Original Versions

• Author-supplied POVs: POV1, POV2
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-121 - Stack-based Buffer Overflow
• CWE-122 - Heap-based Buffer Overflow
• CWE-125 - Out-of-bounds Read
• CWE-193 - Off-by-one Error
CWEs are listed as indicated by the challenge author.

Scores

• CodeJitsu: 4.0
• Shellphish: 3.5
• DeepRed: 3.12
• TECHx: 0.99
• CSDS: 0.41
• Disekt: 0.0
• ForAllSecure: 0.0
• FuzzBOMB: 0.0
• TrailofBits: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• DeepRed - CB1
• FuzzBOMB - CB1
• Shellphish - CB1
• TrailofBits - CB1

Proved a POV in reference challenge

• CodeJitsu - POV
• DeepRed - POV
• Disekt - POV
• ForAllSecure - POV
• FuzzBOMB - POV
• Shellphish - POV
• TrailofBits - POV
POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• CodeJitsu: 100.0% - CB1
• CSDS: 100.0% - CB1
• FuzzBOMB: 100.0% - CB1
• TrailofBits: 100.0% - CB1
• Disekt: 50.0% - CB1
• TECHx: 50.0% - CB1
• Shellphish: 50.0% - CB1
• DeepRed: 50.0% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8
• Submission 9

Author Information

"Jason Rogers" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description

This service is a simple stack-based virtual machine for your programming pleasure. Using the commands PUSH, POP, ADD, PRINT and COPY you can construct simple programs that the virtual machine will execute on your behalf.

Feature List

The service accepts commands that allow you to create and execute programs. After instructing the service to create a new program of a specific size, the service will accept up to that many lines of code and store it for you. Once you are all done submitting programs, you can specify the program number of the program you want to execute.

PUSH pushes the value on top of the stack POP removes the top value from the stack ADD will remove the top two values from the stack, adds them together and pushes the result on top top of the stack PRINT will remove the top value from the stack and send it to STDOUT COPY will remove the top value from the stack and push a requested number of copies of the value on top of the stack

Vulnerability

This service has two vulnerabilities.

The first one allows the client to try and execute a program with a negative program number due to a missing check for negative program numbers. This results in an out-of-bounds read.

The second vulnerability is an off-by-one error that allows the VM's stack to overflow by one value. By overflowing the stack one can overwrite the 'size' attribute of a program. The 'size' attribute stipulates how many lines are in the program. This will cause the program to continue advancing line numbers until it attempts to read a portion of memory that is out-of-bounds.

Generic class of vulnerability

Off-by-one Error Stack-based Buffer Overflow Heap-based Buffer Overflow Out-of-bounds Read

CWE classification

Off-by-one Error CWE-193 Stack-based Buffer Overflow CWE-121 Heap-based Buffer Overflow CWE-122 Out-of-bounds Read CWE-125

Challenges

• Must determine how the interpreter works in order to construct a valid program.
• Must understand how the stack used when executing a program is stored relative to the program being executed on the heap.
• Must construct a program that causes the stack to overflow and overwrite the 'size' attribute of the executing program.