XCon 2014 => http://xcon.xfocus.org/
In the past it was quite common to exploit heap / pool manager vulnerabilities by attacking their internal linked structures. However, current memory management has improved a lot, and today it is quite ineffective to attack the heap in this way. Still, those techniques come in handy when we start looking at linked structures spread throughout the kernel that are unfortunately not hardened enough.
In this presentation we will examine the power of these vulnerabilities using the famous example CVE-2013-3660, showing a bypass of the 'lazy' assertions on _LIST_ENTRY, presenting the exploitation after-party and a teleport to the kernel.
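The linked-structure attack the abstract refers to is the classic unlink write-what-where on a doubly linked list. The C model below is an added illustration, not code from the talk and not Microsoft's headers: a LIST_ENTRY definition of our own, an unchecked RemoveEntryList beside a fully checked one, and three small demos. It makes no claim about which check CVE-2013-3660 actually bypassed; it only shows what the primitive is and what a complete check has to verify.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the Windows doubly linked list header (our own definition for this
 * example, not Microsoft's header): Flink points forward, Blink backward. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *e) {
    LIST_ENTRY *last = head->Blink;
    e->Flink = head;
    e->Blink = last;
    last->Flink = e;
    head->Blink = e;
}

/* Unchecked unlink: trusts whatever pointers are stored in the entry. With a
 * corrupted entry the two stores become a write-what-where pair:
 *     Blink->Flink = Flink   writes "what" (Flink) to "where" (Blink + 0)
 *     Flink->Blink = Blink   writes "where" back to "what" + sizeof(void *)  */
static void RemoveEntryList_Unchecked(LIST_ENTRY *e) {
    LIST_ENTRY *f = e->Flink, *b = e->Blink;
    b->Flink = f;
    f->Blink = b;
}

/* Safe unlinking: both neighbours must point back at the entry before any
 * store happens. A check that covers only one direction, or that is skipped
 * on some code path, leaves the primitive above intact. */
static int RemoveEntryList_Checked(LIST_ENTRY *e) {
    LIST_ENTRY *f = e->Flink, *b = e->Blink;
    if (f->Blink != e || b->Flink != e)
        return 0;                  /* list corrupted: refuse (real code would bugcheck) */
    b->Flink = f;
    f->Blink = b;
    return 1;
}

/* Demo 1: corrupt one node and unlink it without checks. victim.Flink stands in
 * for any pointer-sized target, e.g. a function pointer inside a kernel object. */
int demo_unchecked_unlink_writes_victim(void) {
    LIST_ENTRY head, node, fake = {0, 0}, victim = {0, 0};
    InitializeListHead(&head);
    InsertTailList(&head, &node);
    node.Flink = &fake;     /* "what": the value written; must be writable itself, fake.Blink absorbs the second store */
    node.Blink = &victim;   /* "where": victim.Flink sits at offset 0 of victim */
    RemoveEntryList_Unchecked(&node);
    return victim.Flink == &fake && fake.Blink == &victim;
}

/* Demo 2: the same corruption against the checked unlink never reaches the stores. */
int demo_checked_unlink_refuses(void) {
    LIST_ENTRY head, node, fake = {0, 0}, victim = {0, 0};
    InitializeListHead(&head);
    InsertTailList(&head, &node);
    node.Flink = &fake;
    node.Blink = &victim;
    int removed = RemoveEntryList_Checked(&node);
    return removed == 0 && victim.Flink == 0 && fake.Blink == 0;
}

/* Demo 3: on an intact list the checked unlink behaves exactly like the normal one. */
int demo_checked_unlink_intact(void) {
    LIST_ENTRY head, a, b;
    InitializeListHead(&head);
    InsertTailList(&head, &a);
    InsertTailList(&head, &b);
    int removed = RemoveEntryList_Checked(&a);
    return removed == 1 && head.Flink == &b && b.Blink == &head;
}

int main(void) {
    printf("unchecked unlink hit victim: %d\n", demo_unchecked_unlink_writes_victim());
    printf("checked unlink refused:      %d\n", demo_checked_unlink_refuses());
    printf("checked unlink, intact list: %d\n", demo_checked_unlink_intact());
    return 0;
}
```

Build with `cc -std=c99 unlink_demo.c` and run it. The abstract does not spell out what its 'lazy' assertions look like; the unchecked function above stands in for any variant that does less than both comparisons (Flink->Blink == e and Blink->Flink == e) on every unlink path.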
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes (CODE BLUE)
Trueseeing is an automatic vulnerability scanner for Android apps. It is capable not only of conducting data flow analysis directly over Dalvik bytecode but also of automatically fixing the code, i.e. without any decompilers. This capability makes it resilient against basic obfuscations and distinguishes it among similar tools, including QARK, the scanner/exploitation tool shown by LinkedIn at DEF CON 23. Currently it recognizes most classes of vulnerabilities (as in the OWASP Mobile Top 10 (2015)). We have presented it at DEF CON 25 Demo Labs. Our tool is at: https://github.com/monolithworks/trueseeing.
Takahiro Yoshimura
TAKAHIRO YOSHIMURA: He is Chief Technology Officer at Monolith Works Inc. In the 2012 METI-coordinated CTF, Challenge CTF Japan 2012, his team (Enemy10) won the local qualification round in 1st place. In 2013, his team (Sutegoma2) took 6th place in the DEF CON 21 CTF. He likes to read binaries and hack things. He loves a GSD.
https://keybase.io/alterakey
Ken-ya Yoshimura
KEN-YA YOSHIMURA: Working as Chief Executive Officer at Monolith Works Inc, he supervises an R&D lab specializing in emerging technologies. His hacker life started when he was 8 years old; he likes to hack MSXs, NEC PC-9800s, Sharp X68000s, Windows, Macs, iPhones, iOS/Android apps, to circumvent copyright protection (for fun), etc. He adores a GSD.
https://keybase.io/ad3liae
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by... (CODE BLUE)
In this talk, we are going to disclose two unconventional use-after-free kernel bugs on Android that we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with Linux kernel 3.10 or earlier last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker can only overwrite the freed object at a fixed offset with a pointer to the object itself. Achieving kernel code execution with this bug can be very challenging. To solve the problem, we propose a new method that uses iovec to re-fill the freed object and compromises the pipe subsystem in the kernel. In this way we can convert this unusual memory corruption into an arbitrary kernel memory overwrite.
The second bug is CVE-2016-6787. The bug is a UAF due to a race condition; it may corrupt a critical kernel structure and lead to a kernel crash when the scheduler switches context back to the attacker's process. So we'll introduce a way to freeze the attacker's process soon after the UAF happens, stop the kernel from crashing, and make the exploit reliable.
In summary, this presentation gives new techniques for exploiting use-after-free bugs we recently found in the Android kernel. The exploitation ideas are fresh, and the details of the bugs have never been discussed before.
As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old-school heap-specific exploitation is dying. With each Windows SP or new version it is harder to attack the heap itself. Heap management adapts quickly and includes new mitigation techniques. But sometimes it is better to rethink the idea of mitigation and do this technique properly; even half a version of it will cover all known heap exploit techniques…
[COSCUP 2021] A trip about how I contribute to LLVM, by Douglas Chen
https://coscup.org/2021/zh-TW/session/YBFMNB
1. Motivation
CppNameLint and Clang-Tidy
2. Beginning of a trip
Phabricator, Arcanist, Build, Test, and their flows
3. Tips in a trip
Get out of trouble
4. Trip moments
Happened during the code review
5. The last
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka (CODE BLUE)
In this talk, I investigate several exploitation ideas for an iOS kernel jailbreak using recently exposed vulnerabilities. Recently, Ian Beer found the following promising vulnerabilities:
CVE-2016-7637: broken kernel mach port name 'uref' handling on iOS/macOS can lead to privileged port name replacement in other processes,
CVE-2016-7644: XNU kernel UaF due to lack of locking in set_dp_control_port,
CVE-2016-7661: macOS/iOS arbitrary port replacement in powerd.
However, a naive combination of the above vulnerabilities cannot easily break the recent mitigations implemented in iOS. Recent iOS provides kernel-level mitigations against exploitation such as kernel patch protection, sandboxing, AMFI (Apple Mobile File Integrity), MAC (Mandatory Access Control) policy, KASLR (Kernel ASLR), etc. These mitigations will be briefly explained.
Speaker: Ivan Yolkin
The fast-track speaker will talk about the experience of introducing a Static Analysis Security Tool at QIWI and about the difficulties the developers ran into. Write "crutches" or refactor the code? What to do when the client's and the developer's opinions diverge? He will tell how many lines of code had to be read and written before and after the scanner was launched, and offer a brief overview of the vulnerabilities found and missed.
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later (Positive Hack Days)
Speaker: Aleksey Cherepanov
The speed of hash cracking keeps growing. So does the number of hashing algorithms, and with it the amount of work needed to maintain a universal cracking tool. In response, john-devkit was developed: an improved code generator for the well-known password cracker John the Ripper. john-devkit contains more than 100 hash types. The speaker will cover the key aspects of using it: separating algorithms, optimizing and emitting code for different devices, a simple intermediate representation of hashing algorithms, the difficulties of optimizing for humans and for machines, bitslicing, and a comparison of processing speeds.
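One of the topics listed, bitslicing, is the main reason a code generator for a cracker pays off: the hash function is rewritten as a boolean circuit and each machine word then carries one bit of 64 different candidates, so every AND/XOR/NOT gate evaluates 64 passwords at once. The block below is an added example (not part of john-devkit or John the Ripper): it applies the idea to the chi step of Keccak on one 5-bit row, with a scalar reference, the transposes into and out of bit-sliced form, and the sliced evaluation. The 64 candidate inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BITS  5     /* width of the toy state: one Keccak chi row is 5 bits */
#define LANES 64    /* candidates per word: one per bit of a uint64_t */

/* Scalar reference: Keccak's chi on a 5-bit row, b[i] = a[i] ^ (~a[i+1] & a[i+2]). */
uint8_t chi_scalar(uint8_t a) {
    uint8_t r = 0;
    for (int i = 0; i < BITS; i++) {
        uint8_t ai  = (a >> i) & 1;
        uint8_t ai1 = (a >> ((i + 1) % BITS)) & 1;
        uint8_t ai2 = (a >> ((i + 2) % BITS)) & 1;
        r |= (uint8_t)((ai ^ ((ai1 ^ 1) & ai2)) << i);
    }
    return r;
}

/* Transpose 64 candidates into 5 lanes: bit j of lane[b] is bit b of candidate j. */
static void to_slices(const uint8_t cand[LANES], uint64_t lane[BITS]) {
    for (int b = 0; b < BITS; b++) {
        lane[b] = 0;
        for (int j = 0; j < LANES; j++)
            lane[b] |= (uint64_t)((cand[j] >> b) & 1) << j;
    }
}

static void from_slices(const uint64_t lane[BITS], uint8_t cand[LANES]) {
    for (int j = 0; j < LANES; j++) {
        cand[j] = 0;
        for (int b = 0; b < BITS; b++)
            cand[j] |= (uint8_t)(((lane[b] >> j) & 1) << b);
    }
}

/* Bitsliced chi: the same gate network, but each AND/XOR/NOT now acts on 64 candidates.
 * Fifteen word operations replace 64 runs of the scalar loop above. */
static void chi_bitsliced(const uint64_t a[BITS], uint64_t b[BITS]) {
    for (int i = 0; i < BITS; i++)
        b[i] = a[i] ^ (~a[(i + 1) % BITS] & a[(i + 2) % BITS]);
}

/* Push 64 constructed candidates through both paths; returns 1 if every lane agrees. */
int bitslice_matches_scalar(void) {
    uint8_t cand[LANES], out[LANES];
    uint64_t in[BITS], res[BITS];
    for (int j = 0; j < LANES; j++)
        cand[j] = (uint8_t)((j * 37 + 11) & 31);   /* constructed 5-bit inputs */
    to_slices(cand, in);
    chi_bitsliced(in, res);
    from_slices(res, out);
    for (int j = 0; j < LANES; j++)
        if (out[j] != chi_scalar(cand[j])) return 0;
    return 1;
}

int main(void) {
    printf("chi(0x01) = 0x%02x; bitsliced == scalar on 64 candidates: %d\n",
           chi_scalar(1), bitslice_matches_scalar());
    return 0;
}
```

The transposes are the fixed cost of the technique; a real cracker pays them once per batch of candidates and keeps the whole hash (dozens of rounds) in sliced form in between, which is exactly the code a generator is good at emitting for each target device.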
In the past few years, the bar for exploitation has been raised high, and in the current state of software security it is harder and harder to achieve successful exploitation on the newest operating systems.
But while some systems continue to evolve and introduce new mitigations, others just freeze a few years behind. In our talk we will focus on rooting Android with two race condition vulnerabilities. We will show the differences in the level of exploitation needed, and how some mobile vendors are killing the security features on offer.
You didn't see it coming? "Dawn of hardened Windows Kernel", by Peter Hlavaty
For the past few years our team has been focusing on different operating systems, including the Microsoft Windows kernel. Honestly, our first pwn of the Windows kernel was not that challenging: plenty of available targets with a friendly environment for a straightforward pwn, from user mode up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose the ideal attack surface from the various sandboxes. In addition, what steps to follow for digging out security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers: e.g. choose an "unknown" one which hasn't been researched before; select a well-fuzzed or well-audited one; or research kernel module internals to find "hidden" attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selection, alongside the cost of the tricks around choosing seemingly banned targets, illustrated by notable examples.
After getting hands on a potential bug reachable from the targeted sandbox, it is time for Microsoft Windows' hardening efforts to put the attacker into a corner. Strong mitigations are being introduced more frequently than ever, with a promising direction that cuts lots of attack surface off, and several exploitation techniques being killed. We will show the difficulties of developing universal exploitation techniques, and demonstrate the technical level needed depending on the code quality of the target. We will examine how different it becomes in the era of Redstone and following versions, even with those techniques and a good vulnerability in hand. How it changed the attacker landscape and how it will (and will not) kill those techniques and applications. But will it really change the game or not?
In order to prevent exploitation of mistakes introduced in the development process, various security mitigations and hardening are continuously implemented at the application level and in the operating system as well.
Even when those mitigations greatly increase the difficulty of exploiting common bugs in software / core, you should not rely solely on them. And it can help to know the background and limits of those techniques, which protect your software directly or indirectly.
In this talk we will take a look at some of the helpful mitigations and features introduced in past years (x64 address space, SMAP & SMEP, CFG, ...) from the kernel point of view: their benefits, and their weak points at the same time.
In the current era of exploitation it is becoming more complex to develop even a PoC for a vulnerability, especially when it comes to more complicated ones, like race conditions, sandbox escapes ...
And it seems that nowadays it is still quite common to write a proof of exploitability for vendors, or even final code, in a prehistoric way, even using shellcoding.
We will show how vulnerability "design patterns" transform writing code from the current widespread form of a magic black box into developing software which breaks another one. We believe that development is the way to go for boosting vulnerability research, for the sake of security and your own time.
Rainbow Over the Windows: More Colors Than You Could Expect, by Peter Hlavaty
As time goes on operating systems keep evolving, as Microsoft Windows does; it ships new designs, features and code from time to time. However, sometimes it also ships more than a bit of code for complex subsystems residing in its kernel ... and at some future point it starts implementing new designs to prevent unnecessary access to them. But is it safe enough?
As we can see from security bulletins, the win32k subsystem attracts lots of attention. It looks as if, with the efforts of the many security researchers who have dug into this area, finding bugs here should be pretty tough and almost fruitless. Unfortunately this is not true, as win32k is backed by very complex logic and a large amount of code by nature.
We will present our point of view on the Windows graphics subsystem, as well as the schema of our fuzzing strategies. We will introduce some unusual areas of win32k, its extensions and how they can break even locked-down environments.
Part of our talk will be dedicated to CVE-2016-0176, the bug we used for this year's Pwn2Own Edge sandbox bypass, from its discovery to its exploitation techniques, which could serve as an example of a universal DirectX escape that is independent of graphics vendors.
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by... (CODE BLUE)
Virtual machines play a crucial role in modern computing. They often are used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. The assumption being made is that by running in a virtual machine, the potentially harmful code cannot execute anywhere else. However, this is not foolproof, as a vulnerability in the virtual machine hypervisor can give access to the entire system. While this was once thought of as just hypothetical, two separate demonstrations at Pwn2Own 2017 proved this exact scenario.
This talk details the host-to-guest communications within VMware. Additionally, the presentation covers the functionalities of the RPC interface. In this section of the presentation, we discuss the techniques that can be used to record or sniff the RPC requests sent from the Guest OS to the Host OS automatically. We also demonstrate how to write tools to query the RPC Interface in C++ and Python for fuzzing purposes.
Finally, we demonstrate how to exploit Use-After-Free vulnerabilities in VMware by walking through a patched vulnerability.
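The guest-to-host channel the abstract describes is the VMware "backdoor": an IN from port 0x5658 with a magic value in EAX, over which the guest opens an RPCI channel, sends the command in 4-byte words and reads the reply back the same way. The C driver below is an added example, not the speakers' tooling. Its constants are as I recall them from open-vm-tools (backdoor_def.h and guest_msg_def.h) and should be checked against those headers; the transport is pluggable, so the same framing code runs offline here against a constructed fake host and, when built with -DVMWARE_BACKDOOR_EXEC inside a VMware guest, against the real port. The fake host, its channel id 7 and its "1 <command>" echo are constructed for the test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as I recall them from open-vm-tools (backdoor_def.h, guest_msg_def.h);
 * check them against your copy of the headers before relying on them. */
#define BDOOR_MAGIC        0x564D5868u    /* "VMXh", must be in EAX */
#define BDOOR_PORT         0x5658u        /* "VX", I/O port number in DX[15:0] */
#define BDOOR_CMD_MESSAGE  30u            /* ECX[15:0]: the guest RPC command */
#define MSG_STATUS_SUCCESS 0x0001u        /* host's answer, in ECX[31:16] */
#define RPCI_PROTOCOL_NUM  0x49435052u    /* "RPCI": guest -> host command channel */
/* Sub-commands travel in ECX[31:16]; the channel id the host hands out travels in DX[31:16]. */
enum { MSG_OPEN, MSG_SENDSIZE, MSG_SENDPAYLOAD, MSG_RECVSIZE, MSG_RECVPAYLOAD, MSG_RECVSTATUS, MSG_CLOSE };

typedef struct { uint32_t eax, ebx, ecx, edx; } bdoor_regs;
typedef void (*bdoor_fn)(bdoor_regs *r);  /* performs one backdoor call, registers in place */

#ifdef VMWARE_BACKDOOR_EXEC
/* Real transport: IN from port 0x5658 with the magic in EAX. Only meaningful inside a
 * VMware guest on x86/x86-64 (and needs I/O privilege); anywhere else the IN faults. */
static void bdoor_real(bdoor_regs *r) {
    __asm__ volatile("inl %%dx, %%eax" : "+a"(r->eax), "+b"(r->ebx), "+c"(r->ecx), "+d"(r->edx));
}
#endif

/* Constructed stand-in for the VMX side, enough to exercise the framing: a single channel
 * (id 7) and a "1 <command>" echo, which is the shape of a successful host reply. */
static struct { char in[128]; size_t in_len, in_pos; char out[132]; size_t out_len, out_pos; } host;
void bdoor_fake(bdoor_regs *r) {
    uint32_t type = r->ecx >> 16, status = MSG_STATUS_SUCCESS, n;
    if (r->eax != BDOOR_MAGIC || (r->ecx & 0xFFFFu) != BDOOR_CMD_MESSAGE) { r->ecx = 0; return; }
    if (type != MSG_OPEN && (r->edx >> 16) != 7u) { r->ecx = 0; return; }   /* unknown channel */
    switch (type) {
    case MSG_OPEN:
        if (r->ebx != RPCI_PROTOCOL_NUM) status = 0;
        memset(&host, 0, sizeof host); r->edx = 7u << 16; break;
    case MSG_SENDSIZE:
        if (r->ebx >= sizeof host.in) status = 0; else host.in_len = r->ebx;
        host.in_pos = 0; break;
    case MSG_SENDPAYLOAD:
        n = (uint32_t)(host.in_len - host.in_pos); if (n > 4) n = 4;
        memcpy(host.in + host.in_pos, &r->ebx, n); host.in_pos += n;
        if (host.in_pos == host.in_len)
            host.out_len = (size_t)snprintf(host.out, sizeof host.out, "1 %.*s", (int)host.in_len, host.in);
        break;
    case MSG_RECVSIZE: r->ebx = (uint32_t)host.out_len; host.out_pos = 0; break;
    case MSG_RECVPAYLOAD:
        n = (uint32_t)(host.out_len - host.out_pos); if (n > 4) n = 4;
        r->ebx = 0; memcpy(&r->ebx, host.out + host.out_pos, n); host.out_pos += n; break;
    default: break;                       /* RECVSTATUS, CLOSE: nothing to record */
    }
    r->ecx = status << 16;
}
/* What the guest sees with no VMware behind the port: the status bit never comes back. */
void bdoor_absent(bdoor_regs *r) { r->ecx = 0; }

static int bd_call(bdoor_fn bd, uint32_t ebx, uint32_t type, uint16_t ch, bdoor_regs *r) {
    r->eax = BDOOR_MAGIC; r->ebx = ebx;
    r->ecx = BDOOR_CMD_MESSAGE | (type << 16);
    r->edx = BDOOR_PORT | ((uint32_t)ch << 16);
    bd(r);
    return (r->ecx >> 16) & MSG_STATUS_SUCCESS;
}

/* One complete guest -> host exchange. Returns the reply length, or -1 on any failure. */
int rpci_call(bdoor_fn bd, const char *cmd, char *reply, size_t cap) {
    bdoor_regs r; uint16_t ch; size_t len = strlen(cmd), rlen, off;
    if (!bd_call(bd, RPCI_PROTOCOL_NUM, MSG_OPEN, 0, &r)) return -1;
    ch = (uint16_t)(r.edx >> 16);                    /* channel id chosen by the host */
    if (!bd_call(bd, (uint32_t)len, MSG_SENDSIZE, ch, &r)) return -1;
    for (off = 0; off < len; off += 4) {             /* payload goes 4 bytes per call, in EBX */
        uint32_t w = 0; memcpy(&w, cmd + off, len - off < 4 ? len - off : 4);
        if (!bd_call(bd, w, MSG_SENDPAYLOAD, ch, &r)) return -1;
    }
    if (!bd_call(bd, 0, MSG_RECVSIZE, ch, &r)) return -1;
    rlen = r.ebx;                                    /* reply length comes back in EBX */
    if (rlen + 1 > cap) return -1;
    for (off = 0; off < rlen; off += 4) {
        if (!bd_call(bd, MSG_STATUS_SUCCESS, MSG_RECVPAYLOAD, ch, &r)) return -1;
        memcpy(reply + off, &r.ebx, rlen - off < 4 ? rlen - off : 4);
    }
    reply[rlen] = '\0';
    bd_call(bd, MSG_STATUS_SUCCESS, MSG_RECVSTATUS, ch, &r);  /* acknowledge the reply */
    bd_call(bd, 0, MSG_CLOSE, ch, &r);
    return (int)rlen;
}

int demo_fake_roundtrip(void) {          /* 23 = "1 " + the 21-byte command echoed back */
    char reply[128];
    int n = rpci_call(bdoor_fake, "info-get guestinfo.ip", reply, sizeof reply);
    return (n == 23 && strcmp(reply, "1 info-get guestinfo.ip") == 0) ? n : -1;
}
int demo_absent_host(void) { char reply[8]; return rpci_call(bdoor_absent, "ping", reply, sizeof reply); }
```

Inside a guest, pass bdoor_real instead of bdoor_fake and the same rpci_call drives the VMX process. A fuzzer built on this shape mutates `cmd` (and the sizes the SENDSIZE/RECVSIZE steps announce) and watches the host side, not the guest: the status bit in ECX[31:16] is the only feedback the protocol offers, so a hang or a crash of the VMX process, rather than any reply, is the interesting outcome.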
Mining Branch-Time Scenarios From Execution Logs, by Dirk Fahland
This presentation was given at the International Conference on Automated Software Engineering (ASE 2013) in Palo Alto, November 2013.
We describe a technique for automatically extracting specifications from execution traces of an application. The particular specification that we extract are scenarios in the form of conditional existential Live-Sequence Charts (LSC), which are similar to UML Sequence Diagrams.
The technique is implemented in a tool and was evaluated on two real-life event logs.
syzbot and the tale of million kernel bugs, by Dmitry Vyukov
The root cause of most software exploits is bugs. Hardening, mitigations and containers are important, but they can't protect a system with thousands of bugs. In this presentation, Dmitry Vyukov will review the current [sad] situation with Linux kernel bugs and security implications based on their experience testing kernel for the past 3 years; overview a set of bug finding tools they are developing (syzbot, syzkaller, KASAN, KMSAN, KTSAN); and discuss problems and areas that require community help to improve the situation.
These slides contain an introduction to Symbolic execution and an introduction to KLEE.
I made this for a small demo/intro for my research group's meeting.
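As an added example for the slides' topic (not taken from the slides): a length-prefixed record parser with a missing destination bound, its fixed variant, and a harness that marks the input symbolic so KLEE explores every path through the length checks. The record format, the OUT_CAP size and the -DKLEE build flag are this example's own choices; klee_make_symbolic and klee_assume are the real KLEE API calls from klee/klee.h, and the native fallback only zero-fills the input so the same file builds and runs without KLEE.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef KLEE                     /* our own flag: add -D KLEE when building bitcode for KLEE */
#include <klee/klee.h>
#else                           /* native build: the symbolic calls degrade to concrete no-ops */
static void klee_make_symbolic(void *p, size_t n, const char *name) { (void)name; memset(p, 0, n); }
static void klee_assume(uintptr_t cond) { (void)cond; }
#endif

#define OUT_CAP 16              /* destination size every caller is expected to provide */

/* Record format constructed for this example: in[0] is the payload length, in[1..] the payload. */

/* Buggy parser: checks the length against the input, never against the destination. */
int parse_record_unchecked(const uint8_t *in, size_t in_len, uint8_t *out) {
    if (in_len < 1) return -1;
    size_t len = in[0];
    if (len > in_len - 1) return -1;    /* truncated record */
    memcpy(out, in + 1, len);           /* BUG: len may be up to 255 for a 16-byte out */
    return (int)len;
}

/* Fixed parser: one more comparison closes the hole. */
int parse_record_checked(const uint8_t *in, size_t in_len, uint8_t *out) {
    if (in_len < 1) return -1;
    size_t len = in[0];
    if (len > in_len - 1 || len > OUT_CAP) return -1;
    memcpy(out, in + 1, len);
    return (int)len;
}

/* KLEE harness: 32 symbolic input bytes and a destination of exactly OUT_CAP bytes.
 *   clang -DKLEE -I$KLEE_SRC/include -emit-llvm -g -O0 -c record.c -o record.bc
 *   klee record.bc
 * KLEE forks on every branch that depends on in[0]; on the paths where 16 < in[0] <= 31
 * the memcpy runs past `out`, which KLEE reports as a memory error (klee-last/test*.ptr.err)
 * together with a concrete input that reaches it. Natively the input is zero-filled and the
 * harness simply returns 0. */
int klee_harness(void) {
    uint8_t in[32], out[OUT_CAP];
    klee_make_symbolic(in, sizeof in, "in");
    klee_assume(in[0] <= 31);           /* leave out the uninteresting "truncated" paths */
    return parse_record_unchecked(in, sizeof in, out);
}

/* Concrete checks that run without KLEE. */
int demo_valid_record(void) {
    uint8_t in[5] = { 4, 'A', 'B', 'C', 'D' }, out[OUT_CAP];      /* constructed input */
    int n = parse_record_checked(in, sizeof in, out);
    return (n == 4 && memcmp(out, "ABCD", 4) == 0) ? n : -1;
}
int demo_oversize_record(void) {
    uint8_t in[32] = { 20 }, scratch[32];     /* length byte 20: over OUT_CAP, within in_len */
    int checked = parse_record_checked(in, sizeof in, scratch);       /* rejects: -1 */
    int unchecked = parse_record_unchecked(in, sizeof in, scratch);   /* accepts: 20 */
    return checked == -1 && unchecked == 20;  /* scratch is 32 bytes, so this demo itself does not overflow */
}
```

The point of the harness is the one KLEE makes on slides like these: you do not pick the failing length, the solver does, and the path condition it reports (in[0] > 16, in[0] <= 31) is exactly the missing check.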
Java Performance: Speedup your application with hardware counters, by Sergey Kuksenko
A modern CPU: look under the cover to understand its performance. What about hardware for Java application performance? Let's understand how the Performance Monitoring Unit works, what hardware counters are, and how to use them to speed up Java apps.
Test Driven Development of A Static Code Analyzer, by Terry Yin
Static analyzers help us find problems in our code. They are like compilers in terms of complexity; they need to know the syntax of the target languages. Is it possible to build such tools without a comprehensive upfront design? He will share his experience of making such a tool in Python over the past 8 years.
Solving Cross-Cutting Concerns in PHP - DutchPHP Conference 2016, by Alexander Lisachenko
Talk about solving cross-cutting concerns in PHP at DutchPHP Conference.
Discussed questions:
1) OOP features and limitations
2) OOP patterns for solving cross-cutting concerns
3) Aspect-Oriented approach for solving cross-cutting concerns
4) Examples of using AOP for real life application
JUC Europe 2015: The Famous Cows of Cambridge: A Non-Standard Use Case for Je... (CloudBees)
By Sarah Woodall, NXP Semiconductors
LPCXpresso is a multi-platform IDE for developers of embedded software to run on NXP Semiconductor's ARM-based microcontrollers. NXP needs to test that the debugger can execute programs on numerous different development boards that connect to the USB ports of host computers. Besides building a complex software product, the Jenkins installation drives an automated test farm consisting of home-built software-controlled USB switches ("cows") that control a huge array of combinations of test board, debug probe and host platform. This talk will give a tour of the NXP farm, including video of the cows in action, and will describe the features of Jenkins that are used to make it work, with particular emphasis on dynamic selection of combinations within matrix jobs, parameterized triggers and the Summary Display plugin. Finally, plans to migrate to the new Workflow plugin will be discussed. NXP believes the Workflow plugin will simplify the structure and make it more maintainable.
Kernel Recipes 2019 - Formal modeling made easy (Anne Nicolas)
Modeling parts of Linux has become a recurring topic: for instance, the memory model, the model for PREEMPT_RT synchronization, and so on. But the term "formal model" causes panic for most developers, mainly because of the complex notations and reasoning that formal languages involve. It seems to be a very theoretical thing, far from our day-to-day reality.
Believe me. Modeling can be more practical than you might guess!
This talk will discuss the challenges and benefits of modeling, based on the experience of developing the PREEMPT_RT model. It will present a methodology for modeling Linux behavior as finite-state machines (automata), using terms that are very well known to kernel developers: tracing events! With a particular focus on how to use the models for formal verification of the Linux kernel, at runtime, with low overhead, and in many cases without even modifying the Linux kernel!
Daniel Bristot de Oliveira
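As an added example of the methodology the abstract describes (not the talk's own model or code): a two-state automaton over three tracing events, in the shape of the "wakeup in preemptive" model (preempt_disable, preempt_enable, sched_waking), run as one automaton per CPU over ftrace-style text output. The trace lines are constructed, every CPU is assumed to start with preemption enabled, and how the kernel attaches such a monitor to tracepoints at runtime is left out; this only shows the checking step itself.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CPUS 8

/* Two states and three tracing events: preemption may only be re-enabled after being
 * disabled, and a wakeup (sched_waking) is only allowed while preemption is disabled. */
enum { PREEMPTIVE, NON_PREEMPTIVE };
enum { EV_PREEMPT_DISABLE, EV_PREEMPT_ENABLE, EV_SCHED_WAKING, EV_COUNT };
static const char *state_name[] = { "preemptive", "non_preemptive" };
static const char *event_name[EV_COUNT] = { "preempt_disable", "preempt_enable", "sched_waking" };

/* Transition table; -1 marks a transition the model forbids. */
static const int next_state[2][EV_COUNT] = {
    /* preemptive     */ { NON_PREEMPTIVE, -1,         -1 },
    /* non_preemptive */ { -1,             PREEMPTIVE, NON_PREEMPTIVE },
};

/* Extract "[cpu]" and the event name from one line of ftrace text output, e.g.
 *   "    bash-1234  [000] d..2   100.000002: sched_waking: comm=sshd pid=42 ..."
 * Returns 1 only for events the model knows; everything else is ignored. */
static int parse_line(const char *line, int *cpu, int *ev) {
    const char *b = strchr(line, '['), *p;
    if (!b || sscanf(b, "[%d]", cpu) != 1 || *cpu < 0 || *cpu >= MAX_CPUS) return 0;
    p = strstr(b, ": ");                 /* the first ": " after the cpu field ends the timestamp */
    if (!p) return 0;
    p += 2;
    size_t n = strcspn(p, ": \n");
    for (int e = 0; e < EV_COUNT; e++)
        if (strlen(event_name[e]) == n && memcmp(event_name[e], p, n) == 0) { *ev = e; return 1; }
    return 0;
}

/* Run one automaton per CPU over a trace. Returns the number of forbidden transitions
 * and describes the first one in `err` (if given). Every CPU is assumed to start in
 * `preemptive`, i.e. the capture is assumed to begin outside any preempt-disabled region. */
int verify_trace(const char *trace, char *err, size_t errcap) {
    int st[MAX_CPUS] = {0}, violations = 0, lineno = 0, cpu, ev;
    char line[256];
    const char *p = trace;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        lineno++;
        if (parse_line(line, &cpu, &ev)) {
            int nxt = next_state[st[cpu]][ev];
            if (nxt < 0) {
                if (violations++ == 0 && err)
                    snprintf(err, errcap, "line %d: cpu %d: %s not allowed in state %s",
                             lineno, cpu, event_name[ev], state_name[st[cpu]]);
            } else {
                st[cpu] = nxt;           /* on a violation the state is left unchanged */
            }
        }
        p = nl ? nl + 1 : p + full;
    }
    return violations;
}

/* Constructed traces, not real captures. The first is what the model expects; in the
 * second, CPU 1 disables preemption but the wakeup happens on CPU 0, still preemptive. */
static const char *good_trace =
    "    bash-1234  [000] d..1   100.000001: preempt_disable: caller=try_to_wake_up\n"
    "    bash-1234  [000] d..2   100.000002: sched_waking: comm=sshd pid=42 prio=120 target_cpu=001\n"
    "    bash-1234  [000] d..1   100.000003: preempt_enable: caller=try_to_wake_up\n";
static const char *bad_trace =
    "  <idle>-0     [001] d..1   100.000004: preempt_disable: caller=schedule_idle\n"
    "    bash-1234  [000] d..1   100.000005: sched_waking: comm=sshd pid=42 prio=120 target_cpu=001\n"
    "  <idle>-0     [001] d..1   100.000006: preempt_enable: caller=schedule_idle\n";

int demo_good_trace(void) { return verify_trace(good_trace, NULL, 0); }
int demo_bad_trace(void)  { return verify_trace(bad_trace, NULL, 0); }

int main(void) {
    char err[160] = "";
    printf("good trace: %d violation(s)\n", demo_good_trace());
    printf("bad trace:  %d violation(s), first: %s\n", verify_trace(bad_trace, err, sizeof err), err);
    return 0;
}
```

Feed it `trace-cmd report` or `/sys/kernel/tracing/trace` output with those three events enabled and the same table does the work; moving the check from a post-processing pass to the tracepoint callbacks themselves is the "at runtime, with low overhead" part of the talk, and the table does not change when you do.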
(automatic) Testing: from business to university and back, by David Rodenas
This talk is about the fundamentals of testing, a little bit of history of how the professional community developed what we currently know as testing, but also about why I should care about testing. Why is it important to test? What is important to test? What is not important to test? How to do testing?
There are some examples in Plunker just to see each step, and many surprises.
This talk also compares what people learn in Computer Science and Engineering degrees with what people do in testing. It gives some tips to catch up with the current state of the art and gives some points to start changing the syllabus to make better engineers.
This talk is good for beginners, teachers, bosses, but also for seasoned techies who just want to light up some of the ideas that they might have been hatching.
Spoiler alert: testing will save you development time and make you a good professional.
How do we go from your Java code to the CPU assembly that actually runs it? Using high level constructs has made us forget what happens behind the scenes, which is however key to write efficient code.
Starting from a few lines of Java, we explore the different layers that contribute to running your code: JRE, bytecode, structure of the OpenJDK virtual machine, HotSpot, intrinsic methods, benchmarking.
An introductory presentation to these low-level concerns, based on the practical use case of optimizing 6 lines of code, so that hopefully you want to explore further!
Presentation given at the Toulouse (FR) Java User Group.
Video (in French) at https://www.youtube.com/watch?v=rB0ElXf05nU
Slideshow with animations at https://docs.google.com/presentation/d/1eIcROfLpdTU2_Z_IKiMG-AwqZGZgbN1Bs2E0nGShpbk/pub?start=true&loop=false&delayms=60000
Inside the JVM - Follow the white rabbit! / Breizh JUG - Sylvain Wallez
Presentation given at the Rennes (FR) Java User Group in Feb 2019.
How do we go from your Java code to the CPU assembly that actually runs it? Using high level constructs has made us forget what happens behind the scenes, which is however key to write efficient code.
Starting from a few lines of Java, we explore the different layers that contribute to running your code: JRE, bytecode, structure of the OpenJDK virtual machine, HotSpot, intrinsic methods, benchmarking.
An introductory presentation to these low-level concerns, based on the practical use case of optimizing 6 lines of code, so that hopefully you want to explore further!
FortranCon2020: Highly Parallel Fortran and OpenACC Directives - Jeff Larkin
Fortran has long been the language of computational math and science and it has outlived many of the computer architectures on which it has been used. Modern Fortran must be able to run on modern, highly parallel, heterogeneous computer architectures. A significant number of Fortran programmers have had success programming for heterogeneous machines by pairing Fortran with the OpenACC language for directives-based parallel programming. This includes some of the most widely-used Fortran applications in the world, such as VASP and Gaussian. This presentation will discuss what makes OpenACC a good fit for Fortran programmers and what the OpenACC language is doing to promote the use of native language parallelism in Fortran, such as do concurrent and Co-arrays.
Video Recording: https://www.youtube.com/watch?v=OXZ_Wkae63Y
When Swift was announced in 2014, nobody would have imagined that one day this language could be used to build an application... on the server side! By open-sourcing Swift, Apple gives developers a new way of imagining their development, by giving them access to web applications. We will review the strengths and weaknesses of Apple's proposal, discover how to code back-end applications and deploy them in the cloud, and see how Swift positions itself against its direct competitors.
Interesting Observations (7 Sins of Programmers); The compiler is to blame; Archeological strata; The last line effect; Programmers are the smartest; Security, security! But do you test it?; You can’t know everything; Seeking a silver bullet.
The Java Memory Model describes how threads in the Java programming language interact through memory. Together with the description of single-threaded execution of code, the memory model provides the semantics of the Java programming language.
It is crucial for a programmer to know how, according to the Java Language Specification, to write correctly synchronized, race-free programs.
After giving this talk at the NSSpain conference, Simone Civetta will explain which metrics can be used to evaluate the quality of a source code base. Since this question is still a matter of debate, prepare your arguments!
Prometheus as exposition format for eBPF programs running on Kubernetes - Leonardo Di Donato
The kernel knows more than our programs. Stop bloating our applications with copy-and-paste instrumentation code for metrics. Let's go look under the hood!
Nowadays every application exposes its metrics via an HTTP endpoint readable by Prometheus. Nevertheless, this very common pattern, by definition, only exposes metrics about the specific application being observed.
This talk, and its companion slides, present the idea, and a reference implementation (https://github.com/bpftools/kube-bpf), of using eBPF programs to collect application and kernel metrics and automatically expose them via a Prometheus endpoint.
It walks through the architecture of the proposed reference implementation - a Kubernetes operator with a custom resource for eBPF programs - and finally links to a simple demo showing how to use it to grab and present some metrics without having touched any application running on the demo cluster.
---
Talk given at Cloud_Native Rejekts EU - Barcelona, Spain - on May 18th, 2019
Final project report on grocery store management system.pdf - Kamal Acharya
In today's fast-changing business environment, it is extremely important to be able to respond to client needs in the most effective and timely manner, especially when your customers wish to see your business online and have instant access to your products or services.
Online Grocery Store is an e-commerce website that retails various grocery products. This project allows viewing the various products available and enables registered users to purchase desired products instantly using the Paytm/UPI payment processor (Instant Pay), or to place an order using the Cash on Delivery (Pay Later) option. This project gives Administrators and Managers easy access to view orders placed using the Pay Later and Instant Pay options.
In order to develop an e-commerce website, a number of technologies must be studied and understood. These include multi-tiered architecture, server- and client-side scripting techniques, implementation technologies, programming languages (such as PHP, HTML, CSS, JavaScript) and MySQL relational databases. This project's objective is to develop a basic shopping cart website for consumers and to learn about the technologies used to develop such a website.
This document will discuss each of the underlying technologies used to create and implement an e-commerce website.
About
Indigenized remote control interface card suitable for MAFI system CCR equipment, compatible with the IDM8000 CCR. Backplane-mounted serial and TCP/Ethernet communication module for CCR remote access; IDM 8000 CCR remote control over serial and TCP protocols.
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy configuration using DIP switches.
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx - R&R Consult
CFD analysis is incredibly effective at solving mysteries and improving the performance of complex systems!
Here's a great example: At a large natural gas-fired power plant, where they use waste heat to generate steam and energy, they were puzzled that their boiler wasn't producing as much steam as expected.
R&R and Tetra Engineering Group Inc. were asked to solve the issue with reduced steam production.
An inspection had shown that a significant amount of hot flue gas was bypassing the boiler tubes, where the heat was supposed to be transferred.
R&R Consult conducted a CFD analysis, which revealed that 6.3% of the flue gas was bypassing the boiler tubes without transferring heat. The analysis also showed that the flue gas was instead being directed along the sides of the boiler and between the modules that were supposed to capture the heat. This was the cause of the reduced performance.
Based on our results, Tetra Engineering installed covering plates to reduce the bypass flow. This improved the boiler's performance and increased electricity production.
It is always satisfying when we can help solve complex challenges like this. Do your systems also need a check-up or optimization? Give us a call!
Work done in cooperation with James Malloy and David Moelling from Tetra Engineering.
More examples of our work https://www.r-r-consult.dk/en/cases-en/
Overview of the fundamental roles in Hydropower generation and the components involved in wider Electrical Engineering.
This paper presents the design and construction of hydroelectric dams from the hydrologist’s survey of the valley before construction, all aspects and involved disciplines, fluid dynamics, structural engineering, generation and mains frequency regulation to the very transmission of power through the network in the United Kingdom.
Author: Robbie Edward Sayers
Collaborators and co editors: Charlie Sims and Connor Healey.
(C) 2024 Robbie E. Sayers
Hybrid optimization of pumped hydro system and solar - Engr. Abdul-Azeez.pdf - fxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. 
Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
Sachpazis: Terzaghi Bearing Capacity Estimation in simple terms with Calculati... - Dr. Costas Sachpazis
Terzaghi's soil bearing capacity theory, developed by Karl Terzaghi, is a fundamental principle in geotechnical engineering used to determine the bearing capacity of shallow foundations. This theory provides a method to calculate the ultimate bearing capacity of soil, which is the maximum load per unit area that the soil can support without undergoing shear failure. The Calculation HTML Code included.
3. § A prize competition organized by DARPA to drive innovation in next-generation techniques
§ 2007 Urban Challenge
§ 2012 Robotics Challenge
§ Cyber Grand Challenge
§ The first fully machine attack-defense CTF
§ Focus on developing automatic attack-defense systems
4. § Started in 2014
§ Qualification round on June 3, 2015
7. Team      | Research               | CTF                     | Enterprise
CodeJitsu    | Berkeley               | BlueLotus               | Cyberhaven
CSDS         | University of Idaho    |                         |
Deep Red     |                        | Some CTF players        | Raytheon
disekt       | Different universities | disekt                  |
ForAllSecure | CMU CyLab              | PPP                     | ForAllSecure
Shellphish   | UCSB                   | Shellphish              | LastLine
TECHx        | University of Virginia | Some white-hat students | GrammaTech
8. § CGC Final Event was held at DEF CON 2016
§ Final winner: ForAllSecure/Mayhem
§ Startup company ForAllSecure
§ Most members come from the PPP CTF team
§ Researchers from CMU CyLab
§ The day after the CGC, Mayhem competed with top human hackers in the DEF CON CTF
§ Mayhem finished last, but PPP won the game
10. § Cyber Reasoning System
§ Given: Challenge Binaries (CB)
§ Given: other teams' RCBs and IDS rules
§ Produces: patched binary (RCB)
§ Produces: IDS rules
§ Produces: POV (exploit program)
[Diagram: the CRS receives CBs, other teams' RCBs and IDS rules, and PCAP traffic from the CFE, and submits its own RCB, IDS rules and POV back to the CFE]
11. § Modified Linux
§ Customized ELF format
§ Only 7 syscalls
§ terminate (exit)
§ transmit (write)
§ receive (read)
§ fdwait (select)
§ allocate (mmap)
§ deallocate (munmap)
§ random
§ No signal handling, no non-executable stack, no ASLR, ...
12. § Type 1
§ Hijack control flow
§ Control EIP and one register
§ Type 2
§ Information leak
§ Leak information from the magic page
13. § 2016 CloudSec: HITCON hacker team challenges the US CGC "Skynet" machines, exploring the development of AI automated attack and defense technology
§ KB.HITCON
§ Introduction to the Cyber Grand Challenge
§ Feature series: Taiwanese hackers challenge the US CGC "Skynet" machines
§ Let's focus more on technique!
14. § Determining whether a program has a vulnerability is undecidable
§ Assume we have a machine M that can detect any vulnerability in a program
§ Halting problem: build a program P that asks M about itself
    if M(P) has no bug:
        do_some_bug()
    else:
        do_nothing()
15. § If we have an execution trace, we can check whether the bug appears on that path
§ To test software completely, we would need to traverse all the code inside the program
§ Halting problem
§ If we can run more traces, we can find more bugs!!
§ But we can still do something :)
16. § Automatically generate inputs that make the program crash
§ Does not inspect program semantics
§ Generates inputs randomly, or with some heuristics
§ Coverage-based
§ AFL, Peach, BFF
17. § American Fuzzy Lop
§ The easy-to-use fuzzer
§ Efficiency
§ Low-level compile-time instrumentation
§ Coverage-based fuzzer
§ Effective mutation strategy
At least 4 teams in CGC used AFL
18. § How does AFL work?
1. Load user-supplied initial test cases into the queue
2. Take the next input file from the queue
3. Attempt to trim the test case to the smallest size that doesn't alter the measured behavior of the program
4. Repeatedly mutate the file using a balanced and well-researched variety of traditional fuzzing strategies
5. If any of the generated mutations resulted in a new state transition recorded by the instrumentation, add the mutated output as a new entry in the queue
6. Go to 2
§ Binary fuzzing -> QEMU (emulator) support
§ Good seeds are important
19. § Feed everything in the network PCAP into AFL
§ Use AFL as the first-layer checker
§ Check whether the input is worth deeper analysis
§ "This instance would run through each of the incoming PCAP files and evaluate whether they brought anything 'new' to the table."
(from "Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber Grand Challenge")
20. § Most tests fall into a few high-frequency paths
§ Strategy to find the low-frequency paths
§ Energy
§ The number of inputs to be generated from a seed
§ Strategy
§ Low energy to seeds exercising high-frequency paths
§ High energy to seeds exercising low-frequency paths
§ AFLFast paper published in the ACM Conference on Computer and Communications Security
§ GitHub: https://github.com/mboehme/aflfast
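The six-step AFL loop of slide 18 and the AFLFast power schedule of slide 20, as an added example that is not code from AFL, AFLFast or the slides. The target program, its coverage "instrumentation", the mutation operators and the seed corpus are all constructed here (the target's 3-byte magic header and trusted length byte are a stand-in for a CGC challenge binary), so the script runs offline.

```python
"""Added example, not code from AFL, AFLFast or the slides: a toy coverage-guided
fuzzer following the six-step AFL loop of slide 18, with seed energy assigned
by path frequency as slide 20 describes. Target and coverage are constructed."""
import random
from collections import Counter

MAGIC = b"CGC"

def target(data):
    """Constructed target: 3-byte magic, then a trusted length byte; returns (edges hit, crashed?)."""
    edges = set()
    for i, want in enumerate(MAGIC):
        if i >= len(data) or data[i] != want:
            return edges | {f"bad_magic{i}"}, False
        edges.add(f"magic{i}")
    if len(data) < 4:
        return edges | {"no_length"}, False
    if data[3] > len(data) - 4:              # declared length exceeds the payload:
        return edges | {"oob_read"}, True    # stands in for a memory-safety crash
    return edges | {"payload_ok"}, False

def trim(data, path):
    """Step 3: drop bytes while the measured path stays the same."""
    i = 0
    while len(data) > 1 and i < len(data):
        cand = data[:i] + data[i + 1:]
        if frozenset(target(cand)[0]) == path:
            data = cand
        else:
            i += 1
    return data

def mutate(rng, data):
    """Step 4: one random byte-level mutation (overwrite, insert or delete)."""
    op, byte = rng.randrange(3), bytes([rng.randrange(256)])
    if op == 0 and data:
        pos = rng.randrange(len(data))
        return data[:pos] + byte + data[pos + 1:]
    if op == 1 or not data:
        pos = rng.randrange(len(data) + 1)
        return data[:pos] + byte + data[pos:]
    pos = rng.randrange(len(data))
    return data[:pos] + data[pos + 1:]

def energy(path_hits, total_execs, base=16, cap=512):
    """Slide 20: low energy for seeds on high-frequency paths, high for rare ones."""
    share = path_hits / max(1, total_execs)
    return int(min(cap, max(1, base / share)))

def fuzz(seeds, max_execs=60000, seed=1):
    """Steps 1-6 of slide 18 with the slide-20 schedule; returns (crash or None, queue)."""
    rng, path_hits, seen, queue, execs = random.Random(seed), Counter(), set(), [], 0

    def execute(data):
        nonlocal execs
        edges, crashed = target(data)
        execs += 1
        path = frozenset(edges)                    # AFLFast keys frequency by path
        path_hits[path] += 1
        return edges, path, crashed

    for s in seeds:                                # 1. load initial test cases
        edges, path, _ = execute(s)
        seen |= edges
        queue.append((s, path))
    idx = 0
    while execs < max_execs:
        data, path = queue[idx % len(queue)]       # 2. take the next queue entry
        idx += 1
        data = trim(data, path)                    # 3. trim it
        for _ in range(energy(path_hits[path], execs)):
            cand = mutate(rng, data)               # 4. mutate, energy times
            edges, cpath, crashed = execute(cand)
            if crashed:
                return cand, queue
            if not edges <= seen:                  # 5. new edge: add to the queue
                seen |= edges
                queue.append((cand, cpath))
    return None, queue                             # 6. go to 2 until the budget is spent
```

Starting from the seed b"AAAA", each magic byte the mutator guesses opens a new edge and a new queue entry, whose rare path then receives most of the energy until the length check is reached.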
21. § Murphy is a directed fuzzer based on AFL
§ Most improvements are in efficiency
§ Binary-only instrumentation
§ Maybe based on BAP
22. § A mechanism to discover code coverage
§ Translate each instruction/code line into constraints
§ Constraint: a formula defining what the operation does
§ Collect all the constraints
§ Solve when the required condition is met
§ E.g. when a branch is reached
23. Concrete trace with input = 3 (one column per loop iteration):
Line | 1st     | 2nd     | 3rd
0    | ebx = 0 |         |
1    | ecx = 0 |         |
2    | eax = 3 |         |
3    | ebx = 3 | ebx = 6 | ebx = 9
4    | ecx = 1 | ecx = 2 | ecx = 3
5    | NE      | NE      | E
6    | N       | N       | Y
7    | Y       | Y       |
8    | NE      |         |
9    | N       |         |
Program:
0 mov ebx, 0
1 mov ecx, 0
2 mov eax, input
loop:
3 add ebx, eax
4 add ecx, 1
5 cmp ecx, 3
6 je final
7 jmp loop
final:
8 cmp ebx, 15
9 je f1
f1 (taken) / f2 (fall-through)
24. Symbolic trace (input = sym_0):
Line | 1st                   | 2nd                   | 3rd
0    | ebx_0 = 0             |                       |
1    | ecx_0 = 0             |                       |
2    | eax_0 = sym_0         |                       |
3    | ebx_1 = ebx_0 + eax_0 | ebx_2 = ebx_1 + eax_0 | ebx_3 = ebx_2 + eax_0
4    | ecx_1 = ecx_0 + 1     | ecx_2 = ecx_1 + 1     | ecx_3 = ecx_2 + 1
5    | NE                    | NE                    | E
6    | N                     | N                     | Y
7    | Y                     | Y                     |
8    | NE                    |                       |
9    | N                     |                       |
(Program listing as on slide 23.)
25. § Can we jump to the final block when the loop runs 3 times?
Symbolic trace up to the loop condition:
Line | 1st                   | 2nd                   | 3rd
0    | ebx_0 = 0             |                       |
1    | ecx_0 = 0             |                       |
2    | eax_0 = sym_0         |                       |
3    | ebx_1 = ebx_0 + eax_0 | ebx_2 = ebx_1 + eax_0 | ebx_3 = ebx_2 + eax_0
4    | ecx_1 = ecx_0 + 1     | ecx_2 = ecx_1 + 1     | ecx_3 = ecx_2 + 1
5    | NE                    | NE                    | E
(Program listing as on slide 23.)
26. § Can we jump to the final block when the loop runs 3 times?
(= ecx_3 3)
(= (+ ecx_2 1) 3)
(= (+ (+ ecx_1 1) 1) 3)
(= (+ (+ (+ ecx_0 1) 1) 1) 3) and (= ecx_0 0)
SMT Solver: SAT! This formula is satisfiable.
(Program listing as on slide 23.)
27. § Convert instructions into constraints
§ Add the branch constraint
§ Solve the constraints
28. § Can we enter f1?
(Symbolic trace table as on slide 24, program listing as on slide 23.)
29. § The number of possible paths increases exponentially
§ In symbolic execution, every memory location is symbolized
§ Too many symbols to solve
§ Concolic execution
§ Only symbolize the interesting memory
§ Use concrete values for the rest
30. § Track related instructions only?
(Concrete trace table with input = 3 and program listing as on slide 23.)
31. Trace with ebx symbolic and ecx concrete:
Line | 1st                   | 2nd                   | 3rd
0    | ebx_0 = 0             |                       |
1    | ecx_0 = 0             |                       |
2    | eax_0 = sym_0         |                       |
3    | ebx_1 = ebx_0 + eax_0 | ebx_2 = ebx_1 + eax_0 | ebx_3 = ebx_2 + eax_0
4    | ecx_1 = 1             | ecx_2 = 2             | ecx_3 = 3
5    | NE                    | NE                    | E
6    | N                     | N                     | Y
7    | Y                     | Y                     |
8    | NE                    |                       |
9    | N                     |                       |
(Program listing as on slide 23.)
32. § Which input makes us arrive at f1?
(Trace table as on slide 31, program listing as on slide 23.)
[Expression tree for ebx_3: ebx_3 = ebx_2 + eax_0, ebx_2 = ebx_1 + eax_0, ebx_1 = ebx_0 + eax_0, ebx_0 = 0]
33. § Which input makes us arrive at f1?
Final: (= 15 (+ in (+ in (+ in 0))))
SMT Solver: SAT! This formula is satisfiable when in = 5.
[Expression tree for ebx_3 as on slide 32]
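The walk through slides 23 to 33, as an added example that is not code from the slides: a tiny concolic executor for the ten-instruction program. It reproduces the concrete trace of slide 23, keeps ecx concrete as slide 31 does, and for `cmp ebx, 15 / je f1` builds the constraint of slide 33 and solves it (in = 5) with a small linear solver standing in for the SMT solver. The placement of the loop and final labels is assumed from the trace tables.

```python
"""Added example, not code from the slides: a tiny concolic executor for the
ten-instruction loop of slides 23-33. Registers hold linear expressions
a*in + b over the single symbolic input `in` (eax_0 = sym_0 on the slides);
ecx never depends on the input, so its branch is decided concretely (slide 31),
while `cmp ebx, 15 / je f1` becomes a constraint solved in place of the SMT solver."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Lin:
    """Linear expression a*in + b in the one symbolic input."""
    a: int
    b: int
    def __add__(self, other):
        return Lin(self.a + other.a, self.b + other.b)
    def __sub__(self, other):
        return Lin(self.a - other.a, self.b - other.b)

# The slide program; the loop/final labels sit where the trace tables imply (assumed).
PROGRAM = [
    ("mov", "ebx", Lin(0, 0)),    # 0
    ("mov", "ecx", Lin(0, 0)),    # 1
    ("mov", "eax", "input"),      # 2  eax = input (symbolic unless a concrete run)
    ("add", "ebx", "eax"),        # 3  loop:
    ("add", "ecx", Lin(0, 1)),    # 4
    ("cmp", "ecx", Lin(0, 3)),    # 5
    ("je", 8),                    # 6  je final
    ("jmp", 3),                   # 7  jmp loop
    ("cmp", "ebx", Lin(0, 15)),   # 8  final:
    ("je", "f1"),                 # 9  je f1, otherwise fall through into f2
]

def solve_zero(e):
    """Integer solution of a*in + b == 0, or None when unsatisfiable."""
    if e.a == 0:
        return 0 if e.b == 0 else None      # no symbol left: trivially SAT/UNSAT
    return -e.b // e.a if e.b % e.a == 0 else None

def explore(concrete_input=None):
    """Walk the program once: fully concrete with concrete_input (slide 23),
    otherwise symbolic, solving the first input-dependent branch (slides 32-33)."""
    eax0 = Lin(1, 0) if concrete_input is None else Lin(0, concrete_input)
    regs, pc, cmp_lhs, cmp_rhs = {}, 0, None, None
    branches = []                      # (line, taken?) for lines 6 and 9
    result = {"block": None, "formula": None, "input": concrete_input}
    for _ in range(100):               # bounded walk; the loop body runs 3 times
        op, *args = PROGRAM[pc]
        if op == "mov":
            regs[args[0]] = eax0 if args[1] == "input" else args[1]
        elif op == "add":
            rhs = args[1] if isinstance(args[1], Lin) else regs[args[1]]
            regs[args[0]] = regs[args[0]] + rhs
        elif op == "cmp":
            cmp_lhs, cmp_rhs = regs[args[0]], args[1]
        elif op == "jmp":
            pc = args[0]
            continue
        elif op == "je":
            diff = cmp_lhs - cmp_rhs   # zero exactly when the operands are equal
            if diff.a != 0:            # depends on the input: constrain and solve
                result["formula"] = f"(= (+ (* {diff.a} in) {cmp_lhs.b}) {cmp_rhs.b})"
                result["input"] = solve_zero(diff)
                result["block"] = args[0] if result["input"] is not None else None
                break
            taken = diff.b == 0        # concrete branch: decide like the CPU would
            branches.append((pc, taken))
            if taken and isinstance(args[0], str):   # jumped into a labelled block
                result["block"] = args[0]
                break
            if taken:
                pc = args[0]
                continue
            if pc == len(PROGRAM) - 1:  # not taken on the last line: the f2 block
                result["block"] = "f2"
                break
        pc += 1
    result["ebx"], result["branches"] = regs["ebx"], branches
    return result
```

`explore(3)` yields ebx = 9 and lands in f2 as on slide 23; `explore()` yields ebx_3 = 3*in and the solved input 5, which `explore(5)` confirms reaches f1.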
34. § In-house symbolic execution engine, called Grace
§ Path priority
§ "Grace to focus on unique and interesting inputs, rather than churning away at things that would likely lead down previously-explored paths"
§ Symbolize authentication/random tokens
§ Powerful static analysis
(from "Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber Grand Challenge")
35. § Virtual machine symbolic execution framework: S2E
§ Selective symbolic execution / concolic execution
§ Execution consistency models
§ State merging and prioritizing
[Diagram: whole-system execution in QEMU, with binary code lifted to LLVM and executed symbolically by KLEE]
36. § angr
§ Not only a symbolic execution engine, but a binary analysis framework
§ http://angr.io/
("Cyber Grand Shellphish", Shellphish, DEF CON 24)
37. § Binary-only symbolic execution
§ Faster than S2E (whole system/LLVM) and angr (VEX simulator)
§ BAP-based binary instrumentation
§ Veritesting
§ A coverage-based search strategy
§ Other features
§ Fine-tuned process-based instrumentation and taint analysis
§ Access to an extensive set of tested x86 semantics
§ Several years of performance tuning for solvers (expression rewriting, caches, etc.)
§ Path merging
38. § One of the most important techniques we learned from CGC is "how to integrate an efficient fuzzer with sophisticated symbolic execution"
39. § Driller
§ Switches between the fuzzer and symbolic execution
§ Driller: Augmenting Fuzzing Through Selective Symbolic Execution
§ Network and Distributed System Security Symposium 2016
40. § Sharing seeds between Mayhem and our custom AFL
§ Fuzzer
§ If you have good seeds, it works better
§ Symbolic execution finds the good seeds
https://blog.forallsecure.com/2016/02/09/unleashing-mayhem/
41. § Seed sharing: fuzzer + S2E + traffic replay
§ Path exploration
§ S2E helps the fuzzer break through some branches
47. § CFI: control flow integrity
§ Shadow stacks
§ Maintain a duplicate stack
§ Once the return address differs from the one on the shadow stack, an attack is detected
§ DEP
§ Randomization
§ Data leakage defense
48. § Control Flow Integrity
https://www.trust.informatik.tu-darmstadt.de/research/projects/current-projects/control-flow-integrity/
49. § TECHx achieved first place in security
§ PEASOUP
§ CodeSonar
(from "Building an Autonomous Cyber Battle System: Our Experience in DARPA's Cyber Grand Challenge")
50. § The other important aspect is "how to integrate many systems into a large architecture"
§ Dealing with a complicated system architecture
§ Reliability is difficult
§ Mayhem ran into problems and failed for half of the game
53. § DARPA CGC introduction
§ Most teams have research, CTF and enterprise support
§ Automatic vulnerability discovery
§ Fuzzers and symbolic execution are widely used techniques in CGC
§ How to integrate a fuzzer and symbolic execution
§ Engineering power: integrating many different software systems
54. § https://cgc.darpa.mil/
§ https://www.cybergrandchallenge.com/
§ "DARPA's Cyber Grand Challenge: Creating a League of Extra-Ordinary Machines", Ben Price and Michael Zhivich, ACSAC
§ "Rise of the Machines: an introduction to the Cyber Grand Challenge and the DEFCON 24 CTF finals", MaskRay
§ "Cyber Grand Challenge and CodeJitsu", Chao Zhang
§ https://www.youtube.com/watch?v=xfgGZq86iWk
§ Reddit IamA: "Mayhem, the Hacking Machine that won DARPA's Cyber Grand Challenge. AMA!"
§ "Unleashing the Mayhem CRS", ForAllSecure
§ "Cyber Grand Shellphish", Shellphish, DEF CON 24
§ "The Cyber Grand Challenge", Eric Rizzi, GrammaTech
§ "Hybrid Concolic Execution, Part 1 (Background)", Ducson Nguyen, GrammaTech
§ "Hybrid Concolic Execution, Part 2", Ducson Nguyen, GrammaTech
§ "Case Study: LEGIT_00004", ForAllSecure