Wednesday, February 15, 2017

DEF CON 24 - Shellphish - Panel: Cyber Grand Shellphish

Yes, everybody's like, okay, this is cool but not that cool, apart from Jon, who was totally cool. Okay, should we start? Let's start. All right, you're up. So I'm gonna put this off, because I sort of started Shellphish, but I'm sort of reaping the benefit of it without really doing anything. These guys are actually the brains behind it, the guys that stayed up all night doing all the work. I'm just looking at them thinking, oh my god, I remember when I did that, twenty-five years ago. I provided a lot of high-level planning and sushi delivery. Exactly, that's my role: feed them, they will poop software.
Ok seven grandchildren showed that's really actually true.
That's actually true. So I'm going to be very short on this. Shellphish was born out of the SecLab, which is the security group at UC Santa Barbara. Every time you say "UC", people say University of California, that's not right, that's Berkeley; UC Santa Monica, that does not exist; it's UC Santa Barbara, so get it right.
SecLab is the group we come from, and the group is currently led by me and my colleague Christopher Kruegel. We look very professional here, like professors, but we're actually hackers behind weird handles like everybody else.
I never got the handle thing, but I needed one.
And so if you look it up on the internet, it's somebody with a gigantic nose and a ponytail, which I once had. Would you say Chris is your life partner?
I think Christopher is my academic wife, so I have to take care of all his needs. I wish he would be here; he would be super proud of everybody. This is our university, not bad, and that's why Shellphish is here. Our lab is exactly...
There were... right on the beach. We have a private beach, and that's why our tagline is "hex on the beach," and we're like, is it back here? Yes it is. All right, so how did it start? It started in 2004, I know it's such a long time ago, and it was me, but then I had a bunch of grad students, including Chris, and we evolved into a community, and in 2005 we actually won DEF CON CTF, never won since then. Those were the good old days, and it's awesome because they say the older you get, the more awesome you are, so I'm milking it for whatever I can. But we grew up, you know, and then suddenly Chris moved to Vienna to become a professor there, recruited some more people, that became more people that came back to Santa Barbara because it's awesome, became more people, more students, more students, even more students. And what happened is that some people went to Boston, so we have a substantial presence in Boston, and we evolved as a group more and more over the years, until at a certain point all our graduate students actually became professors as well. And so a lot of you, you know, you see people became professors all around the world: in London, at Arizona State University, your common friends. And right now...
Shellphish is a group of academic people all around the world doing interesting stuff. So right now our group is pretty much this. We're very inclusive, where, you know, we foster research, and that's what we care about. And with this I'll give my presentation over. Thank you, Giovanni. So before we go on with the Cyber Grand Challenge itself, I'd like to give a shout-out to all the other Shellphish who are in the audience: raise your hand if you're Shellphish.
Oh yeah, right there, nice, nice. Yeah, Shellphish is bigger than just the CGC team; the CGC team is a strict subset, but we have a lot of people that were cheering us from the sidelines, even on the team. So let's talk about the Cyber Grand Challenge. DARPA has a history of Grand Challenges, right? You guys are probably familiar with the self-driving car Grand Challenge and the Robotics Grand Challenge, because they got a lot of press, similar to the Cyber Grand Challenge just now. And the idea behind these is that DARPA finds this fledgling technology, self-driving cars, and they fund it with a lot of money, right? So their prizes are million-dollar prizes for self-driving cars, and this motivated a lot of people to put a lot of research into it. At the time people were of course saying, because the time was 2006, when we didn't even have smartphones, people were saying, do you really think that someday you'll be sitting inside a computer and it will be driving you around? That's absurd. And now we have people driving themselves to the hospital while they're having a heart attack in their Tesla. And so, you know, this technology push really pays off, and it's probably going to be the same with robotics; DARPA did the Robotics Grand Challenge and probably in 10 years we're all gonna be dead. And it's also going to be the same with programs. So the Cyber Grand Challenge really pushed the frontier of automatic program analysis, exploitation and defense. Right now it's in its infancy; I think you'll see how the CRSs did at DEF CON CTF, and maybe they won't beat the best humans, but that's the beginning. The chess systems didn't beat the best humans, and the self-driving cars aren't going to beat the best humans in races right now, but eventually they will, and eventually mechanical fish will kill us all.
