SESSION ID: HT-W02
#RSAC
Autonomous Hacking: The New Frontiers of Attack and Defense
Giovanni Vigna
CTO, Lastline, Inc.
@lastlinelabs
#RSAC
Hacking
?
#RSAC
Hacking Teams
#RSAC
Hacking What?
Security compromises can be achieved through different routes
#RSAC
Hacking the User
#RSAC
Hacking the Process
#RSAC
Hacking the Code
#RSAC
Hacking Binary Code
Low abstraction level
No structured types
No modules or clearly defined functions
Compiler optimization and other artifacts can make the code
more complex to analyze
WYSIWYE: What you see is what you execute
#RSAC
Finding Vulnerabilities
Human, Semi-Automated, Fully Automated
#RSAC
Manual Analysis
“Look at the code and see what you can find”
Requires substantial expertise
The analysis is as good as the person performing it
Allows for the identification of complex vulnerabilities (e.g.,
logic-based)
Expensive, does not scale
#RSAC
Tool-Assisted Analysis
“Run these tools and verify/expand the results”
Tools help in identifying areas of interest
By ruling out known code
By identifying potential vulnerabilities
Since a human is involved, expertise and scale are still issues
#RSAC
Automated Analysis
“Run this tool and find the vulnerability”
… and possibly generate an exploit...
...and possibly generate a patch
Requires well-defined models for the vulnerabilities
Can only detect the vulnerabilities that are modeled
Can scale (not always!)
#RSAC
Automated Vulnerability Analysis
An algorithm that takes as input a code artifact (source code,
byte-code, binary code) and identifies potential vulnerabilities
The Halting Problem: “the halting problem is the problem of
determining, from a description of an arbitrary computer
program and an input, whether the program will finish running
or continue to run forever.”
https://en.wikipedia.org/wiki/Halting_problem
Alan Turing proved that a general algorithm does not exist
#RSAC
Types of Vulnerability Analysis
Static Analysis
A form of abstract interpretation
Does not execute the code
Dynamic Analysis
A form of concrete interpretation
Executes the code (or a model of it)
#RSAC
Static Analysis
The goal of static analysis techniques is to characterize all possible run-
time behaviors over all possible inputs without actually running the
program
Find possible bugs, or prove absence of certain kinds of vulnerabilities
Static analysis has been around for a long while
Type checkers, compilers
Formal verification
Challenges: soundness, precision, and scalability
#RSAC
Soundness and Completeness
[Figure, built up over several slides: the set P of actual run-time behaviors, compared with what an analysis covers]
Over-approximation (sound)
More precise over-approximation (sound)
Under-approximation (complete)
Unsound, incomplete analysis
#RSAC
Example Analyses
Control-flow analysis: Find and reason about all possible control-flow
transfers (sources and destinations)
Data-flow analysis: Reason about how data flows at run-time (from
sources to sinks)
Data dependency analysis: Reason about how data influences other data
Points-to analysis: Reason about what values pointers can take
Alias analysis: Determine if two pointers might point to the same address
Value-set analysis: Reason about all the possible values that
variables can hold
#RSAC
Dynamic Analysis
Dynamic approaches are very precise for a particular environment
and inputs
You execute the code!
However, they provide no guarantee of coverage
You evaluate only the part of a program that you exercise!
#RSAC
Example Analyses
Taint analysis
Fuzzing
Forward symbolic execution
Concolic execution
#RSAC
Fuzzing
Fuzzing is an automated procedure to send inputs and record safety
condition violations as crashes
Assumption: crashes are potentially exploitable
Several dimensions in the fuzzing space
How to supply inputs to the program under test?
How to generate inputs?
How to generate more “relevant” crashes?
How to change inputs between runs?
Goal: maximize the effectiveness of the process
#RSAC
Gray/White-box Fuzzing
[Diagram components: Input Generator, Application Under Analysis, Crash, Crash Database, Bugs (0-day), Fuzzing Infrastructure, Feedback]
#RSAC
Fuzzing: American Fuzzy Lop
Instrumentation-guided genetic fuzzer developed by Michael Zalewski
The instrumentation collects information at branch points
Supports the generation of inputs that improve coverage
Inputs that bring new paths are considered more interesting and
queued for further exploration
Inputs are chosen and mutated
Unique crashes are identified using branch analysis (instead of stack
summaries)
#RSAC
Symbolic Execution: angr
Framework for the analysis of binaries
Supports a number of architectures
x86 (32 and 64), MIPS, ARM, PPC, etc.
http://angr.io
https://github.com/angr
angr@lists.cs.ucsb.edu
#RSAC
angr Components
Binary Loader
Static Analysis Routines
Control-Flow Graph
Data-Flow Analysis
Value-Set Analysis
Symbolic Execution Engine
Forward Symbolic Execution
Under-constrained SE
#RSAC
Symbolic Execution
“How do I trigger path X or condition Y?”
Dynamic analysis
Input A? No. Input B? No. Input C? …
Based on concrete inputs to application
(Concrete) static analysis
You can’t/You might be able to
Based on various static techniques
#RSAC
Symbolic Execution
“How do I trigger path X or condition Y?”
Interpret the application
Track "constraints" on variables
When the required condition is triggered, "concretize" to obtain
a possible input
#RSAC
Concretization
Constraint solving
Conversion from set of constraints to set of concrete values that
satisfy them
Constraints
x >= 10
x < 100
Concretize
x = 42
#RSAC
Example
x = int(input())
if x >= 10:
    if x < 100:
        vulnerable_code()
    else:
        func_a()
else:
    func_b()
State A
Variables: x = ???
Constraints: ------
State AA
Variables: x = ???
Constraints: x < 10
State AB
Variables: x = ???
Constraints: x >= 10
State ABA
Variables: x = ???
Constraints: x >= 10, x < 100
State ABB
Variables: x = ???
Constraints: x >= 10, x >= 100
Concretized ABA
Variables: x = 99
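As an added example (not from the slides or from angr), the toy forward symbolic executor below runs the slide's program: it forks a state at each branch, tracks the constraints on x as an interval, prunes unsatisfiable paths, and concretizes each reachable leaf. The branch-tree encoding, the 32-bit range for x, and the DEAD_BRANCH variant are assumptions made for the illustration.

```python
from dataclasses import dataclass

INT_MIN, INT_MAX = -2**31, 2**31 - 1   # assumption: x is a 32-bit signed integer

# The slide's program as a branch tree: (op, constant, then_node, else_node);
# a plain string is a leaf (the function that gets called).
PROGRAM = (">=", 10,
           ("<", 100, "vulnerable_code", "func_a"),
           "func_b")

# Constructed variant with an unreachable leaf, to show infeasible-path pruning:
# after x >= 10 holds, x < 5 can never be true.
DEAD_BRANCH = (">=", 10, ("<", 5, "dead_code", "func_a"), "func_b")

NEGATE = {">=": "<", "<": ">="}


@dataclass(frozen=True)
class State:
    lo: int = INT_MIN          # constraints on x, kept as the interval [lo, hi]
    hi: int = INT_MAX
    constraints: tuple = ()    # human-readable path predicate

    def constrain(self, op, c):
        """Return the successor state with one more constraint on x."""
        lo, hi = self.lo, self.hi
        if op == ">=":
            lo = max(lo, c)
        else:                  # "<"
            hi = min(hi, c - 1)
        return State(lo, hi, self.constraints + (f"x {op} {c}",))

    def satisfiable(self):
        return self.lo <= self.hi

    def concretize(self):
        """Constraint solving: pick one x that satisfies the path predicate."""
        if not self.satisfiable():
            raise ValueError("unsatisfiable path")
        return self.hi         # any value in [lo, hi] works; take the largest


def explore(node, state=State()):
    """Fork at every branch and return {leaf: state} for all feasible paths."""
    if isinstance(node, str):
        return {node: state}
    op, c, then_node, else_node = node
    reached = {}
    for successor, child in ((state.constrain(op, c), then_node),
                             (state.constrain(NEGATE[op], c), else_node)):
        if successor.satisfiable():      # prune paths no input can take
            reached.update(explore(child, successor))
    return reached


def run_concrete(node, x):
    """Dynamic analysis counterpart: execute the program on one concrete x."""
    while not isinstance(node, str):
        op, c, then_node, else_node = node
        taken = x >= c if op == ">=" else x < c
        node = then_node if taken else else_node
    return node


if __name__ == "__main__":
    for leaf, st in explore(PROGRAM).items():
        x = st.concretize()
        print(f"{leaf}: {' and '.join(st.constraints)} -> x = {x}, "
              f"concrete run reaches {run_concrete(PROGRAM, x)}")
    print("reachable in DEAD_BRANCH:", sorted(explore(DEAD_BRANCH)))
```

Replaying each concretized value through run_concrete confirms that the solver output really drives execution down the path whose constraints produced it.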
#RSAC
Putting It All Together
Fuzzing excels at producing general input
Symbolic execution is able to satisfy complex path predicates for
specific input
Key insight: Combine both techniques to leverage their strengths
and mitigate their weaknesses
#RSAC
Assisting Fuzzing with Symbolic Execution
Fuzzing: good at finding solutions for general input
Symbolic Execution: good at finding solutions for specific input
#RSAC
Driller
“Cheap” fuzzing coverage
Test Cases
“Y”
“X”
Dynamic Symbolic
Execution
“CGC_MAGIC”
New test cases generated “CGC_MAGICY”
#RSAC
Why Hacking?
Vulnerability analysis can be used
Offensively
Defensively
For fun (and profit)
Hacking competitions have become a popular venue for the
application of breakthrough techniques in vulnerability analysis
DefCon CTF
Pwn2Own
#RSAC
Many Competition Styles
Challenge-based
Should not be called “CTF”!
Easy to organize
Easy to scale
Exclusively focused on attacking
No real-time component
Interactive, online CTFs
Very difficult to organize
Require substantial infrastructure
Difficult to scale
Focused on both attacking and
defending in real time
#RSAC
Current Interactive, Online CTFs
From ctftime.org: 100+ events listed
Online attack-defense competitions:
UCSB iCTF 13 editions
RuCTF 5 editions
FAUST 1 edition
#RSAC
The iCTF Framework
Lessons learned from running iCTFs were the basis for building a
framework
The framework formalizes the structure of services and allows
for the reuse of the infrastructure
Available at:
http://github.com/ucsb-seclab/ictf-framework
http://ictf.cs.ucsb.edu/framework
#RSAC
CTFs Are Playgrounds…
For people (hackers)
For tools (attack, defense)
But can they be used to advance science?
#RSAC
DARPA Competitions
Self-driving Cars, Robots
#RSAC
The DARPA Cyber Grand Challenge
Programs!
#RSAC
The DARPA Cyber Grand Challenge
CTF-style competition
Autonomous Cyber-Reasoning Systems (CRS) attack and defend a
number of services (binary programs)
NO HUMAN IN THE LOOP
A first qualification round decided who the 7 finalists are
Qualification comes with a $750,000 cash prize
The final event is scheduled for August 4, 2016 during DefCon
The top team will receive a $2,000,000 cash prize
#RSAC
Shellphish CGC Team
#RSAC
CGC Other Finalists
CodeJitsu, CSDS, DeepRed, disekt, ForAllSecure, TECHx
#RSAC
CGC Participant Systems
CB: vulnerable program
RB: patched program
POV: exploit
Cyber Reasoning System
#RSAC
The CGC Environment
Binaries run on a custom OS, called DECREE
Limited number of system calls
A POV has to demonstrate the ability:
To read a specific value from memory
To set a register to a specific value
Not all rules have been finalized
#RSAC
The Shellphish CRS: ShellWePlayAGame?
[Diagram of the Shellphish CRS. Labels: CB, PCAP, Test cases, Autonomous processing, Autonomous vulnerability scanning, Autonomous patching, Autonomous service resiliency, POV, RB, Proposed POVs, Proposed RBs]
#RSAC
May the Best CRS Win!
Patching cannot affect performance
Patching cannot affect functionality
When you are shooting blindfolded automatic weapons, it’s easy
to shoot yourself in the foot...
#RSAC
Fostering Research in Automated Hacking
The goal of the CGC is to foster the development of new attack
and defense techniques that…
Automatically identify and exploit vulnerabilities in binary programs
Automatically patch vulnerabilities and provide functionally
equivalent yet secure versions of a vulnerable binary
#RSAC
What Does All This Mean to YOU?
Novel automated analysis techniques will allow for
The identification of vulnerabilities (and, possibly, backdoors) in
binaries before they are deployed
The patching of binaries on-the-fly without having to wait for
vendors’ fixes
Scale…
#RSAC
What Can I Do NOW?
Use CTFs (or other security competitions) to foster computer
education in your company
The iCTF Framework is free, open, and can be used to create
sophisticated attack-defense security competitions within your
organization
Familiarize yourself with vulnerability analysis tools and learn how
to use them as an integral part of your development process
After all…
#RSAC
Human + Machine = WIN!
OMG, can’t do stairs?!?
#RSAC
Q&A
#RSAC
Extra Slides
#RSAC
The iCTF Architecture
[Network diagram: each team (Team 1, Team 2, …, Team 21, Team 22) has a Vulnerable Server behind a VPN Gateway, connected to the VPN Server. Addresses shown: 10.7.1.X, 10.7.1.2, 10.7.2.2, 10.7.21.2, 10.7.22.2]
Team Interface: Allows teams to register and submit flags
Scoreboard: Shows the current scores to the teams
Database: Stores the state of the competition
Scriptbot: Runs the scripts to update flags and check for services
Gamebot: For each tick, schedules scripts and computes scores
#RSAC
Example: Simple Overflows
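#include <string.h>

int main(int argc, char** argv) {
    char buf[256];
    /* Unbounded copy of the command-line argument into a 256-byte stack buffer */
    strcpy(buf, argv[1]);
    return 0;
}
Simplest detection approach: grep for strcpy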
More rigorous:
Determine data flow from command-line argument to strcpy’s parameter
Determine size of source, destination buffers
Model semantics of strcpy
Check safety condition: len(argv[1]) < len(buf)
#RSAC
Fuzzing vs. Symbolic Execution
#RSAC
Exploration Process
#RSAC
The UCSB iCTFs
Year | Theme | Teams
2003 | Open-Source Windows | 7
2004 | UN Voting System | 15
2004 | Bass Tard Corporation | 9
2005 | Spam Museum | 22
2006 | Hillbilly Bank | 25
2007 | Copyright Mafia | 36
2008 | Softerror.com Terrorist Network | 39
2009 | Rise of the Botnet | 57
2010 | Rogue Nation of Litya | 73
2011 | Money Laundering | 89
2012 | SCADA Defense | 92
2013 | Nuclear Cyberwar | 123
2014 | Large-Scale Hacking | 86
2015 | Crowdsourced Evil | 35
#RSAC
Branch Tracking
The instrumentation collects information about which branches
are taken
The information is stored in a shared hash table. A branch from
a previous location to the current location triggers the
instrumentation code:
cur_location = <COMPILE_TIME_RANDOM>;
shared_mem[cur_location ^ prev_location]++;
prev_location = cur_location >> 1;
Note that the index in the hash is a combination of the previous and current
location
The size of the shared memory is 64K
Big enough to avoid collisions
Small enough to be fast and fit in memory caches
The shift of the marker for the current location allows for
Distinguishing A->B from B->A
Distinguishing A->A from B->B
#RSAC
Branch Tracking
Branch tracking is a better metric for program exploration than
plain basic block coverage
Consider the following cases, where A, B, C, D, E are code
blocks:
A -> B -> C -> D -> E (tuples: AB, BC, CD, DE)
A -> B -> D -> C -> E (tuples: AB, BD, DC, CE)
The same amount of code is covered, but different paths
are taken
#RSAC
Guiding Exploration
AFL maintains a global map of all the paths observed in all the
executions up to the current one
When a mutated input file introduces tuples that were not
observed before, the input file is queued for further processing
Inputs that do not generate new transitions are discarded
(even if the sequence has not been seen before)
#RSAC
Example
#1: A -> B -> C -> D -> E
#2: A -> B -> C -> A -> E (C->A, A->E are new)
#3: A -> B -> C -> A -> B -> C -> A -> B -> C -> D -> E (no new
tuples)
#RSAC
Counting Branches
AFL keeps track of how many times a certain transition happens
for each run
Buckets: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+
If a particular input causes a transition to move between
buckets, then the input is deemed interesting and queued for
processing
Buckets allow for emphasizing small changes (1 to 2) vs. not-so-
relevant changes (67 to 70)
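As an added example (not AFL's own code), the simulation below replays the three traces from the slides through the branch-tracking formula and the hit-count buckets, and reports why each input would be queued or discarded. The block IDs are constructed stand-ins for the compile-time random values, and the Fuzzer class, the "entry" pseudo-block and all helper names are assumptions of this sketch.

```python
MAP_SIZE = 1 << 16   # 64K-entry shared map, as on the slide

# Constructed stand-ins for the compile-time random block IDs.
BLOCK_ID = {"A": 0x1234, "B": 0x5678, "C": 0x9ABC, "D": 0xDEF0, "E": 0x0F1E}

# Upper bound of each hit-count bucket from the slide; anything above is "128+".
BUCKETS = ((1, "1"), (2, "2"), (3, "3"), (7, "4-7"), (15, "8-15"),
           (31, "16-31"), (127, "32-127"))


def bucket(count):
    """Map a raw hit count to its bucket label."""
    for upper, label in BUCKETS:
        if count <= upper:
            return label
    return "128+"


def edge_index(prev_id, cur_id, shift=True):
    """shared_mem index for the transition prev -> cur.

    With shift=False the index is a plain XOR, so A->B and B->A collide
    and every self-loop maps to index 0.
    """
    prev_location = prev_id >> 1 if shift else prev_id
    return (cur_id ^ prev_location) % MAP_SIZE


def trace(path):
    """Run one input: return (hit count per index, index -> (src, dst))."""
    shared_mem, names = {}, {}
    prev_id, prev_name = 0, "entry"      # prev_location starts at 0
    for name in path:
        idx = edge_index(prev_id, BLOCK_ID[name])
        shared_mem[idx] = shared_mem.get(idx, 0) + 1
        names[idx] = (prev_name, name)   # kept only to print readable results
        prev_id, prev_name = BLOCK_ID[name], name
    return shared_mem, names


class Fuzzer:
    def __init__(self):
        self.seen = {}    # global map: index -> set of bucket labels observed
        self.queue = []   # inputs kept for further mutation

    def consider(self, path):
        """Return (new tuples, new (tuple, bucket) pairs); queue if either is non-empty."""
        shared_mem, names = trace(path)
        new_tuples, new_buckets = set(), set()
        for idx, count in shared_mem.items():
            label = bucket(count)
            if idx not in self.seen:
                new_tuples.add(names[idx])
            elif label not in self.seen[idx]:
                new_buckets.add((names[idx], label))
            self.seen.setdefault(idx, set()).add(label)
        if new_tuples or new_buckets:
            self.queue.append(path)
        return new_tuples, new_buckets


if __name__ == "__main__":
    fuzzer = Fuzzer()
    for path in ("ABCDE", "ABCAE", "ABCABCABCDE", "ABCDE"):
        tuples, buckets = fuzzer.consider(path)
        print(f"{path}: new tuples {sorted(tuples)}, new buckets {sorted(buckets)}")
    print("queued:", fuzzer.queue)
```

Trace #3 introduces no new tuples, yet it is still queued because A->B, B->C and C->A move to a different hit-count bucket; replaying trace #1 afterwards changes nothing and is discarded.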
#RSAC
Processing Input
The interesting files (thousands) are added to the input queue
Usually 10-30% from the discovery of new transitions
The rest from changes in the hit count
The input queue is analyzed so that a subset of the (best) files is
marked as “favorite”
The files cover all the tuples
The files have lowest latency and size
#RSAC
Prioritizing the Inputs
1. Choose a tuple from the ones observed so far and put it in a
set
2. Select the input that caused the shortest execution and has
the smallest size
3. Add all the transitions observed for that execution to the set
4. If the set does not cover all the previously observed
transitions, go to 1
#RSAC
Prioritizing the Inputs
If there are new, yet-to-be-fuzzed favorites present in the queue, 99%
of non-favored entries will be skipped to get to the favored ones
If there are no new favorites:
If the current non-favored entry was fuzzed before, it will be skipped 95%
of the time
If the current non-favored entry was not fuzzed before, the odds of
skipping it are 75%
These values are chosen to balance queue cycling and diversity
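As an added example (not AFL's own code), the sketch below implements the four-step favorite selection and the skip probabilities from the two "Prioritizing the Inputs" slides over a small constructed queue. Ranking an input by execution time multiplied by size is an assumption used to combine "shortest execution" and "smallest size" into one number; the Entry class, the sample queue and the function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    name: str
    tuples: frozenset        # transitions observed when running this input
    exec_us: int             # execution time in microseconds
    size: int                # input size in bytes
    favored: bool = False
    was_fuzzed: bool = False

    @property
    def cost(self):
        # Assumption: one score combining speed and size (lower is better).
        return self.exec_us * self.size


def sample_queue():
    """Constructed queue; tuple names reuse the A..E blocks from the slides."""
    return [
        Entry("seed",  frozenset({"AB", "BC", "CD", "DE"}), 900, 400),
        Entry("small", frozenset({"AB", "BC"}),             100, 10),
        Entry("loop",  frozenset({"AB", "BC", "CA", "AE"}), 300, 40),
        Entry("tail",  frozenset({"CD", "DE"}),             200, 20),
    ]


def mark_favorites(queue):
    """Greedy cover of all observed tuples by the cheapest inputs."""
    # For every tuple, remember the cheapest input that exercises it.
    top_rated = {}
    for entry in queue:
        entry.favored = False
        for t in entry.tuples:
            if t not in top_rated or entry.cost < top_rated[t].cost:
                top_rated[t] = entry
    covered = set()
    for t in sorted(top_rated):      # step 1: choose a tuple not yet in the set
        if t in covered:
            continue
        best = top_rated[t]          # step 2: fastest and smallest input for it
        best.favored = True
        covered |= best.tuples       # step 3: add all transitions of that run
    # Step 4: the loop ends once every observed tuple is covered.
    return [entry.name for entry in queue if entry.favored]


def skip_probability(entry, queue):
    """Chance that the fuzzer skips this queue entry, per the slide."""
    if entry.favored:
        return 0.0
    pending_favorites = any(e.favored and not e.was_fuzzed for e in queue)
    if pending_favorites:
        return 0.99
    return 0.95 if entry.was_fuzzed else 0.75


if __name__ == "__main__":
    queue = sample_queue()
    print("favorites:", mark_favorites(queue))
    for entry in queue:
        print(entry.name, "skip probability", skip_probability(entry, queue))
```

The large, slow "seed" input is never favored because cheaper inputs already cover each of its tuples, so it is fuzzed only occasionally.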
#RSAC
Fuzzing Strategies
Sequential bit flips with varying lengths and stepovers
Sequential addition and subtraction of small integers
Sequential insertion of known interesting integers (0, 1,
INT_MAX, etc.)
Stacked bit flips, insertions, deletions, arithmetic operations,
and splicing of different test cases
It is also possible to provide dictionaries of known keywords to
help in the fuzzing process


Autonomous Hacking: The New Frontiers of Attack and Defense

  • 1. SESSION ID: #RSAC Giovanni Vigna Autonomous Hacking: The New Frontiers of Attack and Defense HT-W02 CTO Lastline, Inc. @lastlinelabs
  • 4. #RSAC Hacking What? 4 Security compromises can be achieved through different routes
  • 8. #RSAC Hacking Binary Code 8 Low abstraction level No structured types No modules or clearly defined functions Compiler optimization and other artifacts can make the code more complex to analyze WYSIWYE: What you see is what you execute
  • 10. #RSAC Manual Analysis “Look at the code and see what you can find” Requires substantial expertise The analysis is as good as the person performing it Allows for the identification of complex vulnerabilities (e.g., logic-based) Expensive, does not scale
  • 11. #RSAC Tool-Assisted Analysis “Run these tools and verify/expand the results” Tools help in identifying areas of interest By ruling out known code By identifying potential vulnerabilities Since a human is involved, expertise and scale are still issues
  • 12. #RSAC Automated Analysis “Run this tool and find the vulnerability” … and possibly generate an exploit... ...and possibly generate a patch Requires well-defined models for the vulnerabilities Can only detect the vulnerabilities that are modeled Can scale (not always!)
  • 13. #RSAC Automated Vulnerability Analysis An algorithm that takes as input a code artifact (source code, byte-code, binary code) and identifies potential vulnerabilities The Halting Problem: “the halting problem is the problem of determining, from a description of an arbitrary computer program and an input, whether the program will finish running or continue to run forever.” https://en.wikipedia.org/wiki/Halting_problem Alan Turing proved that a general algorithm does not exist
  • 14. #RSAC Types of Vulnerability Analysis Static Analysis A form of abstract interpretation Does not execute the code Dynamic Analysis A form of concrete interpretation Executes the code (or a model of it)
  • 15. #RSAC Static Analysis The goal of static analysis techniques is to characterize all possible run- time behaviors over all possible inputs without actually running the program Find possible bugs, or prove absence of certain kinds of vulnerabilities Static analysis has been around for a long while Type checkers, compilers Formal verification Challenges: soundness, precision, and scalability
  • 17. #RSAC P Actual run-time behaviors Soundness and Completeness Over-approximation (sound)
  • 18. #RSAC P Actual run-time behaviors Soundness and Completeness More precise over-approximation (sound)
  • 19. #RSAC P Actual run-time behaviors Soundness and Completeness Under-approximation (complete)
  • 20. #RSAC P Actual run-time behaviors Soundness and Completeness Unsound, incomplete analysis
  • 21. #RSAC Example Analyses Control-flow analysis: Find and reason about all possible control-flow transfers (sources and destinations) Data-flow analysis: Reason about how data flows at run-time (from sources to sinks) Data dependency analysis: Reason about how data influences other data Points-to analysis: Reason about what values can pointers take Alias analysis: Determine if two pointers might point to the same address Value -set analysis: Reason about what are all the possible values that variables can hold
  • 22. #RSAC Dynamic Analysis Dynamic approaches are very precise for particular environment and inputs You execute the code! However they provide no guarantee of coverage You evaluate only the part of a program that you exercise!
  • 23. #RSAC Example Analyses 23 Taint analysis Fuzzing Forward symbolic execution Concolic execution
  • 24. #RSAC Fuzzing Fuzzing is an automated procedure to send inputs and record safety condition violations as crashes Assumption: crashes are potentially exploitable Several dimensions in the fuzzing space How to supply inputs to the program under test? How to generate inputs? How to generate more “relevant” crashes? How to change inputs between runs? Goal: maximized effectiveness of the process
  • 27. #RSAC Fuzzing: American Fuzzy Lop Instrumentation-guided genetic fuzzer developed by Michael Zalewski The instrumentation collects information at branch points Supports the generation of inputs that improve coverage Inputs that bring new paths are considered more interesting and queued for further exploration Inputs are chosen and mutated Unique crashes are identified using branch analysis (instead of stack summaries)
  • 28. #RSAC Symbolic Execution: angr Framework for the analysis of binaries Supports a number of architectures x86 (32 and 64), MIPS, ARM, PPC, etc. http://angr.io https://github.com/angr angr@lists.cs.ucsb.edu
  • 29. #RSAC angr Components Static Analysis Routines Symbolic Execution Engine Control-Flow Graph Data-Flow Analysis Binary Loader Value-Set Analysis angr Forward Symbolic Execution Under-constrained SE
  • 30. #RSAC Symbolic Execution "How do I trigger path X or condition Y?” Dynamic analysis Input A? No. Input B? No. Input C? … Based on concrete inputs to application (Concrete) static analysis You can’t/You might be able to Based on various static techniques
  • 31. #RSAC Symbolic Execution "How do I trigger path X or condition Y?” Interpret the application Track "constraints" on variables When the required condition is triggered, "concretize" to obtain a possible input
  • 32. #RSAC Concretization Constraint solving Conversion from set of constraints to set of concrete values that satisfy them Constraints x >= 10 x < 100 x = 42Concretize
  • 33. #RSAC Example
        x = int(input())
        if x >= 10:
            if x < 100:
                vulnerable_code()
            else:
                func_a()
        else:
            func_b()
  • 34. #RSAC Example (same code as slide 33) State A: variables x = ???; constraints: none.
  • 35. #RSAC Example (same code as slide 33) State A: variables x = ???; constraints: none. State AA: variables x = ???; constraints: x < 10. State AB: variables x = ???; constraints: x >= 10.
  • 36. #RSAC Example (same code as slide 33) State AA: variables x = ???; constraints: x < 10. State AB: variables x = ???; constraints: x >= 10.
  • 37. #RSAC Example (same code as slide 33) State AA: variables x = ???; constraints: x < 10. State AB: variables x = ???; constraints: x >= 10. State ABA: variables x = ???; constraints: x >= 10, x < 100. State ABB: variables x = ???; constraints: x >= 10, x >= 100.
  • 38. #RSAC Example (same code as slide 33) State ABA: variables x = ???; constraints: x >= 10, x < 100. Concretized ABA: variables x = 99.
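The state forking and concretization walked through in slides 33-38, as an added Python example (not from the slides, and not angr code). It assumes a 32-bit range for x and uses an integer interval in place of a real constraint solver, which is enough because every constraint compares x with a constant; all function names are hypothetical.

```python
# Added illustration (not from the slides, not angr): a toy symbolic executor
# for the slide's one-variable program. Every constraint compares x with a
# constant, so an integer interval [lo, hi] stands in for a constraint solver.
INT_MIN, INT_MAX = -2**31, 2**31 - 1   # assumed 32-bit range for x

# The slide's program as a branch tree: ((op, const), then, else) or a leaf.
PROGRAM = ((">=", 10),
           (("<", 100), "vulnerable_code", "func_a"),
           "func_b")
NEGATE = {">=": "<", "<": ">="}
START = (INT_MIN, INT_MAX, ())          # State A: x unknown, no constraints

def constrain(state, op, k):
    """Add `x op k` to a state; return None if the path becomes infeasible."""
    lo, hi, path = state
    if op == ">=":
        lo = max(lo, k)
    else:                               # op == "<"
        hi = min(hi, k - 1)
    if lo > hi:
        return None
    return (lo, hi, path + (f"x {op} {k}",))

def explore(node=PROGRAM, state=START):
    """Fork the state at each branch; yield (leaf, state) per feasible path."""
    if isinstance(node, str):
        yield node, state
        return
    (op, k), then_node, else_node = node
    for branch_op, child in ((op, then_node), (NEGATE[op], else_node)):
        forked = constrain(state, branch_op, k)
        if forked is not None:
            yield from explore(child, forked)

def concretize(state):
    """Return one concrete x satisfying all constraints (any in [lo, hi])."""
    lo, hi, _ = state
    return hi

def inputs_reaching(target):
    """Path constraints and a concrete input for every path to `target`."""
    return [(s[2], concretize(s)) for leaf, s in explore() if leaf == target]

def run_concrete(x):
    """The slide's program run on a concrete value, to confirm a solution."""
    if x >= 10:
        return "vulnerable_code" if x < 100 else "func_a"
    return "func_b"
```

Calling inputs_reaching("vulnerable_code") yields the ABA constraints with x = 99, and run_concrete confirms that each concretized value follows the path it was solved for.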
  • 39. #RSAC Putting It All Together Fuzzing excels at producing general input Symbolic execution is able to satisfy complex path predicates for specific input Key insight: Combine both techniques to leverage their strengths and mitigate their weaknesses
  • 40. #RSAC Assisting Fuzzing with Symbolic Execution Fuzzing good at finding solutions for general input Symbolic Execution good at finding solutions for specific input
  • 43. #RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X” Dynamic Symbolic Execution !
  • 44. #RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X” Dynamic Symbolic Execution “CGC_MAGIC” New test cases generated
  • 45. #RSAC Driller “Cheap” fuzzing coverage Test Cases “Y” “X” Dynamic Symbolic Execution “CGC_MAGIC” New test cases generated “CGC_MAGICY”
  • 46. #RSAC Why Hacking? Vulnerability analysis can be used Offensively Defensively For fun (and profit) Hacking competitions have become a popular venue for the application of breakthrough techniques in vulnerability analysis DefCon CTF Pwn2Own
  • 47. #RSAC Many Competition Styles Challenge-based Should not be called “CTF”! Easy to organize Easy to scale Exclusively focused on attacking No real-time component Interactive, online CTFs Very difficult to organize Require substantial infrastructure Difficult to scale Focused on both attacking and defending in real time
  • 48. #RSAC Current Interactive, Online CTFs From ctftime.org: 100+ events listed Online attack-defense competitions: UCSB iCTF 13 editions RuCTF 5 editions FAUST 1 edition
  • 49. #RSAC The iCTF Framework Lessons learned from running iCTFs were the basis for building a framework The framework formalizes the structure of services and allows for the reuse of the infrastructure Available at: http://github.com/ucsb-seclab/ictf-framework http://ictf.cs.ucsb.edu/framework
  • 50. #RSAC CTFs Are Playgrounds… For people (hackers) For tools (attack, defense) But can they be used to advance science?
  • 52. #RSAC The DARPA Cyber Grand Challenge Programs!
  • 53. #RSAC The DARPA Cyber Grand Challenge
  • 54. #RSAC The DARPA Cyber Grand Challenge
  • 55. #RSAC The DARPA Cyber Grand Challenge CTF-style competition Autonomous Cyber-Reasoning Systems (CRS) attack and defend a number of services (binary programs) NO HUMAN IN THE LOOP A first qualification round decided who the 7 finalists are Qualification comes with a $750,000 cash prize The final event is scheduled for August 4, 2016 during DefCon The top team will receive a $2,000,000 cash prize
  • 57. #RSAC CGC Other Finalists CodeJitsu CSDS DeepRed disekt ForAllSecure TECHx
  • 58. #RSAC CGC Participant Systems CB: vulnerable program RB: patched program POV: exploit Cyber Reasoning System
  • 59. #RSAC The CGC Environment Binaries run on a custom OS, called DECREE Limited number of system calls A POV has to demonstrate the ability: To read a specific value from memory To set a register to a specific value Not all rules have been finalized
  • 60. #RSAC The Shellphish CRS: ShellWePlayAGame? CYBER GRAND CHALLENGE
  • 61. #RSAC The Shellphish CRS: ShellWePlayAGame? CB Proposed RBs Proposed POVs Autonomous vulnerability scanning Shellphish CRS Autonomous service resiliency PCAP Test cases POV RB Autonomous processing Autonomous patching
  • 62. #RSAC May the Best CRS Win! Patching cannot affect performance Patching cannot affect functionality When you are shooting blindfolded automatic weapons, it’s easy to shoot yourself in the foot...
  • 63. #RSAC Fostering Research in Automated Hacking The goal of the CGC is to foster the development of new attack and defense techniques that… Automatically identify and exploit vulnerabilities in binary programs Automatically patch vulnerabilities and provide functionally-equivalent yet secure versions of a vulnerable binary
  • 64. #RSAC What Does All This Mean to YOU? Novel automated analysis techniques will allow for The identification of vulnerabilities (and, possibly, backdoors) in binaries before they are deployed The patching of binaries on-the-fly without having to wait for vendors’ fixes Scale…
  • 65. #RSAC What Can I Do NOW? Use CTFs (or other security competitions) to foster computer education in your company The iCTF Framework is free, open, and can be used to create sophisticated attack-defense security competitions within your organization Familiarize yourself with vulnerability analysis tools and learn how to use them as an integral part of your development process After all…
  • 66. #RSAC Human + Machine = WIN! OMG, can’t do stairs?!?
  • 69. #RSAC The iCTF Architecture [Diagram labels: VPN Server; Team 1 (10.7.1.2), Team 2 (10.7.2.2), …, Team 21 (10.7.21.2), Team 22 (10.7.22.2), each with a Vulnerable Server and a VPN Gateway; Vulnerable Server 10.7.1.X; Team Interface, Scriptbot, Gamebot, Database, Scoreboard.] Scoreboard: shows the current scores to the teams. Team Interface: allows teams to register and submit flags. Database: stores the state of the competition. Scriptbot: runs the scripts to update flags and check for services. Gamebot: for each tick, schedules scripts and computes scores.
  • 70. #RSAC Example: Simple Overflows
        #include <string.h>

        int main(int argc, char** argv) {
            char buf[256];
            strcpy(buf, argv[1]);  /* no bounds check on argv[1] */
            return 0;
        }
    Simplest detection approach: grep for strcpy More rigorous: Determine data flow from command-line argument to strcpy’s parameter Determine size of source, destination buffers Model semantics of strcpy Check safety condition: len(argv[1]) < len(buf)
  • 73. #RSAC The UCSB iCTFs
        Year  Theme                             Teams
        2003  Open-Source Windows               7
        2004  UN Voting System                  15
        2004  Bass Tard Corporation             9
        2005  Spam Museum                       22
        2006  Hillbilly Bank                    25
        2007  Copyright Mafia                   36
        2008  Softerror.com Terrorist Network   39
        2009  Rise of the Botnet                57
        2010  Rogue Nation of Litya             73
        2011  Money Laundering                  89
        2012  SCADA Defense                     92
        2013  Nuclear Cyberwar                  123
        2014  Large-Scale Hacking               86
        2015  Crowdsourced Evil                 35
  • 74. #RSAC Branch Tracking The instrumentation collects information about which branches are taken The information is stored in a shared hash table A branch from a previous location to the current location triggers the instrumentation code:
        cur_location = <COMPILE_TIME_RANDOM>;
        shared_mem[cur_location ^ prev_location]++;
        prev_location = cur_location >> 1;
  • 75. #RSAC Branch Tracking
        cur_location = <COMPILE_TIME_RANDOM>;
        shared_mem[cur_location ^ prev_location]++;
        prev_location = cur_location >> 1;
    Note that the index in the hash is a combination of the previous and current location The size of the shared memory is 64K: big enough to avoid collisions, small enough to be fast and fit in memory caches The shift of the marker for the current location allows for distinguishing A->B from B->A and distinguishing A->A from B->B
  • 76. #RSAC Branch Tracking Branch tracking is a better metric for program exploration than plain basic block coverage Consider the following cases, where A, B, C, D, E are code blocks:
        A -> B -> C -> D -> E (tuples: AB, BC, CD, DE)
        A -> B -> D -> C -> E (tuples: AB, BD, DC, CE)
    The same amount of code is covered, but different paths are taken
  • 77. #RSAC Guiding Exploration AFL maintains a global map of all the paths observed in all the executions up to the current one When a mutated input file introduces tuples that were not observed before, the input file is queued for further processing Inputs that do not generate new transitions are discarded (even if the sequence has not been seen before)
  • 78. #RSAC Example
        #1: A -> B -> C -> D -> E
        #2: A -> B -> C -> A -> E (C->A, A->E are new)
        #3: A -> B -> C -> A -> B -> C -> A -> B -> C -> D -> E (no new tuples)
  • 79. #RSAC Counting Branches AFL keeps track of how many times a certain transition happens for each run Buckets: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+ If a particular input causes a transition to move between buckets, then the input is deemed interesting and queued for processing Buckets allow for emphasizing small changes (1 to 2) vs. not-so-relevant changes (67 to 70)
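The branch map, the shift and the hit-count buckets from the Branch Tracking, Guiding Exploration and Counting Branches slides, simulated in Python as an added example (not AFL's source and not from the slides). The block IDs are constructed stand-ins for <COMPILE_TIME_RANDOM>, and GlobalMap, classify and replay_slide_example are hypothetical names.

```python
# Added illustration (not AFL source): the slides' branch tracking in Python.
MAP_SIZE = 1 << 16                      # 64K-entry shared map, as on the slide
# Constructed block IDs standing in for <COMPILE_TIME_RANDOM>.
BLOCK_ID = {"A": 0x1A2B, "B": 0x3C4D, "C": 0x5E6F, "D": 0x7081, "E": 0x92A3}

def edge_index(prev_location, cur_location):
    """Map slot for one transition; prev_location is already shifted."""
    return (cur_location ^ prev_location) % MAP_SIZE

def trace(path):
    """Simulate one execution; return its hit counts as {slot: count}."""
    shared_mem, prev_location = {}, 0
    for block in path:
        cur_location = BLOCK_ID[block]
        slot = edge_index(prev_location, cur_location)
        shared_mem[slot] = shared_mem.get(slot, 0) + 1
        prev_location = cur_location >> 1   # shift: A->B != B->A, A->A != B->B
    return shared_mem

def bucket(count):
    """Bucket number for a hit count: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+."""
    for number, upper in enumerate((1, 2, 3, 7, 15, 31, 127)):
        if count <= upper:
            return number
    return 7

class GlobalMap:
    """Every (slot, bucket) pair observed over all executions so far."""
    def __init__(self):
        self.seen = set()

    def classify(self, path):
        """Return 'new tuple', 'new bucket' or 'discard'; then update the map."""
        hits = {(slot, bucket(n)) for slot, n in trace(path).items()}
        known_slots = {slot for slot, _ in self.seen}
        if any(slot not in known_slots for slot, _ in hits):
            verdict = "new tuple"
        elif hits - self.seen:
            verdict = "new bucket"
        else:
            verdict = "discard"
        self.seen |= hits
        return verdict

def replay_slide_example():
    """Verdicts for the three paths on the 'Example' slide, in order."""
    global_map = GlobalMap()
    return [global_map.classify(p)
            for p in ("ABCDE", "ABCAE", "ABCABCABCDE")]
```

Replaying the three paths shows that the third one adds no tuples, yet its loop takes A->B and B->C three times and C->A twice, so under the bucket rule it still registers as a hit-count change.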
  • 80. #RSAC Processing Input The interesting files (thousands) are added to the input queue Usually 10-30% from the discovery of new transitions The rest from changes in the hit count The input queue is analyzed so that a subset of the (best) files is marked as “favorite” The files cover all the tuples The files have lowest latency and size
  • 81. #RSAC Prioritizing the Inputs 1. Choose a tuple from the ones observed so far and put it in a set 2. Select the input that caused the shortest execution and has the smallest size 3. Add all the transitions observed for that execution to the set 4. If the set does not cover all the previously observed transitions, goto 1
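The four prioritization steps above, as an added Python example over a constructed queue (not AFL's source and not from the slides). It assumes the two criteria in step 2 are combined as execution time multiplied by size; the queue entries, tuple numbers and function names are hypothetical.

```python
# Added illustration (not AFL source) of the favorite-selection steps above.
# Constructed queue: name -> (exec time in us, size in bytes, tuples covered).
QUEUE = {
    "seed_a": (120, 40, {1, 2, 3}),
    "seed_b": (300, 200, {1, 2, 3, 4, 5}),   # widest coverage, slow and large
    "seed_c": (90, 30, {4}),
    "seed_d": (150, 50, {5, 6}),
    "seed_e": (100, 45, {2, 3}),             # covers nothing seed_a lacks
}

def cost(queue, name):
    """Assumed ranking: execution time x size, lower is better."""
    exec_us, size, _ = queue[name]
    return exec_us * size

def pick_favorites(queue):
    """Greedy cover: return the set of inputs marked as favorite."""
    uncovered = set().union(*(tuples for _, _, tuples in queue.values()))
    favorites = set()
    while uncovered:                                   # step 4: repeat
        tup = min(uncovered)                           # step 1: pick a tuple
        hitters = [n for n in queue if tup in queue[n][2]]
        best = min(hitters, key=lambda n: (cost(queue, n), n))   # step 2
        favorites.add(best)
        uncovered -= queue[best][2]                    # step 3
    return favorites

def covered_by(queue, names):
    """Union of the tuples exercised by the named inputs."""
    return set().union(*(queue[n][2] for n in names))
```

On this queue the favorites are seed_a, seed_c and seed_d: together they cover every tuple, while seed_b, the input with the widest coverage, is passed over because it is slow and large.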
  • 82. #RSAC Prioritizing the Inputs If there are new, yet-to-be-fuzzed favorites present in the queue, 99% of non-favored entries will be skipped to get to the favored ones If there are no new favorites: If the current non-favored entry was fuzzed before, it will be skipped 95% of the time If the current non-favored entry was not fuzzed before, the odds of skipping it are 75% These values are chosen to balance queue cycling and diversity
  • 83. #RSAC Fuzzing Strategies Sequential bit flips with varying lengths and stepovers Sequential addition and subtraction of small integers Sequential insertion of known interesting integers (0, 1, INT_MAX, etc.) Stacked bit flips, insertions, deletions, arithmetic operations, and splicing of different test cases It is also possible to provide dictionaries of known keywords to help in the fuzzing process