A Dozen Years of Shellphish: From DEFCON to the DARPA Cyber Grand Challenge

Presented at 32C3 (2015), Dec. 29, 2015, 5:15 p.m. (60 minutes).

How we built an automatic exploitation system and qualified for the DARPA Cyber Grand Challenge. From a rag-tag hackademic group to getting money from DARPA for auto-exploiting and auto-patching. A tale of surfing, CTF-playing, and releasing an <a href="http://angr.io">angry binary-analysis framework</a> as <a href="https://github.com/angr/angr">open source</a> :) <p>Beside introducing <a href="http://shellphish.net">Shellphish</a>, we will explain how we qualified to the final round of the DARPA Cyber Grand Challenge. The CGC is a security competition played by programs. Yep, you read it right, your code must <strong>automatically exploit and patch binaries</strong>, without any human intervention! <p>In particular, we will show how our open source binary analysis framework (<a href="http://angr.io">angr</a>) can help you find vulnerabilities in binaries. <p>Shellphish is a group of security enthusiasts born in the University of California, Santa Barbara (UCSB) in 2004. Since then Shellphish played countless Capture the Flag (CTF) security competitions, <a href="https://www.defcon.org/html/links/dc-ctf-history.html">winning the DEFCON CTF finals in 2005</a>. <p>In 2015, Shellphish enrolled in the DARPA Cyber Grand Challenge (CGC). Differently from others security competitions, in which humans have to solve security challenges (such as exploiting binaries or web services), during the CGC participants have to <b>build an automatic system that plays for them</b>! In particular, teams have to build a system that is able to <em>automatically</em> find vulnerabilities in binaries, exploit them, and patch them, without any human intervention. <p>In this talk we will present the system we developed to participate in the CGC, our almost-million dollar baby :) Our system was able to score among the top 7 teams during the qualification event of the CGC, qualifying us for the final event (in August 2016 at Las Vegas), in which participants will compete against each other to win a first-place prize of 2 million dollars (and eternal bragging rights). <p>Part of the system we developed is based on <a href="http://angr.io">angr</a>, the open source binary analysis framework developed at UCSB.<br> During the talk we will demo angr, showing how it can be used to automatically find vulnerabilities in binaries.<br> In particular, we will first show how angr helped us during CGC and then how, more generally, it can be used to automatically solve binaries challenges proposed in recent CTF security competitions.

Presenters:

  • Antonio Bianchi
    He is a PhD student at UCSB (University of California, Santa Barbara), working, under the supervision of professors Christopher Kruegel and Giovanni Vigna, in the Computer Security Group (seclab). He worked on different projects about mobile security and he is also very interested in anything related to reverse engineering and low-level binary analysis. He played many different CTF security competitions as a member of the Shellphish hacking group, qualifying multiple times for the DEFCON CTF and, recently, for the DARPA Cyber Grand Challenge.
  • Jacopo Corbetta
    Developer, minimalist, safety nut. Researcher at the <a href="https://seclab.cs.ucsb.edu">UCSB Seclab</a>, I hack with <a href="https://twitter.com/shellphish_ctf">Shellphish</a> and for its <a href="https://twitter.com/UCSBiCTF">CTF</a>, and I'm a member of the team that qualified to the DARPA <a href="http://cybergrandchallenge.com">Cyber Grand Challenge</a> finals :) <p>Soon-to-graduate researcher in the <a href="https://seclab.cs.ucsb.edu">UCSB Computer Security Group</a>, I am passionate about defending users (and coders!) from exploits and bad practices in programming and on the web. In short, I want <i>programs</i> to behave how users and programmers <i>intend</i> them to. <p>I first worked on defending binaries via a fast-and-crazy 32-on-64 dynamic binary translation (DBT) system, then turned to the web to detect frauds and catch bad guys via their very own obfuscation shenanigans. I also cooperated in projects looking at how the Android UI opens the door to new (and horribly powerful) UI attacks on users, and I'm now looking at how HTTPS is deployed in practice and how this is sometimes failing even when the crypto is all-right. <p>I don't disdain working on attacks, though, in fact I was a major contributor to how we found the vulnerabilities that led us to qualify to the finals of the DARPA Cyber Grand Challenge, the fully-automated program-vs-program security competition. And, in case you're wondering, yes, we did get the money and we're adapting our system to participate in the finals next year :) <p>On the side, I was for many years a system and network administrator (even for UCSB's security lab itself), tasted wine and tons of good food, learned to love small things in life, and coded many random things -- like a ridiculously-popular Chrome extension, a visual editor for MediaWiki, and some software for a moon-ready hexapod robot. (Yep, you read that last one right :D)
  • Andrew Dutcher
    Undergraduate at the University of California Santa Barbara, researching computer security, especially type inference for binary analysis and binary patching. Really likes puns, ducks, and hats.

Links:

Similar Presentations: