Qualifier Challenge - CROMU_00020


Original Versions

Known Vulnerabilities

  • CWE-121 - Stack-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 1.27
  • CodeJitsu: 0.01
  • TECHx: 0.01
  • CSDS: 0.01
  • Disekt: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Bryce Kerley" bk@cromulence.co

DARPA performer group

Cromulence (CROMU)

Description

This service uses floating point and integer operations to set up internal state based on a provided seed. It then requires clients to make assertions about that state before allowing them access to an echo service with a buffer overrun vulnerability.

Feature List

This service forces clients to seed an RNG with 256 bits of entropy. From that seed it initializes a 4096-bit pool using mixed floating-point and integer operations on the same data, so that only CRSes that reproduce x86 floating-point and integer arithmetic exactly can reach the later stages. Beyond that, it is a simple stack buffer overrun vulnerability.

Protocol

The service speaks a standard Type-Length-Value protocol. The functions in messages.c and the constants in messages.h are generated by tool/message_builder.rb from the data in tool/messages.csv.

Vulnerability

After navigating the RNG state matching, an echo message whose value is longer than 80 bytes overflows the 80-byte stack buffer that holds the data to be echoed back, because the client-supplied length is used as the copy size. Patching this vulnerability requires adding a length check before the copy, removing the buffer altogether, or dynamically allocating a buffer sized to the message.
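The following is an added illustration, not code from the challenge binary or from Cromulence: a small TLV parser in the style the protocol section describes, the echo handler in its vulnerable form, and the two buffer-based fixes the write-up lists (length check, dynamic allocation). The wire layout (1-byte type, 2-byte little-endian length, value), the MSG_ECHO type code and the helper names are assumptions for the example; only the 80-byte stack buffer comes from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed wire layout for this example (not the challenge's generated
 * messages.h): 1-byte type, 2-byte little-endian length, then `length`
 * bytes of value. The 80-byte stack buffer matches the write-up; the
 * type code is a placeholder. */
#define ECHO_BUF_LEN 80
#define MSG_ECHO     0x05

struct tlv {
    uint8_t        type;
    uint16_t       length;
    const uint8_t *value;
};

/* Parse one TLV from buf; returns bytes consumed, or 0 if the declared
 * length runs past the bytes actually received (a truncated frame). */
size_t tlv_parse(const uint8_t *buf, size_t avail, struct tlv *out) {
    if (avail < 3) return 0;
    uint16_t len = (uint16_t)(buf[1] | (buf[2] << 8));
    if ((size_t)len > avail - 3) return 0;
    out->type = buf[0]; out->length = len; out->value = buf + 3;
    return 3 + (size_t)len;
}

/* Serialize a TLV; returns bytes written, or 0 if it does not fit. */
size_t tlv_build(uint8_t *out, size_t cap, uint8_t type,
                 const uint8_t *val, uint16_t len) {
    if (cap < 3 + (size_t)len) return 0;
    out[0] = type;
    out[1] = (uint8_t)(len & 0xff);
    out[2] = (uint8_t)(len >> 8);
    memcpy(out + 3, val, len);
    return 3 + (size_t)len;
}

typedef int (*echo_fn)(const struct tlv *, uint8_t *, size_t);

/* Vulnerable handler (CWE-121): the client-controlled length is the copy
 * size into a fixed 80-byte stack buffer. Only call this with length <= 80
 * when testing; a longer message corrupts the stack. */
int echo_vulnerable(const struct tlv *msg, uint8_t *reply, size_t reply_cap) {
    uint8_t stack_buf[ECHO_BUF_LEN];
    memcpy(stack_buf, msg->value, msg->length);   /* overflow if length > 80 */
    if (msg->length > reply_cap) return -1;
    memcpy(reply, stack_buf, msg->length);
    return (int)msg->length;
}

/* Fix 1 from the write-up: check the length against the buffer first. */
int echo_checked(const struct tlv *msg, uint8_t *reply, size_t reply_cap) {
    uint8_t stack_buf[ECHO_BUF_LEN];
    if (msg->length > sizeof stack_buf || msg->length > reply_cap) return -1;
    memcpy(stack_buf, msg->value, msg->length);
    memcpy(reply, stack_buf, msg->length);
    return (int)msg->length;
}

/* Fix 3 from the write-up: size the scratch buffer to the message. */
int echo_dynamic(const struct tlv *msg, uint8_t *reply, size_t reply_cap) {
    if (msg->length > reply_cap) return -1;
    uint8_t *heap_buf = malloc(msg->length ? msg->length : 1);
    if (heap_buf == NULL) return -1;
    memcpy(heap_buf, msg->value, msg->length);
    memcpy(reply, heap_buf, msg->length);
    free(heap_buf);
    return (int)msg->length;
}

/* Build a constructed echo message of `len` 'A' bytes, parse it, and run it
 * through `handler`; returns the handler's result (-1 = rejected). */
int echo_result(echo_fn handler, uint16_t len) {
    uint8_t payload[512], frame[600], reply[600];
    struct tlv msg;
    memset(payload, 'A', sizeof payload);
    size_t n = tlv_build(frame, sizeof frame, MSG_ECHO, payload, len);
    if (n == 0 || tlv_parse(frame, n, &msg) != n) return -2;
    return handler(&msg, reply, sizeof reply);
}

/* Parse a frame declaring `declared` value bytes but delivering only
 * `avail` bytes in total; returns bytes consumed (0 = rejected). */
size_t probe_parse(uint16_t declared, size_t avail) {
    uint8_t payload[512], frame[600];
    struct tlv msg;
    memset(payload, 'B', sizeof payload);
    tlv_build(frame, sizeof frame, MSG_ECHO, payload, declared);
    return tlv_parse(frame, avail, &msg);
}

int main(void) {
    printf("checked,  40 bytes: %d\n", echo_result(echo_checked, 40));
    printf("checked, 200 bytes: %d\n", echo_result(echo_checked, 200));
    printf("dynamic, 200 bytes: %d\n", echo_result(echo_dynamic, 200));
    printf("truncated frame:    %zu\n", probe_parse(200, 50));
    return 0;
}
```

The parser's own length check (declared length versus bytes received) is a separate matter from the handler's check (declared length versus the 80-byte buffer); a service can have the first and still be exploitable, which is exactly the case the write-up describes.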

Generic class of vulnerability

Stack-based buffer overflow

CWE classification

CWE-121 Stack-based Buffer Overflow

Challenges

The primary difficulty with this challenge is maintaining identical RNG state with mixed floating-point and integer operations.


Curated by Lunge Technology, LLC.