Or hack us all, while the actual robots kill us all. So, the Cyber Grand Challenge: let's talk about how Shellphish is involved in the Cyber Grand Challenge. As Giovanni said, Shellphish is a bunch of academics and hackers, right? So, as academics, at one point we decided to shift our research interests at UCSB closer to binary analysis. We started looking into doing automated binary analysis and all of the things that go along with that, automatic vulnerability discovery and so forth, completely independent of the Cyber Grand Challenge. We started doing that sometime in 2013, and in late 2013 DARPA announces the Cyber Grand Challenge. So I have an email somewhere in my history saying, hey guys, check this out, this is this cool thing, maybe we should participate because we're working on a lot of the same stuff, and everyone said, yeah, let's do it, let's go for it, this is great, and then probably forgot about it for like a year. So the deadline for registration was in late 2014; I sent in the application literally 15 seconds before the deadline, because that's how we roll, and they said, great, you're in, congratulations, let's see what you've got. The first scored event is coming up in like four months, and so we're like, okay, cool. Or actually, it was in one month.
Right, so we said, cool, let's build the CRS, we're gonna rock this scored event, the first kind of practice round ("scored event" is the term they used), so the first practice round.
We're gonna do super awesome, we're gonna kill it. We totally forgot about it. The morning of the practice round I wake up and I'm like, shit, there's a practice round for the CGC stuff tonight. And so we started working on our CRS. So the first commit to the CRS is two hours, maybe three hours, let's say, before the practice round begins. So we start writing our CRS, the practice round begins, we play the practice round with some janky-ass CRS that kind of half works. Cool. So then we're like, all right, well, now we've started, we're going to get it all super put together before the second practice round. The second round rolls around and we remember about it maybe three days before, so the second commit to the CRS happens three days before the second practice round. We build it up, play the second round.
Oh okay, cool, now we have this kind of cyber reasoning system that's kind of ready to play in the CGC if we keep working on it solidly until the qualifiers. And of course we forget about it for another couple of months, and then two and a half weeks before the qualifiers we remember, hey, wait a second, the qualifiers are coming up. So then we start working like crazy and not sleeping, three weeks of complete insanity until the Cyber Grand Challenge qualifiers, and we have a cyber reasoning system that we can field for the Cyber Grand Challenge qualifiers, and we qualified with three weeks of absolute insanity. And so then we figured, cool, now we're super rich, because the qualifiers came with some 150 thousand dollars of prize money, and we can now spend a year working solidly, right, solidly, with test cases, test cases, code freezes, milestones, milestones, lots of milestones, and absolutely, you know, continuous integration and, you know, test rounds and everything for an entire freaking year. Agile development, that's the key word here. None of that happened.
