Re: CGC Wrapup Video

[Dave Aitel <dave.aitel () gmail com>]

So basically what we REALLY want is to know which team found a POV first?
That CPUID thing did make it into the video btw. That really complicates
the analysis. If you ran this again, maybe there is another way?


https://github.com/lungetech/cgc-challenge-corpus/blob/master/CROMU_00055/src/proto.c
<--would
def. expect simple static analysis to find this. (Shellphish found it
first, I think, but you would expect every time to find this?)

How many vulns did Shellphish find that no one else found? What's the
overlap rate? I see a lot of stack corruption bugs in the corpus - do we
have statistics for what the types of vulns solved were?

This one is interesting:
http://www.lungetech.com/cgc-corpus/challenges/CROMU_00058/

Also, did ForAllSecure or any other teams fix and rerun their engines on
the corpus?
-dave


On Fri, Aug 18, 2017 at 10:06 AM Jordan Wiens <jordan () psifertex com> wrote:

> Replaying someone's bug was absolutely a thing.
>
> Each team was given what amounts to a direct feed of all network traffic
> to their server. If they had good instrumentation they could replay it
> locally and automatically detect which flows represented successful
> exploits and which didn't.
>
> There are some interesting ideas though on how you might ensure that an
> automated system can't do such a thing. Rubeus, for example, fingerprinted
> the cpuid output of the target infrastructure and introduced divergent
> behavior based on that cpuid. I don't know if it made the final cut of the
> video (still watching it now!) but we did find teams biting on their
> honeypot on multiple occasions. A team would be successfully exploit a
> vulnerability, Rubeus would replace the service with one similar except
> adding a fake vuln only reachable with a non CGC infrastructure cpuid and
> the team would now target that vulnerability, losing out on the points they
> were getting before and netting rubeus some free defense points when they
> were still vulnerable.
>
>
> On Thu, Aug 17, 2017 at 3:59 PM, dave aitel <dave () immunityinc com> wrote:
>
> > Ah, it's there for sure, although you're not sure which bug they
> > exploited. Interesting to draw some corrolations. For example DeepRed
> > (Raytheon) got two weird heap overflows exploited, and then a lot of stack
> > overflows...did that heap overflow come from a replay of someone else's
> > bug? Is that a thing?
> >
> > Heap Overflows:
> >
> >    1. http://www.lungetech.com/cgc-corpus/challenges/CROMU_00055/
> >    2. *http://www.lungetech.com/cgc-corpus/challenges/NRFIN_00052/
> >    <http://www.lungetech.com/cgc-corpus/challenges/NRFIN_00052/>*
> >
> > Hmm. Lots of interesting information here, although somewhat hard to dig
> > through I guess?
> >
> > -dave
> >
> >
> >
> > On 8/17/2017 3:31 PM, Chris Eagle wrote:
> >
> > Dave,
> >
> > You may find some of what you want here: http://www.lungetech.com/cgc-corpus/cfe/
> >
> > I have all the raw data from the event including the answers to some of your questions below. If I can format then 
> > in some useful manner I will post some of those answers.
> >
> > Chris
> >
> > On 8/17/2017 8:51 AM, dave aitel wrote:
> >
> > So I wanted to type up some notes on the CGC Wrapup <https://www.youtube.com/watch?v=SYYZjTx92KU> 
> > <https://www.youtube.com/watch?v=SYYZjTx92KU> video, which was excellent. I mean, a part of what you want to do, 
> > while you watch it, is strip out all the parts of the thing that are about "playing the game". I know Jordan loves 
> > CTFs as some sort of e-sport and also there's a whole community who for whatever reason plays CTFs instead of 
> > playing corewars on helpless Chinese networks like of yore, but that stuff is 100% distraction when it comes to the 
> > CGC.
> >
> >
> > As you can see, the tiny red lines on the right are supposed to be some combination of "could hack and could secure 
> > a service". I can't find anywhere something that has a simple spreadsheet of which samples 
> > <http://www.lungetech.com/cgc-corpus/challenges/NRFIN_00080/> 
> > <http://www.lungetech.com/cgc-corpus/challenges/NRFIN_00080/>  (and even which vulns in which samples) were able to 
> > be attacked by which teams. So much of the game was weighted towards performance characteristics that it's hard to 
> > determine the information you really need from the scores, although the video goes over some anecdotal examples 
> > where RUBEUS and MECHAPHISH were able to attack particular historically interesting programs. It's telling that 
> > Mayhem won despite being basically off for half the contest. ;)
> >
> > Does anyone have better data on this?
> >
> > -dave
> >
> > P.S. Holy cow the visualizations on program execution are next gen! Worth a close watch just to see them.
> >
> >
> >
> > _______________________________________________
> > Dailydave mailing listDailydave@lists.immunityinc.comhttps://lists.immunityinc.com/mailman/listinfo/dailydave
> >
> >
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunityinc com
> > https://lists.immunityinc.com/mailman/listinfo/dailydave
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave