying small "gadgets" in a program's code that end with a return instruction. These gadgets can be stitched together to perform operations or redirect execution flow. First, gadgets are found in the program using tools like ROPeMe or objdump. Useful gadgets include those that load registers from memory or call functions indirectly. The gadgets can then be chained to build ROP payloads that copy shellcode into memory and pivot the stack to execute it.
This document discusses Return Oriented Programming (ROP), which is a technique for exploiting software vulnerabilities to execute malicious code without injecting new code. It can be done by manipulating return addresses on the program stack to divert execution flow to existing code snippets ("gadgets") that perform the desired task when executed in sequence. The document covers the anatomy of the x86 stack, common ROP attack approaches like stack smashing and return-to-libc, how gadgets work by chaining neutral instructions, and various defenses such as stack canaries, non-executable memory, address space layout randomization, and position-independent executables.
This document discusses building a virtual platform for the OpenRISC architecture using SystemC and transaction-level modeling. It covers setting up the toolchain, writing test programs, and simulating the platform using event-driven or cycle-accurate simulation with Icarus Verilog or the Vorpsoc simulator. The virtual platform allows fast development and debugging of OpenRISC code without requiring physical hardware.
Alexey Sintsov- SDLC - try me to implementDefconRussia
This document discusses implementing security best practices within an agile software development lifecycle (SDLC). It recommends that security requirements and testing be integrated into each sprint or iteration. The security team would provide requirements, guides, tools, and training to development teams. They would conduct a final security review before software releases. DevOps practices could help automate security processes and configuration of cloud platforms. The overall approach is to distribute security responsibilities to development teams with support from the centralized security team.
**Return-oriented programming** bezeichnet eine gewiefte IT-Angriffstechnik, die im Prinzip eine Verallgemeinerung von *return-to-libc*-Attacken ist, welche wiederum zu den *stack buffer overflow exploits* gehören.
Wem das alles nichts sagt - keine Angst: Im Vortrag werden zunächst die Grundlagen von Puffer-Überläufen und deren Angriffspotential erläutert und einige historische Beispiele aufgezeigt, bevor schrittweise die Brücke zu **ROP** geschlagen wird. Zum Abschluss werden kurz einige Abwehrmaßnahmen vorgestellt und im Hinblick auf Umsetzbarkeit und Wirkungsgrad bewertet.
So die Demo-Götter es wollen, wird live u.A. ein Beispiel-Programm mithilfe von **ROP**-Tools gecrackt.
DARPA CGC and DEFCON CTF: Automatic Attack and Defense TechniqueChong-Kuan Chen
The document discusses automatic attack and defense techniques explored through DARPA's Cyber Grand Challenge (CGC) and DEFCON CTF competitions. It introduces CGC and covers topics like vulnerability discovery, fuzzing, symbolic/concolic execution, and software hardening. It describes CGC's qualification round in 2015 and final event in 2016, which was won by ForAllSecure/Mayhem. Various techniques used by competing teams are discussed, including AFL fuzzing, symbolic execution tools like S2E and Angr, and approaches that combined fuzzing and symbolic execution like Driller.
[COSCUP 2021] A trip about how I contribute to LLVMDouglas Chen
Douglas Chen presented on his contributions to LLVM. He discussed his motivation with CppNameLint and Clang-Tidy projects. He covered the workflows for Phabricator code reviews, building and testing code, and provided tips for contributors. He shared moments from his experience like design changes, invalid options, and how clang-tidy and tests work. He emphasized reading documentation and discussing with reviewers when facing issues.
Return oriented programming (ROP) allows an attacker to bypass address space layout randomization (ASLR) and data execution prevention (DEP). It works by identifying small "gadgets" in a program's code that end with a return instruction. These gadgets can be stitched together to perform operations or redirect execution flow. First, gadgets are found in the program using tools like ROPeMe or objdump. Useful gadgets include those that load registers from memory or call functions indirectly. The gadgets can then be chained to build ROP payloads that copy shellcode into memory and pivot the stack to execute it.
This document discusses Return Oriented Programming (ROP), which is a technique for exploiting software vulnerabilities to execute malicious code without injecting new code. It can be done by manipulating return addresses on the program stack to divert execution flow to existing code snippets ("gadgets") that perform the desired task when executed in sequence. The document covers the anatomy of the x86 stack, common ROP attack approaches like stack smashing and return-to-libc, how gadgets work by chaining neutral instructions, and various defenses such as stack canaries, non-executable memory, address space layout randomization, and position-independent executables.
This document discusses building a virtual platform for the OpenRISC architecture using SystemC and transaction-level modeling. It covers setting up the toolchain, writing test programs, and simulating the platform using event-driven or cycle-accurate simulation with Icarus Verilog or the Vorpsoc simulator. The virtual platform allows fast development and debugging of OpenRISC code without requiring physical hardware.
Alexey Sintsov- SDLC - try me to implementDefconRussia
This document discusses implementing security best practices within an agile software development lifecycle (SDLC). It recommends that security requirements and testing be integrated into each sprint or iteration. The security team would provide requirements, guides, tools, and training to development teams. They would conduct a final security review before software releases. DevOps practices could help automate security processes and configuration of cloud platforms. The overall approach is to distribute security responsibilities to development teams with support from the centralized security team.
**Return-oriented programming** bezeichnet eine gewiefte IT-Angriffstechnik, die im Prinzip eine Verallgemeinerung von *return-to-libc*-Attacken ist, welche wiederum zu den *stack buffer overflow exploits* gehören.
Wem das alles nichts sagt - keine Angst: Im Vortrag werden zunächst die Grundlagen von Puffer-Überläufen und deren Angriffspotential erläutert und einige historische Beispiele aufgezeigt, bevor schrittweise die Brücke zu **ROP** geschlagen wird. Zum Abschluss werden kurz einige Abwehrmaßnahmen vorgestellt und im Hinblick auf Umsetzbarkeit und Wirkungsgrad bewertet.
So die Demo-Götter es wollen, wird live u.A. ein Beispiel-Programm mithilfe von **ROP**-Tools gecrackt.
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteDVClub
The document summarizes a case study using open source tools to verify the OpenRISC 1200 processor implementation against its reference architectural simulation using the GCC regression test suite. Key aspects included:
1) Using the 53,000+ test GCC regression test suite to verify the SystemC design model against the reference Or1ksim architectural simulator.
2) Initial results found errors in both the RTL implementation and Or1ksim reference model, helping to improve both.
3) Connecting the GNU Debugger to drive the SystemC model via a remote serial protocol server, allowing the GCC regression tests to be used for verification.
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
This document provides an introduction and overview of Return Oriented Programming (ROP). It discusses classical stack overflow attacks and the mitigations put in place like Address Space Layout Randomization (ASLR) and No eXecute (NX) bit. It then introduces ROP as a technique to bypass these mitigations by chaining small snippets of existing code, called gadgets, to perform malicious tasks without injecting code. Several tools for finding gadgets are presented, and an example exploitation of the CVE-2011-1938 vulnerability is discussed to demonstrate ROP in practice. The document concludes with discussing mitigations against ROP and some related research topics.
XCon 2014 => http://xcon.xfocus.org/
In the past was quite common to exploit heap / pool manager vulnerabilities attacking its internal linked structures. However current memory management improve a lot and at current date it is quite ineffective to attack heap in this way. But still those techniques come into hand when we start to looking at linked structures widespread throughout kernel that are unfortunately not hardened enough.
