Organize some technique used in DARPA CGC

1. 從DARPA CGC及DEFCON CTF探討自動攻防技術
C.K. Chen
Twitter: Bletchley13
1

2. § Introduction to CGC
§ Automatic Vulnerability Discovery
§ Fuzz
§ Symbolic/Concolic Execution
§ Symbolic-assist Fuzzing
§ Software Hardeness
§ Conclusion
2

3. § The a prize competition organized by DARPA to make innovation
for next generation technique
§ 2007 Urban Challenge
§ 2012 Robotics Challenge
§ Cyber Grand Challenge
§ The first full machine attack-defense CTF
§ Focus on develop automatic attack-defense system
3

4. § Start from 2014
§ Qualification round in June 3, 2015
4

5. 5

6. §
6

7. Team Research CTF Enterprise
CodeJitsu Berkeley BlueLotus Cyberhaven
CSDS University of
Idaho
Deep Red Some CTF Player Raytheon
disekt Different
university
disekt
ForAllSecure CMU CyLab PPP ForAllSecure
Shellphish UCSB Shellphish LastLine
TECHx University of
Virginia
Some White Hack
Students
GrammaTech
7

8. § CGC Final Event was held at DEF CON 2016
§ Final Winner – ForAllSecure/Mayhem
§ Startup company ForAllSecure
§ Most member come from PPP CTF Team
§ Researcher from CMU CyLab
§ Next day to the CGC, Mayhem competed with top human
hackers in DEFCON CTF
§ Mayhem get the last rank, but PPP win the game
8

9. 9

10. § Cyber Reasoning System
§ Given Challenge Binary
§ Given Other Team’s RCB, IDS
§ Patch Binary
§ IDS Rule
§ POV – Exploit program
CRS
CB
CB
CB
CB
CB
RCB
CB
CB
IDS
CB
CB
PCAP
RCB
IDS
CFE
POV
10

11. § Modified Linux
§ Customize ELF format
§ only 7 syscalls
§ terminate (exit)
§ transmit (write)
§ receive (read)
§ fdwait (select)
§ allocate (mmap)
§ deallocate (munmap)
§ Random
§ no signal handling, no not-executable stack, no ASLR, …
11

12. § Type 1
§ Hi-jack control flow
§ Control EIP and one register
§ Type 2
§ Information leak
§ Leak information in the magic page
12

13. § 2016 CloudSec, HITCON駭客戰隊挑戰美國CGC天網機器⼈人, 探討AI
⾃自動攻防技術發展
§ KB.HITCON
§ Cyber Grand Challenge 簡介
§ 台灣駭客挑戰美國CGC天網機器⼈人專題系列報導
§ Let’s focus more on technique !
13

14. § Determine if the program has a vulnerability is undicidable
§ Assume we have a Machine M that can detect any vulnerability in the
program
§ Halting Problem
If M(P) has no bug:
do_some_bug()
Else:
do_nothing()
14

15. § If we have a execution trace, we can check if the bug appeared
in this path
§ To testing software complete, we need to traversal all the code
inside the program
§ Halting problem
§ If we can run more trace, we can find more bug!!
§ But we can still do something J
15

16. § Automatic generate the input to make the program crash
§ Not inspect into program semantic
§ Generate input randomly, or some heuristic
§ Coverage-based
§ AFL, Peach, BFF
16

17. § American Fuzzy Loop
§ The easy-to-use fuzzer
§ Efficiency
§ low-level compile-time
instrumentation
§ Coverage-based Fuzzer
§ Effective Mutation Strategy
At least 4 team in CGC use AFL
17

18. § How AFL do?
1. Load user-supplied initial test cases into the queue
2. Take next input file from the queue
3. Attempt to trim the test case to the smallest size that doesn't alter
the measured behavior of the program,
4. Repeatedly mutate the file using a balanced and well-researched
variety of traditional fuzzing strategies
5. If any of the generated mutations resulted in a new state transition
recorded by the instrumentation, add mutated output as a new
entry in the queue.
6. Go to 2.
§ Binary fuzzer -> QEMU(emulator) support
§ Good seed is important
18

19. § Feed every thing in network PCAP into AFL
§ Using AFL as first layer checker
§ Check if the input is worth for deep analysis
§ This instance would run through each of the incoming PCAP files and
evaluate whether they brought anything "new" to the table.
Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber
Grand Challenge
19

