Richard Ford and Brian Knudson
In 1984 A.K. Dewdney wrote his now-famous article on the game “Core War”, in which two programs fight to the death in a digital arena (the “core”). Ever since then, variants of this idea have played out in the computer security field, as anti-virus vendors have battled viruses on platforms ranging from Android to Windows. In this talk we discuss perhaps the ultimate core war: a fully automated system that both attacks other machines and defends itself.
This talk, presented by members of the winning team from the first formal CGC (Cyber Grand Challenge) scored event, will look in detail at the technical challenges of fully automated cyber operations. The basic structure of the CGC challenge will be described, along with the simplifying assumptions it permits. We will then outline the critical challenges that arise. These challenges are not trivial, and cover both static and dynamic analysis techniques.
The basic structure of the CGC requires that the entire system runs with no human intervention. A specialized environment, DECREE, is used to make the problem more tractable. DECREE is essentially a variant of Unix, but with a limited set of system calls. Within this environment, players are provided with different binary packages. The automated system must be able to reason about these packages, develop “proofs of vulnerability” (the set of inputs that demonstrates that a binary has an exploitable vulnerability), and develop runtime patches that address the vulnerable condition in the binary. This is complicated by the fact that the full functionality of the binaries is not disclosed to competitors; thus, even if a vulnerable section of code can be located, the system still has to find the sequence of inputs that reaches that particular set of instructions and satisfies any other state constraints required to trigger the vulnerability. Similarly, determining that a patch fixes only the vulnerability and does not hinder the normal operation of the binary is difficult, since known-good input also has to be derived automatically.
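The patch-acceptance problem in the last two sentences, as an added toy model that is not code from the talk or from any CGC team: a constructed "challenge binary" is a Python function over bytes, a memory fault is simulated by an exception, and the harness accepts a candidate patch only if the proof-of-vulnerability input no longer crashes it while every derived known-good input still produces the original behaviour.

```python
"""Toy model of CGC patch validation. All binaries, inputs and sizes here are constructed."""
from typing import Callable, List, Tuple

BUF_SIZE = 16  # constructed size of the simulated fixed buffer


class SimulatedCrash(Exception):
    """Stands in for the fault signal a DECREE binary would raise on a memory error."""


def cb_original(data: bytes) -> bytes:
    """Constructed 'challenge binary': echoes a length-prefixed message.
    Defect: it trusts the length byte and copies past the buffer."""
    n = data[0]
    if n > BUF_SIZE:
        raise SimulatedCrash("copy of %d bytes past end of %d-byte buffer" % (n, BUF_SIZE))
    return b"echo:" + data[1:1 + n]


def cb_patched(data: bytes) -> bytes:
    """Candidate patch: clamp the copy length to the buffer size."""
    n = min(data[0], BUF_SIZE)
    return b"echo:" + data[1:1 + n]


def cb_overpatched(data: bytes) -> bytes:
    """Candidate patch that is too aggressive: it also rejects legitimate long messages."""
    n = min(data[0], 4)
    return b"echo:" + data[1:1 + n]


def run(cb: Callable[[bytes], bytes], data: bytes) -> Tuple[str, object]:
    """Execute one input and report ('ok', output) or ('crash', reason)."""
    try:
        return ("ok", cb(data))
    except SimulatedCrash as exc:
        return ("crash", str(exc))


def validate_patch(original, patched, good_inputs: List[bytes], pov: bytes) -> Tuple[bool, List[str]]:
    """Accept a patch only if the PoV is neutralised and no known-good behaviour changes."""
    reasons = []
    if run(original, pov)[0] != "crash":
        reasons.append("pov does not crash the original binary")
    if run(patched, pov)[0] == "crash":
        reasons.append("patched binary still crashes on the pov")
    for inp in good_inputs:
        if run(original, inp) != run(patched, inp):
            reasons.append("functionality changed for input %r" % inp)
    return (not reasons, reasons)


# Constructed known-good inputs (derived corpus) and a constructed proof-of-vulnerability input.
GOOD_INPUTS = [bytes([len(m)]) + m for m in (b"hi", b"hello world", b"a" * BUF_SIZE)]
POV_INPUT = bytes([200]) + b"B" * 200
```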
Overall, the CGC represents the state of the art in automated vulnerability discovery and automated defense research. Thus, the techniques developed during this challenge will have lasting implications for the security industry as a whole.