In this presentation we will examine power of these vulnerabilities by famous example “CVE – 2013 - 3660”. Showing bypass on ‘lazy’ assertions of _LIST_ENTRY, present exploitation after party and teleport to kernel.
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
The document discusses techniques for bypassing Control Flow Guard (CFG) protections on Windows. It begins by introducing the author and their background in security research. It then outlines several potential attack surfaces for bypassing CFG, including using functions like VirtualAlloc and VirtualProtect that can mark memory as valid call targets, writing return addresses, and leveraging indirect calls without CFG checks. The document analyzes six CFG bypass vulnerabilities found by the author in Microsoft Edge and Chakra, and provides details on exploitation methods. It concludes by discussing improvements to harden CFG protections further.
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
The document introduces Return Oriented Programming (ROP) and its core concepts. It discusses how Data Execution Prevention (DEP) prevents execution of injected shellcode by marking the stack and heap as non-executable. ROP overcomes this by chaining together small snippets of existing code (called "gadgets") in libraries and binaries to achieve arbitrary code execution. This is done by creating fake stack frames and controlling the instruction pointer (EIP) to return to addresses of gadgets. An example demonstrates overflowing a function and making it return to another function by placing a fake stack frame.
syzbot and the tale of million kernel bugsDmitry Vyukov
The root cause of most software exploits is bugs. Hardening, mitigations and containers are important, but they can't protect a system with thousands of bugs. In this presentation, Dmitry Vyukov will review the current [sad] situation with Linux kernel bugs and security implications based on their experience testing kernel for the past 3 years; overview a set of bug finding tools they are developing (syzbot, syzkaller, KASAN, KMSAN, KTSAN); and discuss problems and areas that require community help to improve the situation.
As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old school heap specific exploiting is dying. And with each windows SP or new version, is harder to attack heap itself. Heap management adapt quickly and include new mittigation techniques. But sometimes is better to rethink the idea of mittigation and do this technique properly even half version of it will cover all known heap exploit techniques…
Ведущий: Иван Ёлкин
Ведущий фаст-трека расскажет об опыте внедрения Static Analysis Security Tool в QIWI, о сложностях, с которыми сталкивались разработчики. Писать «костыли» или рефакторить код? Что делать, когда мнения клиента и разработчика расходятся? Поведает, сколько строк кода пришлось прочитать и написать до и после запуска сканера, и предложит краткий обзор найденных и упущенных уязвимостей.
This document discusses buffer overflow attacks. It begins with an overview of the topics that will be covered, including vulnerabilities, exploits, and buffer overflows. It then provides definitions for key terms and describes different types of memory corruption vulnerabilities. The bulk of the document focuses on stack-based buffer overflows, explaining how they work by overwriting the return address on the stack to point to injected shellcode. It includes diagrams of stack layout and function prologue and epilogue. The document concludes with a demonstration of a buffer overflow and discusses some mitigations like stack cookies and ASLR.
Valgrind overview: runtime memory checker and a bit more aka использование #v...Minsk Linux User Group
Sergei Trofimovich «Valgrind overview: runtime memory checker and a bit more aka использование #valgrind на селе»
Доклад на майской линуксовке MLUG 2013
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
Step-Oriented Programming (SOP) allows executing arbitrary code on embedded systems by repeating step execution and changing the program counter value. A debugger communicates with a target system's stub using the Remote Serial Protocol to read/write memory and registers, enabling full control via simple commands if the connection is compromised. SOP constructs code by combining pieces of existing machine code and executes it without needing to directly inject new code. Therefore attacks are possible even if execution from data areas is prevented. The presentation will demonstrate this attack principle and results from actual experimentation.
The document describes various tools and processes that enable developer support and process automation, including continuous integration, code formatting, change tracking, testing, code reviews, analysis, bug tracking, search, and editing. It discusses how these tools improve code quality, prevent bugs, aid collaboration, and help manage large changes.
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkAdaCore
The document discusses computing systems and the technologies that enable them. It notes that computing today involves many cooperating technologies, including digital electronics, software, memory, optics, analog electronics, sensors, mechanics, displays and more. It emphasizes that these diverse technologies must work seamlessly together to enhance human capabilities. The document also highlights how reuse of technologies and components is necessary for businesses to be competitive and deliver products to consumers affordably. While commercial systems rely on reuse of potentially undependable components, the document argues that probabilistically, today's systems are functional and dependable enough to satisfy billions of customers per year.
syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer.
The presentation covers basic of operation of the fuzzer, gives tutorial on how to run it and how to extend it to fuzz new drivers.
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
Vulnerabilities are the same things as common errors. Why do we distinguish them? Do this, if you want to earn more money. CWE - Common Weakness Enumeration. CVE - Common Vulnerabilities and Exposures. Now using Valgrind you're searching not for a memory leak, but for a denial of service.
Android applications are an interesting target for
reverse engineering. They are written in Java, which is tradi-
tionally good to decompile and are executed by Google’s custom
Java virtual machine, making them interesting to study. In this
paper we present the basic methods and approaches as well as
the necessary tools to reverse engineer Android applications. We
discuss how to change Android applications and show alternative
approaches including man-in-the-middle attacks and automation.
Kernel vulnerabilities was commonly used to obtain admin privileges, and main rule was to stay in kernel as small time as possible! But nowdays even when you get admin / root then current operating systems are sometimes too restrictive. And that made kernel exploitation nice vector for installing to kernel mode!
In this talk we will examine steps from CPL3 to CPL0, including some nice tricks, and we end up with developing kernel mode drivers.
This document provides an overview of hacking and computer security concepts such as programming, hacking, vulnerabilities, exploitation, tools, and competitions. It defines key terms like hacking, vulnerability, and exploitation. It recommends programming languages and tools for reversing like Visual Studio, Vim, and Bokken. It also lists computer security competitions and references for learning more. The document aims to introduce someone new to computer security and provide resources to progress their skills.
Mitigating overflows using defense in-depth. What can your compiler do for you?Javier Tallón
Defense-in-depth is based on the principle that, while no security is perfect, the presence of many independent layers of defense will geometrically increase an attacker's difficulty in breaking through the walls and slowing them down to the point where the effort to carry out an attack is not worthwhile. Each layer multiplies the effects of the previous layer. If the outer wall deters 90% of attacks, and the inner walls deter 90% of attacks, then in combination they deter 99% of attacks. Defense-in-depth defense techniques place core assets behind varied and individually effective layers of security, each of which must be circumvented for an attack to succeed.
There are many options provided by your compiler that can help you mitigate known attacks such as buffer overflow without touching a single line of code. In this presentation, we will take a historical look at the mitigations proposed over time by cybersecurity researchers, and how they have been violated, forcing the development of new and ingenious countermeasures.
In order to prevent exploiting mistakes, introduced in developing process, are continuously implemented various security mitigations & hardening on application level and in operating system level as well.
Even when those mitigations highly increase difficulty of exploitation of common bugs in software / core, you should not rely solely on them. And it can help to know background and limits of those techniques, which protect your software directly or indirectly.
In this talk we will take a look at some of helpful mitigations & features introduces past years (x64 address space, SMAP & SMEP, CFG, ...) focusing from kernel point of view. Its benefits, and weak points same time.
Using the new extended Berkley Packet Filter capabilities in Linux to the improve performance of auditing security relevant kernel events around network, file and process actions.
