[Dailydave] DARPA CGC Recap

Dave Aitel dave.aitel at gmail.com
Thu Aug 17 19:28:29 UTC 2017


I just want a list of which vulnerabilities were exploited by which engines
and in what round + all the vulnerabilities in source (which is in the repo
I think). :)

In a way, having them be able to SEE people throw vulnerabilities at each
other corrupts the data a bit I think, because you no longer know what they
FOUND and what they SAW, if that makes sense?
-dave


On Thu, Aug 17, 2017 at 3:20 PM Jordan Wiens <jordan at psifertex.com> wrote:

> Happy to answer any questions if there are any. (As best as I can remember
> anyway--been a while since we first recorded it and even longer since most
> of the analysis)
>
> One of my favorite moments we found what looked like true back-and-forth
> interaction between two of the CRS's. To be clear, we don't know at all
> /why/ they behaved the way they did since they were black boxes from our
> perspective. Even some of the teams I've talked to after the competition
> have no idea why their systems did what they did -- whether because of a lack of
> logging, or because the system architecture made introspection into which
> component initiated which actions difficult.
>
> These two systems had multiple rounds of back-and-forth behavior where:
>
> 1) a stack based BO was exploited against a service, and the payload
> obfuscated the address of the flag page data it was stealing bytes from
> (reading from the flag page was one mechanism for scoring).
>
> 2) a patch was submitted in the minimum time possible from the team being
> scored upon that generically protected the binary by remapping the stack as
> non-executable (and did a few other changes as well--they were all part of
> the standard toolkit this team applied to some binaries)
>
> 3) the attacking team re-formulated their payload to use ROP gadgets,
> successfully evading the NX stack protection, but now exposing the "flag
> page" address they were reading data from in cleartext on the wire
>
> 4) the defending team deployed a network filter that fairly naively (but
> effectively it turns out) blocked the first several bytes of the address of
> the flag page, stopping the exploit.
>
> And all of it happened in less time than it would take even very good human
> exploiters to land a bug in the first place (at least when forced to work
> with unfamiliar tools and a stressful environment). We actually have
> reasonably good data on that from last year's Infiltrate NOPCert challenge.
>
> On Wed, Aug 9, 2017 at 6:36 PM, Kristian Erik Hermansen <
> kristian.hermansen at gmail.com> wrote:
>
>> A 2+ hour video recap released with interesting visuals and technical
>> analysis:
>>
>> Watch "Cyber Grand Challenge: The Analysis" on YouTube
>>
>> https://youtu.be/SYYZjTx92KU
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>
>>

