using machines to exploit machines
play

Using Machines to Exploit Machines Harnessing AI to Accelerate - PowerPoint PPT Presentation

Apr 25, 2023 •150 likes •731 views

Using Machines to Exploit Machines Harnessing AI to Accelerate Exploitation Guy Barnhart-Magen Ezra Caltum @barnhartguy @aCaltum Legal Notice and Disclaimers This presentation contains the general insights and opinions of its authors, Guy

  1. Using Machines to Exploit Machines Harnessing AI to Accelerate Exploitation Guy Barnhart-Magen Ezra Caltum @barnhartguy @aCaltum

  2. Legal Notice and Disclaimers This presentation contains the general insights and opinions of its authors, Guy Barnhart-Magen and Ezra Caltum. We are speaking on behalf of ourselves only, and the views and opinions contained in this presentation should not be attributed to our employer. The information in this presentation is provided for informational and educational purposes only and is not to be relied upon for any other purpose. Use at your own risk! We makes no representations or warranties regarding the accuracy or completeness of the information in this presentation. We accept no duty to update this presentation based on more current information. We disclaim all liability for any damages, direct or indirect, consequential or otherwise, that may arise, directly or indirectly, from the use or misuse of or reliance on the content of this presentation. No computer system can be absolutely secure. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. *Other names and brands may be claimed as the property of others. @barnhartguy @aCaltum

  3. $ ID Guy Barnhart-Magen Ezra Caltum @barnhartguy @acaltum BSidesTLV Chairman and CTF Lead BSidesTLV Co-Founder DC9723 Lead @barnhartguy @aCaltum

  5. OUR PROBLEM Fuzz Testing Literally thousands of crashes to analyze 1 (good problem to have?) @barnhartguy @aCaltum

  6. OUR PROBLEM Automation Might miss something important, but helps 2 Fuzz Testing reduce from thousands Literally thousands to hundreds of results of crashes to analyze 1 (good problem to have?) @barnhartguy @aCaltum

  7. OUR PROBLEM Manual Analysis Can only do a limited amount with limited 3 researchers time Automation Might miss something important, but helps 2 Fuzz Testing reduce from thousands Literally thousands to hundreds of results of crashes to analyze 1 (good problem to have?) @barnhartguy @aCaltum

  8. EFFORT BALANCE Build the Model @barnhartguy @aCaltum

  9. EFFORT BALANCE Gather Data Build the Model @barnhartguy @aCaltum

  10. EFFORT BALANCE Keep Good Data Build the Model @barnhartguy @aCaltum

  11. PROBLEM STATEMENT @barnhartguy @aCaltum

  12. PROBLEM STATEMENT What is Australia? @barnhartguy @aCaltum

  13. PROBLEM STATEMENT Can we create an ML model that can triage crashes and help us focus on the exploitable ones? (we got a lot of crashes from AFL) @barnhartguy @aCaltum

  14. REVISED PROBLEM STATEMENT Can we create an ML model that can outperform exploitable , based on the same data? it should perform at least as well as exploitable @barnhartguy @aCaltum

  15. FULL DISCLOSURE Limited dataset - but we tried anyway (no DL today) We want to focus on the methodology We can’t trust this results, but they are worth sharing @barnhartguy @aCaltum

  16. MACHINE LEARNING See our previous talks on hacking machine learning systems :-)

  17. WHAT IS MACHINE LEARNING? Data Feat. Math Pred. Data Ingestion Feature Extraction Model Fitting Predictions Normalizing and converting data Analyzing the data and Repeatedly trying to improve Given a never seen before to a canonical way for feature extracting the interesting model fit to the data observed datum, what does the model extraction features from it predict it to be @barnhartguy @aCaltum

  18. MACHINE LEARNING What it isn’t: ● Magic ● A solution to every problem ● Difficult or Complex ● One of the holy VC buzzwords: ○ Blockchain ○ Cyber ○ Zero Trust @barnhartguy @aCaltum

  19. THE DIFFERENCE BETWEEN ML AND AI If it is written in Python, it’s probably Machine Learning If it is written in PowerPoint, it’s probably AI @barnhartguy @aCaltum

  20. EXAMPLE @barnhartguy @aCaltum

  21. EXAMPLE Using Machines to Exploit Machines Harnessing AI to Accelerate Exploitation @barnhartguy @aCaltum

  22. Everyone Confuses “AI” with “ML” So do We Sorry @barnhartguy @aCaltum

  23. WHAT IS IT GOOD FOR? Finding patterns in a lot of data, patterns you did not expect (counter intuitive) @barnhartguy @aCaltum

  24. WHAT IS IT GOOD FOR? Finding patterns in a lot of data, patterns you did not expect (counter intuitive) Correlating different inputs you suspect are related somehow @barnhartguy @aCaltum

