industrial bug mining industrial bug mining
play

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and - PowerPoint PPT Presentation

Oct 17, 2023 •212 likes •591 views

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits the Ore of Exploits Private & Confidential Property of COSEINC The Bug Mining Analogy The Bug Mining Analogy Phase 1: Extraction Phase 2:

  1. Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits the Ore of Exploits Private & Confidential Property of COSEINC

  2. The Bug Mining Analogy The Bug Mining Analogy • Phase 1: Extraction • Phase 2: Grading • Phase 3: Enrichment • Phase 4: ??? • Phase 5: Profit! Private & Confidential Property of COSEINC

  3. The Bug Mining Analogy The Bug Mining Analogy • Phase 1: Extraction • Phase 2: Grading • Phase 3: Enrichment • Phase 4: ??? • Phase 5: Profit! Private & Confidential Property of COSEINC

  4. Welcome to the Mt era Welcome to the Mt era • 2009: We use 8 servers to build a virtualised fuzzfarm – Sustained testing speed: 30 t/s (2.5Mt / day ) / / • April 2010: MS describe their ‘fuzzing botnet’ – “12 million iterations in a weekend” (6Mt/day) 12 million iterations in a weekend (6Mt/day) – Now upwards of 10Mt/d • May 2010: Project MAN VERSUS BORG!!11! (Bugmine 2.0) – Same hardware, complete stripdown and rebuild – Test and optimise code / architecture at every step – Sustained testing speed: >= 1.12Mt/h g p / Private & Confidential Property of COSEINC

  5. Scale Scale 1. Make each node faster by eliminating bottlenecks network, disk, IO, serialisation, extraneous target – code, node OS overhead…. code node OS overhead You’re not doing it right until the last bottleneck is – CPU time spent on the real target code 2. When adding new nodes, scale as close to perfectly as possible Private & Confidential Property of COSEINC

  6. 350 300 250 200 150 100 50 0 8 16 24 32 40 48 56 64 72 80 Private & Confidential Property of COSEINC

  7. 350 7 300 6 250 5 200 4 150 3 100 2 50 1 0 0 8 16 24 32 40 48 56 64 72 80 Private & Confidential Property of COSEINC

  8. Building It Building It Switch from ESXi to KVM • – Real linux we know how use it Real linux, we know how use it – Performance is apparently ‘comparable’ Move storage to a dedicated network • – Open iSCSI, 4 x 160GB SSD in RAID 0, 4xGigE NIC p , , g – Oracle Cluster Filesystem (OCFS2) on top Optimise Harness • – Ruby is slow anyway, but I removed the worst problems Optimise Fuzzbots • – Kill explorer.exe for ~15% speedup?! – Don’t open a brand new Office process every time Private & Confidential Property of COSEINC

  9. Building It Building It • Easier Provisioning – One fuzzbot template One f bot template – Multiple “overlays” (aka “linked clones”) – “Snapshot Mode” on top of that – Template changes and new rollouts happen in minutes. T l t h d ll t h i i t • Easier and more powerful management – … assuming you like bash and ssh • Total Software Cost $0 (using MSDN licenses) • Total Hardware Cost ~ 30k USD • Total Hardware Cost ~ 30k USD Private & Confidential Property of COSEINC

  10. Private & Confidential Property of COSEINC

  11. Private & Confidential Property of COSEINC

  12. Private & Confidential Property of COSEINC

  13. Private & Confidential Property of COSEINC

  14. Features • Software “Hot swap” Software Hot swap • Tagged queues • Any DB backend b k d • Any case producer frontend • Everything scales horizontally – n producers, n distribution nodes etc etc Private & Confidential Property of COSEINC

  15. The Bug Mining Analogy The Bug Mining Analogy • Phase 1: Extraction • Phase 2: Grading • Phase 3: Enrichment • Phase 4: ??? • Phase 5: Profit! Private & Confidential Property of COSEINC

  16. Bug Triage Bug Triage • There is “exploitable” and EXPLOITABLE There is exploitable and EXPLOITABLE. • !exploitable rocks, but not for this. • Here are some examples from Word 2007 • Here are some examples from Word 2007 (X’s will be removed for the show, just for fun) Private & Confidential Property of COSEINC

