HITCON X Playground - CRAX

CRAXAn Automatic Exploit Generating System

Lance Chen

Software Quality Laboratory, NCTU

Aug 21, 2014

Disclaimer

CRAX is not my personal project,but built by many members of the SQLab.

About me

Lance Chen

▶ MS in Computer Scienceand Engineering Instituteof NCTU

▶ A System and NetworkAdministrator in NCTUCSCC for four years

About SQLab

▶ Advisor: Prof. Shih-kun Huang▶ Current members:

▶ Ph.D student * 2▶ MS student * 8

▶ Central Idea: Bugs are Backdoors

How do you feel?

Figure 1: A) Rage

Figure 2: B) Excited...

Figure 3: A) Rage Figure 4: B) Excited...

Unclear relation between input and crashes

Symbolic Execution

x : X

PC : true

x : X

PC : X ≥ 0

x : X

PC : X < 0

x : X y : X+100

PC : (X ≥ 0) ∧ (X+100 = 2011)

x : X y : X+100

PC : (X ≥ 0) ∧ (X+100 ≠ 2011)

x : X y : X+100

PC : (X < 0) ∧ (X+100 = 2011)

x : X y : X+100

PC : (X < 0) ∧ (X+100 ≠ 2011)

Infeasible!

S2E

http://s2e.epfl.ch/

X86 Instructions

(32-bit)

TCG IRs

LLVM IRs (bitcode)

X86 Instructions

(64-bit)

KLEE (Symbolic execution)

CPU (Concrete execution)

QEMU

Exploit Generating Progress

▶ Symbolic data propagating and constraintscollecting

▶ process crashed and symbolic eip detected▶ Reasoning out exploit














MUST Live Demo

Good ol’ 90s - return to stack

FancyˆHˆHˆHˆHˆH protections

▶ ASLR▶ Non-executable stack

ROP for CRAX

Work In Progress

Questions?