using machines to exploit machines
play

Using Machines to Exploit Machines Harnessing AI to Accelerate - PowerPoint PPT Presentation

Apr 25, 2023 •150 likes •731 views

Using Machines to Exploit Machines Harnessing AI to Accelerate Exploitation Guy Barnhart-Magen Ezra Caltum @barnhartguy @aCaltum Legal Notice and Disclaimers This presentation contains the general insights and opinions of its authors, Guy

  1. Using Machines to Exploit Machines Harnessing AI to Accelerate Exploitation Guy Barnhart-Magen Ezra Caltum @barnhartguy @aCaltum

  2. Legal Notice and Disclaimers This presentation contains the general insights and opinions of its authors, Guy Barnhart-Magen and Ezra Caltum. We are speaking on behalf of ourselves only, and the views and opinions contained in this presentation should not be attributed to our employer. The information in this presentation is provided for informational and educational purposes only and is not to be relied upon for any other purpose. Use at your own risk! We makes no representations or warranties regarding the accuracy or completeness of the information in this presentation. We accept no duty to update this presentation based on more current information. We disclaim all liability for any damages, direct or indirect, consequential or otherwise, that may arise, directly or indirectly, from the use or misuse of or reliance on the content of this presentation. No computer system can be absolutely secure. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. *Other names and brands may be claimed as the property of others. @barnhartguy @aCaltum

  3. $ ID Guy Barnhart-Magen Ezra Caltum @barnhartguy @acaltum BSidesTLV Chairman and CTF Lead BSidesTLV Co-Founder DC9723 Lead @barnhartguy @aCaltum

  5. OUR PROBLEM Fuzz Testing Literally thousands of crashes to analyze 1 (good problem to have?) @barnhartguy @aCaltum

  6. OUR PROBLEM Automation Might miss something important, but helps 2 Fuzz Testing reduce from thousands Literally thousands to hundreds of results of crashes to analyze 1 (good problem to have?) @barnhartguy @aCaltum

  7. OUR PROBLEM Manual Analysis Can only do a limited amount with limited 3 researchers time Automation Might miss something important, but helps 2 Fuzz Testing reduce from thousands Literally thousands to hundreds of results of crashes to analyze 1 (good problem to have?) @barnhartguy @aCaltum

  8. EFFORT BALANCE Build the Model @barnhartguy @aCaltum

  9. EFFORT BALANCE Gather Data Build the Model @barnhartguy @aCaltum

  10. EFFORT BALANCE Keep Good Data Build the Model @barnhartguy @aCaltum

  11. PROBLEM STATEMENT @barnhartguy @aCaltum

  12. PROBLEM STATEMENT What is Australia? @barnhartguy @aCaltum

  13. PROBLEM STATEMENT Can we create an ML model that can triage crashes and help us focus on the exploitable ones? (we got a lot of crashes from AFL) @barnhartguy @aCaltum

  14. REVISED PROBLEM STATEMENT Can we create an ML model that can outperform exploitable , based on the same data? it should perform at least as well as exploitable @barnhartguy @aCaltum

  15. FULL DISCLOSURE Limited dataset - but we tried anyway (no DL today) We want to focus on the methodology We can’t trust this results, but they are worth sharing @barnhartguy @aCaltum

  16. MACHINE LEARNING See our previous talks on hacking machine learning systems :-)

  17. WHAT IS MACHINE LEARNING? Data Feat. Math Pred. Data Ingestion Feature Extraction Model Fitting Predictions Normalizing and converting data Analyzing the data and Repeatedly trying to improve Given a never seen before to a canonical way for feature extracting the interesting model fit to the data observed datum, what does the model extraction features from it predict it to be @barnhartguy @aCaltum

  18. MACHINE LEARNING What it isn’t: ● Magic ● A solution to every problem ● Difficult or Complex ● One of the holy VC buzzwords: ○ Blockchain ○ Cyber ○ Zero Trust @barnhartguy @aCaltum

  19. THE DIFFERENCE BETWEEN ML AND AI If it is written in Python, it’s probably Machine Learning If it is written in PowerPoint, it’s probably AI @barnhartguy @aCaltum

  20. EXAMPLE @barnhartguy @aCaltum

  21. EXAMPLE Using Machines to Exploit Machines Harnessing AI to Accelerate Exploitation @barnhartguy @aCaltum

  22. Everyone Confuses “AI” with “ML” So do We Sorry @barnhartguy @aCaltum

  23. WHAT IS IT GOOD FOR? Finding patterns in a lot of data, patterns you did not expect (counter intuitive) @barnhartguy @aCaltum

  24. WHAT IS IT GOOD FOR? Finding patterns in a lot of data, patterns you did not expect (counter intuitive) Correlating different inputs you suspect are related somehow @barnhartguy @aCaltum

  25. WHAT IS IT GOOD FOR? Finding patterns in a lot of data, patterns you did not expect (counter intuitive) Correlating different inputs you suspect are related somehow Abstracting a problem and throwing it at an algorithm, hoping for the best (e.g. being lazy) @barnhartguy @aCaltum

  26. PREDICTIONS ML makes predictions based on previously seen data Your data quality is important! (data is not information) @barnhartguy @aCaltum

  27. WHAT DO YOU GET? How is this new sample I am testing now similar to all the other samples I’ve seen in the past? Testing - extracting and then comparing features against your model @barnhartguy @aCaltum

  28. Crash Triage

  29. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home @barnhartguy @aCaltum

  30. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home ● At first light in the morning (11:00) I drink a cup of coffee @barnhartguy @aCaltum

  31. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home ● At first light in the morning (11:00) I drink a cup of coffee ● I analyze the data from the crash dump with the help of a debugger @barnhartguy @aCaltum

  32. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home ● At first light in the morning (11:00) I drink a cup of coffee ● I analyze the data from the crash dump with the help of a debugger ● Based on my experience, and the output of some plugins, I classify the crashes as either exploitable or not @barnhartguy @aCaltum

  33. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home ● At first light in the morning (11:00) I drink a cup of coffee ● I analyze the data from the crash dump with the help of a debugger ● Based on my experience, and the output of some plugins, I classify the crashes as either exploitable or not ● I start developing a POC for the exploitable crashes. @barnhartguy @aCaltum

  34. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go No need for sleep for our AI overlords ➔ home ● At first light in the morning (11:00) I drink a No need for coffee for our AI overlords ➔ cup of coffee ● I analyze the data from the crash dump with ➔ Preprocessing phase prepares the data for the help of a debugger the ML analysis ● Based on my experience, and the output of ML analyzes the data, based on its ➔ some plugins, I classify the crashes as either experience (training data), emits predictions exploitable or not (human intuition or heuristics) ● I start developing a POC for the exploitable Human minions will develop a PoC for the ➔ crashes. overlords @barnhartguy @aCaltum

  35. Our Data Set

  36. DARPA CYBER GRAND CHALLENGE We have 632 test cases that we know are exploitable We ran exploitable against them and got: ● 607 were definitely exploitable ● 12 were probably exploitable ● 13 were unknown - the tool couldn’t reach a decision @barnhartguy @aCaltum

  37. SO, WHAT DOES A CRASH GIVE US? EAX, EBX, ECX, EDX - general purpose (values, addresses) ESP, EBP - Stack pointers ESI, EDI - Source and Destination Index (for string operations) EIP - Instruction pointer eflags - metadata (wasn’t actually useful at all, empty values) CS, SS, DS, ES, FS, GS - Segment registers Also a whole lot of other things which we didn't look at @barnhartguy @aCaltum

  38. OUR PROCESS Creating Crashes Crash Analysis Feature Extracting Running tests Analyzing the crash Converting the data against a ~600 dumps using collected from the exploitable , exploitable programs with known crashes, collecting the stack output to a collecting the crash and register values canonical dumps representation, extracting the features we cared about @barnhartguy @aCaltum

  39. PROBLEM Register values are discrete and unrelated to each other What can we learn from specific register values? @barnhartguy @aCaltum

  40. CLASSIFYING DATA We tried breaking the values of the registers into three groups: ● High address range (kernel) ● Low address range (userland) ● Values Bad results - data distribution not uniform :-( @barnhartguy @aCaltum

  41. BINNING Dividing the values to evenly spaced bins 10 bins total, evenly distributed between [min_val, max_val] This helps the model ignore specific values, and look at them as ranges Good results :-) @barnhartguy @aCaltum

  42. OneClassSVM Train your major class (609 records, EXPLOITABLE) Test your data against similarity to the model {-1,1} +1 = very similar to the model -1 = very not similar to the model @barnhartguy @aCaltum

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines: Virtual machine technology, often just called virtualization , makes one computer behave as several Running several operating systems simultaneously on

254 views • 10 slides
Finite State Machines (FSM) Chapter 8 State Machines Introduction State Machines Mealy and

Finite State Machines (FSM) Chapter 8 State Machines Introduction State Machines Mealy and

Finite State Machines (FSM) Chapter 8 State Machines Introduction State Machines Mealy and Moore Machines State Machines Synchronous & Asynchronous Systems State Diagrams Elements of Diagrams State Diagrams Properties State Diagrams

607 views • 33 slides
Vulnerable Machines with Ansible Nathaniel Beckstead whoami Nathaniel Beckstead Automation

Vulnerable Machines with Ansible Nathaniel Beckstead whoami Nathaniel Beckstead Automation

Vulnerable Machines with Ansible Nathaniel Beckstead whoami Nathaniel Beckstead Automation Infrastructure Tooling scriptingis.life 2 Why Vulnerable Machines? King of the Hill Practice Red team - scan and exploit Blue team