Pragmatic Optimization in Modern Programming - Demystifying the CompilerMarina Kolpakova
This document discusses compiler optimizations. It begins with an outline of topics including compilation trajectory, intermediate languages, optimization levels, and optimization techniques. It then provides more details on each phase of compilation, how compilers use intermediate representations to perform optimizations, and specific optimizations like common subexpression elimination, constant propagation, and instruction scheduling.
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteDVClub
The document summarizes a case study using open source tools to verify the OpenRISC 1200 processor implementation against its reference architectural simulation using the GCC regression test suite. Key aspects included:
1) Using the 53,000+ test GCC regression test suite to verify the SystemC design model against the reference Or1ksim architectural simulator.
2) Initial results found errors in both the RTL implementation and Or1ksim reference model, helping to improve both.
3) Connecting the GNU Debugger to drive the SystemC model via a remote serial protocol server, allowing the GCC regression tests to be used for verification.
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
This document provides an introduction and overview of Return Oriented Programming (ROP). It discusses classical stack overflow attacks and the mitigations put in place like Address Space Layout Randomization (ASLR) and No eXecute (NX) bit. It then introduces ROP as a technique to bypass these mitigations by chaining small snippets of existing code, called gadgets, to perform malicious tasks without injecting code. Several tools for finding gadgets are presented, and an example exploitation of the CVE-2011-1938 vulnerability is discussed to demonstrate ROP in practice. The document concludes with discussing mitigations against ROP and some related research topics.
XCon 2014 => http://xcon.xfocus.org/
In the past was quite common to exploit heap / pool manager vulnerabilities attacking its internal linked structures. However current memory management improve a lot and at current date it is quite ineffective to attack heap in this way. But still those techniques come into hand when we start to looking at linked structures widespread throughout kernel that are unfortunately not hardened enough.
In this presentation we will examine power of these vulnerabilities by famous example “CVE – 2013 - 3660”. Showing bypass on ‘lazy’ assertions of _LIST_ENTRY, present exploitation after party and teleport to kernel.
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
The document discusses techniques for bypassing Control Flow Guard (CFG) protections on Windows. It begins by introducing the author and their background in security research. It then outlines several potential attack surfaces for bypassing CFG, including using functions like VirtualAlloc and VirtualProtect that can mark memory as valid call targets, writing return addresses, and leveraging indirect calls without CFG checks. The document analyzes six CFG bypass vulnerabilities found by the author in Microsoft Edge and Chakra, and provides details on exploitation methods. It concludes by discussing improvements to harden CFG protections further.
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
The document introduces Return Oriented Programming (ROP) and its core concepts. It discusses how Data Execution Prevention (DEP) prevents execution of injected shellcode by marking the stack and heap as non-executable. ROP overcomes this by chaining together small snippets of existing code (called "gadgets") in libraries and binaries to achieve arbitrary code execution. This is done by creating fake stack frames and controlling the instruction pointer (EIP) to return to addresses of gadgets. An example demonstrates overflowing a function and making it return to another function by placing a fake stack frame.
syzbot and the tale of million kernel bugsDmitry Vyukov
The root cause of most software exploits is bugs. Hardening, mitigations and containers are important, but they can't protect a system with thousands of bugs. In this presentation, Dmitry Vyukov will review the current [sad] situation with Linux kernel bugs and security implications based on their experience testing kernel for the past 3 years; overview a set of bug finding tools they are developing (syzbot, syzkaller, KASAN, KMSAN, KTSAN); and discuss problems and areas that require community help to improve the situation.
As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old school heap specific exploiting is dying. And with each windows SP or new version, is harder to attack heap itself. Heap management adapt quickly and include new mittigation techniques. But sometimes is better to rethink the idea of mittigation and do this technique properly even half version of it will cover all known heap exploit techniques…
Ведущий: Иван Ёлкин
Ведущий фаст-трека расскажет об опыте внедрения Static Analysis Security Tool в QIWI, о сложностях, с которыми сталкивались разработчики. Писать «костыли» или рефакторить код? Что делать, когда мнения клиента и разработчика расходятся? Поведает, сколько строк кода пришлось прочитать и написать до и после запуска сканера, и предложит краткий обзор найденных и упущенных уязвимостей.
This document discusses buffer overflow attacks. It begins with an overview of the topics that will be covered, including vulnerabilities, exploits, and buffer overflows. It then provides definitions for key terms and describes different types of memory corruption vulnerabilities. The bulk of the document focuses on stack-based buffer overflows, explaining how they work by overwriting the return address on the stack to point to injected shellcode. It includes diagrams of stack layout and function prologue and epilogue. The document concludes with a demonstration of a buffer overflow and discusses some mitigations like stack cookies and ASLR.
Valgrind overview: runtime memory checker and a bit more aka использование #v...Minsk Linux User Group
Sergei Trofimovich «Valgrind overview: runtime memory checker and a bit more aka использование #valgrind на селе»
Доклад на майской линуксовке MLUG 2013
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
Step-Oriented Programming (SOP) allows executing arbitrary code on embedded systems by repeating step execution and changing the program counter value. A debugger communicates with a target system's stub using the Remote Serial Protocol to read/write memory and registers, enabling full control via simple commands if the connection is compromised. SOP constructs code by combining pieces of existing machine code and executes it without needing to directly inject new code. Therefore attacks are possible even if execution from data areas is prevented. The presentation will demonstrate this attack principle and results from actual experimentation.
The document describes various tools and processes that enable developer support and process automation, including continuous integration, code formatting, change tracking, testing, code reviews, analysis, bug tracking, search, and editing. It discusses how these tools improve code quality, prevent bugs, aid collaboration, and help manage large changes.
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkAdaCore
The document discusses computing systems and the technologies that enable them. It notes that computing today involves many cooperating technologies, including digital electronics, software, memory, optics, analog electronics, sensors, mechanics, displays and more. It emphasizes that these diverse technologies must work seamlessly together to enhance human capabilities. The document also highlights how reuse of technologies and components is necessary for businesses to be competitive and deliver products to consumers affordably. While commercial systems rely on reuse of potentially undependable components, the document argues that probabilistically, today's systems are functional and dependable enough to satisfy billions of customers per year.
syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer.
The presentation covers basic of operation of the fuzzer, gives tutorial on how to run it and how to extend it to fuzz new drivers.
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
Vulnerabilities are the same things as common errors. Why do we distinguish them? Do this, if you want to earn more money. CWE - Common Weakness Enumeration. CVE - Common Vulnerabilities and Exposures. Now using Valgrind you're searching not for a memory leak, but for a denial of service.
Android applications are an interesting target for
reverse engineering. They are written in Java, which is tradi-
tionally good to decompile and are executed by Google’s custom
Java virtual machine, making them interesting to study. In this
paper we present the basic methods and approaches as well as
the necessary tools to reverse engineer Android applications. We
discuss how to change Android applications and show alternative
approaches including man-in-the-middle attacks and automation.
Kernel vulnerabilities was commonly used to obtain admin privileges, and main rule was to stay in kernel as small time as possible! But nowdays even when you get admin / root then current operating systems are sometimes too restrictive. And that made kernel exploitation nice vector for installing to kernel mode!
In this talk we will examine steps from CPL3 to CPL0, including some nice tricks, and we end up with developing kernel mode drivers.