  17. head ‐ 15 summary.txt head 15 summary.txt =========SUMMARY=============== <none?>: 229 total: 59965 PROBABLY NOT EXPLOITABLE: 21409 UNKNOWN: 31013 PROBABLY EXPLOITABLE: 6032 EXPLOITABLE: 1282 621 Buckets. 373 unique EIPs. <none?>: 1 EXPLOITABLE 88 EXPLOITABLE: 88 UNKNOWN: 336 PROBABLY NOT EXPLOITABLE: 86 PROBABLY EXPLOITABLE: 110 PROBABLY EXPLOITABLE: 110 =============================== Private & Confidential Property of COSEINC

  18. Bug Examples Bug Examples ‐‐‐ 0xXXXXXXXX.0xXXXXXXXX (count: 4) ‐‐‐ EXPLOITABLE: Exploitable ‐ User Mode Write AV starting at mso!Ordinal7111+0xXXX (Hash=0xXXXXXXXX.0xXXXXXXXX) XXXXXXX 885e21 mov byte ptr [esi+21h],bl ds:0023:32688488=c3 eax=c9330048 ebx=00000000 ecx=32688467 edx=00000000 esi=32688467 edi=00000000 eip=XXXXXXXX esp=001252e8 ebp=001252fc Potentially overwrite a byte with null. Then what? Private & Confidential Property of COSEINC

  19. Bug Examples Bug Examples ‐‐‐ 0xXXXXXXXX.0xXXXXXXXX (count: 29) ‐‐‐ PROBABLY EXPLOITABLE: Probably Exploitable ‐ Read Access Violation on Control Flow starting at wwlib!wdGetApplicationObject+0xXXXXX (Hash=0xXXXXXXXX.0xXXXXXXXX) XXXXXXXX ff5028 call dword ptr [eax+28h] ds:0023:00000029=???????? eax=00000001 ebx=00000000 ecx=022b6590 edx=00121b1c esi=001218b0 edi=06440000 eip=XXXXXXXX esp=001210d0 ebp=00122140 edi=06440000 eip=XXXXXXXX esp=001210d0 ebp=00122140 Only awesome if eax is controlled as a 32 bit value… Private & Confidential Property of COSEINC

  20. Bug Examples Bug Examples ‐‐‐ 0xXXXXXXXX.0xXXXXXXXX (count: 1) ‐‐‐ EXPLOITABLE: Exploitable ‐ Read Access Violation on Control Flow starting at wwlib!FMain+0xXXXXX (Hash=0xXXXXXXXX.0xXXXXXXXX) XXXXXXXX ff5004 call dword ptr [eax+4] ds:0023:b4b4b4b8=???????? eax=b4b4b4b4 ebx=00000000 ecx=01f8cf6c edx=0012e6a8 esi=01f8cf6c edi=06e2366c eip=XXXXXXXX esp=0012e674 ebp=0012e680 … like this Private & Confidential Property of COSEINC

  21. Bug Examples Bug Examples ‐‐‐ 0xXXXXXXX.0xXXXXXXXX (count: 3) ‐‐‐ PROBABLY NOT EXPLOITABLE R PROBABLY NOT EXPLOITABLE: Read Access Violation near NULL starting d A Vi l ti NULL t ti at wwlib!DllGetLCID+0xXXX (Hash=XXXXXXXX.0xXXXXXXXX) XXXXXXXX d7 xlat byte ptr [ebx] ds:0023:00000000=?? eax=00120000 ebx=00000000 ecx=01efff68 edx=0012ca20 esi=01ef9568 edi=07971bec eip=XXXXXXXX esp=01efa093 ebp=fff501f8 3213a302 xlat byte ptr [ebx] 3213a303 std 3213a304 fdivr st,st(5) ( ) 3213a306 fscale !exploitable fail Private & Confidential Property of COSEINC

  22. Bug Examples Bug Examples eax=00000000 ebx=00000000 ecx=07a4e008 edx=07a4e440 esi=07a4e43c edi=00000003 eip=07a4e000 esp=0012f650 p p ebp=0000000d iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 07a4e000 0000 add byte ptr [eax] al 07a4e000 0000 add byte ptr [eax],al ds:0023:00000000=?? EVENT:DEBUG_EVENT_EXCEPTION e06d7363 Exception in winext\msec.dll.exploitable debugger p \ p gg extension. PC: 7c812afb VA: 0006d098 R/W: 19930520 Parameter: 10026bfc EPIC !exploitable fail Private & Confidential Property of COSEINC