So for nine months we used their money to fly around the world giving conference talks and saying how cool we are and how, you know, Fish is a Chinese martial arts expert, or wait, that was Kevin, Kevin is the Chinese martial arts expert, and, you know, Antonio's mysterious and all this shit. But really what we should have been doing is working on the CRS, right? And three months before the finals, three months ago, we realized, like, crap, we should really write a CRS for real, actually take what we had in the qualifiers and actually, you know, extend it so it can win the finals. So three months ago we started working like crazy, we stopped sleeping. I have a fiancée and I haven't seen her in three months, basically; that's the insanity. To the funding agencies listening: we're a lot more responsible than it looks. This is our hacker persona, right? We also have an academic persona, where of course we use CI, of course, come on, who doesn't have CI and code freezes, right? And we finish all our papers two weeks before they're due so that our professors can go over them. This is the hacker side of Shellphish. All right, anyways, so we went crazy for three months; we got the final commit to the CRS 30 minutes before the air gap was established. 30 minutes, right? And it was a commit in one of the core components. Oh shit, what could go wrong? There's a slide for that. All right, I'm killing us. So we did it, we played the CGC, we got third, and this is the team that was already introduced here, from all around the world: Italy, Germany, the US, India; there's a guy who qualified with us, hopefully sitting in the audience, from Senegal; Fish from China; they're from all over the place. And we're very rich, because we got two 750,000 dollar prizes now. So that's kind of a brief overview of our involvement in the CGC. I'll pass it over to Jacopo to introduce the CGC as a platform and what it means. Thank you. A very, very, very true and very effective
introduction to Shellphish, the hacker side as distinct from academia, versus the Shellphish academic side. All right, so just very briefly, what does it mean to actually score well in the CGC? You're going to go in blind with binaries that you have never seen before; you have to analyze them in whatever way you want, no limitation on how you do it; you have to own them, either by a crash or by leaking a secret; and you also have to patch them so the other guys cannot do the same to you. And this is a classic CTF structure that has some modifications, in the DECREE operating system, to make it easier to model and easier to handle for a program. Okay, so among the simplifications: the architecture is Intel x86, all opcodes are legal, which can lead to interesting situations that we will see in a bit. The system calls are simplified, much easier to model, pretty much read and write, select, allocate and deallocate (like malloc and free), random, and obviously exit. A lot easier to model for a program. And the actual binaries are actually a lot...
A lot more realistic, very real; they're not completely fake binaries. So as a side note, the DEF CON CTF was also played on the same platform. So just as an example of how real and complex these binaries could be, one of the challenges in the DEF CON CTF was a PowerPC interpreter and JITter, which was awful, and so there's a lot of room for complexity in these programs. And on the actual model side, I don't know if some of you guys want to barge in, basically what it means is that there is no state: every program runs once, there is no state, it runs, you either own it or it's going to do its thing. There's no state, there's no file system to modify; this is a lot easier to model. For the qualifications, and only for the qualifications, it was just enough to crash the program, segfault or illegal instruction, and you get the points for all the binaries. For the finals things are a lot more nuanced, and the actual exploitation, as we will see, is a lot more complicated, and it's a very interesting application of how to use symbolic execution and technologies. But as a basic idea, the two ways to do it are either a controlled crash, in which you show that you can not only crash the program in some place, but that you can actually crash the program at a place that the API is going to tell you: please crash the program in this place and set this register to these values. If you can do that, you verify that you have actual control of the program. Or, alternatively, you can leak a secret flag from memory. And on the patch side, just a brief note on how this API is designed so that it does not become too easy. Like, for instance, we can submit patches to the binary, okay, so what is preventing us from just submitting a binary that just exits? Okay, this program obviously never crashes.
But it also does not do anything useful. So the way this is prevented is that there are functionality checks: if the program does not maintain its benign function... if the program is a math calculator, it needs to still be able to do all the math operations that it can do normally. And similarly there is no signaling, so no way to just hide away all the safeguards: if you segfault, you are crashing. And finally, what would prevent us from putting in an interpreter that runs everything, so it checks before every possible instruction, am I gonna crash, am I gonna crash? Obviously we never crash. And the way this is prevented by DARPA is that you can actually do it, you can do it if you want, but you're going to pay a performance price, you're going to lose points for performance. This is, believe me, not as easy as it sounds; understanding exactly how your patch is performing is definitely not an easy task. It's definitely pretty hard, and then we gave up testing performance, we just say, this is our patch, deal with it. Yes, yes, that's very true. And informally we know other teams also had trouble, but I think no one more than Aravind knows very well how much of a pain it can be to actually test the performance and the functionality of a binary. So big props to Aravind for actually pushing through this task and actually making it, and this actually helped us a lot doing our own internal testing, even if it did not go into the live part. And I will now hand over. All right, so the CQE, the qualifying event, was not the full-size Cyber Grand Challenge: you needed to patch binaries and you needed to crash binaries, you didn't need to exploit anything, you just needed to crash it. In the final event you need to patch binaries, crash binaries to find where the vulnerabilities are, and then exploit those vulnerabilities. And on top of that it wasn't just a simple game or simple program
challenge where you got a binary and crashed it; it was a game. So you have a game-theoretic aspect, as you played against other actual competitors, right, similar to a human CTF but all computers. So the competition was actually divided into 96 rounds, and that wasn't predetermined; it was however many rounds they got through in a day.
