Original Versions

• Author-supplied POVs: POV1, POV2, POV3, POV4
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-131 - Incorrect Calculation of Buffer Size
• CWE-787 - Out-of-bounds Write
CWEs are listed as indicated by the challenge author.

Scores

• ForAllSecure: 0.93
• TECHx: 0.67
• CodeJitsu: 0.0
• Disekt: 0.0
• Shellphish: 0.0
• CSDS: 0.0
• FuzzBOMB: 0.0
• TrailofBits: 0.0
• DeepRed: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• CSDS - CB1
• Disekt - CB1
• ForAllSecure - CB1
• TECHx - CB1

Proved a POV in reference challenge

• Disekt - POV
• TrailofBits - POV
POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• ForAllSecure: 100.0% - CB1
• CodeJitsu: 100.0% - CB1
• Disekt: 100.0% - CB1
• CSDS: 100.0% - CB1
• TECHx: 25.0% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8
• Submission 9

Author Information

"Ben Schmidt" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description

SafeTechs is proud to announce the latest in our ever-expanding line of cloud offerings: GreatView, a memory-as-a-service (MaaS) technology that allows you to easily expand the amount of memory to a local application. As an added benefit, you can retrieve this stored data in any number of supported views, abstracting away all the hassle of converting endianess and data types.

Feature List

Using our patent-pending array management language, you can quickly and easily store and retrieve arbitrary values in any way that you so choose. Because all the data is stored in memory, and our servers are located in some of the fastest data centers in the world, you can be certain that you can access this data as fast as possible.

Vulnerability

The main vulnerability in this CB is based closely off of CVE-2014-1705, a vulnerability in V8's handling of ArrayViews that lead to an arbitrary read-write of memory. In this CVE, by defining a getter for the byteLength attribute of an Array object, it was possible to fool the ArrayView constructor into creating a view with arbitrary bounds. Similarly, this CB allows users to override the byteSize attribute of a view with a summation of declared variables, which will then be trusted by get and set functions. This leads to an arbitrary read-write to the entire process space.

There is an additional vulnerability that causes a tokenization function to write outside the bounds of the lines array. Due to improper bounds checking, it is possible to cause run_viewscript to add more lines to the lines array than it has allocated, leading to a crash.

Generic class of vulnerability

Improper bounds checking

CWE classification

CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write

Challenges

Discovery of this vulnerability requires the CRS to utilize the ability to set the byteSize attribute of a view to access outside the bounds of the array. As no example of this is provided in pollers, competitors' must independently discover that this is possible, and properly create and reference variables with large enough values to access outside the bounds of the view.

Patching will also prove difficult, as a CRS must properly enforce bounds checking of the array to prevent all crashes. Multiple PoVs exercising the vulnerability in different ways have been provided for reference.