SlideShare ist ein Scribd-Unternehmen logo

Autonomous Hacking: The New Frontiers of Attack and Defense

Priyanka Aash
Priyanka Aash

Vulnerability analysis has largely been a process that requires substantial human expertise. However, very recently there has been a push for completely autonomous hacking systems, which can find flaws, exploit them and even provide patches, all without any human intervention. This talk presents recent advances in autonomous hacking and provides lessons learned from participating in the DARPA CGC. (Source: RSA USA 2016-San Francisco)

Technologie
1 von 83
Downloaden Sie, um offline zu lesen
SESSION ID: #RSAC Giovanni Vigna Autonomous Hacking: The New Frontiers of Attack and Defense HT-W02 CTO Lastline, Inc. @lastlinelabs
#RSAC Hacking 2 ?
#RSAC Hacking Teams 3
#RSAC Hacking What? 4 Security compromises can be achieved through different routes
#RSAC Hacking the User 5
#RSAC Hacking the Process 6
#RSAC Hacking the Code 7
#RSAC Hacking Binary Code 8 Low abstraction level No structured types No modules or clearly defined functions Compiler optimization and other artifacts can make the code more complex to analyze WYSIWYE: What you see is what you execute
#RSAC Finding Vulnerabilities Human Semi-Automated Fully Automated
#RSAC Manual Analysis “Look at the code and see what you can find” Requires substantial expertise The analysis is as good as the person performing it Allows for the identification of complex vulnerabilities (e.g., logic-based) Expensive, does not scale
#RSAC Tool-Assisted Analysis “Run these tools and verify/expand the results” Tools help in identifying areas of interest By ruling out known code By identifying potential vulnerabilities Since a human is involved, expertise and scale are still issues
#RSAC Automated Analysis “Run this tool and find the vulnerability” … and possibly generate an exploit... ...and possibly generate a patch Requires well-defined models for the vulnerabilities Can only detect the vulnerabilities that are modeled Can scale (not always!)
#RSAC Automated Vulnerability Analysis An algorithm that takes as input a code artifact (source code, byte-code, binary code) and identifies potential vulnerabilities The Halting Problem: “the halting problem is the problem of determining, from a description of an arbitrary computer program and an input, whether the program will finish running or continue to run forever.” https://en.wikipedia.org/wiki/Halting_problem Alan Turing proved that a general algorithm does not exist
#RSAC Types of Vulnerability Analysis Static Analysis A form of abstract interpretation Does not execute the code Dynamic Analysis A form of concrete interpretation Executes the code (or a model of it)
#RSAC Static Analysis The goal of static analysis techniques is to characterize all possible run- time behaviors over all possible inputs without actually running the program Find possible bugs, or prove absence of certain kinds of vulnerabilities Static analysis has been around for a long while Type checkers, compilers Formal verification Challenges: soundness, precision, and scalability
#RSAC P Actual run-time behaviors Soundness and Completeness
#RSAC P Actual run-time behaviors Soundness and Completeness Over-approximation (sound)
#RSAC P Actual run-time behaviors Soundness and Completeness More precise over-approximation (sound)
#RSAC P Actual run-time behaviors Soundness and Completeness Under-approximation (complete)
#RSAC P Actual run-time behaviors Soundness and Completeness Unsound, incomplete analysis
#RSAC Example Analyses Control-flow analysis: Find and reason about all possible control-flow transfers (sources and destinations) Data-flow analysis: Reason about how data flows at run-time (from sources to sinks) Data dependency analysis: Reason about how data influences other data Points-to analysis: Reason about what values can pointers take Alias analysis: Determine if two pointers might point to the same address Value -set analysis: Reason about what are all the possible values that variables can hold
#RSAC Dynamic Analysis Dynamic approaches are very precise for particular environment and inputs You execute the code! However they provide no guarantee of coverage You evaluate only the part of a program that you exercise!
#RSAC Example Analyses 23 Taint analysis Fuzzing Forward symbolic execution Concolic execution
#RSAC Fuzzing Fuzzing is an automated procedure to send inputs and record safety condition violations as crashes Assumption: crashes are potentially exploitable Several dimensions in the fuzzing space How to supply inputs to the program under test? How to generate inputs? How to generate more “relevant” crashes? How to change inputs between runs? Goal: maximized effectiveness of the process
#RSAC Gray/White-box Fuzzing Input Generator Application Under Analysis Crash Crash Database Bugs (0-day) Fuzzing Infrastructure Feedback
#RSAC Fuzzing: American Fuzzy Lop
#RSAC Fuzzing: American Fuzzy Lop Instrumentation-guided genetic fuzzer developed by Michael Zalewski The instrumentation collects information at branch points Supports the generation of inputs that improve coverage Inputs that bring new paths are considered more interesting and queued for further exploration Inputs are chosen and mutated Unique crashes are identified using branch analysis (instead of stack summaries)
#RSAC Symbolic Execution: angr Framework for the analysis of binaries Supports a number of architectures x86 (32 and 64), MIPS, ARM, PPC, etc. http://angr.io https://github.com/angr angr@lists.cs.ucsb.edu