304 views • 18 slides
Kernel Machines Steven J Zeil Old Dominion Univ. Fall 2010 1 Support Vector Machines Kernel

Kernel Machines Steven J Zeil Old Dominion Univ. Fall 2010 1 Support Vector Machines Kernel

Support Vector Machines Kernel Machines Kernel Machines Steven J Zeil Old Dominion Univ. Fall 2010 1 Support Vector Machines Kernel Machines Kernel Machines Support Vector Machines 1 Optimal Separating HyperPlanes Soft Margin

368 views • 36 slides
Machines Murray Cole Machines 1 Machines 2 Implementing Systems Monitor, mouse, keyboard etc

Machines Murray Cole Machines 1 Machines 2 Implementing Systems Monitor, mouse, keyboard etc

I V N E U R S E I H T Y T O H F G R E U D I B N Machines Murray Cole Machines 1 Machines 2 Implementing Systems Monitor, mouse, keyboard etc are electrical devices which produce simple effects in response to simple

768 views • 19 slides
Finite State Machines (FSM) AKA Finite State Automat on State Machines Introduction State

Finite State Machines (FSM) AKA Finite State Automat on State Machines Introduction State

Finite State Machines (FSM) AKA Finite State Automat on State Machines Introduction State Machines Mealy and Moore Machines State Machines Synchronous & Asynchronous Systems State Diagrams Elements of Diagrams State Diagrams Properties

676 views • 33 slides
Kernel Machines Support Vector Machines 1 Kernel Machines Optimal Separating HyperPlanes Soft

Kernel Machines Support Vector Machines 1 Kernel Machines Optimal Separating HyperPlanes Soft

Support Vector Machines Kernel Machines Support Vector Machines Kernel Machines Kernel Machines Support Vector Machines 1 Kernel Machines Optimal Separating HyperPlanes Soft Margin HyperPlanes Steven J Zeil Kernel Machines 2 Old

655 views • 8 slides
? 17.10.2018 3 17.10.2018 4 Support Vector Machines (SVM): Background Support Vector Machines

? 17.10.2018 3 17.10.2018 4 Support Vector Machines (SVM): Background Support Vector Machines

INF3490 - Biologically inspired computing Support Vector Machines Support Vector Machines, Ensemble Learning, and Dimensionality (SVM) Reduction Weria Khaksar October 17, 2018 17.10.2018 2 Support Vector Machines (SVM): Background Support

579 views • 9 slides
MACHINES FOR METALWORKING Machines Genauigkeits Maschinenbau Nrnberg GmbH TPS MPS 2

MACHINES FOR METALWORKING Machines Genauigkeits Maschinenbau Nrnberg GmbH TPS MPS 2

Grinding MACHINES FOR METALWORKING Machines Genauigkeits Maschinenbau Nrnberg GmbH TPS MPS 2 R300DC MPS 1 MPS 2 R300DCHP (MPS 1 R125) MPS R400D MPS 2 (MPS 2 R220) MPS R700 MPS 2K MPS 2K R300 MPS 3H

313 views • 29 slides
Sparse Kernel Machines - SVM Henrik I. Christensen Robotics & Intelligent Machines @ GT

Sparse Kernel Machines - SVM Henrik I. Christensen Robotics & Intelligent Machines @ GT

Introduction Maximum Margin Multiple Classes Regression Example Summary Sparse Kernel Machines - SVM Henrik I. Christensen Robotics & Intelligent Machines @ GT Georgia Institute of Technology, Atlanta, GA 30332-0280 hic@cc.gatech.edu

596 views • 42 slides
Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi

Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi

Introduction Knowledge Tracing Encoding existing models Knowledge Tracing Machines Results Conclusion Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi Kashima KJMLW, February 22, 2019

698 views • 51 slides
STREAM FINISHING MACHINES STREAM FINISHING MACHINES Structure and function PERFEKTE OBERFLCHEN

STREAM FINISHING MACHINES STREAM FINISHING MACHINES Structure and function PERFEKTE OBERFLCHEN

STREAM FINISHING MACHINES STREAM FINISHING MACHINES Structure and function PERFEKTE OBERFLCHEN WELTWEIT | 2 STREAM FINISHING MACHINES (SF) Technique Workpieces are fixed in a holder and immersed in a rotating process container filled

481 views • 36 slides
WASH BAY MACHINES Objective To develop technological self-service wash bay machines capable of

WASH BAY MACHINES Objective To develop technological self-service wash bay machines capable of

WASH BAY MACHINES Objective To develop technological self-service wash bay machines capable of addressing all needs and requirements, with machines ranging from a single wash bay to large installations with eight wash bays. Two different Looks

165 views • 15 slides
Support Vector Machines (Ch. 18.9) SVM Basics Support Vector Machines (SVMs) try to do our