  23. Bug Examples Bug Examples ‐‐‐ 0xXXXXXXXX.0xXXXXXXXX (count: 1) ‐‐‐ EXPLOITABLE: Exploitable ‐ Read Access Violation at the p Instruction Pointer starting at Unknown Symbol @ 0x0 01010101 ?? ??? eax=06510000 ebx=0012dc14 ecx=064f56a8 edx=00000000 esi=001297cc edi=00000000 eip=01010101 esp=00125320 ebp=00129724 edi 00000000 eip 01010101 esp 00125320 ebp 00129724 !exploitable needs a new ‘KACHING’ classification But crashes that cool must be rare, right? Private & Confidential Property of COSEINC

  24. Not so much… Not so much… 125 eip=00000000 29 eip=004001b8 2 eip=04c25d5e 1 eip=f7c88b08 22 eip=00000001 20 eip=004002b8 1 eip=0a09007c 1 eip=f98b5733 7 eip=00000002 1 eip=0044002e 2 eip=0f800000 1 eip=ff010274 5 eip=00000003 p 1 eip=00510005 p 1 eip=14065a00 p 2 eip=ff8f4aa3 p 1 eip=00000007 1 eip=0061004c 1 eip=16010273 1 eip=ff8f4b29 2 eip=00000008 2 eip=00640072 1 eip=249f009a 2 eip=ffffffff 1 eip=0000000c 4 eip=00650069 1 eip=277f00fa 4 eip=0000000e 5 eip=00650074 228 eip=2a680531 4 eip=00000014 1 eip=00690046 1 eip=40180000 1 eip=00000015 1 eip=00690053 1 eip=42c2fea9 2 eip=00000067 1 eip=006c0070 1 eip=43003d00 1 eip=0000006f p 1 eip=006e0065 p 3 eip=458b50ff p 1 eip=00000070 1 eip=006f002e 2 eip=507e8068 1 eip=00000086 2 eip=006f0068 2 eip=56ec8b55 2 eip=00000101 1 eip=0070006f 4 eip=575c302e 1 eip=00000181 1 eip=00720063 1 eip=60010006 1 eip=00000225 2 eip=00740069 2 eip=65747369 2 eip=00000300 1 eip=006e0065 2 eip=676e6964 2 eip=00000b33 1 eip=006f002e 1 eip=6f6c6f43 1 eip=00001571 2 eip=006f0068 6 eip=776f6853 1 eip=00001733 1 eip=0070006f 1 eip=80000001 1 eip=0000671d 1 eip=00720063 1 eip=8bec8b55 2 eip=00006887 2 eip=00740069 1 eip=90909090 1 eip=00008201 4 eip=01010101 1 eip=b0202fd0 9 eip=0000c084 1 eip=01040101 4 eip=b4b4b4b4 1 eip=0000da66 1 eip=04000000 357 eip=c13b0000 1 eip=0000db01 4 eip=04010101 1 eip=c240c033 3 eip=00320031 1 eip=04030100 5 eip=c3321204 1 eip=00380032 4 eip=04850f49 5 eip=c3efa5c3 Private & Confidential Property of COSEINC

  25. The Bug Mining Analogy The Bug Mining Analogy • Phase 1: Extraction • Phase 2: Grading • Phase 3: Enrichment • Phase 4: ??? • Phase 5: Profit! Private & Confidential Property of COSEINC

Recommend

A Random History of Mining A Random History of Mining (And thus the industrial revolution) (And

A Random History of Mining A Random History of Mining (And thus the industrial revolution) (And

A Random History of Mining A Random History of Mining (And thus the industrial revolution) (And thus the industrial revolution) Matthew Dockrey A Day That Will Live In Infamy, 2009 The Neolithic The Neolithic Flint, Obsidian, Chert,

759 views • 32 slides
Solutions for industrial applications: Industries : Oil &amp; Gas, Petrochemical, Mining,

Solutions for industrial applications: Industries : Oil &amp; Gas, Petrochemical, Mining,

Solutions for industrial applications: Industries : Oil &amp; Gas, Petrochemical, Mining, Steel, Chemical, Cement, Pulp &amp; Paper, Food Environment: Decommissioning, Decontamination, Radiation detection Technical advice and

741 views • 16 slides
Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

What is Web Mining? Wh t i W b Mi i What is Web Mining? Wh t i W b Mi i ? ? Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques to automat cally d scover and extract nformat on automatically

774 views • 20 slides
Web Mining Web Mining Web mining is the use of data mining techniques to automatically

Web Mining Web Mining Web mining is the use of data mining techniques to automatically