20. § Most test falls into some high frequency path
§ Strategy to find the low frequency path
§ Energy
§ The number of inputs to be generated from that seed
§ Strategy
§ low energy to seeds exercising high-frequency paths
§ high energy to seeds exercising low-frequency paths
§ AFLFast Paper published in
§ ACM Conference on Computer
and Communications Security
§ Github
§ https://github.com/mboehme/
aflfast
20

21. § Murphy is the directed fuzzer based on AFL
§ Most improvement is on the efficiency
§ Binary-only instrument
§ Maybe base on BAP
21

22. § A mechanism to discover the code coverage
§ Translate each instruction/code line into constraints
§ Constraints: a formula define the operation functionality
§ Collect all the constraints
§ Solve when required condition is meet
§ E.g. branch happened
22

23. 1st 2nd 3rd
0 ebx = 0
1 ecx = 0
2 eax = 3
3 ebx = 3 ebx = 6 ebx = 9
4 ecx = 1 ecx = 2 ecx = 3
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2 23

24. 1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 = sym_0
3 ebx_1 =
ebx_0+eax_0
ebx_2 =
ebx_1+eax_0
ebx_3 =
ebx_2+eax_0
4 ecx_1 =
ecx_0+1
ecx_2 =
ecx_1+1
ecx_3 =
ecx_2+1
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N
24
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2

25. § Can we jump to final block when loop 3
times?
1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 = sym_0
3 ebx_1 =
ebx_0+eax_0
ebx_2 =
ebx_1+eax_0
ebx_3 =
ebx_2+eax_0
4 ecx_1 =
ecx_0+1
ecx_2 =
ecx_1+1
ecx_3 =
ecx_2+1
5 NE NE E
25
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2

26. § Can we jump to final block when loop 3
times?
( = ecx_3 3)
( = ( + ecx_2 1 ) 3)
( = ( + (+ ecx_1 1 ) 1 ) 3)
( = ( + (+ (+ ecx_0 1) 1 ) 1 ) 3) and ( = ecx_0
0)
SMT Solver
SAT! This formula is
satisfiable.
26
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2

27. § Convert instruction into constraints
§ Add the branch constraint
§ Solve the conatrint
27

28. § Can we enter f1?
1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 = sym_0
3 ebx_1 =
ebx_0+eax_0
ebx_2 =
ebx_1+eax_0
ebx_3 =
ebx_2+eax_0
4 ecx_1 =
ecx_0+1
ecx_2 =
ecx_1+1
ecx_3 =
ecx_2+1
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N 28
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2

29. § Number of possible path increasing exponentially
§ In symbolic execution, every memory location is symbolize
§ Too many symbole to solve
§ Concolic Execution
§ Only make the interesting memory symbolize
§ Concrete value
29

30. § Tracking related instructions only?
1st 2nd 3rd
0 ebx = 0
1 ecx = 0
2 eax = 3
3 ebx = 3 ebx = 6 ebx = 9
4 ecx = 1 ecx = 2 ecx = 3
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N
30
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2

31. 1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 = sym_0
3 ebx_1 =
ebx_0+eax_0
ebx_2 =
ebx_1+eax_0
ebx_3 =
ebx_2+eax_0
4 ecx_1 = 1 ecx_2 = 2 ecx_3 = 3
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N 31
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
8 cmp ebx, 15
9 je f1
f1 f2

32. § Which input make us arrive f1?
1st 2nd 3rd
0 ebx_0 = 0
1 ecx_0 = 0
2 eax_0 =
sym_0
3 ebx_1 =
ebx_0+eax_
0
ebx_2 =
ebx_1+eax_
0
ebx_3 =
ebx_2+eax_
0
4 ecx_1 = 1 ecx_2 = 2 ecx_3 = 3
5 NE NE E
6 N N Y
7 Y Y
8 NE
9 N
ebx_3
+
ebx_2
+
ebx_1
+
eax_0
eax_0
eax_0ebx_0
0 32

33. § Which input make us arrive f1?
Final
( = 15 (+ in ( + in (+ in 0) ) ) )
SMT Solver
SAT! This formula is
satisfiable when in = 5.
ebx_3
+
ebx_2
+
ebx_1
+
eax_0
eax_0
eax_0ebx_0
0
33

34. § In-house symbolic execution engine, called Grace
§ Path Priority
§ “Grace to focus on unique and interesting inputs, rather than
churning away at things that would likely lead down previously-
explored paths”
§ Symbolize authentication/random token
§ Powerful static
analysis
Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber
Grand Challenge
34