This document provides an overview of hacking and computer security concepts such as programming, hacking, vulnerabilities, exploitation, tools, and competitions. It defines key terms like hacking, vulnerability, and exploitation. It recommends programming languages and tools for reversing like Visual Studio, Vim, and Bokken. It also lists computer security competitions and references for learning more. The document aims to introduce someone new to computer security and provide resources to progress their skills.
Mitigating overflows using defense in-depth. What can your compiler do for you?Javier Tallón
Defense-in-depth is based on the principle that, while no security is perfect, the presence of many independent layers of defense will geometrically increase an attacker's difficulty in breaking through the walls and slowing them down to the point where the effort to carry out an attack is not worthwhile. Each layer multiplies the effects of the previous layer. If the outer wall deters 90% of attacks, and the inner walls deter 90% of attacks, then in combination they deter 99% of attacks. Defense-in-depth defense techniques place core assets behind varied and individually effective layers of security, each of which must be circumvented for an attack to succeed.
There are many options provided by your compiler that can help you mitigate known attacks such as buffer overflow without touching a single line of code. In this presentation, we will take a historical look at the mitigations proposed over time by cybersecurity researchers, and how they have been violated, forcing the development of new and ingenious countermeasures.
In order to prevent exploiting mistakes, introduced in developing process, are continuously implemented various security mitigations & hardening on application level and in operating system level as well.
Even when those mitigations highly increase difficulty of exploitation of common bugs in software / core, you should not rely solely on them. And it can help to know background and limits of those techniques, which protect your software directly or indirectly.
In this talk we will take a look at some of helpful mitigations & features introduces past years (x64 address space, SMAP & SMEP, CFG, ...) focusing from kernel point of view. Its benefits, and weak points same time.
Using the new extended Berkley Packet Filter capabilities in Linux to the improve performance of auditing security relevant kernel events around network, file and process actions.
Pragmatic Optimization in Modern Programming - Demystifying the CompilerMarina Kolpakova
This document discusses compiler optimizations. It begins with an outline of topics including compilation trajectory, intermediate languages, optimization levels, and optimization techniques. It then provides more details on each phase of compilation, how compilers use intermediate representations to perform optimizations, and specific optimizations like common subexpression elimination, constant propagation, and instruction scheduling.
These slides contain an introduction to Symbolic execution and an introduction to KLEE.
I made this for a small demo/intro for my research group's meeting.
Cray XT Porting, Scaling, and Optimization Best PracticesJeff Larkin
The document discusses optimization best practices for Cray XT systems. It covers choosing compilers and compiler flags, profiling and debugging codes at scale with hardware performance counters and CrayPAT tools, optimizing communication with MPI by using techniques like pre-posting receives and reducing collectives, and optimizing I/O. The document emphasizes testing optimizations on the number of nodes the application will actually run on.
This document provides an overview of the eMIPS project, which allows for dynamically extensible processors using an FPGA. The eMIPS processor extends itself at runtime using extensions that are safe for multi-user operating systems. Applications include speeding up execution with application-specific CPUs, monitoring software in real-time, loadable debugging support, and loading/unloading peripherals and processor cores dynamically. The document describes the eMIPS workstation, binaries with hardware acceleration, assertion-based verification, extensible peripherals and tools like an extensible debugger. It also covers using hardware extensions to optimize the instruction set architecture, and the Giano real-time simulation framework.
This document discusses porting, scaling, and optimizing applications on Cray XT systems. It covers topics such as choosing compilers, profiling and debugging applications at scale, understanding CPU affinity, and improvements in the Cray Message Passing Toolkit (MPT). The document provides guidance on leveraging different compilers, collecting performance data using hardware counters and CrayPAT, understanding MPI process binding, and enhancements in MPT 4.0 related to MPI standards support and communication optimizations.
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
Modern CPUs use various techniques to improve performance such as instruction pipelining, cache memory, superscalar execution, out-of-order execution, speculative execution, and branch prediction. However, these optimizations can introduce security vulnerabilities like Spectre and Meltdown attacks which exploit side effects of speculative execution in the CPU cache to leak secret data from memory. Speculative execution may process instructions early before branch resolution, potentially loading secret data into the cache where an attacker can detect it using precise timing measurements. While fixes have been developed, fully mitigating these issues remains an ongoing challenge for CPU architecture.
Georgy Nosenko - An introduction to the use SMT solvers for software securityDefconRussia
The document discusses how SMT solvers can be used for software security applications such as bug hunting, exploit generation, protection analysis, and malware analysis by modeling portions of code or algorithms as logical formulas that can then be analyzed using an SMT solver to prove properties or generate inputs. It provides examples of how SMT solvers have been used to find integer overflows, help with program verification, and aid in defeating simple hashing algorithms.
Linux Kernel, tested by the Linux-version of PVS-StudioPVS-Studio
Since the release of the publicly available Linux-version of PVS-Studio, it was just a matter of time until we would recheck the Linux kernel. It is quite a challenge for any static code analyzer to check a project written by professionals from all around the world, used by people in various fields, which is regularly checked and tested by different tools. So, what errors did we manage to find in such conditions?
On chip crosstalk_avoidance_codec_design_using_fibonaccibharath naidu
This document describes the design and implementation of an efficient codec using a forbidden pattern free (FPF) and Fibonacci-based number system (FNS) for bus encoding. It discusses the specification of generating a 32-bit Fibonacci series and detecting forbidden patterns like 101 and 010. The codec consists of an encoder that encodes data using the FPF-FNS approach and a decoder that decodes the encoded data. Simulation results show that this codec design increases speed by over 2.5 times compared to traditional approaches by avoiding crosstalk and glitches through the use of the Fibonacci encoding scheme and forbidden pattern detection.
Grow and Shrink - Dynamically Extending the Ruby VM StackKeitaSugiyama1
This document summarizes a presentation about dynamically extending the Ruby VM stack. It discusses two methods for extending the stacks - stretching and chaining. Stretching grows the stacks upwards when they reach the maximum size, while chaining implements the call stack as a linked list so only the internal stack needs growing. The implementation aims to make stack extensions safe and efficient for development by prohibiting access to old stacks and frequently triggering extensions for testing. Benchmarks show chaining has lower execution time than stretching but is still slower than the default implementation due to overhead from moving stacks and indirect access. Initial stack size has little effect on performance. The goal is to reduce memory usage through dynamic stack sizing.
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
The document summarizes the Post Memory Corruption Memory Analysis (PMCMA) tool. PMCMA allows finding and testing exploitation scenarios resulting from invalid memory accesses. It provides a roadmap to exploitation without generating exploit code. The tool analyzes programs after crashes to overwrite memory locations in forked processes and test impact on execution flow.
TiReX is a tiled regular expression matching architecture developed by researchers at Politecnico di Milano. It uses a customized instruction set architecture implemented on an FPGA to compile regular expressions into low-level instructions and execute them in parallel across multiple processor cores. Evaluation shows it can match regular expressions over 37 times faster than software and over 100 times faster than a desktop CPU. The multi-core design allows flexible matching of multiple regular expressions over data in parallel.
Porting is a Delicate Matter: Checking Far Manager under LinuxPVS-Studio
Far Manager, which takes over from Norton Commander, created back in the times of DOS, is one of the most popular file managers on Microsoft Windows. Far Manager facilitates the file system management (file creation, editing, viewing, copying, moving, search, and deletion) and provides means to extend the standard feature set (handling of the network, archives, backup copies, and so on). Far Manager was recently ported to Linux, and there is currently an alpha version available. The PVS-Studio team couldn't ignore that event and miss the opportunity to test the quality of the ported code.
