2018 Penn State Cybersecurity Competition

Introduction

Welcome to the 2018 Penn State Cybersecurity Competition, a security contest sponsored by the NSA (National Security Agency)!

This competition is a two-stage (i.e., two-round) cyber competition on crash forensics against memory corruption attacks. Unlike existing Capture the Flag (CTF) competitions, which focus on skills such as reverse engineering, network sniffing, and cryptanalysis, this competition focuses on software vulnerability identification. In other words, the skills required for this contest are memory forensics and dynamic and static analysis of vulnerable programs.

The main goal of the competition is to serve as an educational exercise that helps participants gain essential experience in finding security loopholes in commonly available software. In addition, the contest aims to attract a diverse population of students to the field of cybersecurity. The contest will produce a collection of core dumps attributable to real-world memory corruption attacks. We will make these core dumps publicly available as a resource for cybersecurity educators and researchers.

What is the 2018 Competition? When does it start/end?

The Competition consists of two stages:

Who is eligible to participate in the Competition?

The competition is open to all students: high school students, undergraduate students, and graduate students. Each individual who participates in the Competition must:

For more background information on this competition, see http://sites.psu.edu/nsacomptest

Prizes

First Prize: $5,000

Second Prize: $3,500

Third Prize: $1,500

Registration

Registration deadline: Feb 22, 2018

Online registration site: http://sites.psu.edu/nsacomptest/prelimroundov/registration/

Instructions for Stage I Participants

Helpdesk

If you have any questions, please do not hesitate to send emails to: s2istnsa@gmail.com

Preparation

First, download VirtualBox from its download page, choosing the build for your host system.

Second, install VirtualBox on your host system. For installation instructions, refer to:

Third, download S2ISTNSA.zip or S2ISTNSA.tar.xz, extract it, and double-click the file S2ISTNSA.vbox. The username and password are both s2ist. All files for the 7 problems are in the folder /home/s2ist/Challenges/. Please read the README file in this folder carefully before taking the next step. Note that the VM uses a published default password, and if you disable ASLR as in Tip 1 the change is system-wide, so keep the VM's network adapter on NAT or host-only and do not expose it to untrusted networks.

NOTE:

  1. You can follow the instructions in Tip 1 to disable ASLR (Address Space Layout Randomization).
  2. Please refer to the Submission section before you submit your answers for each challenge.
  3. See Tip 4 to get the MD5 value of a given file.

Challenges

Challenge 1: Generate a malicious input to print out “Welcome to overflow!”

Using the given vulnerable binary, generate a malicious input that makes the program print “Welcome to overflow!”. To make this challenge easier, the source code of the vulnerable binary is provided.

What should be submitted: a screenshot showing the MD5 of the given vulnerable binary and the commands used to obtain the desired output.

Challenge 2: Generate a malicious input to print out “Welcome to overflow!”

Using the given vulnerable binary, generate a malicious input that makes the program print “Welcome to overflow!”. To make this challenge easier, the source code of the vulnerable binary is provided.

What should be submitted: a screenshot showing the MD5 of the given vulnerable binary and the commands used to obtain the desired output.
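The pattern behind challenges 1 and 2, shown as an added example that is not the competition's binary: an unbounded copy into a fixed-size buffer spills into the variable stored right after it, and the crafted input is the filler plus one non-zero byte. The struct, the field names, the 16-byte size and the greeting are assumptions made for this illustration; in the real binaries the compiler's stack frame decides what sits next to the buffer, which is what you read off the provided source and gdb.

```c
/* Added example, not the competition's binary: the pattern behind
 * challenges 1 and 2. An unbounded copy into a fixed-size buffer spills
 * into the variable stored right after it. A struct pins the layout
 * (buf at offset 0, authorized at offset 16); on the real binaries that
 * layout is decided by the compiler's stack frame. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
#define GREETING "Welcome to overflow!"

struct frame {
    char buf[BUF_LEN];        /* destination of the copy */
    volatile int authorized;  /* the variable the overflow reaches; volatile so the
                                 compiler re-reads it from memory after the copy
                                 instead of assuming it is still 0 */
};

/* Vulnerable primitive: copies until NUL with no length check (like strcpy/gets). */
static void unsafe_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Vulnerable handler. Returns 1 if the greeting fired. */
int vulnerable(const char *input)
{
    struct frame f;
    f.authorized = 0;
    unsafe_copy(f.buf, input);
    if (f.authorized) {
        puts(GREETING);
        return 1;
    }
    return 0;
}

/* Hardened handler: reject anything that does not fit together with its NUL. */
int hardened(const char *input)
{
    struct frame f;
    size_t n = strlen(input);
    f.authorized = 0;
    if (n >= sizeof f.buf)
        return 0;                /* refuse rather than truncate or overflow */
    memcpy(f.buf, input, n + 1);
    if (f.authorized) {
        puts(GREETING);
        return 1;
    }
    return 0;
}

/* Craft the malicious input: BUF_LEN filler bytes, then one non-zero byte that
 * lands inside `authorized` (its low byte on little-endian x86; any non-zero
 * byte anywhere in the int makes it non-zero). Returns the payload length,
 * or 0 if `out` is too small to hold it plus the terminating NUL. */
size_t craft_payload(char *out, size_t outlen)
{
    if (outlen < BUF_LEN + 2)
        return 0;
    memset(out, 'A', BUF_LEN);
    out[BUF_LEN] = 0x01;
    out[BUF_LEN + 1] = '\0';
    return BUF_LEN + 1;
}

int main(void)
{
    char payload[BUF_LEN + 2];
    craft_payload(payload, sizeof payload);
    printf("vulnerable(benign)  -> %d\n", vulnerable("hello"));
    printf("vulnerable(payload) -> %d\n", vulnerable(payload));
    printf("hardened(payload)   -> %d\n", hardened(payload));
    return 0;
}
```

The same payload can be written to a file with printf or python and fed to the challenge binary on stdin or as an argument, which is the command line the screenshot should show. The `volatile` is not part of the vulnerability; it only stops an optimizing compiler from hiding the overwrite, which is also why a bug that reproduces in a debug build may appear silent in a release build.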

Challenge 3: Craft a malicious input file and invoke a gedit window

Using the given vulnerable binary, generate a malicious input file that opens a gedit window. To make this challenge easier, the source code of the vulnerable binary is provided.

Hint: Reference 2 is particularly helpful for this challenge.

What should be submitted: a screenshot showing the MD5 of the given vulnerable binary and the commands used to invoke a gedit window.

Challenge 4: Craft a malicious input file and invoke one command in source code

Using the given vulnerable binary, generate a malicious input file that executes a command hidden in the source code. To make this challenge easier, the source code of the vulnerable binary is provided.

Hint: Reference 3 (integer overflow) is particularly helpful for this challenge.

What should be submitted: a screenshot showing the MD5 of the given vulnerable binary and the commands used to invoke the command hidden in the source code.
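The integer-overflow pattern that Reference 3 covers, as an added example that is not the competition's binary: a length prefix is bounds-checked with arithmetic that wraps, so an attacker-chosen length passes the check and the copy that follows runs past the buffer. The wire format (4-byte little-endian length, then payload, into a 64-byte buffer), the function names and the constants are assumptions made for this illustration; the vulnerable path returns the length it would have admitted instead of performing the copy, so the example runs without corrupting memory.

```c
/* Added example, not the competition's binary: an integer-overflow length
 * check. Wire format (constructed for this example): 4-byte little-endian
 * length, then payload bytes, copied into a BUF_CAP-byte buffer together
 * with the header. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEADER_LEN 4u
#define BUF_CAP    64u

uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: returns the payload length the flawed check admits, or -1.
 * `len + HEADER_LEN` is evaluated in uint32_t: for len = 0xFFFFFFFD the sum
 * wraps to 1, passes `<= BUF_CAP`, and the real code would then do
 * memcpy(buf, wire, len + HEADER_LEN) / read len bytes, far past the buffer. */
int64_t vulnerable_admit(const unsigned char *wire, size_t wirelen)
{
    if (wirelen < HEADER_LEN)
        return -1;
    uint32_t len   = read_le32(wire);
    uint32_t total = len + HEADER_LEN;     /* wraps modulo 2^32 */
    if (total > BUF_CAP)
        return -1;
    return (int64_t)len;                   /* copy omitted on purpose */
}

/* Hardened: compare without adding (so nothing can wrap) and also check the
 * declared length against the bytes actually received. Copies header plus
 * payload into `buf` and returns the payload length, or -1. */
int64_t hardened_copy(const unsigned char *wire, size_t wirelen,
                      unsigned char *buf, size_t bufcap)
{
    if (wirelen < HEADER_LEN || bufcap < HEADER_LEN)
        return -1;
    uint32_t len = read_le32(wire);
    if (len > bufcap - HEADER_LEN)         /* subtraction cannot wrap after the guard above */
        return -1;
    if (len > wirelen - HEADER_LEN)        /* declared more than received: over-read */
        return -1;
    memcpy(buf, wire, HEADER_LEN + len);
    return (int64_t)len;
}

/* Build a constructed message with a declared length and `payload_bytes`
 * bytes of filler; the two are deliberately allowed to disagree. Returns
 * the message size, or 0 if `out` is too small. */
size_t make_msg(unsigned char *out, size_t outlen, uint32_t declared, size_t payload_bytes)
{
    if (outlen < HEADER_LEN + payload_bytes)
        return 0;
    out[0] = (unsigned char)(declared);
    out[1] = (unsigned char)(declared >> 8);
    out[2] = (unsigned char)(declared >> 16);
    out[3] = (unsigned char)(declared >> 24);
    memset(out + HEADER_LEN, 'P', payload_bytes);
    return HEADER_LEN + payload_bytes;
}

int main(void)
{
    unsigned char wire[HEADER_LEN + 8], buf[BUF_CAP];
    size_t n = make_msg(wire, sizeof wire, 0xFFFFFFFDu, 8);
    printf("vulnerable admits %lld bytes\n", (long long)vulnerable_admit(wire, n));
    printf("hardened  admits %lld bytes\n", (long long)hardened_copy(wire, n, buf, sizeof buf));
    return 0;
}
```

When reading the challenge source, look for exactly this shape: a size taken from the input, an addition or multiplication on it before the comparison, and a copy or loop that uses the original value rather than the checked one. A signed length compared with `len > CAP` has the same problem via a negative value that becomes huge when converted to size_t.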

Challenge 5: Understand Core Dumps

Using the given post-crash core dump and the corresponding binary, answer the following four questions:

  1. What’s the magic number for the given core dump file?
  2. Can you show the program header table?
  3. What’s the content of address 0x8048010 (read as a double word, i.e. 4 bytes) in the core dump?
  4. What’s the stack trace in the core dump?

Hint: Tip 2 and References 4, 5 and 6 are particularly helpful for this challenge.

What should be submitted: your answers to the 4 questions
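The structure behind the four questions, as an added example that is not part of the competition materials: a small parser for an ELF32 core dump that checks the magic number, walks the program header table, and answers "what is at virtual address X" by translating the address to a file offset through the PT_LOAD entries, which is what readelf -h, readelf -l and gdb's x/wx do behind the scenes. The core image is constructed in memory (a real core is far larger and has more segments), the load address, segment sizes and the marker value are assumptions for this illustration, and a little-endian host is assumed, matching the 32-bit x86 core in the VM.

```c
/* Added example, not from the competition materials: parse a constructed
 * ELF32 core dump the way readelf and gdb do. Assumes a little-endian host. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPHDR      2
#define NOTE_OFF   (sizeof(Elf32_Ehdr) + NPHDR * sizeof(Elf32_Phdr))
#define NOTE_SIZE  8u
#define LOAD_OFF   (NOTE_OFF + NOTE_SIZE)
#define LOAD_VADDR 0x08048000u   /* usual base of a 32-bit non-PIE binary (assumed) */
#define LOAD_SIZE  32u
#define CORE_SIZE  (LOAD_OFF + LOAD_SIZE)
#define MARKER     0xdeadbeefu   /* arbitrary value planted at LOAD_VADDR + 0x10 */

static unsigned char core[CORE_SIZE];

/* Build the synthetic core: ELF header, PT_NOTE and PT_LOAD program headers,
 * note bytes, and one 32-byte dumped segment carrying MARKER at offset 0x10. */
void build_core(void)
{
    Elf32_Ehdr eh;
    Elf32_Phdr ph[NPHDR];
    uint32_t marker = MARKER;

    memset(core, 0, sizeof core);
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);      /* magic: 0x7f 'E' 'L' 'F' */
    eh.e_ident[EI_CLASS]   = ELFCLASS32;
    eh.e_ident[EI_DATA]    = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type      = ET_CORE;                 /* a core dump, not ET_EXEC */
    eh.e_machine   = EM_386;
    eh.e_version   = EV_CURRENT;
    eh.e_phoff     = sizeof(Elf32_Ehdr);
    eh.e_ehsize    = sizeof(Elf32_Ehdr);
    eh.e_phentsize = sizeof(Elf32_Phdr);
    eh.e_phnum     = NPHDR;
    memcpy(core, &eh, sizeof eh);

    memset(ph, 0, sizeof ph);
    ph[0].p_type = PT_NOTE; ph[0].p_offset = NOTE_OFF; ph[0].p_filesz = NOTE_SIZE;
    ph[1].p_type = PT_LOAD; ph[1].p_offset = LOAD_OFF; ph[1].p_vaddr = LOAD_VADDR;
    ph[1].p_filesz = LOAD_SIZE; ph[1].p_memsz = LOAD_SIZE; ph[1].p_flags = PF_R | PF_X;
    memcpy(core + eh.e_phoff, ph, sizeof ph);

    memcpy(core + LOAD_OFF + 0x10, &marker, sizeof marker);
}

/* Validate the header (questions 1 and 2). Returns 0 and fills *out, or a
 * negative code identifying the failed check. */
int parse_core(const unsigned char *img, size_t len, Elf32_Ehdr *out)
{
    Elf32_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);              /* memcpy: img need not be aligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return -2;   /* bad magic number */
    if (eh.e_ident[EI_CLASS] != ELFCLASS32) return -3;
    if (eh.e_type != ET_CORE) return -4;
    if (eh.e_phentsize != sizeof(Elf32_Phdr)) return -5;
    if (eh.e_phoff > len || (size_t)eh.e_phnum * eh.e_phentsize > len - eh.e_phoff) return -6;
    *out = eh;
    return 0;
}

/* Map a virtual address to a file offset via the PT_LOAD table (question 3).
 * Returns -1 if no dumped segment covers it. */
long vaddr_to_offset(const unsigned char *img, size_t len, uint32_t vaddr)
{
    Elf32_Ehdr eh;
    if (parse_core(img, len, &eh) != 0) return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf32_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        /* p_filesz, not p_memsz: bytes beyond p_filesz were not written to the core */
        if (vaddr >= ph.p_vaddr && vaddr - ph.p_vaddr < ph.p_filesz)
            return (long)(ph.p_offset + (vaddr - ph.p_vaddr));
    }
    return -1;
}

/* Equivalent of gdb's `x/wx vaddr` against the core alone: 0 on success. */
int read_dword(const unsigned char *img, size_t len, uint32_t vaddr, uint32_t *val)
{
    long off = vaddr_to_offset(img, len, vaddr);
    if (off < 0 || (size_t)off + sizeof *val > len) return -1;
    memcpy(val, img + off, sizeof *val);
    return 0;
}

int main(void)
{
    Elf32_Ehdr eh;
    uint32_t v;
    build_core();
    if (parse_core(core, sizeof core, &eh) == 0)
        printf("e_type=%u phnum=%u phoff=%u\n", eh.e_type, eh.e_phnum, eh.e_phoff);
    if (read_dword(core, sizeof core, LOAD_VADDR + 0x10, &v) == 0)
        printf("dword at 0x%08x = 0x%08x\n", LOAD_VADDR + 0x10, v);
    return 0;
}
```

Two caveats carry over to the real core. First, the kernel does not always dump file-backed segments in full, so a PT_LOAD entry may have p_filesz smaller than p_memsz (or zero); gdb then reads those bytes from the executable instead, which is why the challenge hands you the binary together with the core. Second, the stack trace (question 4) comes from the registers saved in the PT_NOTE segment (the NT_PRSTATUS note), combined with the stack pages in a PT_LOAD segment; there is no trace stored as such, gdb reconstructs it.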

Challenge 6: Find Root Cause of Vulnerability from Core Dumps

The following files are given: the core dump (core), the binary (gdb), and its source code (gdb.tar.gz). Using these files, find the root cause of the crash (i.e., the buggy source file and the corresponding line number). Note that the frame that crashed is not necessarily where the bug is; see Tip 3.

Hint: References 7 and 8 are helpful for working with the stack trace. See Reference 9 to check the value of a program variable.

What should be submitted: File_name:line_number, for example, test.c:10.

Challenge 7: Find Root Cause of Vulnerability from Core Dumps

The following files are given: the core dump (core), the binary (latex2rtf), and its source code (latex2rtf.tar.gz). Using these files, find the root cause of the crash (i.e., the buggy source file and the corresponding line number). As in Challenge 6, the crashing frame is often only the victim of a corruption that happened earlier; see Tip 3.

Hint: References 7 and 8 are helpful for working with the stack trace. See Reference 9 to check the value of a program variable.

What should be submitted: File_name:line_number, for example, test.c:10.

Submission

Online solution submission site: http://sites.psu.edu/nsacomptest/prelimroundov/submission-board/

Make sure that you include all of your solutions in a single file.

Tips

Tip 1

Q : How to turn off ASLR?
A : echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
This changes the setting for the whole system and is reset at reboot (the usual default is 2, full randomization). If you prefer not to change the global setting, running the binary under setarch with its -R flag disables randomization for that process only.

Tip 2

Q : How to use a binary and its corresponding core dump from gdb?
A : gdb binary coredump
Load both: gdb takes symbols and code from the binary and registers and memory from the core. The backtrace command at the (gdb) prompt then shows the stack trace at the moment of the crash.

Tip 3

Q : How to find the vulnerable function that contributed to the corrupted object?
A : Walk the functions in the stack trace, starting at the crashing frame and moving outward, and identify the one that moved the corrupted object into its bad state. The function that crashed is often only the consumer of the corruption, not its cause.

Tip 4

Q : How to get the MD5 value of a file?
A : md5sum filename

References

  1. Linux (x86) Exploit Development Series

  2. Classic Stack Based Buffer Overflow

  3. Integer Overflow

  4. ELF Format

  5. ELF Hello World Tutorial

  6. Coredump in Linux

  7. GDB Stacktrace

  8. Get stacktrace from coredump

  9. GDB Variables

  10. Anatomy of a Program in Memory

FAQs

http://sites.psu.edu/nsacomptest/faqs/