  25. WHAT IS IT GOOD FOR? Finding patterns in a lot of data, patterns you did not expect (counter intuitive) Correlating different inputs you suspect are related somehow Abstracting a problem and throwing it at an algorithm, hoping for the best (e.g. being lazy) @barnhartguy @aCaltum

  26. PREDICTIONS ML makes predictions based on previously seen data Your data quality is important! (data is not information) @barnhartguy @aCaltum

  27. WHAT DO YOU GET? How is this new sample I am testing now similar to all the other samples I’ve seen in the past? Testing - extracting and then comparing features against your model @barnhartguy @aCaltum

  28. Crash Triage

  29. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home @barnhartguy @aCaltum

  30. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home ● At first light in the morning (11:00) I drink a cup of coffee @barnhartguy @aCaltum

  31. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home ● At first light in the morning (11:00) I drink a cup of coffee ● I analyze the data from the crash dump with the help of a debugger @barnhartguy @aCaltum

  32. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home ● At first light in the morning (11:00) I drink a cup of coffee ● I analyze the data from the crash dump with the help of a debugger ● Based on my experience, and the output of some plugins, I classify the crashes as either exploitable or not @barnhartguy @aCaltum

  33. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go home ● At first light in the morning (11:00) I drink a cup of coffee ● I analyze the data from the crash dump with the help of a debugger ● Based on my experience, and the output of some plugins, I classify the crashes as either exploitable or not ● I start developing a POC for the exploitable crashes. @barnhartguy @aCaltum

  34. A COMMON MORNING IN MY LIFE ● I start a fuzzing process overnight and go No need for sleep for our AI overlords ➔ home ● At first light in the morning (11:00) I drink a No need for coffee for our AI overlords ➔ cup of coffee ● I analyze the data from the crash dump with ➔ Preprocessing phase prepares the data for the help of a debugger the ML analysis ● Based on my experience, and the output of ML analyzes the data, based on its ➔ some plugins, I classify the crashes as either experience (training data), emits predictions exploitable or not (human intuition or heuristics) ● I start developing a POC for the exploitable Human minions will develop a PoC for the ➔ crashes. overlords @barnhartguy @aCaltum

  35. Our Data Set

  36. DARPA CYBER GRAND CHALLENGE We have 632 test cases that we know are exploitable We ran exploitable against them and got: ● 607 were definitely exploitable ● 12 were probably exploitable ● 13 were unknown - the tool couldn’t reach a decision @barnhartguy @aCaltum

  37. SO, WHAT DOES A CRASH GIVE US? EAX, EBX, ECX, EDX - general purpose (values, addresses) ESP, EBP - Stack pointers ESI, EDI - Source and Destination Index (for string operations) EIP - Instruction pointer eflags - metadata (wasn’t actually useful at all, empty values) CS, SS, DS, ES, FS, GS - Segment registers Also a whole lot of other things which we didn't look at @barnhartguy @aCaltum

  38. OUR PROCESS Creating Crashes Crash Analysis Feature Extracting Running tests Analyzing the crash Converting the data against a ~600 dumps using collected from the exploitable , exploitable programs with known crashes, collecting the stack output to a collecting the crash and register values canonical dumps representation, extracting the features we cared about @barnhartguy @aCaltum

  39. PROBLEM Register values are discrete and unrelated to each other What can we learn from specific register values? @barnhartguy @aCaltum

  40. CLASSIFYING DATA We tried breaking the values of the registers into three groups: ● High address range (kernel) ● Low address range (userland) ● Values Bad results - data distribution not uniform :-( @barnhartguy @aCaltum

  41. BINNING Dividing the values to evenly spaced bins 10 bins total, evenly distributed between [min_val, max_val] This helps the model ignore specific values, and look at them as ranges Good results :-) @barnhartguy @aCaltum

  42. OneClassSVM Train your major class (609 records, EXPLOITABLE) Test your data against similarity to the model {-1,1} +1 = very similar to the model -1 = very not similar to the model @barnhartguy @aCaltum

Recommend

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines: Virtual machine technology, often just called virtualization , makes one computer behave as several Running several operating systems simultaneously on

254 views • 10 slides
Finite State Machines (FSM) Chapter 8 State Machines Introduction State Machines Mealy and

Finite State Machines (FSM) Chapter 8 State Machines Introduction State Machines Mealy and

Finite State Machines (FSM) Chapter 8 State Machines Introduction State Machines Mealy and Moore Machines State Machines Synchronous & Asynchronous Systems State Diagrams Elements of Diagrams State Diagrams Properties State Diagrams

607 views • 33 slides
Vulnerable Machines with Ansible Nathaniel Beckstead whoami Nathaniel Beckstead Automation

Vulnerable Machines with Ansible Nathaniel Beckstead whoami Nathaniel Beckstead Automation