Direct Code Execution - LinuxCon Japan 2014Hajime Tazaki
Direct Code Execution (DCE) is a userspace kernel network stack that allows running real network stack code in a single process. DCE provides a testing platform that enables reproducible testing, fine-grained parameter tuning, and a development framework for network protocols. It achieves this through a virtualization core layer that runs multiple network nodes within a single process, a kernel layer that replaces the kernel with a shared library, and a POSIX layer that redirects system calls to the kernel library. This allows full control and observability for testing and debugging the network stack.
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Yulia Tsisyk
Сегодня на .NET-конференциях мы все чаще мы слышим про WinDBG, но в тоже время он все еще остается в стороне среди .NET-разработчиков, считается крайне специфичным и даже ненужным инструментом.
В докладе мы попробуем привнести альтернативный взгляд. Покажем как выстроить процесс сбора дампов, их анализа и исправления, встроить его в жизненный цикл разработки вашего приложения, сделав неотъемлемой частью для диагностики как рядовых, так и уникальных случаев. Затем рассмотрим группы основных проблем (deadlocks, out of memory, access violation, logical errors, etc.), которые могут произойти с вашим приложением, и инструменты для их анализа. И, конечно же, разберем примеры каждой из проблем, которые встретились нам на практике в наших продуктах, в коде .NET и WPF:
— Как при помощи флэшки «повесить» WPF-приложение?
— Безопасно ли вызывать DateTime.Now?
и другие жизненные ситуации.
Moscow .Net Meetup #4·14 ноября 2016
This document discusses adding a new pass to the BOLT binary optimizer. It begins with an overview of the BOLT pipeline and intermediate representation. It then provides an example of adding a simple peephole optimization rule. The document outlines various techniques for debugging and testing new passes, such as triaging crashes with a bisection script, printing analysis results, and dumping functions to files. It concludes with notes on implementing a new pass by inheriting from the BinaryFunctionPass class and integrating it into the pass manager to run on whole programs in parallel.
The document discusses the process from compiling source code to executing a program. It covers preprocessing, compilation, assembly, linking, and the ELF file format. Preprocessing handles macros and conditionals. Compilation translates to assembly code. Assembly generates machine code. Linking combines object files and resolves symbols statically or dynamically using libraries. The ELF file format organizes machine code and data into sections in the executable.
Yao's Garbled Circuit protocol allows two parties to jointly compute a function on their private inputs without revealing the inputs. The document discusses how to construct an encrypted AND gate as part of a garbled circuit to hide the parties' inputs. It also describes optimizations like TinyGarble that adapt hardware synthesis techniques to generate compact sequential garbled circuits in order to improve scalability for secure computation. Finally, it mentions oblivious RAM techniques like dummy accesses that aim to hide the access pattern to outsourced data storage and prevent frequency analysis attacks.
The document discusses volatility and memory forensics. It covers topics like how volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how volatility is used as an open-source memory forensics framework.
This document summarizes three papers related to data compression and network security. The first paper studies how improper implementation of data decompression in network services can enable denial-of-service attacks. It identifies 12 categories of flaws and evaluates popular services finding 10 vulnerabilities. The second paper proposes the Bohatei system to improve defense against DDoS attacks using SDN/NFV. It presents a hierarchical decomposition approach and proactive tag-based steering. The third paper examines data compression as a source of security issues, studying past attacks like zip bombs and analyzing pitfalls in design, implementation, specification and configuration of compression in network services.
This document summarizes several major security events that occurred in 2014, including large DDOS attacks against gaming companies and a Hong Kong voting system, as well as the discovery of vulnerabilities and malware. The Hong Kong DDOS attack reached 300 Gbps using reflection techniques like NTP amplification and involved a coordinated attack from botnets, floods, and other vectors. The document also discusses growing security issues involving the Internet of Things, including vulnerabilities found in routers and devices like IP cameras that can enable remote access, as well as malware targeting point-of-sale systems and the potential use of IoT devices in botnets.
This document discusses tools for static analysis of files, including ClamAV and YARA. ClamAV is an open-source antivirus engine that uses signatures to detect malware. Signatures can include strings, hashes, and byte patterns. YARA allows for more flexible identification of malware through rules that can detect strings, regular expressions, and byte patterns. Examples of ClamAV and YARA signatures are provided.
This document provides an introduction to static analysis techniques for malware analysis. It begins with an overview of static analysis and the information that can be gleaned without executing code, such as file structure, binary code, related modules, and suspicious strings. Common Linux tools for static analysis like strings, file, hexdump, and objdump are introduced. Disassembly, the process of converting binary machine code to assembly code, is explained. Reverse engineering disassembled code back into C code involves understanding variables, data movement, arithmetic, control flow, functions, and calling conventions. The document concludes by introducing IDA Pro as a popular disassembler and decompiler tool for static analysis.
This document discusses program security for Android apps. It begins with an introduction of the speaker and covers topics like Android architecture, app threat models, app components like activities and intents, data storage security, cryptography, injection attacks, and reverse engineering defenses. The document provides examples of real security issues from apps like LinkedIn and Pandora and offers tips to defend against various threats like improper data handling, insecure communication, and client-side injection.
This document summarizes security threats and attacks on the Android system. It outlines the Android threat model and discusses attacks from computers, firmware, NFC, Bluetooth, and malicious apps. Specific attack vectors are described, such as exploiting update mechanisms, customization vulnerabilities, and speech recognition from gyroscope data. Countermeasures like updating apps and closing unused services are recommended for users. Developers are advised to follow basic security practices like code reviews and penetration testing.
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
This document discusses building a transparent sandbox for malware analysis using virtual machines (VMs). It describes how malware can detect security utilities running in the same VM environment. The document proposes monitoring malware behavior from outside the VM using virtual machine introspection techniques on emulation-based and virtualization-based VMs. It also discusses using behavior comparison across multiple VM systems to detect malware that checks for virtual machine environments.
Malware Detection - A Machine Learning PerspectiveChong-Kuan Chen
This document discusses machine learning approaches for malware detection. It notes that millions of new malware are created each year, making it difficult for signature-based antivirus software to keep up. Machine learning is presented as a potential solution by automatically constructing models to detect malware based on training data. However, the quality of the training data and features is critical, as machine learning risks producing garbage outputs from garbage inputs. Different machine learning algorithms and evaluation benchmarks are also discussed.
This document discusses malware collection and analysis conducted at the DSNSLab at NCTU. It introduces the lab director, Professor Xie Zhiping, and outlines the lab's research areas including malware analysis, virtual machines, digital forensics, and network security. It then provides an overview of the Secmap platform for automated malware analysis and collection. Methods of malware collection discussed include disk forensics, web crawling, shared repositories, email, and honeypots.
The document discusses automatic malware clustering and detection. It covers the current state of antivirus classification, which relies primarily on signature-based methods. Automatic malware clustering aims to recognize known malware to filter it out and focus on new threats. The clustering process typically involves malware analysis, feature extraction, and clustering algorithms. Inconsistent labeling of malware families by different antivirus vendors poses challenges. The document advocates improving classification by describing the full malware lifecycle.
This document summarizes three papers presented at an S&P 2012 security conference session on system security. The first paper proposes a framework to eliminate backdoors from response-computable authentication systems. The second paper discusses replacing the standard program loader with a secure loader to prevent attacks on software-based fault isolation. The third paper presents a technique called ReDebug for finding unpatched code clones in entire OS distributions.
