2018 Penn State Cybersecurity Competition

Introduction

Welcome to the 2018 Penn State Cybersecurity Competition, a security contest sponsored by NSA (National Security Agency)!

This competition is a 2-stage (i.e., two rounds) cyber competition on crash forensics against memory corruption attacks. Being different from existing Capture the Flag (CTF) competitions, which focus on skills such as reverse-engineering, network sniffing, and cryptanalysis, our competition focuses on software vulnerability identification. In other words, the skills required for this contest include memory forensics, and dynamic and static analysis of vulnerable programs.

The main goal of the competition is to serve as an educational exercise helping participants gain essential experience in finding security loopholes that may be found in commonly available software. In addition, the contest aims to attract a diverse population of students to the field of cybersecurity. The contest will produce a collection of core dumps attributable to real-world memory corruption attacks. We will make these core dumps publicly available as a resource to cybersecurity educators and researchers.

What is the 2018 Competition? When does it start/end?

The Competition consists of two stages:

Who is eligible to participate in the Competition?

The competition is open to all students: high school students, undergraduate students, and graduate students. Each individual who participates in the Competition must:

For more background information of this competition, see http://sites.psu.edu/nsacomptest

Prizes

First Prize: $5,000

Second Prize: $3,500

Third Prize: $1,500

Registration

Registration deadline: Feb 22, 2018

Online registration site: http://sites.psu.edu/nsacomptest/prelimroundov/registration/

Instructions for Stage I Participants

Helpdesk

If you have any questions, please do not hesitate to send emails to: s2istnsa@gmail.com

Preparation

First, you need to download VirtualBox from Download Page according to your host system.

Second, you need to install VirtualBox on your host system. You can refer to:

Third, you need to download S2ISTNSA.zip or S2ISTNSA.tar.xz, extract it, and double-click the file S2ISTNSA.vbox. The username and password are s2ist and s2ist, respectively. All the files related to the 7 problems are in the folder /home/s2ist/Challenges/. Please carefully read the README file in this folder before taking the next step.

NOTE:

  1. You can follow the instructions in Tip 1 to disable ASLR (Address Space Layout Randomization).
  2. Please refer to the Submission section before you submit your answers for each challenge.
  3. See Tip 4 to get the md5 value of a given file.

Challenges for Round I

Challenge 1: Generate a malicious input to print out “Welcome to overflow!”

Using the given vulnerable binary, the participants should generate a malicious input to get the following output: “Welcome to overflow!”. To make this challenge easier, the source code of the vulnerable binary is provided.

What should be submitted: a screenshot with the md5 of the given vulnerable binary, and the commands to get the desired output.

Challenge 2: Generate a malicious input to print out “Welcome to overflow!”

Using the given vulnerable binary, the participants should generate a malicious input to get the following output: “Welcome to overflow!”. To make this challenge easier, the source code of the vulnerable binary is provided.

What should be submitted: a screenshot with the md5 of the given vulnerable binary, and the commands to get the desired output.

Challenge 3: Craft a malicious input file and invoke a gedit window

Using the given vulnerable binary, generate a malicious input file to open a gedit window. To make this challenge easier, the source code of the vulnerable binary is provided.

Hint: Reference 2 is particularly helpful for this challenge.

What should be submitted: a screenshot with the md5 of the given vulnerable binary, and the commands to invoke a gedit window.

Challenge 4: Craft a malicious input file and invoke one command in source code

Using the given vulnerable binary, generate a malicious input file to execute a command hidden in the source code. To make this challenge easier, the source code of the vulnerable binary is provided.

Hint: Reference 3 is particularly helpful for this challenge.

What should be submitted: a screenshot with the md5, and the commands to invoke the command hidden in source code.

Challenge 5: Understand Core Dumps

Using the given post-crash core dump and the corresponding binary, answer the following four questions:

  1. What’s the magic number for the given core dump file?
  2. Can you show the program header table?
  3. What’s the content of address 0x8048010 (double word size) in the core dump?
  4. What’s the stack trace in the core dump?

Hint: Tip 2 and References 4, 5 and 6 are particularly helpful for this challenge.

What should be submitted: your answers for the 4 questions

Challenge 6: Find Root Cause of Vulnerability from Core Dumps

The following files are given: core dump (core), binary (gdb), and source code (gdb.tar.gz). Using these files, find the root cause for the crash (i.e., the buggy source code file and the corresponding line number).

Hint: References 7 and 8 are helpful in leveraging the stack traces. You could read Reference 9 to check the value of a program variable.

What should be submitted: File_name:line_number, for example, test.c:10.

Challenge 7: Find Root Cause of Vulnerability from Core Dumps

The following files are given: core dump (core), binary (latex2rtf), and source code (latex2rtf.tar.gz). Using these files, find the root cause for the crash (i.e., the buggy file and the corresponding line number).

Hint: References 7 and 8 are helpful in leveraging the stack traces. You could read Reference 9 to check the value of a program variable.

What should be submitted: File_name:line_number, for example, test.c:10.

Challenges for Round II

Challenge 8: More information from Core Dumps

In this challenge, we need your help to provide some detailed information of one software crash. To facilitate your analysis, we prepared one encrypted zip file that contains the following files:

We are expecting the following detailed information:

  1. What’s the ELF header of Core dump?
  2. What’s the File association of the crash? Please refer to Reference 6 for the definition of File association.
  3. What’s the start and end virtual address for libc-2.19.so?
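As an added example (not part of the competition materials), the following Python parser answers the first three Challenge 5 questions and the header and address-range questions of Challenge 8: it checks the ELF magic, decodes the ELF header and program header table, and maps a virtual address to its PT_LOAD segment to read a double word. It assumes a 32-bit little-endian core, as the 0x8048010 address suggests, and builds its own constructed sample core because the competition's dump is not on the page.

```python
import struct
PT_LOAD = 1   # program header type for a loadable (memory-image) segment

def build_sample_core():
    """Constructed 32-bit little-endian ET_CORE image with one PT_LOAD segment (not a real dump)."""
    seg = bytearray(0x20)
    struct.pack_into("<I", seg, 0x10, 0xDEADBEEF)        # dword we will look up at 0x8048010
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, little-endian, v1
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH",
        4, 3, 1,        # e_type=ET_CORE, e_machine=EM_386, e_version
        0, 52, 0,       # e_entry, e_phoff (table follows the 52-byte header), e_shoff
        0, 52, 32, 1,   # e_flags, e_ehsize, e_phentsize, e_phnum
        0, 0, 0)        # no section headers in a core file
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 52 + 32, 0x8048000, 0x8048000,
                       len(seg), len(seg), 5, 0x1000)  # offset, vaddr, paddr, filesz, memsz, r-x, align
    return bytes(ehdr + phdr + seg)

def parse_core(data):
    """Return (ELF header dict, program header table) after checking the magic number."""
    if data[:4] != b"\x7fELF":
        raise ValueError("bad ELF magic: %r" % data[:4])
    if data[4] != 1 or data[5] != 1:
        raise ValueError("this example only handles ELFCLASS32 little-endian cores")
    names = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff", "e_flags",
             "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")
    ehdr = dict(zip(names, struct.unpack_from("<HHIIIIIHHHHHH", data, 16)))
    ehdr["magic"] = data[:4].hex()
    pnames = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")
    phdrs = [dict(zip(pnames, struct.unpack_from("<IIIIIIII", data, ehdr["e_phoff"] + i * ehdr["e_phentsize"])))
             for i in range(ehdr["e_phnum"])]
    return ehdr, phdrs

def segment_for(phdrs, vaddr):
    """Return the PT_LOAD entry whose [p_vaddr, p_vaddr + p_memsz) range covers vaddr, else None."""
    for ph in phdrs:
        if ph["p_type"] == PT_LOAD and ph["p_vaddr"] <= vaddr < ph["p_vaddr"] + ph["p_memsz"]:
            return ph
    return None

def read_dword(data, phdrs, vaddr):
    """Translate a virtual address to a file offset via its segment and read a 32-bit word."""
    ph = segment_for(phdrs, vaddr)
    if ph is None or vaddr + 4 > ph["p_vaddr"] + ph["p_filesz"]:
        raise ValueError("0x%x is not backed by data in the dump" % vaddr)  # unmapped or zero-filled tail
    return struct.unpack_from("<I", data, ph["p_offset"] + (vaddr - ph["p_vaddr"]))[0]

if __name__ == "__main__":
    core = build_sample_core()
    ehdr, phdrs = parse_core(core)
    print(ehdr["magic"], ehdr["e_type"], ["0x%x-0x%x" % (p["p_vaddr"], p["p_vaddr"] + p["p_memsz"]) for p in phdrs])
    print("dword at 0x8048010 = 0x%08x" % read_dword(core, phdrs, 0x8048010))
```

On a real dump, pass the file's bytes to parse_core; the program header table it returns is the same one `readelf -l core` prints. The stack trace (question 4) still needs the debugger, as in Tip 2.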

Challenge 9: Locate Vulnerability from Software Crash

In this challenge, we need your help to locate the vulnerability behind a software crash. To facilitate your diagnosis, we provide one encrypted zip file that contains the following files:

We are expecting the following information:

Hints:

Challenge 10: Recover the Execution State before a Software Crash

In this challenge, we would like you to recover execution state before a software crash. More specifically, we want to know the execution state, including memory cells and registers, at each instruction executed before the crash. To help you as much as we can, we prepared one encrypted zip file that contains the following resources:

We would really like to know one thing:

Hints:

Challenge 11: Locate Vulnerability from Software Crash and Execution Trace

In this challenge, we ran into problems finding the vulnerability behind a software crash. Here, unfortunately, the source code of the software is unavailable. To facilitate your analysis, we tried our best but could only provide one encrypted zip file that contains the following items:

It will be greatly appreciated if you can share the following information with us:

Hints:

Submission

Online solution submission site: http://sites.psu.edu/nsacomptest/prelimroundov/submission-board/

Make sure that you include all of your solutions in a single file.

Tips

Tip 1

Q: How to turn off ASLR?
A: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Tip 2

Q: How to load a binary and its corresponding core dump in gdb?
A: gdb binary coredump

Tip 3

Q: How to find the vulnerable function that contributes to the corrupted object?
A: Traverse all the functions in the stack trace and figure out which function modifies the corrupted object into a bad state.

Tip 4

Q: How to get the MD5 value of a file?
A: md5sum filename

Tip 5

Q: How to easily feed input to the challenge programs?
A: Either of the following works:
  1. echo "XXX" > tmp ; ./challenge < tmp
  2. echo "XXX" | ./challenge
You can also use Python, Perl, or Ruby to generate your own payload directly and feed it to the challenge programs.

References

  1. Linux (x86) Exploit Development Series

  2. Classic Stack Based Buffer Overflow

  3. Integer Overflow

  4. ELF Format

  5. ELF Hello World Tutorial

  6. Coredump in Linux

  7. GDB Stacktrace

  8. Get stacktrace from coredump

  9. GDB Variables

  10. Anatomy of a Program in Memory

  11. x86 Instruction Set Reference

FAQs

http://sites.psu.edu/nsacomptest/faqs/