Vulnerable Machines with Ansible Nathaniel Beckstead whoami Nathaniel Beckstead Automation Infrastructure Tooling scriptingis.life 2 Why Vulnerable Machines? King of the Hill Practice Red team - scan and exploit Blue team

304 views • 18 slides
Kernel Machines Steven J Zeil Old Dominion Univ. Fall 2010 1 Support Vector Machines Kernel

Kernel Machines Steven J Zeil Old Dominion Univ. Fall 2010 1 Support Vector Machines Kernel

Support Vector Machines Kernel Machines Kernel Machines Steven J Zeil Old Dominion Univ. Fall 2010 1 Support Vector Machines Kernel Machines Kernel Machines Support Vector Machines 1 Optimal Separating HyperPlanes Soft Margin

368 views • 36 slides
Machines Murray Cole Machines 1 Machines 2 Implementing Systems Monitor, mouse, keyboard etc

Machines Murray Cole Machines 1 Machines 2 Implementing Systems Monitor, mouse, keyboard etc

I V N E U R S E I H T Y T O H F G R E U D I B N Machines Murray Cole Machines 1 Machines 2 Implementing Systems Monitor, mouse, keyboard etc are electrical devices which produce simple effects in response to simple

768 views • 19 slides
Finite State Machines (FSM) AKA Finite State Automat on State Machines Introduction State

Finite State Machines (FSM) AKA Finite State Automat on State Machines Introduction State

Finite State Machines (FSM) AKA Finite State Automat on State Machines Introduction State Machines Mealy and Moore Machines State Machines Synchronous & Asynchronous Systems State Diagrams Elements of Diagrams State Diagrams Properties

676 views • 33 slides
Kernel Machines Support Vector Machines 1 Kernel Machines Optimal Separating HyperPlanes Soft

Kernel Machines Support Vector Machines 1 Kernel Machines Optimal Separating HyperPlanes Soft

Support Vector Machines Kernel Machines Support Vector Machines Kernel Machines Kernel Machines Support Vector Machines 1 Kernel Machines Optimal Separating HyperPlanes Soft Margin HyperPlanes Steven J Zeil Kernel Machines 2 Old

655 views • 8 slides
? 17.10.2018 3 17.10.2018 4 Support Vector Machines (SVM): Background Support Vector Machines

? 17.10.2018 3 17.10.2018 4 Support Vector Machines (SVM): Background Support Vector Machines

INF3490 - Biologically inspired computing Support Vector Machines Support Vector Machines, Ensemble Learning, and Dimensionality (SVM) Reduction Weria Khaksar October 17, 2018 17.10.2018 2 Support Vector Machines (SVM): Background Support

579 views • 9 slides
MACHINES FOR METALWORKING Machines Genauigkeits Maschinenbau Nrnberg GmbH TPS MPS 2

MACHINES FOR METALWORKING Machines Genauigkeits Maschinenbau Nrnberg GmbH TPS MPS 2

Grinding MACHINES FOR METALWORKING Machines Genauigkeits Maschinenbau Nrnberg GmbH TPS MPS 2 R300DC MPS 1 MPS 2 R300DCHP (MPS 1 R125) MPS R400D MPS 2 (MPS 2 R220) MPS R700 MPS 2K MPS 2K R300 MPS 3H

313 views • 29 slides
Sparse Kernel Machines - SVM Henrik I. Christensen Robotics & Intelligent Machines @ GT

Sparse Kernel Machines - SVM Henrik I. Christensen Robotics & Intelligent Machines @ GT

Introduction Maximum Margin Multiple Classes Regression Example Summary Sparse Kernel Machines - SVM Henrik I. Christensen Robotics & Intelligent Machines @ GT Georgia Institute of Technology, Atlanta, GA 30332-0280 hic@cc.gatech.edu

596 views • 42 slides
Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi

Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi

Introduction Knowledge Tracing Encoding existing models Knowledge Tracing Machines Results Conclusion Knowledge Tracing Machines: Factorization Machines for Knowledge Tracing Jill-Jnn Vie Hisashi Kashima KJMLW, February 22, 2019

698 views • 51 slides
STREAM FINISHING MACHINES STREAM FINISHING MACHINES Structure and function PERFEKTE OBERFLCHEN

STREAM FINISHING MACHINES STREAM FINISHING MACHINES Structure and function PERFEKTE OBERFLCHEN

STREAM FINISHING MACHINES STREAM FINISHING MACHINES Structure and function PERFEKTE OBERFLCHEN WELTWEIT | 2 STREAM FINISHING MACHINES (SF) Technique Workpieces are fixed in a holder and immersed in a rotating process container filled

481 views • 36 slides
WASH BAY MACHINES Objective To develop technological self-service wash bay machines capable of

WASH BAY MACHINES Objective To develop technological self-service wash bay machines capable of