Software Engineering and Project Management - Introduction, Modeling Concepts...Prakhyath Rai
Introduction, Modeling Concepts and Class Modeling: What is Object orientation? What is OO development? OO Themes; Evidence for usefulness of OO development; OO modeling history. Modeling
as Design technique: Modeling, abstraction, The Three models. Class Modeling: Object and Class Concept, Link and associations concepts, Generalization and Inheritance, A sample class model, Navigation of class models, and UML diagrams
Building the Analysis Models: Requirement Analysis, Analysis Model Approaches, Data modeling Concepts, Object Oriented Analysis, Scenario-Based Modeling, Flow-Oriented Modeling, class Based Modeling, Creating a Behavioral Model.
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...PriyankaKilaniya
Energy efficiency has been important since the latter part of the last century. The main object of this survey is to determine the energy efficiency knowledge among consumers. Two separate districts in Bangladesh are selected to conduct the survey on households and showrooms about the energy and seller also. The survey uses the data to find some regression equations from which it is easy to predict energy efficiency knowledge. The data is analyzed and calculated based on five important criteria. The initial target was to find some factors that help predict a person's energy efficiency knowledge. From the survey, it is found that the energy efficiency awareness among the people of our country is very low. Relationships between household energy use behaviors are estimated using a unique dataset of about 40 households and 20 showrooms in Bangladesh's Chapainawabganj and Bagerhat districts. Knowledge of energy consumption and energy efficiency technology options is found to be associated with household use of energy conservation practices. Household characteristics also influence household energy use behavior. Younger household cohorts are more likely to adopt energy-efficient technologies and energy conservation practices and place primary importance on energy saving for environmental reasons. Education also influences attitudes toward energy conservation in Bangladesh. Low-education households indicate they primarily save electricity for the environment while high-education households indicate they are motivated by environmental concerns.
Applications of artificial Intelligence in Mechanical Engineering.pdfAtif Razi
Historically, mechanical engineering has relied heavily on human expertise and empirical methods to solve complex problems. With the introduction of computer-aided design (CAD) and finite element analysis (FEA), the field took its first steps towards digitization. These tools allowed engineers to simulate and analyze mechanical systems with greater accuracy and efficiency. However, the sheer volume of data generated by modern engineering systems and the increasing complexity of these systems have necessitated more advanced analytical tools, paving the way for AI.
AI offers the capability to process vast amounts of data, identify patterns, and make predictions with a level of speed and accuracy unattainable by traditional methods. This has profound implications for mechanical engineering, enabling more efficient design processes, predictive maintenance strategies, and optimized manufacturing operations. AI-driven tools can learn from historical data, adapt to new information, and continuously improve their performance, making them invaluable in tackling the multifaceted challenges of modern mechanical engineering.
Home security is of paramount importance in today's world, where we rely more on technology, home
security is crucial. Using technology to make homes safer and easier to control from anywhere is
important. Home security is important for the occupant’s safety. In this paper, we came up with a low cost,
AI based model home security system. The system has a user-friendly interface, allowing users to start
model training and face detection with simple keyboard commands. Our goal is to introduce an innovative
home security system using facial recognition technology. Unlike traditional systems, this system trains
and saves images of friends and family members. The system scans this folder to recognize familiar faces
and provides real-time monitoring. If an unfamiliar face is detected, it promptly sends an email alert,
ensuring a proactive response to potential security threats.
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...shadow0702a
This document serves as a comprehensive step-by-step guide on how to effectively use PyCharm for remote debugging of the Windows Subsystem for Linux (WSL) on a local Windows machine. It meticulously outlines several critical steps in the process, starting with the crucial task of enabling permissions, followed by the installation and configuration of WSL.
The guide then proceeds to explain how to set up the SSH service within the WSL environment, an integral part of the process. Alongside this, it also provides detailed instructions on how to modify the inbound rules of the Windows firewall to facilitate the process, ensuring that there are no connectivity issues that could potentially hinder the debugging process.
The document further emphasizes on the importance of checking the connection between the Windows and WSL environments, providing instructions on how to ensure that the connection is optimal and ready for remote debugging.
It also offers an in-depth guide on how to configure the WSL interpreter and files within the PyCharm environment. This is essential for ensuring that the debugging process is set up correctly and that the program can be run effectively within the WSL terminal.
Additionally, the document provides guidance on how to set up breakpoints for debugging, a fundamental aspect of the debugging process which allows the developer to stop the execution of their code at certain points and inspect their program at those stages.
Finally, the document concludes by providing a link to a reference blog. This blog offers additional information and guidance on configuring the remote Python interpreter in PyCharm, providing the reader with a well-rounded understanding of the process.
Mechatronics is a multidisciplinary field that refers to the skill sets needed in the contemporary, advanced automated manufacturing industry. At the intersection of mechanics, electronics, and computing, mechatronics specialists create simpler, smarter systems. Mechatronics is an essential foundation for the expected growth in automation and manufacturing.
Mechatronics deals with robotics, control systems, and electro-mechanical systems.
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...Transcat
Join us for this solutions-based webinar on the tools and techniques for commissioning and maintaining PV Systems. In this session, we'll review the process of building and maintaining a solar array, starting with installation and commissioning, then reviewing operations and maintenance of the system. This course will review insulation resistance testing, I-V curve testing, earth-bond continuity, ground resistance testing, performance tests, visual inspections, ground and arc fault testing procedures, and power quality analysis.
Fluke Solar Application Specialist Will White is presenting on this engaging topic:
Will has worked in the renewable energy industry since 2005, first as an installer for a small east coast solar integrator before adding sales, design, and project management to his skillset. In 2022, Will joined Fluke as a solar application specialist, where he supports their renewable energy testing equipment like IV-curve tracers, electrical meters, and thermal imaging cameras. Experienced in wind power, solar thermal, energy storage, and all scales of PV, Will has primarily focused on residential and small commercial systems. He is passionate about implementing high-quality, code-compliant installation techniques.
Null Bangalore | Pentesters Approach to AWS IAMDivyanshu
#Abstract:
- Learn more about the real-world methods for auditing AWS IAM (Identity and Access Management) as a pentester. So let us proceed with a brief discussion of IAM as well as some typical misconfigurations and their potential exploits in order to reinforce the understanding of IAM security best practices.
- Gain actionable insights into AWS IAM policies and roles, using hands on approach.
#Prerequisites:
- Basic understanding of AWS services and architecture
- Familiarity with cloud security concepts
- Experience using the AWS Management Console or AWS CLI.
- For hands on lab create account on [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
# Scenario Covered:
- Basics of IAM in AWS
- Implementing IAM Policies with Least Privilege to Manage S3 Bucket
- Objective: Create an S3 bucket with least privilege IAM policy and validate access.
- Steps:
- Create S3 bucket.
- Attach least privilege policy to IAM user.
- Validate access.
- Exploiting IAM PassRole Misconfiguration
-Allows a user to pass a specific IAM role to an AWS service (ec2), typically used for service access delegation. Then exploit PassRole Misconfiguration granting unauthorized access to sensitive resources.
- Objective: Demonstrate how a PassRole misconfiguration can grant unauthorized access.
- Steps:
- Allow user to pass IAM role to EC2.
- Exploit misconfiguration for unauthorized access.