Support Vector Machines (Ch. 18.9) SVM Basics Support Vector Machines (SVMs) try to do our

Support Vector Machines (Ch. 18.9) SVM Basics Support Vector Machines (SVMs) try to do our normal linear classification (last few lectures), but with a couple of twists 1. Find the line in the middle of points with the largest gap (called

454 views • 32 slides
Virtual Machines Tom Goff & David Dufresne We have created virtual machines for both

Virtual Machines Tom Goff & David Dufresne We have created virtual machines for both

Motivation for using Virtual Machines Tom Goff & David Dufresne We have created virtual machines for both VirtualBox and Vmware Player. Both options are supported across several platforms, but experience says that some hardware plays

178 views • 5 slides
Turing Machines 9-0 Turing Machines Now for a machine model of much greater

Turing Machines 9-0 Turing Machines Now for a machine model of much greater

Griffith University 3130CIT Theory of Computation (Based on slides by Harald Sndergaard of The University of Melbourne) Turing Machines 9-0 Turing Machines Now for a machine model of much greater power. A

322 views • 14 slides
A Decidable Fragment in Separation Logic with Inductive Predicates and Arithmetic Quang Loc Le

A Decidable Fragment in Separation Logic with Inductive Predicates and Arithmetic Quang Loc Le

A Decidable Fragment in Separation Logic with Inductive Predicates and Arithmetic Quang Loc Le (TU) Makoto Tatsuta (NII) Jun Sun (SUTD) Wei-Ngan Chin (NUS) Computer Aided Verification, 29th International Conference Heidelberg Germany July

490 views • 21 slides
Geometric Representations 3D Graphics Motivation Geometric representation What do we want

Geometric Representations 3D Graphics Motivation Geometric representation What do we want

Geometric Representations 3D Graphics Motivation Geometric representation What do we want to do? empty space (typically 3 ) B geometric object B 3 Fundamental problem The Problem: d B infinite number of

954 views • 47 slides
Welcome! COMP2521 19T0 Data Structures + Algorithms COMP2521 19T0 lec01 cs2521@ jashankj@

Welcome! COMP2521 19T0 Data Structures + Algorithms COMP2521 19T0 lec01 cs2521@ jashankj@

COMP2521 19T0 lec01 cs2521@ jashankj@ Outline Syntax LLs Tools Welcome! COMP2521 19T0 Data Structures + Algorithms COMP2521 19T0 lec01 cs2521@ jashankj@ Outline Syntax LLs Tools COMP2521 19T0 Week 1, Tuesday: Hello, world!

1.63k views • 98 slides
LS1 Activities of the ATLAS Software Project Markus Elsing report at the PH-SFT group meeting

LS1 Activities of the ATLAS Software Project Markus Elsing report at the PH-SFT group meeting

LS1 Activities of the ATLAS Software Project Markus Elsing report at the PH-SFT group meeting December 9th, 2013 reconstructed event in Phase-2 tracker Introduction and Outline the challenges GRID CPU Consumption MC Simulation pileup

675 views • 40 slides
Introduction to Human-Computer Interaction Guest Lectures in the Course Software Engineering

Introduction to Human-Computer Interaction Guest Lectures in the Course Software Engineering

Introduction to Human-Computer Interaction Guest Lectures in the Course Software Engineering (D7025E) Matthias Kranz Department of Computer Science, Electrical and Space Engineering, Lule University of Technology, Sweden

1.57k views • 115 slides
+30 26510 98808, Fax: +30 26510 98890, URL: http://www.cs.uoi.gr/~faturu/

+30 26510 98808, Fax: +30 26510 98890, URL: http://www.cs.uoi.gr/~faturu/

s r

1.65k views • 124 slides
PICO: ASIC Synthesis from C Rob Schreiber Shail Aditya Bob Rau Vinod Kathail Scott Mahlke

PICO: ASIC Synthesis from C Rob Schreiber Shail Aditya Bob Rau Vinod Kathail Scott Mahlke

PICO: ASIC Synthesis from C Rob Schreiber Shail Aditya Bob Rau Vinod Kathail Scott Mahlke Darren Cronquist Mukund Sivaraman HP Labs, Palo Alto R. Schreiber MPsoc Workshop, July 2002 Outline What Can PICO Do for an SOC

604 views • 42 slides
Roles for Government Purchasers in Payment Reform Doug McKeever, Chief CalPERS Health Policy

Roles for Government Purchasers in Payment Reform Doug McKeever, Chief CalPERS Health Policy

Roles for Government Purchasers in Payment Reform Doug McKeever, Chief CalPERS Health Policy Research Division October 30, 2014 1 Roles for Government Purchasers in Payment Reform CalPERS Overview Nearly 1.4 million members More than

149 views • 13 slides

More recommend