35. § Virtual Machine Symbolic Execution
Framework - S2E
§ Selective symbolic execution/Concolic
Execution
§ Execution consistency models
§ state merging and prioritizing
Whole
System
QEMU
KLEEBinary
LLVM
35

36. § Angr
§ Not only the symbolic execution engine, but a binary analysis
framework
§ http://angr.io/
“Cyber Grand Shellphish”, shellphish, DEFCON 24
36

37. § binary-only symbolic execution
§ Fast than S2E(whole system/LLVM), Angr(VEX Simulator)
§ BAP-based binary instrument
§ Veritesting
§ A search strategy based on coverage
§ Other feature
§ fine-tuned process-based instrumentation and taint analysis
§ access to an extensive set of tested x86 semantics
§ several years of performance tuning for solvers (expression
rewriting, caches, etc)
§ path merging
37

38. § One of most important technique we learn from CGC is “How to
integrate efficiency fuzzer and sophisticated symbolic
execution”
38

39. § Driller
§ Switch between fuzzer and symbolic execution
§ Driller: Augmenting Fuzzing Through Selective Symbolic Execution
§ Network and Distributed System Security Symposium 2016
39

40. § sharing seeds between Mayhem and our custom AFL.
§ Fuzzer
§ If you have the good seed,
it work better
§ Symbolic find the
good seed
https://blog.forallsecure.com/2016/02/09/unleashing-mayhem/
40

41. § Seed sharing: fuzzer + S2E + traffic replay
§ Path exploration
§ S2E helps Fuzzer to break through some branches
41

42. § Remind of AFL Gate-Keeper
42

43. § DEP
§ ASLR
§ Stack Guard
§ CFI
§ Pointer Integrity
§ Shadow Stack
§ Binary Patch
§ Input filter
§ IDS
43

44. § PS: Meyhem put most attention on attack, doing less on defense
44

45. § Patcherex
§ https://github.com/shellphish/patcherex
§ QEMU 0 Day for anti-analysis
“Cyber Grand Shellphish”, shellphish, DEFCON 24
45

46. § Return pointer encryption
§ Protect indirect calls/jmps
§ Extended Malloc allocations
§ Randomly shift the stack (ASLR)
§ Clean uninitialized stack space
46

47. § CFI: control flow integrity
§ Shadow stacks
§ Maintain a duplicate stack
§ Once the return address difference from the one in shadow stack,
then attack is detected
§ DEP
§ Randomization
§ Data leakage defense
47

48. § Control Flow Integrity
https://www.trust.informatik.tu-darmstadt.de/research/projects/current-
projects/control-flow-integrity/
48

49. § TechX achieve the
first place about
security
§ PEASOUP
§ Code Sonar
Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber
Grand Challenge
49

50. § The other important aspect is “how to integrate many system in
large architecture”
§ Handle with complicated system architecture
§ Reliable is difficult
§ Mayhem meets some problem and fails in half of the game
50

51. “Cyber Grand Shellphish”, shellphish, DEFCON 24
51

52. “Cyber Grand Challenge and CodeJitsu”, Chao Zhang
52

53. § DARPA CGC Introduction
§ Most team have research, CTF and enterprise support
§ Automatic Vulnerability Discovery
§ Fuzzer and Symbolic Execution are widely used technique in CGC
§ How to integrate fuzzer and symbolic execution
§ Engineering Power: Integration many different software system
53

54. § https://cgc.darpa.mil/
§ https://www.cybergrandchallenge.com/
§ “DARPA’s Cyber Grand Challenge: Creating a League of Extra-Ordinary Machines”, Ben Price
and Michael Zhivich, ACSAC
§ “Rise of the Machines: Cyber Grand Challenge 及 DEFCON 24 CTF 决赛介绍”, MaskRay
§ “Cyber Grand Challenge and CodeJitsu”, Chao Zhang
§ https://www.youtube.com/watch?v=xfgGZq86iWk
§ Reddit IamA Mayhem, the Hacking Machine that won DARPA‘s Cyber Grand Challenge. AMA!
§ Unleashing the Mayhem CRS, ForAllSecure
§ “Cyber Grand Shellphish”, shellphish, DEFCON 24
§ “The Cyber Grand Challenge”, GrammaTech Eric Rizzi
§ “Hybrid Concolic Execution, Part 1 (Background)”, GrammaTech Ducson Nguyen
§ “Hybrid Concolic Execution, Part 2”, GrammaTech Ducson Nguyen
§ “Case Study: LEGIT_00004”, ForAllSecure
54

55. 55