- Access sensitive resources.
- Exploiting IAM AssumeRole Misconfiguration with Overly Permissive Role
- An overly permissive IAM role configuration can lead to privilege escalation by creating a role with administrative privileges and allow a user to assume this role.
- Objective: Show how overly permissive IAM roles can lead to privilege escalation.
- Steps:
- Create role with administrative privileges.
- Allow user to assume the role.
- Perform administrative actions.
- Differentiation between PassRole vs AssumeRole
Try at [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
Build the Next Generation of Apps with the Einstein 1 Platform.
Rejoignez Philippe Ozil pour une session de workshops qui vous guidera à travers les détails de la plateforme Einstein 1, l'importance des données pour la création d'applications d'intelligence artificielle et les différents outils et technologies que Salesforce propose pour vous apporter tous les bénéfices de l'IA.
5. A weakness of an asset or group of assets that can be exploited
by one or more threats -- ISO 27005
Programmer may make some mistakes, the unpredictable
behavior may result in software vulnerability
Buffer overflow
Use-After-Free
Type Confusion
What attacker can do?
Information leak – Heartbleed
Arbitrary Code Execution - PHPMailer
5
6. CVE is a dictionary of publicly known information security
vulnerabilities and exposures
More than 10000 CVEs in 2016
6
7. Malware, which may use vulnerability to attack/exploit, is
mostly active only 2~3 hours
The vulnerability needs about 24 day to patch
Between the time windows, it’s the 0 day.
7
10. The a prize competition organized by DARPA to make innovation
for next generation technique
2007 Urban Challenge
2012 Robotics Challenge
Cyber Grand Challenge
The first full machine attack-defense CTF
Focus on develop automatic attack-defense system
10
11. 7 teams are qualified to compete the final champion
11
12. Start from 2014
Qualification round in June 3, 2015
12
13. Modified Linux
Customize ELF format
only 7 syscalls
terminate (exit)
transmit (write)
receive (read)
fdwait (select)
allocate (mmap)
deallocate (munmap)
Random
no signal handling, no not-executable stack, no ASLR, …
13
14. CGC format
Minor modification to ELF
32-bit, x86
Inetd-style services
Each connection create a new process
IPC, communicate via controlled fd socket-pairs
Userspace
Statically linked
Compiled Binaries only (not hand coded)
14
16. Type 1
Hi-jack control flow
Control EIP and one register
Type 2
Information leak
Leak information in the magic page
16
17. Cyber Reasoning System
Given Challenge Binary
CRS
CB
CB
CB
RCB
IDS
POV
17
18. 113 CBs are provided to participator’s CRS
CRS – Cyber Reasoning System
Produce crash
Generate and apply patch
2 Scored Events for testing the CRS
基本理念是希望展現各隊的特長。若某個CB全部隊伍都解出/都沒
解出,這些題目分數就會較低。而只有部分隊伍解出的題目,將會
得到比較高的分數。這樣的計分方式可以鼓勵各隊提出不同獨特的
程式分析技術。
18
19. VM Provided by DARPA
Code and Data
https://github.com/cybergrandchallenge
https://repo.cybergrandchallenge.com/
VirtualBox VM and Vagrant
19
20. A small program with overflow
Crash when we give it long input
20
24. Poller : Check if your program remains it’s functionalities
Cb-test can test if your
patch binary pass the poller
24
25. SECUINSIDE CTF 2016
Simple ECHO Server
Ask user name
Echo every thing from user
Make it crash to get the flag
25
26. Use radare2 to reverse
Steps
Become admin
Give admin’s key
Reach crash point
How to find admin’s key
Use symbolic execution
We will talk about it later
26
mov dword [ebp - local_454h], 0
mov eax, dword [ebp - local_454h]
mov byte [eax], 0xa
35. Team Research CTF Enterprise
CodeJitsu Berkeley BlueLotus Cyberhaven
CSDS University of
Idaho
Deep Red Some CTF Player Raytheon
disekt Different
university
disekt
ForAllSecure CMU CyLab PPP ForAllSecure
Shellphish UCSB Shellphish LastLine
TECHx University of
Virginia
Some White Hack
Students
GrammaTech
35
37. CGC Final Event was held at DEF CON 2016
Final Winner – ForAllSecure/Mayhem
Startup company ForAllSecure
Most member come from PPP CTF Team
Researcher from CMU CyLab
Next day to the CGC, Mayhem competed with top human
hackers in DEFCON CTF
Mayhem get the last rank, but PPP win the game
37
56. Determine if the program has a vulnerability is undicidable
Assume we have a Machine M that can detect any vulnerability in the
program
Halting Problem If M(P) has no bug:
do_some_bug()
Else:
do_nothing()
56
57. If we have a execution trace, we can check if the bug appeared
in this path
To testing software complete, we need to traversal all the code
inside the program
Halting problem
But we can still do something
57
58. Automatic generate the input to make the program crash
Not inspect into program semantic
Generate input randomly, or some heuristic
Coverage-based
AFL, Peach, BFF
58
59. American Fuzzy Loop
The easy-to-use fuzzer
Efficiency
low-level compile-time
instrumentation
Coverage-based Fuzzer
Effective Mutation Strategy
At least 4 team in CGC use AFL
59
60. How AFL do?
1. Load user-supplied initial test cases into the queue
2. Take next input file from the queue
3. Attempt to trim the test case to the smallest size that doesn't
alter the measured behavior of the program,
4. Repeatedly mutate the file using a balanced and well-
researched variety of traditional fuzzing strategies
5. If any of the generated mutations resulted in a new state
transition recorded by the instrumentation, add mutated output
as a new entry in the queue.
6. Go to 2.
Binary fuzzer -> QEMU(emulator) support
60
61. Feed every thing in network PCAP into APF
Using AFL as first layer checker
Check if the input is worth for deep analysis
This instance would run through each of the incoming PCAP files and
evaluate whether they brought anything "new" to the table.
Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber
Grand Challenge
61
62. Most test falls into some high frequency path
Strategy to find the low frequency path
Energy
The number of inputs to be generated from that seed
Strategy
low energy to seeds exercising high-frequency paths
high energy to seeds exercising low-frequency paths
AFLFast Paper published in
ACM Conference on Computer
and Communications Security
Github
https://github.com/mboehme/
aflfast
62
63. Murphy is the directed fuzzer based on AFL
Most improvement is on the efficiency
Binary-only instrument
Maybe base on BAP
63
64. A mechanism to discover the code coverage
Translate each instruction/code line into constraints
Constraints: a formula define the operation functionality
Collect all the constraints
Solve when required condition is meet
E.g. branch happened
64
65. 1st 2nd 3rd
0 ebx = 0
1 ecx = 0
2 eax = 3
3 ebx = 3 ebx = 6 ebx = 9
4 ecx = 1 ecx = 2 ecx = 3
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2 65
66. 1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 = sym_0
3 ebx_1 =
ebx_0+eax_0
ebx_2 =
ebx_1+eax_0
ebx_3 =
ebx_2+eax_0
4 ecx_1 =
ecx_0+1
ecx_2 =
ecx_1+1
ecx_3 =
ecx_2+1
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N
66
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2
67. Can we jump to final block when loop 3
times?
1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 = sym_0
3 ebx_1 =
ebx_0+eax_0
ebx_2 =
ebx_1+eax_0
ebx_3 =
ebx_2+eax_0
4 ecx_1 =
ecx_0+1
ecx_2 =
ecx_1+1
ecx_3 =
ecx_2+1
5 NE NE E
67
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2
68. Can we jump to final block when loop 3
times?
