not scoring system, problem solved Generally you have to be permissive and allow traffic from the entire game world If you can classify “good” from “bad” at the network level…
is using your computer? This depends on how much the person using your computer cares This also depends on how much you can “see” or are permitted to see
nothing on the network, and yet it’s talking to the network, you might be owned For CTFs this can be a problem because you need to be able to put the system into a quiescent state This could mean shutting down the ability to make points off of a service poll, which could be bad if done for too long
system and how much control you have As a user, you are limited to what system services will tell you UNIX-style wtmp logs recording login/logout accessible via ‘w’ When someone pops a shell, they don’t log in Process listings via ‘ps’ If someone backdoors your ‘ps’ binary, you have problems Information in some kind of procfs (if your platform has it) Or inotify, if your platform supports it netstat
resources Tracking global file or network activity needs kernel cooperation Dumping all packets coming in our with wireshark/ tcpdump Problem: discerning good from bad? Sometimes you can create honest signatures for vulnerabilities that you have identified
for things you haven’t seen before Things to consider: on your platform, how can you have a thread running code? Sometimes they need their own PID, sometimes not Could an attacker inject a thread into a process that you trust? Maybe you can get more information about programs internal state What is heap size What is memory map
to exploit them and fail because they haven’t perfected the exploit yet This is a great opportunity to capture another teams exploit! Pros have capture frameworks where they correlate socket information and time of crash to a packet capture Extract failed exploit, identify bug, fix it up, and turn it around on other teams before the failed exploit team fixes their own exploit
what programs are connecting to what remote hosts Long-lived connections would be weird Or would they? Ask your reverse engineers if challenge binaries should have long running connections
Some clever people did profiling of the IP headers received by their game systems Discovered a difference between scoring system traffic and contestant system traffic Implemented a classification algorithm and used this to guide all contestant system traffic to a honeypot
on your system under gdb with break-prints on calls to ‘open’ If you see programs opening files they normally don’t… problems? This isn’t perfect Attacker – how would you evade detection by this scheme? When present, facilities like inotify can help identify changes to the filesystem in near real time
/ death Process memory maps Network activity What processes are connecting to what hosts for how long File activity Use gdb to get into processes Periodically re-scan the system for changes using some tools you write
they will be trying to find you the same way that you find people using your computers Generally, speed is good Persistent access is also very good (how long until they patch the bug)
Computers? Where can you write text on the filesystem that turns into programs running at some later point? Example: crontab , bashrc Another example: cat your own key into their authorized_keys Do you always need this? Find some long-running process and put something there in memory-only using some handy tool you wrote previously
Back-dooring system binaries seems like it would be appropriately devious but the other guys could have file-integrity tools that tells them when you do this Or they might not? Maybe you should have those tools too… Just take everything you can think of to defend, and invert it
trailofbits
akexorcist
salaboy
eventhub
kazzpapa3
sinsoku
neuecc
shigashiyama
emiki
lycorp_recruit_jp
ishikawa_satoru
fumiyasac0921
reverentgeek
kneath
jacobian
denniskardys
irinanazarova
bermonpainter
erikaheidi
csswizardry
tammyeverts
hatefulcrawdad
cassininazir
iamctodd
