So basically what we REALLY want is to know which team found a POV first? That CPUID thing did make it into the video btw. That really complicates the analysis. If you ran this again, maybe there is another way?

https://github.com/lungetech/cgc-challenge-corpus/blob/master/CROMU_00055/src/proto.c <-- would def. expect simple static analysis to find this. (Shellphish found it first, I think, but you would expect every team to find this?)

How many vulns did Shellphish find that no one else found? What's the overlap rate? I see a lot of stack corruption bugs in the corpus - do we have statistics for what the types of vulns solved were?

This one is interesting: http://www.lungetech.com/cgc-corpus/challenges/CROMU_00058/

Also, did ForAllSecure or any other teams fix and rerun their engines on the corpus?

-dave

On Fri, Aug 18, 2017 at 10:06 AM Jordan Wiens <[email protected]> wrote:

> Replaying someone's bug was absolutely a thing.
>
> Each team was given what amounts to a direct feed of all network traffic to their server. If they had good instrumentation they could replay it locally and automatically detect which flows represented successful exploits and which didn't.
>
> There are some interesting ideas though on how you might ensure that an automated system can't do such a thing. Rubeus, for example, fingerprinted the cpuid output of the target infrastructure and introduced divergent behavior based on that cpuid. I don't know if it made the final cut of the video (still watching it now!) but we did find teams biting on their honeypot on multiple occasions. A team would successfully exploit a vulnerability, Rubeus would replace the service with one similar except adding a fake vuln only reachable with a non-CGC-infrastructure cpuid, and the team would now target that vulnerability, losing out on the points they were getting before and netting Rubeus some free defense points when they were still vulnerable.
>
> On Thu, Aug 17, 2017 at 3:59 PM, dave aitel <[email protected]> wrote:
>
>> Ah, it's there for sure, although you're not sure which bug they exploited. Interesting to draw some correlations. For example DeepRed (Raytheon) got two weird heap overflows exploited, and then a lot of stack overflows...did that heap overflow come from a replay of someone else's bug? Is that a thing?
>>
>> Heap Overflows:
>>
>> 1. http://www.lungetech.com/cgc-corpus/challenges/CROMU_00055/
>> 2. http://www.lungetech.com/cgc-corpus/challenges/NRFIN_00052/
>>
>> Hmm. Lots of interesting information here, although somewhat hard to dig through I guess?
>>
>> -dave
>>
>> On 8/17/2017 3:31 PM, Chris Eagle wrote:
>>
>> Dave,
>>
>> You may find some of what you want here: http://www.lungetech.com/cgc-corpus/cfe/
>>
>> I have all the raw data from the event including the answers to some of your questions below. If I can format them in some useful manner I will post some of those answers.
>>
>> Chris
>>
>> On 8/17/2017 8:51 AM, dave aitel wrote:
>>
>> So I wanted to type up some notes on the CGC Wrapup <https://www.youtube.com/watch?v=SYYZjTx92KU> video, which was excellent. I mean, a part of what you want to do, while you watch it, is strip out all the parts of the thing that are about "playing the game". I know Jordan loves CTFs as some sort of e-sport and also there's a whole community who for whatever reason plays CTFs instead of playing corewars on helpless Chinese networks like of yore, but that stuff is 100% distraction when it comes to the CGC.
>>
>> As you can see, the tiny red lines on the right are supposed to be some combination of "could hack and could secure a service". I can't find anywhere something that has a simple spreadsheet of which samples <http://www.lungetech.com/cgc-corpus/challenges/NRFIN_00080/> (and even which vulns in which samples) were able to be attacked by which teams. So much of the game was weighted towards performance characteristics that it's hard to determine the information you really need from the scores, although the video goes over some anecdotal examples where RUBEUS and MECHAPHISH were able to attack particular historically interesting programs. It's telling that Mayhem won despite being basically off for half the contest. ;)
>>
>> Does anyone have better data on this?
>>
>> -dave
>>
>> P.S. Holy cow the visualizations on program execution are next gen! Worth a close watch just to see them.
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
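The "replay the traffic feed and automatically detect which flows were successful exploits" instrumentation that Jordan describes, as an added illustration that is not part of this thread and not any CGC team's code. Everything in it is constructed: the toy record-based service and its two deliberate bugs, the 32-byte stand-in for the flag page, and the handful of "captured" flows. Each flow is replayed against a fresh copy of the service; a flow that takes the service down is reported as a Type-1-like PoV, a flow whose response contains four contiguous flag-page bytes as a Type-2-like PoV (the CGC scoring rule), and successful flows are grouped by crash site so a replayed copy of someone else's bug shows up as a second flow under an existing signature rather than as a new bug, which is the question Dave raises about DeepRed's heap overflows.

```python
from dataclasses import dataclass

# Constructed stand-in for the CGC flag page: secret bytes the service must never disclose.
FLAG_PAGE = bytes(range(0x41, 0x41 + 32))
BUF_SIZE = 16


class ServiceCrash(Exception):
    """Stands in for the signal an instrumented native service would take."""

    def __init__(self, signame: str, where: str):
        super().__init__(f"{signame} in {where}")
        self.signame, self.where = signame, where


def toy_service(flow: bytes) -> bytes:
    """Constructed record-based service, run fresh for every replayed flow.

    Record layout: op (1 byte), length (1 byte), payload.
      op 0x01: store the payload in a BUF_SIZE buffer and echo it back
      op 0x02: payload = [start, count]; return `count` bytes of memory from `start`
    Both ops are deliberately unchecked so the harness has something to detect;
    they are illustrative bugs, not any CGC challenge's.
    """
    memory = bytearray(BUF_SIZE) + bytearray(FLAG_PAGE)  # flag page sits right after the buffer
    response = bytearray()
    pos = 0
    while pos + 2 <= len(flow):
        op, length = flow[pos], flow[pos + 1]
        payload = flow[pos + 2:pos + 2 + length]
        pos += 2 + length
        if op == 0x01:
            if length > BUF_SIZE:  # write past the buffer: modelled as a fault
                raise ServiceCrash("SIGSEGV", "store_echo")
            memory[:len(payload)] = payload
            response += payload
        elif op == 0x02 and len(payload) >= 2:
            start, count = payload[0], payload[1]
            if start + count > len(memory):  # read past mapped memory: modelled as a fault
                raise ServiceCrash("SIGSEGV", "read_back")
            response += memory[start:start + count]  # start >= BUF_SIZE reads the flag page
        else:
            response += b"?"
    return bytes(response)


@dataclass
class Verdict:
    flow_id: str
    kind: str       # "benign", "crash" or "leak"
    detail: str
    signature: str  # what successful flows are de-duplicated on; empty for benign flows


def classify_flow(flow_id: str, flow: bytes) -> Verdict:
    """Replay one captured flow against the instrumented service and say what it achieved."""
    try:
        response = toy_service(flow)
    except ServiceCrash as crash:  # Type-1-like: attacker input took the service down
        return Verdict(flow_id, "crash", f"{crash.signame} in {crash.where}", f"crash:{crash.where}")
    # Type-2-like: CGC scored a PoV that disclosed four contiguous bytes of the flag page
    for i in range(len(FLAG_PAGE) - 3):
        if FLAG_PAGE[i:i + 4] in response:
            return Verdict(flow_id, "leak", f"flag[{i}:{i + 4}] in response", "leak:flag_page")
    return Verdict(flow_id, "benign", f"{len(response)} bytes returned", "")


def triage(flows: dict) -> dict:
    """Replay every flow and group the successful ones by signature, so a replayed copy of
    an existing bug lands under the same signature instead of looking like a new one."""
    by_signature: dict = {}
    for flow_id, flow in flows.items():
        verdict = classify_flow(flow_id, flow)
        if verdict.signature:
            by_signature.setdefault(verdict.signature, []).append(verdict.flow_id)
    return by_signature


# Constructed "captured traffic": two pollers, a crash, a replayed copy of it, a leak, a bad read.
CAPTURED_FLOWS = {
    "poll-1": b"\x01\x05hello",
    "poll-2": b"\x02\x02\x00\x05",
    "crash-A": b"\x01\x20" + b"A" * 32,
    "crash-A-replay": b"\x01\x18" + b"B" * 24,
    "leak-1": b"\x02\x02\x10\x08",
    "oob-read": b"\x02\x02\x2c\x08",
}

if __name__ == "__main__":
    for flow_id, flow in CAPTURED_FLOWS.items():
        v = classify_flow(flow_id, flow)
        print(f"{v.flow_id:15} {v.kind:7} {v.detail}")
    print(triage(CAPTURED_FLOWS))
```

Against a real challenge binary the service would run under a debugger or a fault-catching wrapper instead of raising a Python exception, and the signature would come from the faulting address or backtrace rather than a function name, but the shape of the harness is the same: replay, observe crash or flag disclosure, and bucket by root cause before counting bugs.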
