Re: DARPA CGC Recap

[Jordan Wiens <jordan () psifertex com>]

Bit of a crappy format, but here's a screenshot from the trace-api tool I
linked to in my other email that shows all the POVs from each team (it's
sorted by those that CRSPY got because I happened to have them selected)
but it shows all teams, just look for any non-"1" score.

Anyway, this, plus the source itself is a starting point. The source
includes ifdefs around all intended vulns. Of course, not all POVs were the
intended ones. We did some analysis but I forget the numbers offhand.

[image: Inline image 1]

On Thu, Aug 17, 2017 at 3:28 PM, Dave Aitel <dave.aitel () gmail com> wrote:

> I just want a list of which vulnerabilities were exploited by which
> engines and in what round + all the vulnerabilities in source (which is in
> the repo I think). :)
>
> In a way, having them be able to SEE people throw vulnerabilities at each
> other corrupts the data a bit I think, because you no longer no what they
> FOUND and what they SAW, if that makes sense?
> -dave
>
>
> On Thu, Aug 17, 2017 at 3:20 PM Jordan Wiens <jordan () psifertex com> wrote:
>
> > Happy to answer any questions if there are any. (As best as I can
> > remember anyway--been a while since we first recorded it and even longer
> > since most of the analysis)
> >
> > One of my favorite moments we found what looked like true back-and-forth
> > interaction between two of the CRS's. To be clear, we don't know at all
> > /why/ they behaved the way they did since they were black boxes from our
> > perspective. Even some of the teams I've talked to after the competition
> > have no idea why their systems did what they did -- whether because lack of
> > logging, or because the system architecture made introspection into which
> > component initiated which actions difficult.
> >
> > These two systems had multiple rounds of back-and-forth behavior where:
> >
> > 1) a stack based BO was exploited against a service, and the payload
> > obfuscated the address of the flag page data it was stealing bytes from
> > (reading from the flag page was one mechanism for scoring).
> >
> > 2) a patch was submitted in the minimum time possible from the team being
> > scored upon that generically protected the binary by remapping the stack as
> > non-executable (and did a few other changes as well--they were all part of
> > the standard toolkit this team applied to some binaries)
> >
> > 3) the attacking team re-formulated their payload to use ROP gadgets,
> > successfully evading the NX stack protection, but now exposing the "flag
> > page" address they were reading data from in cleartext on the wire
> >
> > 4) the defending team deployed a network filter that fairly naively (but
> > effectively it turns out) blocked the first several bytes of the address of
> > the flag page, stopping the exploit.
> >
> > And all it happened in less time than it would take even very good human
> > exploiters to land bug in the first place (at least when forced to work
> > with unfamiliar tools and a stressful environment). We actually have
> > reasonably good data on that from last year's Infiltrate NOPCert challenge.
> >
> > On Wed, Aug 9, 2017 at 6:36 PM, Kristian Erik Hermansen <
> > kristian.hermansen () gmail com> wrote:
> >
> > > A 2+ hour video recap released with interesting visuals and technical
> > > analysis:
> > >
> > > Watch "Cyber Grand Challenge: The Analysis" on YouTube
> > >
> > > https://youtu.be/SYYZjTx92KU
> > >
> > > _______________________________________________
> > > Dailydave mailing list
> > > Dailydave () lists immunityinc com
> > > https://lists.immunityinc.com/mailman/listinfo/dailydave
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunityinc com
> > https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave