a dozen years of shellphish -...
TRANSCRIPT
A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge
Antonio Bianchi [email protected]
Nuit Du Hack / July 2nd, 2016
2A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Shellphish
● Who are we?○ A team of security enthusiasts
■ do research in System Security■ play Capture the Flag competitions■ released a couple of tools
3A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Shellphish○ Started (in 2004) at:
■ SecLab: University of California, Santa Barbara
4A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Shellphish
○ expanded to:■ Northeastern
University: Boston■ Eurecom: France■ ...
6A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Mini-primer: What’s a CTF
● Security competition:○ exploit a vulnerable service / website / device○ reverse a binary○ …
● Different formats○ Jeopardy ‒ Attack-Defense○ Online ‒ Live○ ...
8A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Shellphish
○ We do not only play CTFs○ We also organize them!
■ UCSB iCTF● Attack-Defense format● every year, since 2002!
■ Try to innovate with a different style every year● Site: ictf.cs.ucsb.edu● Base: github.com/ucsb-seclab/ictf-framework● Vigna, et al., "Ten years of ictf: The good, the bad,
and the ugly." 3GSE, 2014.
9A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Shellphish○ Releasing tools
■ angr● demo!
■ how2heap● https://github.com/shellphish/how2heap
■ ctf-tools● https://github.com/zardus/ctf-tools
10A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Coming up:
● DARPA Cyber Grand Challenge (CGC)The (almost-)Million Dollar Baby
● Our Cyber Reasoning System (CRS)Fancy term for auto-playing a CTF
● Automated Vulnerability Discovery● Live example using angr
Open-source binary analysis framework
● Towards the Cyber Grand Challenge Finals (CFE)
11A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Cyber Grand Challenge (CGC)● 2004: DARPA Grand Challenge
○ Autonomous vehicles
12A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Cyber Grand Challenge (CGC)● 2014: DARPA Cyber Grand Challenge
○ Autonomous hacking!
13A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Cyber Grand Challenge (CGC)
● Started in 2014
● Qualification event: June 3rd, 2015, online○ ~70 teams → 7 qualified teams
● Final event: August 4th, 2016 @ DEFCON (Las Vegas)
14A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
CGC ‒ Rules
● Attack-Defense CTF● Solving security challenges → Developing a system that
solves security challenges
● Develop a system that automatically○ Exploit vulnerabilities in binaries○ Patch binaries, removing the vulnerabilities
● No human intervention
15A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
CGC ‒ Rules
● Every team has to:○ Generate exploits
■ For the quals → an input to a binary, making it crash (invalid memory access)
○ Patch binaries■ fix the vulnerabilities■ preserve the original binary’s functionality■ performance impact is evaluated
● CPU time, memory consumption, disk space
16A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
CGC ‒ Rules
● Basic idea:○ Real(istic) programs○ No “extra” complications
■ Simplified system calls■ Simplified IPC
17A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
CGC ‒ Rules
● Architecture: Intel x86, 32-bit
● OS: DECREE○ Linux-like, but with 7 syscalls only
■ transmit / receive / fdwait (≈ select)■ allocate / deallocate (even executable!)■ random■ _terminate
○ no signals, threads, shared memory, file system, ...
● “Bring Your Own Defense” approach (and pay for it)○ Not even “the usual”: stack is executable, no ASLR, …
18A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Coming up:
● DARPA Cyber Grand Challenge (CGC)The (almost-)Million Dollar Baby
● Our Cyber Reasoning System (CRS)Fancy term for auto-playing a CTF
● Automated Vulnerability Discovery● Live example using angr
Open-source binary analysis framework
● Towards the Cyber Grand Challenge Finals (CFE)
19A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Shellphish CRS
vulnerable binary
patched binary
exploit
CyberReasoning
System
20A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Shellphish CRS
vulnerablebinary
proposedpatches
proposedexploits
Shellphish CRS
AutomaticTesting
exploit
patchedbinary
AutomaticPatching
AutomaticVulnerability
Finding
AutomaticVulnerability
Finding
21A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Why we’re here
● DARPA Cyber Grand Challenge (CGC)The (almost-)Million Dollar Baby
● Our Cyber Reasoning System (CRS)Fancy term for auto-playing a CTF
● Automated Vulnerability Discovery● Live example using angr
Open-source binary analysis framework
● Towards the Cyber Grand Challenge Finals (CFE)
22A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Automatic Vulnerability Discovery
“How do I crash a binary?”