There was a minimum time per round, and it ended up being 96, and there was a bunch of challenge binaries, as DARPA terms them, which were provided to the teams to hack. And for each round the teams would have a separate round score, which when aggregated would be their total score for the game. The score is calculated based on the multiplication of the team's availability, which means how much they fucked up the binary and how fast the binary still was, right, how much overhead the patches had, which is something Jacopo alluded to; the security score, which is how exploitable the binary still was, or were they still exploitable; and the evaluation score, which means did the team find an exploit for this binary. So it was very easy to screw yourself in this context, because they're all multipliers: if you completely break the binary, even if you have perfect offense, even if you find all of the exploits for this binary, then you still get zero points, because you broke the binary. In developing for this competition we ran into a lot of kind of organizational things. As I alluded to earlier, we started super late, so for example, up until a depressingly short time ago, this was our database, right; after all, this is a research group run by an Italian. Again, this is our hacker persona. So we actually had to do a join on this database at one point, when we got the real database: you're joining between the paper database and the actual database.
This is relevant because this is the database of performance scores we were trying to analyze. Yeah, it was relevant to the previous slide; specifically, this database contains the feedback from some of the practice sessions for the final event. So this is what DARPA called sparring partner sessions; we wrote them down, and then we had to join them with the real database to get the actual information that we needed to tune our patches. We also tried to go to code freeze several times, so at 41 p.m. on some godforsaken day I froze a component of our CRS called Farnsworth, and very shortly thereafter, this is the commit log, right? So the code freeze didn't work very well. There are commits such as this gem here, so Francesco here, you know, beautiful, beautiful, thought that this commit was okay; actually he just had very high standards, actually it was probably crap. But yeah. And then of course this is a long time into our code freeze, 12 to 15 hours before our nodes shut down, a couple of days ago; we were still changing very core components of the system. That's me upside down; I was at this point no longer sane.
So our CRS consisted of a lot of components, right. We had a central database that we call Farnsworth, for some reason, which stored all of the data that we got from the CGC API through a component that I will talk about later on; it stored network captures, it stored the scheduling decisions of what jobs to run, and then stored the results of those jobs. So now we're gonna go one by one into all of these components, probably pretty quickly, 15 minutes left, and we'll start with the organization, or the core organization components, and I'll hand over to Francesco and Kevin. So obviously coordination is very important if you're running a cluster of 64 nodes, and of course, since we needed to do that, we simply came up with using one database install, the one that we have... As a bunch of you probably know, this is from Futurama, so we just went with essentially Farnsworth, because, well, good news, everyone. And it's the only component that we actually tested fairly well, at about sixty-nine percent test coverage. I think the rest probably sits around like 1%. Zero. Perfect, even better.
Who needs testing anyway? So angr has at least fifteen percent coverage, I think; Francesco probably disagrees. But okay, then on top of that we have Meister, which the Germans, you know... so just Meister, which looks at scheduling jobs and deciding what jobs we want to run.
What kind of parts of our pipeline we're going to run: exploits, patching, if we want to run AFL, these kinds of things, scheduled based on priority. And this is obviously, sorry, the last component that we actually changed, with the last commit being, I guess, two hours and 18 minutes before the actual deadline. So yeah, this was at 12:42.
And the deadline to actually the node shutdown, what was that, 3pm? But we made a commit, I think the real last commit was 30 minutes before the deadline. Yeah, there were a bunch of commits like 2pm, but we actually reverted them and cleaned up the history just to make sure that they're actually not there, because they caused a bunch of failures on our side. Anyways, we would also like to give a big shout-out to essentially the open source components which we simply rely on; one of them is paisa, and Microsoft Research's 33 compiler. All of our things run inside Docker containers which are running Ubuntu with Python.