#RSAC angr Components Static Analysis Routines Symbolic Execution Engine Control-Flow Graph Data-Flow Analysis Binary Loader Value-Set Analysis angr Forward Symbolic Execution Under-constrained SE
#RSAC Symbolic Execution "How do I trigger path X or condition Y?” Dynamic analysis Input A? No. Input B? No. Input C? … Based on concrete inputs to application (Concrete) static analysis You can’t/You might be able to Based on various static techniques
#RSAC Symbolic Execution "How do I trigger path X or condition Y?” Interpret the application Track "constraints" on variables When the required condition is triggered, "concretize" to obtain a possible input
#RSAC Concretization Constraint solving Conversion from set of constraints to set of concrete values that satisfy them Constraints x >= 10 x < 100 x = 42Concretize
#RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b()
#RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State A Variables x = ??? Constraints ------
#RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State A Variables x = ??? Constraints ------ State AA Variables x = ??? Constraints x < 10 State AB Variables x = ??? Constraints x >= 10
#RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State AA Variables x = ??? Constraints x < 10 State AB Variables x = ??? Constraints x >= 10
#RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State AA Variables x = ??? Constraints x < 10 State AB Variables x = ??? Constraints x >= 10 State ABA Variables x = ??? Constraints x >= 10 x < 100 State ABB Variables x = ??? Constraints x >= 10 x >= 100
#RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State ABA Variables x = ??? Constraints x >= 10 x < 100 Concretized ABA Variables x = 99
#RSAC Putting It All Together Fuzzing excels at producing general input Symbolic execution is able to satisfy complex path predicates for specific input Key insight: Combine both techniques to leverage their strengths and mitigate their weaknesses
#RSAC Assisting Fuzzing with Symbolic Execution Fuzzing good at finding solutions for general input Symbolic Execution good at find solutions for specific input
#RSAC Driller Test Cases
#RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X”
#RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X” Dynamic Symbolic Execution !
#RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X” Dynamic Symbolic Execution “CGC_MAGIC” New test cases generated
#RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X” Dynamic Symbolic Execution “CGC_MAGIC” New test cases generated “CGC_MAGICY”
#RSAC Why Hacking? Vulnerability analysis can be used Offensively Defensively For fun (and profit) Hacking competitions have become a popular venue for the application of breakthrough techniques in vulnerability analysis DefCon CTF Pwn20wn
#RSAC Many Competition Styles Challenge-based Should not be called “CTF”! Easy to organize Easy to scale Exclusively focused on attacking No real-time component Interactive, online CTFs Very difficult to organize Require substantial infrastructure Difficult to scale Focused on both attacking and defending in real time
#RSAC Current Interactive, Online CTFs From ctftime.org: 100+ events listed Online attack-defense competitions: UCSB iCTF 13 editions RuCTF 5 editions FAUST 1 edition
#RSAC The iCTF Framework Lessons learned from running iCTFs were the basis for building a framework The framework formalizes the structure of services and allows for the reuse of the infrastructure Available at: http://github.com/ucsb-seclab/ictf-framework http://ictf.cs.ucsb.edu/framework
#RSAC CTFs Are Playgrounds… 52 For people (hackers) For tools (attack, defense) But can they be used to advance science?
#RSAC DARPA Competitions 53 Self-driving Cars Robots
#RSAC The DARPA Cyber Grand Challenge 54 Programs!
#RSAC The DARPA Cyber Grand Challenge 55
#RSAC The DARPA Cyber Grand Challenge 56
#RSAC The DARPA Cyber Grand Challenge 57 CTF-style competition Autonomous Cyber-Reasoning Systems (CRS) attack and defend a number of services (binary programs) NO HUMAN IN THE LOOP A first qualification round decided who the 7 finalists are Qualification comes with a $750,000 cash prize The final event is scheduled for August 4, 2016 during DefCon The top team will receive a $2,000,000 cash prize
#RSAC Shellphish CGC Team 58
#RSAC CGC Other Finalists 59 CodeJitsu CSDS DeepRed disekt ForAllSecure TECHx
#RSAC CGC Participant Systems 60 CB vulnerable program RB patched program POV exploit Cyber Reasoning System
#RSAC The CGC Environment 61 Binaries run on a custom OS, called DECREE Limited number of system calls A POV has to demonstrate the ability: To read a specific value from memory To set a register to a specific value Not all rules have been finalized
#RSAC The Shellphish CRS: ShellWePlayAGame? 62 CYBER GRAND CHALLENGE
#RSAC The Shellphish CRS: ShellWePlayAGame? 63 CB Proposed RBs Proposed POVs Autonomous vulnerability scanning Shellphish CRS Autonomous service resiliency PCAP Test cases POV RB Autonomous processing Autonomous patching
#RSAC May the Best CRS Win! 64 Patching cannot affect performance Patching cannot affect functionality When you are shooting blindfolded automatic weapons, it’s easy to shoot yourself in the foot...
#RSAC Fostering Research in Automated Hacking 65 The goal of the CGC is to foster the development of new attack and defense techniques that… Automatically identify and exploit vulnerabilities in binary programs Automatically patch vulnerability and provide functionally- equivalent yet secure versions of a vulnerable binary
