April 13 (Thu), 10:00-17:00 | 알림2관
Title: Automatic Exploitation in the Cyber Grand Challenge and Beyond
Chris Salls is a PhD student at the security lab of UC Santa Barbara where he studies binary analysis.
As a member of Shellphish, he has competed in many Capture the Flag competitions as well as the first automated hacking competition, the Cyber Grand Challenge.
Chris is also a core contributor to the angr binary analysis framework. Recently, he has dabbled in smartphone exploitation, and demoed an Android root exploit at Geekpwn.
Exploitation is a challenging task for experienced security researchers and an even more challenging task for computers. In the Cyber Grand Challenge (CGC), competitors were asked to create a system to automatically find, patch, and exploit bugs in software.
In this talk, I will be discussing Shellphish’s automatic exploitation system. Shellphish’s bot exploited the most binaries and stole more flags during the finals of the Cyber Grand Challenge than any other team. I will explain the design of our automatic exploitation engine, as well as the specific techniques we implemented for the Cyber Grand Challenge.
I will briefly explain how we generate crashing inputs by combining fuzzing with symbolic execution. Then I will show how we use symbolic tracing (specifically using angr) to collect constraints along the path. From here, we must determine what control we have over the crash. Depending on the type of crash and control, we apply one or multiple techniques to transform the crashing input into an exploit.
Finally, I will discuss the limitations of automatic exploitation. This includes why even state-of-the-art systems are typically unable to automatically exploit bugs in complex real-world binaries, and what advancements are needed for these systems to become effective for modern binary exploitation.