“How do I reach state X in a binary?”
Fuzzing Symbolic Execution
23A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Fuzzing● How do I reach the state: “You win!” is printed?
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
24A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Fuzzing● How do I reach the state: “You win!” is printed?
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
● Try “1” → “You lose!”
● Try “2” → “You lose!”
● …
● Try “10” → “You win!”
25A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Fuzzing
● How did we use Fuzzing for CGC?
● Coverage-guided fuzzing○ Looking for “crashing inputs”○ Based on AFL lcamtuf.coredump.cx/afl/
● In general, it cannot work in some cases○ e.g., “magic numbers”, computations, ...
26A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Fuzzing● How do I reach the state: “You win!” is printed?
x = int(input())if x >= 10:
if x^2 == 152399025:print "You win!"
else:print "You lose!"
else:print "You lose!"
27A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Symbolic Execution● Interpret the binary code and replace user-input with
symbolic variables
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
State A
Variablesx = ???
Constraints{}
28A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Symbolic Execution● Interpret the binary code and replace user-input with
symbolic variables
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
State A
Variablesx = ???
Constraints{}
29A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Symbolic Execution
State A
Variablesx = ???
Constraints{}
State AA
Variablesx = ???
Constraints{x >= 10}
● Follow all feasible paths, tracking "constraints" on variables
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
30A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
State AB
Variablesx = ???
Constraints{x < 10}
Symbolic Execution
State A
Variablesx = ???
Constraints{}
State AA
Variablesx = ???
Constraints{x >= 10}
● Follow all feasible paths, tracking "constraints" on variables
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
31A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Symbolic Execution
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
State AA
Variablesx = ???
Constraints{x >= 10}
State AB
Variablesx = ???
Constraints{x < 10}
● Follow all feasible paths, tracking "constraints" on variables
32A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Symbolic Execution
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
State AA
Variablesx = ???
Constraints{x >= 10}
● Follow all feasible paths, tracking "constraints" on variables
33A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Symbolic Execution
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
State AA
Variablesx = ???
Constraints{x >= 10}
State AAA
Variablesx = ???
Constraints{x >= 10, x < 100}
State AAB
Variablesx = ???
Constraints{x >= 10, x >= 100}
● Follow all feasible paths, tracking "constraints" on variables
34A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Symbolic Execution
x = int(input())if x >= 10:
if x < 100:print "You win!"
else:print "You lose!"
else:print "You lose!"
State AAA
Variablesx = ???
Constraints{x >= 10, x < 100}
State AAA
Variablesx = 99
Concretization
● Concretize the constraints on the symbolic variables
35A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Symbolic Execution
x = int(input())if x >= 10:
if x^2 == 152399025:print "You win!"
else:print "You lose!"
else:print "You lose!"
State AAA
Variablesx = ???
Constraints{x >= 10,
x^2 == 152399025}
State AAA
Variablesx = 12345
Concretization
● Concretize the constraints on the symbolic variables
36A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Symbolic Execution● How did we use Symbolic Execution for CGC?
1. We used the symbolic execution engine of angr,the binary analysis platform developed at UCSB
● Symbolically execute the binaries looking for 1. Memory accesses outside allocated regions2. “Unconstrained” instruction pointer
(e.g., controlled by user input)■ eax = <user input>, jmp eax
● If either 1. or 2. is true → we found an input that will make the program crash
37A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Future directions
● Combining the two approaches
● “Driller: Augmenting Fuzzing Through Selective Symbolic Execution”○ Network and Distributed System Security
Symposium (NDSS), February 2016, San Diego
38A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Future directions ● “Driller: Augmenting Fuzzing Through Selective
Symbolic Execution”
FUZZING
BINARIES SYMBOLIC EXECUTION
DRILLER
39A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Coming up:
● DARPA Cyber Grand Challenge (CGC)The (almost-)Million Dollar Baby
● Our Cyber Reasoning System (CRS)Fancy term for auto-playing a CTF
● Automated Vulnerability Discovery● Live example using angr
Open-source binary analysis framework
● Towards the Cyber Grand Challenge Finals (CFE)
40A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
angr
● Binary analysis platform, developed at UCSB
● Open source: github.com/angr (star it!)
● Architecture independent○ x86 (ELF, CGC, PE), amd64, mips, mips64, arm,
aarch64, ppc, ppc64
41A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
angr
● Written in Python!○ installable with one (two?) command!
■ mkvirtualenv angr■ pip install angr
○ interactive shell (using IPython)
42A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
angr ‒ demo
● CADET_00001○ Very easy, sample binary released by DARPA for CGC
○ Check if a string is a palindrome
43A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
angr ‒ demo● CADET_00001
○ Classic buffer overflowint check(){
char string[64];
receive_delim(0, string, 128, '\n')
//check if the string is palindrome
//...
return result;
}
45A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
angr ‒ demo● CADET_00001
○ Finding a crash
import angrp = angr.Project("CADET_00001")pg = p.factory.path_group(save_unconstrained=True)
while len(pg.unconstrained)==0: pg.step()crash_state = pg.unconstrained[0].statecrash_state.posix.dump(0,”/tmp/crash.bin”)
46A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
angr ‒ demo● CADET_00001
○ Triggering the “Easter Egg”
#define EASTEREGG "\n\nEASTER EGG!\n\n"
//the “caret” character (“^”) triggers the Easter Egg
if(string[0] == '^'){
transmit_all(1,EASTEREGG, sizeof(EASTEREGG)-1)
}
47A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
angr ‒ demo● CADET_00001
○ Triggering the “Easter Egg”
48A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
angr ‒ demo● CADET_00001
○ Triggering the “Easter Egg”
import angrp = angr.Project("CADET_00001")pg = p.factory.path_group()
pg.explore(find=0x804833E)egg_state = pg.found[0].stateegg_state.posix.dump(0,"/tmp/egg.bin")
49A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
Coming up:
● DARPA Cyber Grand Challenge (CGC)The (almost-)Million Dollar Baby
● Our Cyber Reasoning System (CRS)Fancy term for auto-playing a CTF
● Automated Vulnerability Discovery● Live example using angr
Open-source binary analysis framework
● Towards the Cyber Grand Challenge Finals (CFE)
50A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
● 7 teams passed the qualification phase
● Shellphish is one of them! :-)
● We exploited 44 binaries out of 131
● Every qualified team received $ 750,000 !
CGC Quals ‒ Results
51A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
● Teams’ submissions are available○ http://repo.cybergrandchallenge.com/cqe_results/cqe_final_submissions.zip
● If you like reversing, you can study:○ How patches were inserted○ Where patches were applied○ How patches were implemented
CGC Quals ‒ Results
52A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
CGC Finals
● Different setup○ Round-based attack-defense CTF○ Zero human intervention allowed
■ Not even bug fixing!○ Data about previous rounds is available:
■ submitted exploits/patched binaries performance■ (anonymized) network traffic■ patches from other teams
○ Stealing patched binaries/exploits?
53A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
CGC Finals
● Exploits are more realistic:○ Two types:
■ Crash at a specific location and set a specific register to a given value
■ Leak data from a specific memory page○ We need a more realistic exploit generator
● Every team can also deploy network-level filtering rules
54A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
CGC Finals
● Every team has access to a cluster of:○ 1280 cores○ 16 TB of RAM○ 128 TB of storage
56A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
CGC Finals
● How to achieve full automation (No possibility of mistakes!)○ Reading the rules… a lot of rules…
○ Testing… a lot of testing...■ Manual and automatic
57A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
CGC Finals
● Finals will take place on August 2016○ DEFCON, Las Vegas
● Money prices!○ First place: $ 2’000’000○ Second place: $ 1’000’000○ Third place: $ 750’000
● The winning team will compete against human teams at DEFCON CTF Finals :-)
60A Dozen Years of Shellphish – from DEFCON to the Cyber Grand Challenge
“That’s all folks!”
Questions?References:Official documentation: cybergrandchallenge.org ‒ cgc.darpa.mil ‒ github.com/cybergrandchallengeDARPA CGC presentation (DEFCON 2015): youtu.be/gnyCbU7jGYAangr: angr.io ‒ github.com/angremail: [email protected]: http://goo.gl/GbD2u2