#RSAC What Does All This Mean to YOU? 66 Novel automated analysis techniques will allow for The identification of vulnerabilities (and, possibly, backdoors) in binaries before they are deployed The patching of binaries on-the-fly without having to wait for vendors’ fixes Scale…
#RSAC What Can I Do NOW? 67 Use CTFs (or other security competitions) to foster computer education in your company The iCTF Framework is free, open, and can be used to create sophisticated attack-defense security competition within your organization Familiarize yourself with vulnerability analysis tool and learn how to use them as integral part of your development process After all…
#RSAC Human + Machine = WIN! 68 OMG, can’t do stairs?!?
#RSAC Q&A 69
#RSAC Extra Slides
#RSAC The iCTF Architecture … VPN Server Team 1 Team 2 Vulnerable Server VPN Gateway Vulnerable Server VPN Gateway Vulnerable Server VPN Gateway VPN Gateway Team Interface Scriptbot Gamebot DatabaseScoreboard Shows the current scores to the teams Allows teams to register and submit flags Stores the state of the competition Runs the scripts to update flags and check for services For each tick, schedules scripts and compute scores Vulnerable Server 10.7.1.X 10.7.1.2 10.7.2.2 10.7.21.2Team 21 Team 22 10.7.22.2
#RSAC Example: Simple Overflows int main(int argc, char** argv) { char buf[256]; strcpy(buf, argv[1]); return 0; } Simplest detection approach: grep forstrcpy More rigorous: Determine data flow from command-line argument to strcpy’s parameter Determine size of source, destination buffers Model semantics of strcpy Check safety condition: len(argv[1]) < len(buf)
#RSAC Fuzzing vs. Symbolic Execution
#RSAC Exploration Process
#RSAC The UCSB iCTFs Year Theme Teams 2003 Open-Source Windows 7 2004 UN Voting System 15 2004 Bass Tard Corporation 9 2005 Spam Museum 22 2006 Hillbilly Bank 25 2007 Copyright Mafia 36 2008 Softerror.com Terrorist Network 39 2009 Rise of the Botnet 57 2010 Rogue Nation of Litya 73 2011 Money Laundering 89 2012 SCADA Defense 92 2013 Nuclear Cyberwar 123 2014 Large-Scale Hacking 86 2015 Crowdsourced Evil 35
#RSAC Branch Tracking The instrumentation collects information about which branches are taken The information is stored in a shared hash table. A branch from a previous location to the current location triggers the instrumentation code: cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1;
#RSAC Branch Tracking cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1; Note that the index in the hash is a combination of the previous and current location The size of the shared memory is 64K Big enough to avoid collisions Small enough to be fast and fit in memory caches The shift of the marker for the current location allows for Distinguishing A->B from B->A Distinguishing A->A from B->B
#RSAC Branch Tracking Branch tracking is a better metric for program exploration than plain basic block coverage Consider the following cases, where A, B, C, D, E are code blocks: A -> B -> C -> D -> E (tuples: AB, BC, CD, DE) A -> B -> D -> C -> E (tuples: AB, BD, DC, CE) While the same amount of code is covered, but different paths are taken
#RSAC Guiding Exploration AFL maintains a global map of all the paths observed in all the executions up to the current one When a mutated input file introduces tuple that were not observed before, the input file is queued for further processing Inputs that do not generate new transitions, are discarded (even if the sequence has not been seen before)
#RSAC Example #1: A -> B -> C -> D -> E #2: A -> B -> C -> A -> E (C->A, A->E are new) #3: A -> B -> C -> A -> B -> C -> A -> B -> C -> D -> E (no new tuples)
#RSAC Counting Branches AFL keeps track of how many times a certain transition happens for each run Buckets: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+ If a particular input causes a transition to move between buckets, then the input is deemed interesting and queues for processing Buckets allow for emphasizing small changes (1 to 2) vs. not-so- relevant changes (67 to 70)
#RSAC Processing Input The interesting file (thousands) are added to the input queue Usually 10-30% from the discovery of new transitions The rest from changes in the hit count The input queue is analyzed so that a subset of the (best) files is marked as “favorite” The files cover all the tuples The files have lowest latency and size
#RSAC Prioritizing the Inputs 1. Choose a tuple from the ones observed so far and put it in a set 2. Select the input that caused the shortest execution and has the smallest size 3. Add all the transitions observed for that execution to the set 4. If the set does not covered all the previously observed transitions, goto 1
#RSAC Prioritizing the Inputs If there are new, yet-to-be-fuzzed favorites present in the queue, 99% of non-favored entries will be skipped to get to the favored ones If there are no new favorites: If the current non-favored entry was fuzzed before, it will be skipped 95% of the time If the current non-favored entry was not fuzzed before, the odds of skipping it are 75% These values are chosen to balance queue cycling and diversity
#RSAC Fuzzing Strategies Sequential bit flips with varying lengths and stepovers Sequential addition and subtraction of small integers Sequential insertion of known interesting integers (0, 1, INT_MAX, etc.) Stacked bit flips, insertions, deletions, arithmetic operations, and splicing of different test cases It is also possible to provide dictionaries of known keywords to help in the fuzzing process