What is Web Mining? What is Web Mining? Web Mining Web Mining Web mining is the use of data mining techniques to automatically discover and extract information from Web documents/services (Etzioni, 1996, CACM 39(11)) Web mining aims to

566 views • 22 slides
Outdoor-, Industrial-, Military Market Industrial &amp; Harsh Environment (HE) Typical

Outdoor-, Industrial-, Military Market Industrial &amp; Harsh Environment (HE) Typical

Outdoor-, Industrial-, Military Market Industrial &amp; Harsh Environment (HE) Typical applications: 1. Antenna 2. Avionics/Space 3. Mining 4. Solar plant 5. Industry 6. Wind farm 2 CONFIDENTI 7. Oil/Gas 8. Container terminal 9.

358 views • 33 slides
Interim Results FY 2020 TransenseTechnologies plc Sensor systems for the industrial, mining and

Interim Results FY 2020 TransenseTechnologies plc Sensor systems for the industrial, mining and

Interim Results FY 2020 TransenseTechnologies plc Sensor systems for the industrial, mining and transportation markets Tyre management solutions for off-the-road Surface Acoustic Wave (SAW) technology (OTR) and commercial vehicles

622 views • 20 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
An overview of fibre crop cultivation and multi-product value chains for post-mining industrial

An overview of fibre crop cultivation and multi-product value chains for post-mining industrial

An overview of fibre crop cultivation and multi-product value chains for post-mining industrial development CENTRE FOR BIOPROCESS ENGINEERING RESEARCH STL Harrison, S Rumjeet, X Mabasa, M Solomon, B Verster MINERALS TO METALS INITIATIVE JL

495 views • 23 slides
2019 PNG Industrial &amp; Mining Resources Exhibition Paladin Presentation Community Engagement

2019 PNG Industrial &amp; Mining Resources Exhibition Paladin Presentation Community Engagement

2019 PNG Industrial &amp; Mining Resources Exhibition Paladin Presentation Community Engagement Creating a Social License to Operate Ian Stewart Director, Paladin Introduction Local Village insights Community Engagement Issues

182 views • 14 slides
Web Mining Web Mining to automatically discover and extract information from Web

Web Mining Web Mining to automatically discover and extract information from Web

What is Web Mining? What is Web Mining? Web mining is the use of data mining techniques Web Mining Web Mining to automatically discover and extract information from Web documents/services (Etzioni, 1996, CACM 39(11)) (another definition:

287 views • 15 slides
Web Mining Web Mining to automatically discover and extract information from Web

Web Mining Web Mining to automatically discover and extract information from Web

What is Web Mining? What is Web Mining? Web mining is the use of data mining techniques Web Mining Web Mining to automatically discover and extract information from Web documents/services (Etzioni, 1996, CACM 39(11)) 1 2 The Web The Web

468 views • 23 slides
Introduction to Web Mining What is Web Mining? Discovering useful information from the

Introduction to Web Mining What is Web Mining? Discovering useful information from the

CS 345A Data Mining Lecture 1 Introduction to Web Mining What is Web Mining? Discovering useful information from the World-Wide Web and its usage patterns Web Mining v. Data Mining Structure (or lack of it) Textual information and

744 views • 31 slides
INDUSTRIAL STRATEGY November 2012 Why do we need industrial strategy Industrial strategy

INDUSTRIAL STRATEGY November 2012 Why do we need industrial strategy Industrial strategy

INDUSTRIAL STRATEGY November 2012 Why do we need industrial strategy Industrial strategy activity The Heseltine Review 2 Structural changes in the international economy will impact the UK Globalisation and rise of BRICS are changing

748 views • 12 slides
Developing plant fibre - based products for industrial sectors Maya Jacob John Chemicals Cluster

Developing plant fibre - based products for industrial sectors Maya Jacob John Chemicals Cluster

Developing plant fibre - based products for industrial sectors Maya Jacob John Chemicals Cluster CSIR Port Elizabeth Driving Post-Mining Industrial Development through Fibrous Multi-Product Value Chains May 24th, 2018 1 Contents

525 views • 38 slides
1 The Second Industrial Revolution (cont.) In the Second Industrial Revolution there was

1 The Second Industrial Revolution (cont.) In the Second Industrial Revolution there was

The Second Industrial Revolution In Western Europe, the introduction of electricity, chemicals, and petroleum triggered the Second Industrial Revolution, and a world economy began to develop. 1 The Second Industrial Revolution (cont.) In