WASH BAY MACHINES Objective To develop technological self-service wash bay machines capable of addressing all needs and requirements, with machines ranging from a single wash bay to large installations with eight wash bays. Two different Looks

165 views • 15 slides
Support Vector Machines (Ch. 18.9) SVM Basics Support Vector Machines (SVMs) try to do our

Support Vector Machines (Ch. 18.9) SVM Basics Support Vector Machines (SVMs) try to do our

Support Vector Machines (Ch. 18.9) SVM Basics Support Vector Machines (SVMs) try to do our normal linear classification (last few lectures), but with a couple of twists 1. Find the line in the middle of points with the largest gap (called

454 views • 32 slides
Virtual Machines Tom Goff & David Dufresne We have created virtual machines for both

Virtual Machines Tom Goff & David Dufresne We have created virtual machines for both

Motivation for using Virtual Machines Tom Goff & David Dufresne We have created virtual machines for both VirtualBox and Vmware Player. Both options are supported across several platforms, but experience says that some hardware plays

178 views • 5 slides
Turing Machines 9-0 Turing Machines Now for a machine model of much greater

Turing Machines 9-0 Turing Machines Now for a machine model of much greater

Griffith University 3130CIT Theory of Computation (Based on slides by Harald Sndergaard of The University of Melbourne) Turing Machines 9-0 Turing Machines Now for a machine model of much greater power. A

322 views • 14 slides
Machines: Where Next? Murray Cole Machines: Where next? 1 Technological Progress Moores

Machines: Where Next? Murray Cole Machines: Where next? 1 Technological Progress Moores

I V N E U R S E I H T Y T O H F G R E U D I B N Machines: Where Next? Murray Cole Machines: Where next? 1 Technological Progress Moores Law suggests that the number of transistors embeddable per unit area

508 views • 17 slides
Science (Bridging Course) Turing Machines Gian Diego Tipaldi Topics Covered Turing machines

Science (Bridging Course) Turing Machines Gian Diego Tipaldi Topics Covered Turing machines

Theoretical Computer Science (Bridging Course) Turing Machines Gian Diego Tipaldi Topics Covered Turing machines Variants of Turing machines Multi-tape Non-deterministic Definition of algorithm The Church-Turing Thesis

962 views • 48 slides
Hardware Design with VHDL Finite State Machines ECE 443 Finite State Machines FSMs are

Hardware Design with VHDL Finite State Machines ECE 443 Finite State Machines FSMs are

Hardware Design with VHDL Finite State Machines ECE 443 Finite State Machines FSMs are sequential machines with "random" next-state logic Used to implement functions that are realized by carrying out a sequence of steps -- commonly

794 views • 65 slides
Sparse Kernel Machines - RVM Henrik I. Christensen Robotics & Intelligent Machines @ GT

Sparse Kernel Machines - RVM Henrik I. Christensen Robotics & Intelligent Machines @ GT

Introduction Regression Model RVM for classification Summary Sparse Kernel Machines - RVM Henrik I. Christensen Robotics & Intelligent Machines @ GT Georgia Institute of Technology, Atlanta, GA 30332-0280 hic@cc.gatech.edu Henrik I.

565 views • 22 slides
LEADING MANUFACTURER IN COMPONENT CLEANING MACHINES COMPANY PROFILE Cleanster Machines

LEADING MANUFACTURER IN COMPONENT CLEANING MACHINES COMPANY PROFILE Cleanster Machines

LEADING MANUFACTURER IN COMPONENT CLEANING MACHINES COMPANY PROFILE Cleanster Machines started as proprietary firm for Industrial component cleaning machines requirements of engineering industries. Initially a marketing firm -

504 views • 24 slides
Virtual machines COMP 520 Fall 2012 Virtual machines (2) Compilation and execution modes of

Virtual machines COMP 520 Fall 2012 Virtual machines (2) Compilation and execution modes of

COMP 520 Fall 2012 Virtual machines (1) Virtual machines COMP 520 Fall 2012 Virtual machines (2) Compilation and execution modes of Virtual machines: Abstract syntax trees AOT-compile Interpreter Virtual machine code

662 views • 40 slides
Tensor Networks for Generative Modeling From Boltzmann machines to Born machines, and back ang (

Tensor Networks for Generative Modeling From Boltzmann machines to Born machines, and back ang (

Tensor Networks for Generative Modeling From Boltzmann machines to Born machines, and back ang ( ) Lei W https://wangleiphy.github.io Institute of Physics, Beijing Han, Wang, Fan, LW, Zhang, PRX18 Chen, Cheng, Xie, LW, Xiang, PRB

825 views • 80 slides
Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent MONJALET Commissariat lnergie Atomique et aux nergies alternatives Direction des Applications Militaires 17 novembre 2017 Guidelines :

672 views • 49 slides

More recommend