Empfohlen

Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer
AdaCore
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Unmasking Anonymous: An Eyewitness Account of a Hacktivist AttackUnmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Imperva
 
Automated Attack Surface Approximation [FSE - SRC 2015]
Automated Attack Surface Approximation [FSE - SRC 2015]Automated Attack Surface Approximation [FSE - SRC 2015]
Automated Attack Surface Approximation [FSE - SRC 2015]
Chris Theisen
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
Codenomicon
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Software Security Education at Scale
Software Security Education at ScaleSoftware Security Education at Scale
Software Security Education at Scale
Chris Theisen
 
A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application Security
Imperva Incapsula
 

Empfohlen

Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer
AdaCore
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Unmasking Anonymous: An Eyewitness Account of a Hacktivist AttackUnmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
Imperva
 
Automated Attack Surface Approximation [FSE - SRC 2015]
Automated Attack Surface Approximation [FSE - SRC 2015]Automated Attack Surface Approximation [FSE - SRC 2015]
Automated Attack Surface Approximation [FSE - SRC 2015]
Chris Theisen
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
Codenomicon
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Software Security Education at Scale
Software Security Education at ScaleSoftware Security Education at Scale
Software Security Education at Scale
Chris Theisen
 
A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application Security
Imperva Incapsula
 
Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012
DefCamp
 
DefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network securityDefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network security
DefCamp
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Priyanka Aash
 
Keynote Session : Kill The Password
Keynote Session : Kill The PasswordKeynote Session : Kill The Password
Keynote Session : Kill The Password
Priyanka Aash
 
Automated and Effective Testing of Web Services for XML Injection Attacks
Automated and Effective Testing of Web Services for XML Injection AttacksAutomated and Effective Testing of Web Services for XML Injection Attacks
Automated and Effective Testing of Web Services for XML Injection Attacks
Lionel Briand
 
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense TechniqueDARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
Chong-Kuan Chen
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat Intelligence
AlienVault
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
Priyanka Aash
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android Apps
Priyanka Aash
 
