Dailydave mailing list archives

Re: CGC Wrapup Video


From: dave aitel <dave () immunityinc com>
Date: Thu, 17 Aug 2017 15:59:14 -0400

Ah, it's there for sure, although you're not sure which bug they
exploited. Interesting to draw some correlations. For example DeepRed
(Raytheon) got two weird heap overflows exploited, and then a lot of
stack overflows...did that heap overflow come from a replay of someone
else's bug? Is that a thing?

Heap Overflows:

 1. http://www.lungetech.com/cgc-corpus/challenges/CROMU_00055/
 2. http://www.lungetech.com/cgc-corpus/challenges/NRFIN_00052/

Hmm. Lots of interesting information here, although somewhat hard to dig
through I guess?

-dave



On 8/17/2017 3:31 PM, Chris Eagle wrote:
Dave,

You may find some of what you want here: http://www.lungetech.com/cgc-corpus/cfe/

I have all the raw data from the event including the answers to some of your questions below. If I can format them in 
some useful manner I will post some of those answers.

Chris

On 8/17/2017 8:51 AM, dave aitel wrote:
So I wanted to type up some notes on the CGC Wrapup <https://www.youtube.com/watch?v=SYYZjTx92KU> video, which was 
excellent. I mean, a part of what you want to do, while you watch it, is strip out all the parts of the thing that 
are about "playing the game". I know Jordan loves CTFs as some sort of e-sport and also there's a whole community 
who for whatever reason plays CTFs instead of playing corewars on helpless Chinese networks like of yore, but that 
stuff is 100% distraction when it comes to the CGC.


As you can see, the tiny red lines on the right are supposed to be some combination of "could hack and could secure 
a service". I can't find anywhere something that has a simple spreadsheet of which samples 
<http://www.lungetech.com/cgc-corpus/challenges/NRFIN_00080/>  (and even which vulns in which samples) were able to 
be attacked by which teams. So much of the game was weighted towards performance characteristics that it's hard to 
determine the information you really need from the scores, although the video goes over some anecdotal examples 
where RUBEUS and MECHAPHISH were able to attack particular historically interesting programs. It's telling that 
Mayhem won despite being basically off for half the contest. ;)

Does anyone have better data on this?

-dave

P.S. Holy cow the visualizations on program execution are next gen! Worth a close watch just to see them.



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

