[Dailydave] DARPA CGC Recap

Jordan Wiens jordan at psifertex.com
Thu Aug 17 19:41:06 UTC 2017 

Bit of a crappy format, but here's a screenshot from the trace-api tool I
linked to in my other email that shows all the POVs from each team (it's
sorted by those that CRSPY got because I happened to have them selected)
but it shows all teams, just look for any non-"1" score.

Anyway, this, plus the source itself is a starting point. The source
includes ifdefs around all intended vulns. Of course, not all POVs were the
intended ones. We did some analysis but I forget the numbers offhand.

[image: Inline image 1]

On Thu, Aug 17, 2017 at 3:28 PM, Dave Aitel <dave.aitel at gmail.com> wrote:

> I just want a list of which vulnerabilities were exploited by which
> engines and in what round + all the vulnerabilities in source (which is in
> the repo I think). :)
>
> In a way, having them be able to SEE people throw vulnerabilities at each
> other corrupts the data a bit I think, because you no longer no what they
> FOUND and what they SAW, if that makes sense?
> -dave
>
>
> On Thu, Aug 17, 2017 at 3:20 PM Jordan Wiens <jordan at psifertex.com> wrote:
>
>> Happy to answer any questions if there are any. (As best as I can
>> remember anyway--been a while since we first recorded it and even longer
>> since most of the analysis)
>>
>> One of my favorite moments we found what looked like true back-and-forth
>> interaction between two of the CRS's. To be clear, we don't know at all
>> /why/ they behaved the way they did since they were black boxes from our
>> perspective. Even some of the teams I've talked to after the competition
>> have no idea why their systems did what they did -- whether because lack of
>> logging, or because the system architecture made introspection into which
>> component initiated which actions difficult.
>>
>> These two systems had multiple rounds of back-and-forth behavior where:
>>
>> 1) a stack based BO was exploited against a service, and the payload
>> obfuscated the address of the flag page data it was stealing bytes from
>> (reading from the flag page was one mechanism for scoring).
>>
>> 2) a patch was submitted in the minimum time possible from the team being
>> scored upon that generically protected the binary by remapping the stack as
>> non-executable (and did a few other changes as well--they were all part of
>> the standard toolkit this team applied to some binaries)
>>
>> 3) the attacking team re-formulated their payload to use ROP gadgets,
>> successfully evading the NX stack protection, but now exposing the "flag
>> page" address they were reading data from in cleartext on the wire
>>
>> 4) the defending team deployed a network filter that fairly naively (but
>> effectively it turns out) blocked the first several bytes of the address of
>> the flag page, stopping the exploit.
>>
>> And all it happened in less time than it would take even very good human
>> exploiters to land bug in the first place (at least when forced to work
>> with unfamiliar tools and a stressful environment). We actually have
>> reasonably good data on that from last year's Infiltrate NOPCert challenge.
>>
>> On Wed, Aug 9, 2017 at 6:36 PM, Kristian Erik Hermansen <
>> kristian.hermansen at gmail.com> wrote:
>>
>>> A 2+ hour video recap released with interesting visuals and technical
>>> analysis:
>>>
>>> Watch "Cyber Grand Challenge: The Analysis" on YouTube
>>>
>>> https://youtu.be/SYYZjTx92KU
>>>
>>> _______________________________________________
>>> Dailydave mailing list
>>> Dailydave at lists.immunityinc.com
>>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>>
>>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20170817/8141ca66/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: evaluation-score.png
Type: image/png
Size: 372390 bytes
Desc: not available
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20170817/8141ca66/attachment-0001.png>

More information about the Dailydave mailing list