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
Isolating the Ghost in the Machine: Unveiling Post Exploitation ThreatsrsacIsolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
Priyanka Aash
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Lastline, Inc.
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
Aaron Rinehart
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
Karthik Gaekwad
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Priyanka Aash
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident response
Priyanka Aash
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
Priyanka Aash
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
Priyanka Aash
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?
James Wickett
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
Nelson Brito
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
Priyanka Aash
 
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
MrityunjayaHikkalgut1
 

Weitere ähnliche Inhalte

Andere mochten auch

Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012
DefCamp
 
DefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network securityDefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network security
DefCamp
 

Andere mochten auch (8)

Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012Attacks Against Captcha Systems - DefCamp 2012
Attacks Against Captcha Systems - DefCamp 2012
 
DefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network securityDefCamp 2013 - In vehicle CAN network security
DefCamp 2013 - In vehicle CAN network security
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
 
Keynote Session : Kill The Password
Keynote Session : Kill The PasswordKeynote Session : Kill The Password
Keynote Session : Kill The Password
 
Automated and Effective Testing of Web Services for XML Injection Attacks
Automated and Effective Testing of Web Services for XML Injection AttacksAutomated and Effective Testing of Web Services for XML Injection Attacks
Automated and Effective Testing of Web Services for XML Injection Attacks
 
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense TechniqueDARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat Intelligence
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
 

Ähnlich wie Autonomous Hacking: The New Frontiers of Attack and Defense

Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Priyanka Aash
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
peter lam
 
Efficacy Of Layered Application Security Through The Lens Of Hacker
Efficacy Of Layered Application Security Through The Lens Of HackerEfficacy Of Layered Application Security Through The Lens Of Hacker
Efficacy Of Layered Application Security Through The Lens Of Hacker
Priyanka Aash
 

Ähnlich wie Autonomous Hacking: The New Frontiers of Attack and Defense (20)

Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android Apps
 
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
Isolating the Ghost in the Machine: Unveiling Post Exploitation ThreatsrsacIsolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident response
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
 
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
 
Efficacy Of Layered Application Security Through The Lens Of Hacker
Efficacy Of Layered Application Security Through The Lens Of HackerEfficacy Of Layered Application Security Through The Lens Of Hacker
Efficacy Of Layered Application Security Through The Lens Of Hacker
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 

Mehr von Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

Mehr von Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Kürzlich hochgeladen

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Kürzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

