[Dailydave] DARPA CGC Recap

Jordan Wiens jordan at psifertex.com
Mon Aug 14 00:48:41 UTC 2017

Happy to answer any questions if there are any. (As best as I can remember
anyway--been a while since we first recorded it and even longer since most
of the analysis)

One of my favorite moments we found what looked like true back-and-forth
interaction between two of the CRS's. To be clear, we don't know at all
/why/ they behaved the way they did since they were black boxes from our
perspective. Even some of the teams I've talked to after the competition
have no idea why their systems did what they did -- whether because lack of
logging, or because the system architecture made introspection into which
component initiated which actions difficult.

These two systems had multiple rounds of back-and-forth behavior where:

1) a stack based BO was exploited against a service, and the payload
obfuscated the address of the flag page data it was stealing bytes from
(reading from the flag page was one mechanism for scoring).

2) a patch was submitted in the minimum time possible from the team being
scored upon that generically protected the binary by remapping the stack as
non-executable (and did a few other changes as well--they were all part of
the standard toolkit this team applied to some binaries)

3) the attacking team re-formulated their payload to use ROP gadgets,
successfully evading the NX stack protection, but now exposing the "flag
page" address they were reading data from in cleartext on the wire

4) the defending team deployed a network filter that fairly naively (but
effectively it turns out) blocked the first several bytes of the address of
the flag page, stopping the exploit.

And all it happened in less time than it would take even very good human
exploiters to land bug in the first place (at least when forced to work
with unfamiliar tools and a stressful environment). We actually have
reasonably good data on that from last year's Infiltrate NOPCert challenge.

On Wed, Aug 9, 2017 at 6:36 PM, Kristian Erik Hermansen <
kristian.hermansen at gmail.com> wrote:

> A 2+ hour video recap released with interesting visuals and technical
> analysis:
> Watch "Cyber Grand Challenge: The Analysis" on YouTube
> https://youtu.be/SYYZjTx92KU
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20170814/8b3e2e89/attachment.html>

More information about the Dailydave mailing list