HITCON X Playground - CRAX
CRAX: An Automatic Exploit Generating System
Lance Chen
Software Quality Laboratory, NCTU
Aug 21, 2014
Disclaimer
CRAX is not my personal project; it was built by many members of SQLab.
About me
Lance Chen
▶ MS, Institute of Computer Science and Engineering, NCTU
▶ System and network administrator at NCTU CSCC for four years
About SQLab
▶ Advisor: Prof. Shih-kun Huang
▶ Current members:
▶ Ph.D. students: 2
▶ MS students: 8
▶ Central idea: Bugs are Backdoors
How do you feel?
Figure 1: A) Rage
Figure 2: B) Excited...
Unclear relation between input and crashes: a crash by itself does not tell you which input bytes reach the faulting instruction, or whether the crash can be turned into control of execution.
Symbolic Execution
Worked example from the slide. x is the only input and is made symbolic as X; PC is the path condition, the conjunction of the branch decisions taken so far. The branches are the ones implied by the path conditions: a test on x ≥ 0, then y = x + 100 and a test on y = 2011.

  start                     x : X                 PC : true
  branch on x ≥ 0           x : X                 PC : X ≥ 0
                            x : X                 PC : X < 0
  y = x + 100, branch on y = 2011
                            x : X   y : X+100     PC : (X ≥ 0) ∧ (X+100 = 2011)
                            x : X   y : X+100     PC : (X ≥ 0) ∧ (X+100 ≠ 2011)
                            x : X   y : X+100     PC : (X < 0) ∧ (X+100 = 2011)    Infeasible!
                            x : X   y : X+100     PC : (X < 0) ∧ (X+100 ≠ 2011)

The third leaf is infeasible because X+100 = 2011 forces X = 1911, which contradicts X < 0; the solver rejects that path and no input is generated for it. Each feasible leaf yields a concrete input (for example X = 1911 for the first) that drives the program down exactly that path.
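The tree above, run by a toy symbolic executor. This is an added example, not CRAX or S2E code: the program is assumed to be the one implied by the slide's path conditions (a test on x ≥ 0, then y = x + 100 and a test on y = 2011), X is assumed to be a 32-bit signed integer, and the "solver" is a small interval-plus-exclusion check that is sufficient for constraints on a single variable; a real engine such as KLEE hands the path condition to an SMT solver instead.

```python
# Added example (not CRAX or S2E code): a toy symbolic executor for the
# program implied by the slide's path conditions.  Assumed program:
#
#     x = input()            # the only input, made symbolic as X
#     if x >= 0: ... else: ...
#     y = x + 100
#     if y == 2011: ... else: ...
#
# Each branch forks the state; the path condition (PC) is the conjunction of
# the branch decisions taken so far.  A tiny interval/exclusion solver over a
# single 32-bit signed integer is enough to tell feasible paths from
# infeasible ones and to produce a concrete input for each feasible path.
from typing import List, Optional, Tuple

Constraint = Tuple[str, int]        # (op, c) means  X op c  with op in >=, <, ==, !=
INT_MIN, INT_MAX = -(1 << 31), (1 << 31) - 1   # assumed: X is a 32-bit signed int

SYMBOL = {">=": "≥", "<": "<", "==": "=", "!=": "≠"}


def render(pc: List[Constraint]) -> str:
    """Print a PC the way the slide does, e.g. '(X ≥ 0) ∧ (X = 1911)'."""
    return " ∧ ".join(f"(X {SYMBOL[op]} {c})" for op, c in pc) or "true"


def solve(pc: List[Constraint]) -> Optional[int]:
    """Return a concrete X satisfying every constraint in pc, or None when the
    conjunction is unsatisfiable (the path is infeasible)."""
    lo, hi = INT_MIN, INT_MAX
    excluded = set()
    for op, c in pc:
        if op == ">=":
            lo = max(lo, c)
        elif op == "<":
            hi = min(hi, c - 1)
        elif op == "==":
            lo, hi = max(lo, c), min(hi, c)
        elif op == "!=":
            excluded.add(c)
        else:
            raise ValueError(f"unsupported operator {op!r}")
    # With n excluded values, some value in [lo, lo + n] is allowed if it also
    # lies inside [lo, hi]; an empty range means lo > hi, i.e. infeasible.
    for v in range(lo, min(hi, lo + len(excluded)) + 1):
        if v not in excluded:
            return v
    return None


def explore() -> List[Tuple[List[Constraint], Optional[int]]]:
    """Fork at both branches and return (PC, witness) for every path.

    y = x + 100 stays symbolic as X + 100, so the test y == 2011 becomes the
    constraint X == 2011 - 100 on the input."""
    paths = []
    for first in ((">=", 0), ("<", 0)):            # if (x >= 0)
        y_offset = 100                             # y : X + 100
        for op in ("==", "!="):                    # if (y == 2011)
            pc = [first, (op, 2011 - y_offset)]
            paths.append((pc, solve(pc)))
    return paths


if __name__ == "__main__":
    for pc, witness in explore():
        status = "Infeasible!" if witness is None else f"feasible, e.g. X = {witness}"
        print(f"PC : {render(pc):<24} -> {status}")
```

The four paths come out in the slide's order; the third one, (X < 0) ∧ (X = 1911), has an empty interval and is reported infeasible, while each of the others gets a concrete input value that would drive the program down it.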
S2E
http://s2e.epfl.ch/
▶ The target runs unmodified inside QEMU; QEMU's dynamic binary translator lifts guest x86 instructions (32-bit) into TCG IRs.
▶ Concrete execution: TCG IRs are translated to host x86 instructions (64-bit) and run on the CPU, as in plain QEMU.
▶ Symbolic execution: when an instruction touches symbolic data, its TCG IRs are translated to LLVM IRs (bitcode) and interpreted by KLEE.
Exploit Generating Progress
▶ Symbolic data propagation and constraint collection: the input is marked symbolic and followed through the program, and a path condition is recorded at each branch
▶ Process crashes and a symbolic EIP is detected: the crash is worth pursuing only when the value loaded into EIP depends on the input
▶ Reasoning out the exploit: the solver is asked for concrete input bytes that satisfy the path condition and set EIP to the chosen target
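The three stages above, run end to end on a model of the "return to stack" demo target. This is an added example, not CRAX's code: the slides show no source for the target, so its stack layout is assumed (a 64-byte buffer, 4 bytes of saved EBP, then the saved return address, and a strcpy()-style copy of the whole input into the buffer); the buffer address 0xBFFFF100, the original return address bytes, and the stack being executable with no ASLR are assumptions, and the "shellcode" is a placeholder of int3 bytes rather than real code. Symbolic memory is modelled as a map from address to either a concrete byte or a tagged input byte ("in", i).

```python
# Added example (not CRAX code): symbolic propagation, symbolic-EIP detection
# and exploit reasoning on a model of the "return to stack" demo target.
# Assumed layout: 64-byte buffer, saved EBP, saved return address, and an
# unbounded copy of the input into the buffer.  No ASLR, executable stack.
from typing import Dict, List, Optional, Tuple, Union

BUF_ADDR = 0xBFFFF100                # assumed buffer address (no ASLR)
BUF_SIZE = 64
RET_OFF = BUF_SIZE + 4               # buffer, saved EBP, then the return address
ORIG_RET = [0x80, 0x84, 0x04, 0x08]  # assumed original return address bytes
SHELLCODE = b"\xcc" * 4              # placeholder for real shellcode (int3 x4)

Sym = Tuple[str, int]                # ("in", i): the i-th input byte, symbolic
Byte = Union[int, Sym]
Memory = Dict[int, Byte]


def initial_stack() -> Memory:
    """Stack before the copy: only the saved return address is concrete."""
    return {BUF_ADDR + RET_OFF + k: ORIG_RET[k] for k in range(4)}


def copy_input(mem: Memory, data: List[Byte]) -> None:
    """The bug: an unbounded copy into the 64-byte buffer."""
    for i, b in enumerate(data):
        mem[BUF_ADDR + i] = b


def load_eip(mem: Memory) -> List[Byte]:
    """What 'ret' loads into EIP: the 4 bytes at the saved return address."""
    return [mem[BUF_ADDR + RET_OFF + k] for k in range(4)]


# Stage 1: propagate symbolic data.  Every input byte is ("in", i).
def run_symbolic(input_len: int) -> List[Byte]:
    mem = initial_stack()
    copy_input(mem, [("in", i) for i in range(input_len)])
    return load_eip(mem)


# Stage 2: the crash is interesting only if EIP depends on the input.
def eip_is_symbolic(eip: List[Byte]) -> bool:
    return any(isinstance(b, tuple) for b in eip)


# Stage 3: reason out the exploit.  Constraints are 'input[i] == v'; the
# symbolic EIP bytes say which input offsets must hold the target address.
def reason_exploit(input_len: int, eip: List[Byte], shellcode: bytes) -> Tuple[bytes, int]:
    wanted: Dict[int, int] = {}

    def require(i: int, v: int) -> None:
        if wanted.get(i, v) != v:
            raise ValueError(f"conflicting constraints on input[{i}]")
        wanted[i] = v

    sled_len = BUF_SIZE - len(shellcode)
    target = BUF_ADDR + sled_len // 2           # return into the middle of the NOP sled
    for k, b in enumerate(eip):
        if not isinstance(b, tuple):
            raise ValueError(f"EIP byte {k} is not input-controlled")
        require(b[1], (target >> (8 * k)) & 0xFF)    # little-endian
    for i in range(sled_len):
        require(i, 0x90)                             # NOP sled
    for j, b in enumerate(shellcode):
        require(sled_len + j, b)
    payload = bytes(wanted.get(i, 0x41) for i in range(input_len))  # free bytes: 'A'
    return payload, target


def run_concrete(payload: bytes) -> int:
    """Replay the copy with concrete bytes and return the EIP value at 'ret'."""
    mem = initial_stack()
    copy_input(mem, list(payload))
    return int.from_bytes(bytes(load_eip(mem)), "little")


def generate_exploit(input_len: int, shellcode: bytes = SHELLCODE) -> Optional[Tuple[bytes, int]]:
    """Full pipeline; None when the run does not put input bytes into EIP."""
    eip = run_symbolic(input_len)
    if not eip_is_symbolic(eip):
        return None
    payload, target = reason_exploit(input_len, eip, shellcode)
    assert run_concrete(payload) == target       # replay check before claiming success
    return payload, target


if __name__ == "__main__":
    print("40-byte input:", generate_exploit(40))
    payload, target = generate_exploit(72)
    print(f"72-byte input: EIP -> {target:#x}, payload = {payload.hex()}")
```

A 40-byte input never reaches the return address, so EIP stays concrete and no exploit is attempted; a 72-byte input makes all four EIP bytes symbolic, and the reasoning step fixes input bytes 68..71 to the little-endian address of the sled and lays the sled and placeholder shellcode at the start of the buffer. An input of 69..71 bytes controls EIP only partially, and the example reports that as an error rather than emitting a payload that would crash somewhere unrelated.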
MUST Live Demo
Good ol’ 90s - return to stack
Fancy^H^H^H^H^H protections
▶ ASLR
▶ Non-executable stack
ROP for CRAX
Work In Progress
Questions?