Autonomous Hacking: The New Frontiers of Attack and Defense

  • 1. SESSION ID: #RSAC Giovanni Vigna Autonomous Hacking: The New Frontiers of Attack and Defense HT-W02 CTO Lastline, Inc. @lastlinelabs
  • 4. #RSAC Hacking What? 4 Security compromises can be achieved through different routes
  • 8. #RSAC Hacking Binary Code 8 Low abstraction level No structured types No modules or clearly defined functions Compiler optimization and other artifacts can make the code more complex to analyze WYSIWYE: What you see is what you execute
  • 10. #RSAC Manual Analysis “Look at the code and see what you can find” Requires substantial expertise The analysis is as good as the person performing it Allows for the identification of complex vulnerabilities (e.g., logic-based) Expensive, does not scale
  • 11. #RSAC Tool-Assisted Analysis “Run these tools and verify/expand the results” Tools help in identifying areas of interest By ruling out known code By identifying potential vulnerabilities Since a human is involved, expertise and scale are still issues
  • 12. #RSAC Automated Analysis “Run this tool and find the vulnerability” … and possibly generate an exploit... ...and possibly generate a patch Requires well-defined models for the vulnerabilities Can only detect the vulnerabilities that are modeled Can scale (not always!)
  • 13. #RSAC Automated Vulnerability Analysis An algorithm that takes as input a code artifact (source code, byte-code, binary code) and identifies potential vulnerabilities The Halting Problem: “the halting problem is the problem of determining, from a description of an arbitrary computer program and an input, whether the program will finish running or continue to run forever.” https://en.wikipedia.org/wiki/Halting_problem Alan Turing proved that a general algorithm does not exist
  • 14. #RSAC Types of Vulnerability Analysis Static Analysis A form of abstract interpretation Does not execute the code Dynamic Analysis A form of concrete interpretation Executes the code (or a model of it)
  • 15. #RSAC Static Analysis The goal of static analysis techniques is to characterize all possible run- time behaviors over all possible inputs without actually running the program Find possible bugs, or prove absence of certain kinds of vulnerabilities Static analysis has been around for a long while Type checkers, compilers Formal verification Challenges: soundness, precision, and scalability
  • 17. #RSAC P Actual run-time behaviors Soundness and Completeness Over-approximation (sound)
  • 18. #RSAC P Actual run-time behaviors Soundness and Completeness More precise over-approximation (sound)
  • 19. #RSAC P Actual run-time behaviors Soundness and Completeness Under-approximation (complete)
  • 20. #RSAC P Actual run-time behaviors Soundness and Completeness Unsound, incomplete analysis
  • 21. #RSAC Example Analyses Control-flow analysis: Find and reason about all possible control-flow transfers (sources and destinations) Data-flow analysis: Reason about how data flows at run-time (from sources to sinks) Data dependency analysis: Reason about how data influences other data Points-to analysis: Reason about what values can pointers take Alias analysis: Determine if two pointers might point to the same address Value -set analysis: Reason about what are all the possible values that variables can hold
  • 22. #RSAC Dynamic Analysis Dynamic approaches are very precise for particular environment and inputs You execute the code! However they provide no guarantee of coverage You evaluate only the part of a program that you exercise!
  • 23. #RSAC Example Analyses 23 Taint analysis Fuzzing Forward symbolic execution Concolic execution
  • 24. #RSAC Fuzzing Fuzzing is an automated procedure to send inputs and record safety condition violations as crashes Assumption: crashes are potentially exploitable Several dimensions in the fuzzing space How to supply inputs to the program under test? How to generate inputs? How to generate more “relevant” crashes? How to change inputs between runs? Goal: maximized effectiveness of the process
  • 27. #RSAC Fuzzing: American Fuzzy Lop Instrumentation-guided genetic fuzzer developed by Michael Zalewski The instrumentation collects information at branch points Supports the generation of inputs that improve coverage Inputs that bring new paths are considered more interesting and queued for further exploration Inputs are chosen and mutated Unique crashes are identified using branch analysis (instead of stack summaries)
  • 28. #RSAC Symbolic Execution: angr Framework for the analysis of binaries Supports a number of architectures x86 (32 and 64), MIPS, ARM, PPC, etc. http://angr.io https://github.com/angr angr@lists.cs.ucsb.edu
  • 29. #RSAC angr Components Static Analysis Routines Symbolic Execution Engine Control-Flow Graph Data-Flow Analysis Binary Loader Value-Set Analysis angr Forward Symbolic Execution Under-constrained SE
  • 30. #RSAC Symbolic Execution "How do I trigger path X or condition Y?” Dynamic analysis Input A? No. Input B? No. Input C? … Based on concrete inputs to application (Concrete) static analysis You can’t/You might be able to Based on various static techniques
  • 31. #RSAC Symbolic Execution "How do I trigger path X or condition Y?” Interpret the application Track "constraints" on variables When the required condition is triggered, "concretize" to obtain a possible input