438 views • 5 slides
PPS SERVICING CAPABILITY 3/11/2019 About PPS Servicing We are professional in mining processing

PPS SERVICING CAPABILITY 3/11/2019 About PPS Servicing We are professional in mining processing

Engineering Design SMP Construction Mining Maintenance and Shutdown Service Industrial Coating PPS SERVICING CAPABILITY 3/11/2019 About PPS Servicing We are professional in mining processing plants construction, maintenance and shutdown

90 views • 8 slides
93 Years doing Mining Maintenance COMPANY / v.- INSTALLED CAPACITY BAILAC TEAM 1.550 people

93 Years doing Mining Maintenance COMPANY / v.- INSTALLED CAPACITY BAILAC TEAM 1.550 people

COMPANY / iv.- INDUSTRIAL EXPERIENCE 93 Years doing Mining Maintenance COMPANY / v.- INSTALLED CAPACITY BAILAC TEAM 1.550 people around the globe Pic: Team Bailac Caserones - COMPANY / iv.- INDUSTRIAL EXPERIENCE Los Pelambres Los

616 views • 22 slides
Frequent Pattern Mining Frequent Sequence Mining Frequent Tree Mining Christian Borgelt

Frequent Pattern Mining Frequent Sequence Mining Frequent Tree Mining Christian Borgelt

Overview Frequent Pattern Mining comprises Frequent Item Set Mining and Association Rule Induction Frequent Pattern Mining Frequent Sequence Mining Frequent Tree Mining Christian Borgelt Frequent Graph Mining Dept. of Mathematics

1.52k views • 135 slides
DATA MINING LECTURE 1 Introduction What is data mining? After years of data mining there is

DATA MINING LECTURE 1 Introduction What is data mining? After years of data mining there is

DATA MINING LECTURE 1 Introduction What is data mining? After years of data mining there is still no unique answer to this question. A tentative definition: Data mining is the use of efficient techniques for the analysis of very large

1.28k views • 62 slides
Regulatory Framework The Mining Act 1971 The Crown owns the minerals Legislation

Regulatory Framework The Mining Act 1971 The Crown owns the minerals Legislation

Department of the Premier and Cabinet Mining Regulation Branch Determination for a Mining Proposal for the Bird-in-Hand Gold Project Paul ThompsonSenior Mining Assessment Officer 22 May 2017 Regulatory Framework The Mining Act 1971 The

124 views • 9 slides
Welcome Haoma Mining NL Agenda Chairmans Address Business of the day Haoma Mining NL

Welcome Haoma Mining NL Agenda Chairmans Address Business of the day Haoma Mining NL

Haoma Mining NL Annual General Meeting Of Shareholders Wednesday December 18, 2019 Welcome Haoma Mining NL Agenda Chairmans Address Business of the day Haoma Mining NL Location Map of Haoma Mining Pilbara mining tenements

1.05k views • 19 slides
Data Mining: Concepts and Techniques Web Mining Li Xiong Slides credits: Jiawei Han and

Data Mining: Concepts and Techniques Web Mining Li Xiong Slides credits: Jiawei Han and

Data Mining: Concepts and Techniques Web Mining Li Xiong Slides credits: Jiawei Han and Micheline Kamber; Anand Rajaraman, Jeffrey D. Ullman Olfa Nasraoui Bing Liu 4/9/2008 1 Web Mining Web mining vs. data mining Structure (or lack

997 views • 60 slides
DATA MINING LECTURE 2 What is data? The data mining pipeline What is Data Mining? Data

DATA MINING LECTURE 2 What is data? The data mining pipeline What is Data Mining? Data

DATA MINING LECTURE 2 What is data? The data mining pipeline What is Data Mining? Data mining is the use of efficient techniques for the analysis of very large collections of data and the extraction of useful and possibly unexpected

2.4k views • 94 slides
industrial IOT technologies INDUSTRIAL MARKET INSIGHTS within global industrial sector

industrial IOT technologies INDUSTRIAL MARKET INSIGHTS within global industrial sector

WWW.BOX2M.COM industrial IOT technologies INDUSTRIAL MARKET INSIGHTS within global industrial sector &gt; OWN 60% OF THE WORLD MONEY &gt; LOOK TO SAVE OPEX AND CAPEX &gt; 50% OF THOSE THINK ABOUT USING IOT TECHNOLOGIES INDUSTRIAL MARKET

386 views • 12 slides

More recommend