( = ecx_3 3)
( = ( + ecx_2 1 ) 3)
( = ( + (+ ecx_1 1 ) 1 ) 3)
( = ( + (+ (+ ecx_0 1) 1 ) 1 ) 3) and ( = ecx_0
0)
SMT Solver
SAT! This formula is
satisfiable.
68
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2
69. Can we enter f1?
1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 = sym_0
3 ebx_1 =
ebx_0+eax_0
ebx_2 =
ebx_1+eax_0
ebx_3 =
ebx_2+eax_0
4 ecx_1 =
ecx_0+1
ecx_2 =
ecx_1+1
ecx_3 =
ecx_2+1
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N 69
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2
70. Tracking related instructions only?
1st 2nd 3rd
0 ebx = 0
1 ecx = 0
2 eax = 3
3 ebx = 3 ebx = 6 ebx = 9
4 ecx = 1 ecx = 2 ecx = 3
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N
70
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2
71. Number of possible path increasing exponentially
In symbolic execution, every memory location is symbolize
Too many symbole to solve
Concolic Execution
Only make the interesting memory symbolize
Concrete value
71
72. 1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 = sym_0
3 ebx_1 =
ebx_0+eax_0
ebx_2 =
ebx_1+eax_0
ebx_3 =
ebx_2+eax_0
4 ecx_1 = 1 ecx_2 = 2 ecx_3 = 3
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N 72
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2
73. Which input make us arrive f1?
1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 =
sym_0
3 ebx_1 =
ebx_0+eax_
0
ebx_2 =
ebx_1+eax_
0
ebx_3 =
ebx_2+eax_
0
4 ecx_1 = 1 ecx_2 = 2 ecx_3 = 3
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N
ebx_3
+
ebx_2
+
ebx_1
+
eax_0
eax_0
eax_0ebx_0
0 73
74. Which input make us arrive f1?
Final
( = 15 (+ in ( + in (+ in 0) ) ) )
SMT Solver
SAT! This formula is
satisfiable when in = 5.
ebx_3
+
ebx_2
+
ebx_1
+
eax_0
eax_0
eax_0ebx_0
0
74
75. In-house symbolic execution engine, called Grace
Path Priority
“Grace to focus on unique and interesting inputs, rather than
churning away at things that would likely lead down previously-
explored paths”
Symbolize authentication/random token
Powerful static
analysis
Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber
Grand Challenge
75
76. Virtual Machine Symbolic Execution
Framework - S2E
Selective symbolic execution/Concolic
Execution
Execution consistency models
state merging and prioritizing
Whole
System
QEMU
KLEEBinary
LLVM
76
77. Angr
Not only the symbolic execution engine, but a binary analysis
framework
http://angr.io/
“Cyber Grand Shellphish”, shellphish, DEFCON 24
77
78. binary-only symbolic execution
Fast than S2E(whole system/LLVM), Angr(VEX Simulator)
BAP-based binary instrument
Veritesting
A search strategy based on coverage
Other feature
fine-tuned process-based instrumentation and taint analysis
access to an extensive set of tested x86 semantics
several years of performance tuning for solvers (expression
rewriting, caches, etc)
path merging
78
79. Shellphish
SoK: (State of) The Art of War:
Offensive Techniques in Binary
Analysis
IEEE Symposium on Security
and Privacy 2016
79
80. One of most important technique we learn from CGC is “How to
integrate efficiency fuzzer and sophisticated symbolic
execution”
80
81. sharing seeds between Mayhem and our custom AFL.
https://blog.forallsecure.com/2016/02/09/unleashing-mayhem/
81
82. Seed sharing: fuzzer + S2E + traffic replay
Path exploration
S2E helps Fuzzer to break through some branches
82
91. 91Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish
Automatic Patching
● Prevent binary form being exploit
● Preserve binary functionality
● Preserve binary performance
○ speed
○ memory usage
○ disk space
● Prevent analysis from other teams
92. 92Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish
Patcherex
Patching
Backends
Patching
Techniques
Patches
Patched Binary
Original Binary
95. 95Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish
Patcherex
● Making the original binary faster →
Our patches can be slower!
● Optimization Techniques:
○ Constant Propagation
○ Dead Assignment Elimination
○ ...
96. 96Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish
Patcherex – Backends
● Patching Backends
○ Inject code/data in an existing binary
○ No source code
○ No symbols
98. 98Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish
Patcherex – Backends
● Detour Backend
○ Try to add code without moving the original one
○ Not always possible
○ Slow (requires a lot of additional jmp instructions)
0x0 : mov eax, 0x11
0x5 : jmp eax
0x7 : mov edx, 0x11223344
0xc : mov ebx, 0x55667788
0x11: mov ecx, ebx
0x0 : mov eax, 0x11
0x5 : jmp eax
0x7 : jmp out1
0xc : mov ebx, 0x55667788
0x11: mov ecx, ebx
mov edx, 0x11223344
call inserted_function
jmp 0xc
99. 99Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish
Patcherex – Backends
● Reassemler Backend
○ Recover original “program symbols”
○ More efficient code
○ (Slightly) less reliable
Ramblr: Making Reassembly Great Again.
R. Wang, Y. Shoshitaishvili, A. Bianchi, A. Machiry, J. Grosen, P. Grosen, C. Kruegel,
G. Vigna
In NDSS 2017
101. CFI: control flow integrity
Shadow stacks
Maintain a duplicate stack
Once the return address difference from the one in shadow stack,
then attack is detected
DEP
Randomization
Data leakage defense
101
102. Control Flow Integrity
https://www.trust.informatik.tu-darmstadt.de/research/projects/current-
projects/control-flow-integrity/
102
103. TechX achieve the
first place about
security
PEASOUP
Code Sonar
Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber
Grand Challenge
103
104. The other important aspect is “how to integrate many system in
large architecture”
Handle with complicated system architecture
Reliable is difficult
Mayhem meets some problem and fails in half of the game
104
107. DARPA CGC Introduction
Most team have research, CTF and enterprise support
Automatic Vulnerability Discovery
Fuzzer and Symbolic Execution are widely used technique in CGC
How to integrate fuzzer and symbolic execution
Engineering Power: Integration many different software system
107
108. https://cgc.darpa.mil/
https://www.cybergrandchallenge.com/
“DARPA’s Cyber Grand Challenge: Creating a League of Extra-Ordinary Machines”, Ben Price
and Michael Zhivich, ACSAC
“Rise of the Machines: Cyber Grand Challenge 及 DEFCON 24 CTF 决赛介绍”, MaskRay
“Cyber Grand Challenge and CodeJitsu”, Chao Zhang
https://www.youtube.com/watch?v=xfgGZq86iWk
Reddit IamA Mayhem, the Hacking Machine that won DARPA‘s Cyber Grand Challenge. AMA!
Unleashing the Mayhem CRS, ForAllSecure
“Cyber Grand Shellphish”, shellphish, DEFCON 24
“The Cyber Grand Challenge”, GrammaTech Eric Rizzi
“Hybrid Concolic Execution, Part 1 (Background)”, GrammaTech Ducson Nguyen
“Hybrid Concolic Execution, Part 2”, GrammaTech Ducson Nguyen
“Case Study: LEGIT_00004”, ForAllSecure
108