<?php
//author: https://github.com/wupco/
//realworldctf 2021 MoP https://realworldctf.com/challenge
class A {
    function __construct() {
        // str_ireplace could be replaced by other functions which have "reference args" such as similar_text etc.
        $this->{'str_ireplace'} = "call_user_func_array";
    }
}
statically identifying the error sites in the source code of the tested program (statically identify the error sites in the source code of the program under test)
running the tested program and collecting runtime information about calling contexts of each executed error site and code coverage (at runtime, collect the calling context of each executed error site together with coverage)
creating error sequences about executed error sites according to runtime information, and each element of such a sequence is differentiated by the location of the executed error site and the information about its calling context (use the collected runtime error-point information to build the error sequences on which mutation and fault injection are performed)
after running the program, mutating each created error sequence to generate new sequences (iteratively generate new error sequences)
running the tested program and injecting faults according to the mutated error sequences (keep running inputs and perform fault injection at runtime)
collecting runtime information, creating new error sequences and performing mutation of these error sequences again, which constructs a fuzzing loop (repeat, forming a loop)
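As an added example that is not part of these notes or of the paper they summarize, the loop above can be sketched in Python: a constructed toy program with one allocation-style error site reached from two calling contexts, a seed run that records the error sequence and coverage, and a mutation step that makes one more executed site fail in each child sequence; the names Run, prog_* and fuzz are assumptions.

```python
import traceback
# Added example, not from the page: a toy error-sequence fuzzing loop. Error
# sites are calls that may fail; each executed site is keyed by its location
# plus its calling context (the chain of prog_* frames on the stack).
class Run:
    def __init__(self, inject=frozenset()):
        self.inject, self.seq, self.cov = inject, [], set()

    def site(self, loc):                  # True => inject a fault at this site
        ctx = tuple(f.name for f in traceback.extract_stack()[:-1]
                    if f.name.startswith("prog_"))
        self.seq.append((loc, ctx))       # one element of the error sequence
        return (loc, ctx) in self.inject
# Constructed program under test: a hypothetical file-like API with one bug.
def prog_alloc(r, n):
    return None if r.site("alloc") else {"buf": n}
def prog_open(r):
    f = prog_alloc(r, 16)                 # alloc site reached from prog_open
    if f is not None:
        r.cov.add("opened")
    return f
def prog_read(r, f):
    if prog_alloc(r, 4) is None:          # same site, different context
        f.clear()                         # bug: releases f on this error path...
        return "read_failed"
    r.cov.add("read")
    return "ok"
def prog_main(r):
    f = prog_open(r)
    if f is None:
        return "open_failed"
    return prog_read(r, f) + ":" + str(f["buf"])   # ...then uses f (KeyError)

def fuzz():
    """Run, record error sequences, mutate, inject; returns (crashes, coverage)."""
    queue, seen, crashes, cov = [frozenset()], set(), [], set()
    while queue and len(seen) < 64:       # bound the loop for the example
        inject = queue.pop(0)
        r = Run(inject)
        try:
            prog_main(r)
        except KeyError:                  # injected fault exposed the bug
            crashes.append(sorted(inject))
        if not r.cov <= cov:              # new coverage: mutate this sequence,
            new = [inject | {e} for e in r.seq if inject | {e} not in seen]
            seen.update(new)              # each child fails one more site
            queue.extend(new)
        cov |= r.cov
    return crashes, cov
```

The seed run executes the alloc site from both prog_open and prog_read; failing it only in the prog_read context drives the buggy cleanup path and surfaces the crash.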
Abstract—As existing defenses like ASLR, DEP, and stack cookies are not sufficient to stop determined attackers from exploiting our software, interest in Control Flow Integrity (CFI) is growing. In its ideal form, CFI prevents any flow of control that was not intended by the original program, effectively putting a stop to exploitation based on return oriented programming (and many other attacks besides). Two main problems have prevented CFI from being deployed in practice. First, many CFI implementations require source code or debug information that is typically not available for commercial software. Second, in its ideal form, the technique is very expensive. It is for this reason that current research efforts focus on making CFI fast and practical. Specifically, much of the work on practical CFI is applicable to binaries, and improves performance by enforcing a looser notion of control flow integrity. In this paper, we examine the security implications of such looser notions of CFI: are they still able to prevent code reuse attacks, and if not, how hard is it to bypass its protection? Specifically, we show that with two new types of gadgets, return oriented programming is still possible. We assess the availability of our gadget sets, and demonstrate the practicality of these results with a practical exploit against Internet Explorer that bypasses modern CFI implementations.
kBouncer monitors the process to check whether each function return address lands right after a call instruction; this technique needs hardware support (Last Branch Record, LBR). It also has a heuristic that checks for frequent return operations with no matching calls, so a ROP chain built entirely from CS-R gadgets can no longer be used, but CS-IC-R or CS-F-R gadgets may still be able to fool this algorithm.
How do we evaluate techniques instead of implementations?
My own view
My biggest takeaway was "Human in the loop", which I translate as: fuzzing has never been a black box. I feel this strongly myself. When you actually build something to be used as a product, you are nonetheless pushed to make it a black box, but this class of security product is really not meant for people who know nothing about security; that point needs to be made very clear. Yet getting ordinary programmers to pick up a security product quickly and use it right away will remain a big challenge in the future. I took very few notes on the evaluation material, because I always feel there is no standard there; perhaps that is simply how small fields are, without a complete and solid theoretical foundation. Fuzzing really still has a long way to go.
TNT: the taken/not-taken outcome of each conditional branch is represented by one bit, 1 or 0. TNT packets come in two forms: short TNT (1 byte) and long TNT (8 bytes). A short TNT can hold at most 6 TNT bits and a long TNT at most 47 TNT bits; the end of the bits is marked by a 1, the stop bit.