We're also using QEMU, Unicorn, obviously angr, which I'm sure a bunch of people are going to talk about now, and I think that's probably on... possibly Salt, and Z3. Yeah, go ahead. I agree with everything you said. angr is the open-source binary analysis project that we have in the SecLab; it's really, really cool, it's been open source for like a year now, we released it at DEF CON last year, right? Yeah, it does everything, it's cool. No time.
It's very cool. After the logo, it's Creative Commons. In order to do the actual exploitation and analysis pipeline, we split it up into a whole bunch of components and arranged them into these weird things, like using symbolic execution in order to do some basic analysis of what can go where, automatic exploitation, and patching, which will all be talked about in other sections of this presentation. Crashes. I think you can slow down a little. Fine, sorry.
So who wants to talk about crashing? Crashing. Hey guys, we haven't been sleeping for three days, so we're sorry. For the funding agencies: we're not doing drugs or alcohol.
Looks like it, but I'm not 21. All right, crashes, so Nick will talk about it. You see how prepared we were for this huge DEF CON talk.
Hello.
So, crashing. So our exploitation strategy is: we find crashes, we turn these into exploits. Already incredible. So actually, like a lot of teams, the thing we do the most is fuzzing, and this is what generates a lot of test cases, lots of crashes, the majority of the crashes, but not entirely all of the goodies we find. So we use AFL as a core component of fuzzing. I'll explain how AFL works, like these slides do, I suppose. Essentially it begins by generating lots of inputs which attempt to explore different parts of the program. The inputs are basically random, some of them more or less educated guesses, and how all these inputs do in following the program is tracked by instrumentation which is compiled into the binary, or which is provided by an emulator like QEMU. So AFL does a great job of doing this. We've modified it slightly to work better on CGC binaries, so we have a couple of hacks, which I think we'll be open sourcing, which make it perfect for CGC, or at least a lot better. Okay, "uncrashed", I don't think that actually exists as a word, but... the point of flags and all this shit.
So what is... I'll skip right through, I already mentioned this. AFL: great, this is how it works, random stuff gets put into the binary, the same input over and over again, eventually it comes up with something that works. This is much harder for a fuzzer: the generator needs a very specific input, fuzzing will have no luck with this, it keeps losing, makes absolutely no progress. If you guys feel like you can't keep up with my pace, I feel like that very frequently. Okay, so angr, on the other hand, is a symbolic execution engine; it's slower and more heavyweight, but it's great at finding very specific cases like the one we just described. And the way this works is by generating these states following different paths; as you can see here in the control flow graph, we have different states which are being followed; eventually there is a state which will satisfy the if expression, and we talk to Z3, we ask it to generate an input which gives us that state, and boom. So what we try to do is combine both AFL and angr in a tool called Driller. Driller begins by fuzzing; it gets the basic code coverage of the program the way you would expect AFL to get. Maybe it gets a couple of test cases; in this example, x and y, we get the cheap coverage. Next line, okay, again. Then we take these test cases and we trace all of them with angr, so we make the input completely concrete, almost; we actually keep it symbolic, but we constrain it to be this AFL-generated file, and we see, at any point in the program, if we could have taken a different path which AFL failed to take. If we could have taken that path, we talk to Z3, or angr more specifically, and we say, give me an input which satisfies this new path. In this case we get the CGC magic and a new test case is generated, and now we continue the loop and we feed this back into AFL, which continues to mutate that further and fuzz, and it goes on and on until we continue to get more coverage, and then we win. All right, so this next part is the
auto-exploitation: how we go from a crash, which is found by AFL or Driller, to actually an exploit for the CGC which captures a flag. All right, so in this example, I think there's a buffer overflow inside the heap, inside this malloc'd object here, and when you overflow this buffer you actually control the function pointer. And so we've been putting in the bug bytes, and eventually we control the buffer, the symbolic address.
We're going to call into an address we control, and so to exploit this we use angr: we trace the input using angr and check, first, that the IP is symbolic. The PC here, we say, does the state have a symbolic PC? At that point we know it's probably exploitable; we can control where we're going to jump to.
And so let's set the buffer to contain our shellcode; we ask Z3 to give us an input where the buffer being pointed to contains shellcode, and then we jump to the buffer, and that'll give us an exploit. And to do this we synthesize the input in angr; that's just called state.posix.dumps(0). So in the CGC this is discovered by taking a crashing input and tracing that with angr, so keeping all the input that AFL created symbolic and then following the path that it took until we have our crashing symbolic state. So keep in mind this is very simplified; we have a bunch more techniques that handle the harder cases and that can take a not-so-good crash and turn it into a better crash, and you can find those all when we do our open source release and when we release more details in papers later. And this component is called Rex; if you're interested in auto-exploitation, check that out.
All right, so the steps again: we create a vulnerable symbolic state where we control the PC, we add the constraints to set the shellcode and to set the program counter to point to the shellcode, and then we synthesize the input, and that creates our exploit.
Okay, so in this component we'll be talking about our exploitation of flag leaks. So if you didn't know, there are two types of exploits you can generate in the CGC. Type 1 is sort of classic memory corruption: show that you can control the program counter, show that you can also control a general purpose register.
However, there's another type, called type 2, very creative, which shows that you can leak arbitrary memory from the program. So in the CGC there's actually sensitive data; it's mapped at a special address in every single binary, and if you leak content from this page in memory you score points, like Heartbleed, for example. There was a Heartbleed challenge in this game where the premise was leaking this data from this flag page, the sensitive data. So the way we do this in the fast way is we
actually use the Unicorn engine, which angr integrates, to make the entire input completely concrete; the only thing which is symbolic during the flag detection is the flag page itself. So we trace the entire program, and it executes very fast, because everything has been completely emulated by QEMU with Unicorn, and we can detect our transmit because we hook it with angr when the flag page is actually being emitted, and then we can see exactly which transformations are done to this flag page: you can tell if it's been XORed or if some complicated constraints have been applied. For example, this actually solved a DEF CON CTF challenge, which... okay, we don't have time to talk about that, but we solved the DEF CON CTF challenge this way, so we'll talk about it a little more later. So, of course, one of the challenges was to patch this binary, so we have the component called Patcherex that was going from a binary to a patched binary. So the general idea is we have patching techniques, for instance, let's encrypt the return address, and these techniques generate patches such as: let's add this code here, let's add this data there. And these patches were injected into the binary; we had three different ways, the first one was slower but more reliable and the last one was faster but a little bit less reliable, and Fish is probably going to talk about the reassembler. And so we had adversarial patches; they were designed to make our patched binary not analyzable by others, and this is one of them that is pretty cool: this is a QEMU detection. If you run this code in QEMU it'll hang forever.
Well, not really forever; as long as it takes to increment a 64-bit int 2 to the 64 times, it's basically forever. And we actually owned the Cyber Grand Challenge visualization infrastructure with this: they're apparently using QEMU for instruction tracing, and at one point during the CGC we noticed that their instruction tracing had just stopped, and it stopped right on this code which was designed to detect QEMU. It will not crash, but.
Zero-day! Take a picture. We have a lot of open source bug fixes to contribute, starting now. So there were all sorts of adverse side effects, so to speak. The process for our binary was started, the flag was output, but it was transmitted to stderr, so this could probably confuse an analysis system; it could mean it identifies this as a type 2 vulnerability. Then there's the back door: if some team was using our patch in their submission we could actually exploit that, and I'm not sure if the back door worked during the CGC, but for sure it worked during the CTF. How many teams used our back door during the CTF? I'm sure it was three teams that fell for our back door at the media event during CGC, okay, cool. So then we also had sort of generic patches; these are more standard academic things, such as protecting the return pointer, protecting data, and when we release this code you will see all these sorts of more standard techniques, and then targeted patches. So the general idea, you can speak about it. So, targeted patches, right? In the qualification event we just wanted to avoid crashes, because anything that crashes counts as exploitable. So, using a weird quirk of one of the syscalls, we checked to see if memory was readable at a certain point, and if it wasn't, crash. So I would like to take specific credit for our targeted patches in the final event, which were exactly nil, and it works great. What can I say, there was no functionality overhead. Motivated by the slides, the devil's interests, one could think that we thought we were cooler for finding these weird syscall tricks to detect memory locations, but actually when we analyzed the qualification binaries from other teams, when they were released, we found at least one other team was doing exactly this.
