Industrial Bug Mining: Extracting, Grading and Enriching the Ore of Exploits (PowerPoint PPT Presentation)


1. Industrial Bug Mining: Extracting, Grading and Enriching the Ore of Exploits. Private & Confidential Property of COSEINC

2. The Bug Mining Analogy
• Phase 1: Extraction
• Phase 2: Grading
• Phase 3: Enrichment
• Phase 4: ???
• Phase 5: Profit!

3. The Bug Mining Analogy
• Phase 1: Extraction
• Phase 2: Grading
• Phase 3: Enrichment
• Phase 4: ???
• Phase 5: Profit!

4. Welcome to the Mt era
• 2009: We use 8 servers to build a virtualised fuzzfarm
  – Sustained testing speed: 30 t/s (2.5 Mt/day)
• April 2010: MS describe their 'fuzzing botnet'
  – "12 million iterations in a weekend" (6 Mt/day)
  – Now upwards of 10 Mt/d
• May 2010: Project MAN VERSUS BORG!!11! (Bugmine 2.0)
  – Same hardware, complete stripdown and rebuild
  – Test and optimise code / architecture at every step
  – Sustained testing speed: >= 1.12 Mt/h

5. Scale
1. Make each node faster by eliminating bottlenecks
  – network, disk, IO, serialisation, extraneous target code, node OS overhead…
  – You're not doing it right until the last bottleneck is CPU time spent on the real target code
2. When adding new nodes, scale as close to perfectly as possible

6. [Chart: x axis 8 to 80, y axis 0 to 350; axis labels not extracted]

7. [Chart: x axis 8 to 80, left y axis 0 to 350, right y axis 0 to 7; axis labels not extracted]

8. Building It
• Switch from ESXi to KVM
  – Real Linux, we know how to use it
  – Performance is apparently 'comparable'
• Move storage to a dedicated network
  – Open-iSCSI, 4 x 160GB SSD in RAID 0, 4 x GigE NIC
  – Oracle Cluster Filesystem (OCFS2) on top
• Optimise Harness
  – Ruby is slow anyway, but I removed the worst problems
• Optimise Fuzzbots
  – Kill explorer.exe for ~15% speedup?!
  – Don't open a brand new Office process every time

9. Building It
• Easier Provisioning
  – One fuzzbot template
  – Multiple "overlays" (aka "linked clones")
  – "Snapshot Mode" on top of that
  – Template changes and new rollouts happen in minutes.
• Easier and more powerful management
  – … assuming you like bash and ssh
• Total Software Cost $0 (using MSDN licenses)
• Total Hardware Cost ~ 30k USD
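The "one template, many overlays, snapshot mode on top" layout from the slide above, as an added example that is not COSEINC's provisioning code. It expresses the layout as the qemu-img and qemu command lines a KVM host would run: each bot is a thin qcow2 overlay whose backing file is the shared template, and the guest is booted with -snapshot so its writes are thrown away at exit. The paths, the fuzzbotNN naming scheme, the ide bus and the -F backing-format flag (qemu-img 5.x and later) are this example's assumptions.

```ruby
# Added example, not the presentation's tooling: plan the overlay images for
# a fuzzbot farm and the launch line that runs them in snapshot mode.
require 'shellwords'

def bot_path(dir, n)
  File.join(dir, format('fuzzbot%02d.qcow2', n))   # naming scheme is assumed
end

# One read-only template; every bot is a thin qcow2 overlay ("linked clone")
# whose backing file is the template. A new bot is a metadata write, not a
# disk copy, and a template change means rebuilding cheap overlays.
def overlay_argv(template, bot)
  ['qemu-img', 'create', '-f', 'qcow2', '-F', 'qcow2', '-b', template, bot]
end

# Snapshot mode: -snapshot diverts all guest writes into a temporary file
# that QEMU discards at exit, so the overlay never drifts and a bot that a
# crashing Office has trashed comes back clean on the next boot.
def launch_argv(bot, mem_mb: 1024)
  ['qemu-system-x86_64', '-enable-kvm', '-m', mem_mb.to_s, '-snapshot',
   '-drive', "file=#{bot},format=qcow2,if=ide", '-display', 'none']
end

# Plan (and, unless dry_run, execute) the overlays for `count` bots.
# Returns the argv list so it can be inspected, logged, or shipped over ssh.
def provision(template, dir, count, dry_run: true)
  plan = (1..count).map { |n| overlay_argv(template, bot_path(dir, n)) }
  unless dry_run
    plan.each { |argv| system(*argv) || raise("failed: #{argv.shelljoin}") }
  end
  plan
end

if __FILE__ == $PROGRAM_NAME
  provision('/srv/templates/office2007.qcow2', '/srv/bots', 3).each { |a| puts a.shelljoin }
  puts launch_argv(bot_path('/srv/bots', 1)).shelljoin
end
```

Rolling out a template change is then a matter of stopping the bots, deleting the overlays and calling provision again; nothing inside the overlays is worth keeping because snapshot mode never let them accumulate state.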

10.–13. [Slides with no extractable text]

14. Features
• Software "Hot swap"
• Tagged queues
• Any DB backend
• Any case producer frontend
• Everything scales horizontally
  – n producers, n distribution nodes etc etc

15. The Bug Mining Analogy
• Phase 1: Extraction
• Phase 2: Grading
• Phase 3: Enrichment
• Phase 4: ???
• Phase 5: Profit!

16. Bug Triage
• There is "exploitable" and EXPLOITABLE.
• !exploitable rocks, but not for this.
• Here are some examples from Word 2007 (X's will be removed for the show, just for fun)

17. head -15 summary.txt
=========SUMMARY===============
<none?>: 229
total: 59965
PROBABLY NOT EXPLOITABLE: 21409
UNKNOWN: 31013
PROBABLY EXPLOITABLE: 6032
EXPLOITABLE: 1282
621 Buckets. 373 unique EIPs.
<none?>: 1
EXPLOITABLE: 88
UNKNOWN: 336
PROBABLY NOT EXPLOITABLE: 86
PROBABLY EXPLOITABLE: 110
===============================
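How a summary like the one above is built from per-crash results, as an added example that is not the presentation's own tooling. The first block of the summary counts every crash by verdict; the second counts buckets, where a bucket is the !exploitable major.minor hash. The one-line record layout used here ("CLASS: title (Hash=major.minor)" followed by the eip= register line) is an assumption modelled on the bug-example slides that follow, not !exploitable's raw output, and the rule that a bucket takes the best verdict any of its crashes received is this example's choice. The seven records are constructed.

```ruby
# Added example, not the presentation's code: rebuild summary.txt from
# per-crash !exploitable results.

CLASSES = ['EXPLOITABLE', 'PROBABLY EXPLOITABLE', 'UNKNOWN',
           'PROBABLY NOT EXPLOITABLE'].freeze   # !exploitable verdicts, best first
NONE    = '<none?>'                             # record carrying no verdict line
RANK    = (CLASSES + [NONE]).each_with_index.to_h

Crash = Struct.new(:klass, :bucket, :eip)

# Constructed sample input: seven crash records, blank-line separated. The
# last one has no verdict because the debugger extension died before grading.
SAMPLE_RECORDS = <<~'EOS'
  EXPLOITABLE: Exploitable - User Mode Write AV starting at mso!Ordinal7111+0x1c (Hash=0x1111aaaa.0x2222bbbb)
  eip=30a12345 esp=001252e8 ebp=001252fc

  EXPLOITABLE: Exploitable - User Mode Write AV starting at mso!Ordinal7111+0x1c (Hash=0x1111aaaa.0x2222bbbb)
  eip=30a12345 esp=001252e8 ebp=001252fc

  PROBABLY EXPLOITABLE: Probably Exploitable - Read Access Violation on Control Flow starting at wwlib!wdGetApplicationObject+0x44 (Hash=0x3333cccc.0x4444dddd)
  eip=31b00010 esp=001210d0 ebp=00122140

  UNKNOWN: Unknown - Read Access Violation starting at wwlib!wdGetApplicationObject+0x44 (Hash=0x3333cccc.0x4444dddd)
  eip=31b00010 esp=001210d0 ebp=00122140

  PROBABLY NOT EXPLOITABLE: Read Access Violation near NULL starting at wwlib!DllGetLCID+0x9 (Hash=0x6666ffff.0x77770000)
  eip=3213a302 esp=01efa093 ebp=fff501f8

  EXPLOITABLE: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0 (Hash=0x01010101.0x01010101)
  eip=01010101 esp=00125320 ebp=00129724

  eip=deadbeef esp=0012f650 ebp=0000000d
EOS

# One record -> Crash. Lines that match neither pattern are ignored rather
# than fatal, because a few records per run are always half-written.
def parse_record(rec)
  klass, bucket, eip = NONE, nil, nil
  verdict = /\A(#{CLASSES.map { |c| Regexp.escape(c) }.join('|')}):.*\(Hash=(0x\h+\.0x\h+)\)/
  rec.each_line do |line|
    if (m = line.match(verdict))
      klass, bucket = m[1], m[2].downcase
    elsif (m = line.match(/\beip=(\h{8})/))
      eip = m[1].downcase
    end
  end
  Crash.new(klass, bucket, eip)
end

def parse_records(text)
  text.split(/\n[ \t]*\n/).reject { |r| r.strip.empty? }.map { |r| parse_record(r) }
end

# Per-crash counts, plus per-bucket counts where a bucket (major.minor hash)
# is graded by the best verdict any of its crashes received.
def summarise(crashes)
  per_crash = Hash.new(0)
  best = {}
  crashes.each do |c|
    per_crash[c.klass] += 1
    key = c.bucket || NONE
    best[key] = c.klass if best[key].nil? || RANK[c.klass] < RANK[best[key]]
  end
  per_bucket = Hash.new(0)
  best.each_value { |k| per_bucket[k] += 1 }
  { total: crashes.size, per_crash: per_crash, buckets: best.size,
    unique_eips: crashes.map(&:eip).compact.uniq.size, per_bucket: per_bucket }
end

def format_summary(s)
  order = [NONE] + CLASSES
  out = ['=========SUMMARY===============', "total: #{s[:total]}"]
  order.each { |k| out << "#{k}: #{s[:per_crash][k]}" if s[:per_crash].key?(k) }
  out << "#{s[:buckets]} Buckets. #{s[:unique_eips]} unique EIPs."
  order.each { |k| out << "#{k}: #{s[:per_bucket][k]}" if s[:per_bucket].key?(k) }
  (out << '===============================').join("\n")
end

puts format_summary(summarise(parse_records(SAMPLE_RECORDS))) if __FILE__ == $PROGRAM_NAME
```

Grading a bucket by its best crash is deliberate: one wobbly bug produces crashes with several verdicts, and the triage question is whether any of them is worth a human's time, so a bucket with one EXPLOITABLE and thirty UNKNOWN goes on the EXPLOITABLE pile.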

18. Bug Examples
--- 0xXXXXXXXX.0xXXXXXXXX (count: 4) ---
EXPLOITABLE: Exploitable - User Mode Write AV starting at mso!Ordinal7111+0xXXX (Hash=0xXXXXXXXX.0xXXXXXXXX)
XXXXXXXX 885e21  mov byte ptr [esi+21h],bl  ds:0023:32688488=c3
eax=c9330048 ebx=00000000 ecx=32688467 edx=00000000 esi=32688467 edi=00000000
eip=XXXXXXXX esp=001252e8 ebp=001252fc
Potentially overwrite a byte with null. Then what?

19. Bug Examples
--- 0xXXXXXXXX.0xXXXXXXXX (count: 29) ---
PROBABLY EXPLOITABLE: Probably Exploitable - Read Access Violation on Control Flow starting at wwlib!wdGetApplicationObject+0xXXXXX (Hash=0xXXXXXXXX.0xXXXXXXXX)
XXXXXXXX ff5028  call dword ptr [eax+28h]  ds:0023:00000029=????????
eax=00000001 ebx=00000000 ecx=022b6590 edx=00121b1c esi=001218b0 edi=06440000
eip=XXXXXXXX esp=001210d0 ebp=00122140
Only awesome if eax is controlled as a 32 bit value…

20. Bug Examples
--- 0xXXXXXXXX.0xXXXXXXXX (count: 1) ---
EXPLOITABLE: Exploitable - Read Access Violation on Control Flow starting at wwlib!FMain+0xXXXXX (Hash=0xXXXXXXXX.0xXXXXXXXX)
XXXXXXXX ff5004  call dword ptr [eax+4]  ds:0023:b4b4b4b8=????????
eax=b4b4b4b4 ebx=00000000 ecx=01f8cf6c edx=0012e6a8 esi=01f8cf6c edi=06e2366c
eip=XXXXXXXX esp=0012e674 ebp=0012e680
… like this

21. Bug Examples
--- 0xXXXXXXX.0xXXXXXXXX (count: 3) ---
PROBABLY NOT EXPLOITABLE: Read Access Violation near NULL starting at wwlib!DllGetLCID+0xXXX (Hash=XXXXXXXX.0xXXXXXXXX)
XXXXXXXX d7  xlat byte ptr [ebx]  ds:0023:00000000=??
eax=00120000 ebx=00000000 ecx=01efff68 edx=0012ca20 esi=01ef9568 edi=07971bec
eip=XXXXXXXX esp=01efa093 ebp=fff501f8
3213a302 xlat byte ptr [ebx]
3213a303 std
3213a304 fdivr st,st(5)
3213a306 fscale
!exploitable fail
(The tool sees ebx=0 and files it as a read near NULL, but the instruction stream is nonsense and esp is an odd, unaligned value: execution has already left real code, which is the interesting part.)

22. Bug Examples
eax=00000000 ebx=00000000 ecx=07a4e008 edx=07a4e440 esi=07a4e43c edi=00000003
eip=07a4e000 esp=0012f650 ebp=0000000d iopl=0  nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000  efl=00010246
07a4e000 0000  add byte ptr [eax],al  ds:0023:00000000=??
EVENT:DEBUG_EVENT_EXCEPTION e06d7363 Exception in winext\msec.dll.exploitable debugger extension.
PC: 7c812afb VA: 0006d098 R/W: 19930520 Parameter: 10026bfc
EPIC !exploitable fail
(eip is sitting in zero-filled memory and the extension itself died with a C++ exception, 0xe06d7363, before producing any verdict at all.)

23. Bug Examples
--- 0xXXXXXXXX.0xXXXXXXXX (count: 1) ---
EXPLOITABLE: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0
01010101 ??  ???
eax=06510000 ebx=0012dc14 ecx=064f56a8 edx=00000000 esi=001297cc edi=00000000
eip=01010101 esp=00125320 ebp=00129724
!exploitable needs a new 'KACHING' classification
But crashes that cool must be rare, right?

24. Not so much…
(crash count per faulting eip, as listed on the slide)
125 eip=00000000
 22 eip=00000001
  7 eip=00000002
  5 eip=00000003
  1 eip=00000007
  2 eip=00000008
  1 eip=0000000c
  4 eip=0000000e
  4 eip=00000014
  1 eip=00000015
  2 eip=00000067
  1 eip=0000006f
  1 eip=00000070
  1 eip=00000086
  2 eip=00000101
  1 eip=00000181
  1 eip=00000225
  2 eip=00000300
  2 eip=00000b33
  1 eip=00001571
  1 eip=00001733
  1 eip=0000671d
  2 eip=00006887
  1 eip=00008201
  9 eip=0000c084
  1 eip=0000da66
  1 eip=0000db01
  3 eip=00320031
  1 eip=00380032
 29 eip=004001b8
 20 eip=004002b8
  1 eip=0044002e
  1 eip=00510005
  1 eip=0061004c
  2 eip=00640072
  4 eip=00650069
  5 eip=00650074
  1 eip=00690046
  1 eip=00690053
  1 eip=006c0070
  1 eip=006e0065
  1 eip=006f002e
  2 eip=006f0068
  1 eip=0070006f
  1 eip=00720063
  2 eip=00740069
  1 eip=006e0065
  1 eip=006f002e
  2 eip=006f0068
  1 eip=0070006f
  1 eip=00720063
  2 eip=00740069
  4 eip=01010101
  1 eip=01040101
  1 eip=04000000
  4 eip=04010101
  1 eip=04030100
  4 eip=04850f49
  2 eip=04c25d5e
  1 eip=0a09007c
  2 eip=0f800000
  1 eip=14065a00
  1 eip=16010273
  1 eip=249f009a
  1 eip=277f00fa
228 eip=2a680531
  1 eip=40180000
  1 eip=42c2fea9
  1 eip=43003d00
  3 eip=458b50ff
  2 eip=507e8068
  2 eip=56ec8b55
  4 eip=575c302e
  1 eip=60010006
  2 eip=65747369
  2 eip=676e6964
  1 eip=6f6c6f43
  6 eip=776f6853
  1 eip=80000001
  1 eip=8bec8b55
  1 eip=90909090
  1 eip=b0202fd0
  4 eip=b4b4b4b4
357 eip=c13b0000
  1 eip=c240c033
  5 eip=c3321204
  5 eip=c3efa5c3
  1 eip=f7c88b08
  1 eip=f98b5733
  1 eip=ff010274
  2 eip=ff8f4aa3
  1 eip=ff8f4b29
  2 eip=ffffffff
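A second-opinion grader that looks only at the shape of the faulting eip, as an added example that is not the presentation's tooling. The listing above is the motivation: !exploitable's verdict is one input to triage, but the eip value itself often says more, and the patterns in that list are visible by eye (near-NULL values, a single byte repeated four times such as 01010101 or b4b4b4b4, UTF-16 text such as 006e0065, ASCII text such as 776f6853). The categories, the 0x10000 near-NULL threshold and the excerpt of the list fed to it are this example's assumptions; the counts and eip values in the excerpt are taken from the slide.

```ruby
# Added example, not the presentation's code: grade crashes by eip shape
# and roll a `uniq -c`-style eip listing up by grade.

PRINTABLE = (0x20..0x7e)

# The four bytes that sat in memory for this eip (x86 is little-endian).
def le_bytes(eip)
  [eip].pack('V').bytes
end

def grade_eip(hex)
  eip = hex.to_i(16)
  b = le_bytes(eip)
  if eip < 0x10000                      # threshold is an assumption
    { eip: hex, kind: :near_null,
      note: 'NULL plus a small offset: call/jmp through a pointer nobody set' }
  elsif b.uniq.size == 1
    { eip: hex, kind: :fill,
      note: format('fill byte 0x%02x repeated: the pointer was overwritten wholesale by input', b[0]) }
  elsif b[1].zero? && b[3].zero? && PRINTABLE.cover?(b[0]) && PRINTABLE.cover?(b[2])
    { eip: hex, kind: :utf16,
      note: "UTF-16 text #{[b[0], b[2]].pack('C*').inspect}: a wide string ran over a pointer" }
  elsif b.all? { |x| PRINTABLE.cover?(x) }
    { eip: hex, kind: :ascii,
      note: "ASCII text #{b.pack('C*').inspect}: a narrow string ran over a pointer" }
  else
    { eip: hex, kind: :address,
      note: 'plausible code/data address: needs a disassembly look, not a regex' }
  end
end

# Constructed excerpt of the slide's listing, in `sort | uniq -c` form.
EIP_LISTING = <<~'EOS'
    125 eip=00000000
     22 eip=00000001
      3 eip=00320031
      1 eip=006e0065
      4 eip=01010101
    228 eip=2a680531
      2 eip=65747369
      6 eip=776f6853
      1 eip=90909090
      4 eip=b4b4b4b4
    357 eip=c13b0000
EOS

# Roll the listing up by grade: crash count and the eips behind it.
def triage_listing(listing)
  by_kind = Hash.new { |h, k| h[k] = { crashes: 0, eips: [] } }
  listing.each_line do |line|
    next unless (m = line.match(/(\d+)\s+eip=(\h{8})/i))
    g = grade_eip(m[2].downcase)
    by_kind[g[:kind]][:crashes] += m[1].to_i
    by_kind[g[:kind]][:eips] << g[:eip]
  end
  by_kind
end

if __FILE__ == $PROGRAM_NAME
  triage_listing(EIP_LISTING).each do |kind, v|
    puts format('%-10s %5d crashes  %s', kind, v[:crashes], v[:eips].join(' '))
  end
end
```

The :fill and :ascii/:utf16 grades are the ones worth a human's time first: eip equal to the fill byte or to a fragment of a string from the input means the instruction pointer was overwritten wholesale, whatever !exploitable called the crash. The big :address buckets (c13b0000, 2a680531) are where a disassembly look is needed, and the near-NULL pile is usually a null object with a vtable call through it.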

25. The Bug Mining Analogy
• Phase 1: Extraction
• Phase 2: Grading
• Phase 3: Enrichment
• Phase 4: ???
• Phase 5: Profit!