  • 32. #RSAC Concretization Constraint solving Conversion from set of constraints to set of concrete values that satisfy them Constraints x >= 10 x < 100 x = 42Concretize
  • 33. #RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b()
  • 34. #RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State A Variables x = ??? Constraints ------
  • 35. #RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State A Variables x = ??? Constraints ------ State AA Variables x = ??? Constraints x < 10 State AB Variables x = ??? Constraints x >= 10
  • 36. #RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State AA Variables x = ??? Constraints x < 10 State AB Variables x = ??? Constraints x >= 10
  • 37. #RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State AA Variables x = ??? Constraints x < 10 State AB Variables x = ??? Constraints x >= 10 State ABA Variables x = ??? Constraints x >= 10 x < 100 State ABB Variables x = ??? Constraints x >= 10 x >= 100
  • 38. #RSAC Example x = int(input()) if x >= 10: if x < 100: vulnerable_code() else: func_a() else: func_b() State ABA Variables x = ??? Constraints x >= 10 x < 100 Concretized ABA Variables x = 99
  • 39. #RSAC Putting It All Together Fuzzing excels at producing general input Symbolic execution is able to satisfy complex path predicates for specific input Key insight: Combine both techniques to leverage their strengths and mitigate their weaknesses
  • 40. #RSAC Assisting Fuzzing with Symbolic Execution Fuzzing good at finding solutions for general input Symbolic Execution good at find solutions for specific input
  • 43. #RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X” Dynamic Symbolic Execution !
  • 44. #RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X” Dynamic Symbolic Execution “CGC_MAGIC” New test cases generated
  • 45. #RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X” Dynamic Symbolic Execution “CGC_MAGIC” New test cases generated “CGC_MAGICY”
  • 46. #RSAC Why Hacking? Vulnerability analysis can be used Offensively Defensively For fun (and profit) Hacking competitions have become a popular venue for the application of breakthrough techniques in vulnerability analysis DefCon CTF Pwn20wn
  • 47. #RSAC Many Competition Styles Challenge-based Should not be called “CTF”! Easy to organize Easy to scale Exclusively focused on attacking No real-time component Interactive, online CTFs Very difficult to organize Require substantial infrastructure Difficult to scale Focused on both attacking and defending in real time
  • 48. #RSAC Current Interactive, Online CTFs From ctftime.org: 100+ events listed Online attack-defense competitions: UCSB iCTF 13 editions RuCTF 5 editions FAUST 1 edition
  • 49. #RSAC The iCTF Framework Lessons learned from running iCTFs were the basis for building a framework The framework formalizes the structure of services and allows for the reuse of the infrastructure Available at: http://github.com/ucsb-seclab/ictf-framework http://ictf.cs.ucsb.edu/framework
  • 50. #RSAC CTFs Are Playgrounds… 52 For people (hackers) For tools (attack, defense) But can they be used to advance science?
  • 52. #RSAC The DARPA Cyber Grand Challenge 54 Programs!
  • 53. #RSAC The DARPA Cyber Grand Challenge 55
  • 54. #RSAC The DARPA Cyber Grand Challenge 56
  • 55. #RSAC The DARPA Cyber Grand Challenge 57 CTF-style competition Autonomous Cyber-Reasoning Systems (CRS) attack and defend a number of services (binary programs) NO HUMAN IN THE LOOP A first qualification round decided who the 7 finalists are Qualification comes with a $750,000 cash prize The final event is scheduled for August 4, 2016 during DefCon The top team will receive a $2,000,000 cash prize
  • 57. #RSAC CGC Other Finalists 59 CodeJitsu CSDS DeepRed disekt ForAllSecure TECHx
  • 58. #RSAC CGC Participant Systems 60 CB vulnerable program RB patched program POV exploit Cyber Reasoning System
  • 59. #RSAC The CGC Environment 61 Binaries run on a custom OS, called DECREE Limited number of system calls A POV has to demonstrate the ability: To read a specific value from memory To set a register to a specific value Not all rules have been finalized
  • 60. #RSAC The Shellphish CRS: ShellWePlayAGame? 62 CYBER GRAND CHALLENGE
  • 61. #RSAC The Shellphish CRS: ShellWePlayAGame? 63 CB Proposed RBs Proposed POVs Autonomous vulnerability scanning Shellphish CRS Autonomous service resiliency PCAP Test cases POV RB Autonomous processing Autonomous patching
  • 62. #RSAC May the Best CRS Win! 64 Patching cannot affect performance Patching cannot affect functionality When you are shooting blindfolded automatic weapons, it’s easy to shoot yourself in the foot...
  • 63. #RSAC Fostering Research in Automated Hacking 65 The goal of the CGC is to foster the development of new attack and defense techniques that… Automatically identify and exploit vulnerabilities in binary programs Automatically patch vulnerability and provide functionally- equivalent yet secure versions of a vulnerable binary
  • 64. #RSAC What Does All This Mean to YOU? 66 Novel automated analysis techniques will allow for The identification of vulnerabilities (and, possibly, backdoors) in binaries before they are deployed The patching of binaries on-the-fly without having to wait for vendors’ fixes Scale…