So you're saying they're both cool? Yeah, we're both cool. Okay, so we are running out of time, so the only thing I want to say is that angr is also... I spent three days writing the reassembler and another three days on the optimizer, so it works out. So what is the reassembler? Just a real quick example: a static binary rewriter that basically... okay, we'll probably do it later, no, okay.
We had a breakdown from our... I think... okay, it's fine. The reassembly is awesome: Fish wrote a binary rewriter where you can inject code into binaries and it'll seamlessly reassemble the binary to include that code. Check it out in the open source release. There's nothing much to say, but basically DARPA gave us 64 powerful servers. How many servers? 64 servers, holy shit, not 30, 64. So we tried to maximize the usage of these nodes, and we could get, if not the memory, at least the CPUs, that's better. So, the 64 servers: we had a lot of media attention over the CGC, and what got people excited the most, strangely enough, is the fact that we had 64 servers all to ourselves.
Incredible. Anyway, so we implemented all these systems in breakneck, like, three months.
And we pushed as hard as we could, we got it all running, we made a commit at the last second, and we played the game, or rather our baby played the game; she walked on her own.
We walked into the room and they told us, hey, your guys' bot started up and it's doing a lot of disk I/O, and we fucking lost it, because up until then we thought, you know, it's gonna turn on and something will fail and it'll all crap itself. So this was incredible, and then we got third place. Top three is amazing for us, guys; I can't tell you how incredible it is to have been part of this competition, and we're going on; it was incredible.
Since we played in the CTF we didn't really get much of a chance to actually look at the data, but we quickly and briefly looked at it, and there were 82 challenge sets fielded, at least to our bot; so only 82. If more had been fielded we might have actually missed them. In total Mechanical Phish generated about 2,450 exploits; we generated a total of 1,700 exploits for 14 out of the 82 challenge sets, all of them with a hundred percent reliability, and so far as I know, always leaking or essentially crashing at a specific address. Did you check how many were, like, most reliable? I did not. So essentially it seems that we only got 14 out of 82 challenge sets; we do not know how many essentially the other teams, or Mayhem with ForAllSecure, got. The rumors are that we had the top exploitations, but we didn't have the best game theory, so like always our SLA sucks, our SLA is shit. And yeah, so in total, if you go back up one slide, these are essentially the exploits we actually generated. Or I should say the caveat to those rumors: Mayhem was only up half the game and I think they still got almost as many exploits, so yeah, yeah.
And so we got two of the rematch challenges, so two of the historical challenges that DARPA introduced: one of them was SQL Slammer, which I think two other teams also got, but don't quote me on that.
And then there was also crackaddr, which supposedly only we got. And then, in general, if you look at essentially the different challenges that we had and the vulnerabilities that were in there,
this is the list of challenge sets that we got. And with that, from all of us,
thank you for your attention. So real quick, let's talk about the next steps. The next steps beyond automated hacking are machines augmenting human intelligence. So in the DEF CON CTF we hooked up our CRS. Mayhem, as the winner, played completely autonomously; we played with our CRS. So I mentioned already that the CRS actually owned one binary without us even realizing it. It actually assisted us with five of the exploits: there are five exploits for which, either after providing the crash or after just providing interaction, it created an exploit. And our CRS inserts back doors into every binary that it patches, and so you might have heard already that a lot of teams actually used our back door. This sounds awesome, but we didn't even come close; we almost got close to last. So let's turn down the bragging, that's right, just a tiny bit. The CRS did amazing, but there were some issues. For example, the DEF CON organizers had to implement a separate API from the infrastructure that DARPA did, because the DARPA API had to be secret so that everyone was on an even playing field, and so there were some API incompatibilities. Computers are very brittle, and so these API incompatibilities screwed us until the very last day. So the last day I feel we had a good showing; up until then the CRS kept crashing, the CRS kept getting invalid data, it was kind of touch-and-go. So as you might have heard, we're going to open source everything. We're going to do, thank you.
We are going to do a full open source vomit, because we believe in raising the playing field for everybody, so the next time a CGC rolls around we expect all of you to play as well, hopefully using our stuff. So we don't have it all ready right now to push to GitHub, because we were playing the CTF; we thought we had time, but we don't. But Chris, do you think you can do a symbolic open sourcing of angrop? All right, let's do it right on stage. I'm going to unplug the video.
Kevin, so, logging in. Unless... I mean, just don't type your password into the wrong field; I've seen that before at DEF CON, it was incredible, and it was someone fairly famous too. Ah, there, better safe than sorry. I think that password with star star star star star star star star, "enable logging before child four", is what Johnny says; I think that's his password though. All right, so we're gonna plug it back in while we try to desperately find the settings of the open source project. So angrop is our ROP compiler: if you're tired of writing return oriented programming payloads by hand you can... wait, hold on, let me explain what it is. You can use angrop, which uses angr to compile ROP payloads into whatever you want. So you say, actually just read this memory, or execute this call, and it figures out the ROP payload that needs to be generated. Chris wrote it; he is an amazing guy and it's an amazing project, and here it is being open sourced for the world. Boom.
The rest of the code we need to scrub free of private keys, because there are so depressingly many, and other depressing things, and then we'll push it out this week.
Also, if you find a private key that we haven't scrubbed, can you please gently let us know instead of destroying our infrastructure? We will appreciate it. We're hackers; hackers have the worst security in the world. And my password is six characters long, just to give you an idea.
All right, Kevin, how do I get back to our thing? But I think we're done, basically. Thank you guys, so stay in touch: hit us up on Twitter, by email, jump on the IRC channel. You can chat with us about our CRS at the Shellphish CRS channel on Freenode (I'm the only one there right now, super exclusive) or on the angr channel on Freenode for angr questions. Are there any actual questions?
Hi, congratulations, thank you for your work. So in your Driller paper you said that the fuzzing was mostly responsible for 68 of the binaries, whereas adding the symbolic execution based fuzzing only let you find vulnerabilities in 11 more than that.
So is that still the case, or is the symbolic execution more effective than fuzzing now? You want to talk about Driller's three points?
Sure. So one thing we've done to actually improve Driller on CGC binaries is to identify functions and install SimProcedures in their place, so what this means is that a lot of basic block transitions which are hard for, or uninteresting for, symbolic execution to solve
are more interesting given SimProcedures. We can talk about it more if you want to come up here. Mike, last question? Okay, well, congrats guys.
Thank you. First, second, I wanted to know how compute bound you felt you were: did you get enough compute power, too little, too much, would you put something else in there, backplane, RAM, what do you think? So at this point we don't actually know, because we haven't gotten a chance to look through all of the logs. We had some problems in the very beginning, so actually on Wednesday still, to get all of our coordinator pods scheduled, simply because Kubernetes was not catching up.
We kind of solved that, but we had this one... we don't really know what the status is insofar as the utilization of all the nodes. From watching the power consumption, it seemed, from the way that it dropped off, that we had a lot of unnecessary jobs that would be scheduled later, so I think we could have used a little less even, and it was still... yeah, we could probably have used 32 nodes and done about the same, but the more the merrier, especially since we can schedule more jobs; we definitely had jobs to schedule that we couldn't schedule because of delays in Kubernetes. Cool, thanks. All right, thank you, and thank you for organizing this thing. Please give the Shellphish team a huge round of applause; what they've accomplished is immense. Thank you guys.