  • 65. #RSAC What Can I Do NOW? 67 Use CTFs (or other security competitions) to foster computer education in your company The iCTF Framework is free, open, and can be used to create sophisticated attack-defense security competition within your organization Familiarize yourself with vulnerability analysis tool and learn how to use them as integral part of your development process After all…
  • 66. #RSAC Human + Machine = WIN! 68 OMG, can’t do stairs?!?
  • 69. #RSAC The iCTF Architecture … VPN Server Team 1 Team 2 Vulnerable Server VPN Gateway Vulnerable Server VPN Gateway Vulnerable Server VPN Gateway VPN Gateway Team Interface Scriptbot Gamebot DatabaseScoreboard Shows the current scores to the teams Allows teams to register and submit flags Stores the state of the competition Runs the scripts to update flags and check for services For each tick, schedules scripts and compute scores Vulnerable Server 10.7.1.X 10.7.1.2 10.7.2.2 10.7.21.2Team 21 Team 22 10.7.22.2
  • 70. #RSAC Example: Simple Overflows int main(int argc, char** argv) { char buf[256]; strcpy(buf, argv[1]); return 0; } Simplest detection approach: grep forstrcpy More rigorous: Determine data flow from command-line argument to strcpy’s parameter Determine size of source, destination buffers Model semantics of strcpy Check safety condition: len(argv[1]) < len(buf)
  • 73. #RSAC The UCSB iCTFs Year Theme Teams 2003 Open-Source Windows 7 2004 UN Voting System 15 2004 Bass Tard Corporation 9 2005 Spam Museum 22 2006 Hillbilly Bank 25 2007 Copyright Mafia 36 2008 Softerror.com Terrorist Network 39 2009 Rise of the Botnet 57 2010 Rogue Nation of Litya 73 2011 Money Laundering 89 2012 SCADA Defense 92 2013 Nuclear Cyberwar 123 2014 Large-Scale Hacking 86 2015 Crowdsourced Evil 35
  • 74. #RSAC Branch Tracking The instrumentation collects information about which branches are taken The information is stored in a shared hash table. A branch from a previous location to the current location triggers the instrumentation code: cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1;
  • 75. #RSAC Branch Tracking cur_location = <COMPILE_TIME_RANDOM>; shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1; Note that the index in the hash is a combination of the previous and current location The size of the shared memory is 64K Big enough to avoid collisions Small enough to be fast and fit in memory caches The shift of the marker for the current location allows for Distinguishing A->B from B->A Distinguishing A->A from B->B
  • 76. #RSAC Branch Tracking Branch tracking is a better metric for program exploration than plain basic block coverage Consider the following cases, where A, B, C, D, E are code blocks: A -> B -> C -> D -> E (tuples: AB, BC, CD, DE) A -> B -> D -> C -> E (tuples: AB, BD, DC, CE) While the same amount of code is covered, but different paths are taken
  • 77. #RSAC Guiding Exploration AFL maintains a global map of all the paths observed in all the executions up to the current one When a mutated input file introduces tuple that were not observed before, the input file is queued for further processing Inputs that do not generate new transitions, are discarded (even if the sequence has not been seen before)
  • 78. #RSAC Example #1: A -> B -> C -> D -> E #2: A -> B -> C -> A -> E (C->A, A->E are new) #3: A -> B -> C -> A -> B -> C -> A -> B -> C -> D -> E (no new tuples)
  • 79. #RSAC Counting Branches AFL keeps track of how many times a certain transition happens for each run Buckets: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+ If a particular input causes a transition to move between buckets, then the input is deemed interesting and queues for processing Buckets allow for emphasizing small changes (1 to 2) vs. not-so- relevant changes (67 to 70)
  • 80. #RSAC Processing Input The interesting file (thousands) are added to the input queue Usually 10-30% from the discovery of new transitions The rest from changes in the hit count The input queue is analyzed so that a subset of the (best) files is marked as “favorite” The files cover all the tuples The files have lowest latency and size
  • 81. #RSAC Prioritizing the Inputs 1. Choose a tuple from the ones observed so far and put it in a set 2. Select the input that caused the shortest execution and has the smallest size 3. Add all the transitions observed for that execution to the set 4. If the set does not covered all the previously observed transitions, goto 1
  • 82. #RSAC Prioritizing the Inputs If there are new, yet-to-be-fuzzed favorites present in the queue, 99% of non-favored entries will be skipped to get to the favored ones If there are no new favorites: If the current non-favored entry was fuzzed before, it will be skipped 95% of the time If the current non-favored entry was not fuzzed before, the odds of skipping it are 75% These values are chosen to balance queue cycling and diversity
  • 83. #RSAC Fuzzing Strategies Sequential bit flips with varying lengths and stepovers Sequential addition and subtraction of small integers Sequential insertion of known interesting integers (0, 1, INT_MAX, etc.) Stacked bit flips, insertions, deletions, arithmetic operations, and splicing of different test cases It is also possible to provide dictionaries of known keywords to help in the fuzzing process