Challenge Information - NRFIN_00072

Commonly known as: A_Game_of_Chance


Rounds Enabled

65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79

Details

Original Versions

Known Vulnerabilities

  • CWE-201 - Information Exposure Through Sent Data
  • CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

Author Information

"Nick Davis" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description:

Card players often spend significant effort memorizing all of the strategies and odds of each possible state of a game. This style of game presents a high bar to entry for those who have problems learning and remembering strategies and odds. For those people, we've created A Game of Chance.

We simplified the deck by removing face cards and Aces, leaving the cards numbered 2 - 10. We've removed the need and ability to calculate odds by making every deck a randomly generated collection of the possible valid card numbers. And lastly, we've minimized the need to develop strategies by making it a 2 card game where the bids are placed after the first card is dealt, face up, and the results are calculated after the second card is dealt, face up.

The rules of each round are simple. First, the dealer deals one card face up to each player. Then each player makes a wager. Then the dealer deals the second card face up to each player. The winner is the player that has the highest 2-card sum. If there is a tie for winner, each is considered a winner. The dealer does not play a hand. The players are playing against each other.

Those that win are given a dollar amount equal to their wager. Those that do not win lose their wager.

The most common strategy, that all current players use, is to wager 0 if the first card is a 2 or 3, and wager some other amount when the first card is 4 or greater.

Feature List:

One CB (cb_1) is the dealer, the others are the players (cb_2 - cb_7). The poller/pov/CRS communicates only with the dealer.

Each cb_1 - cb_7 represents a player at the table and functions the same, except that they have different parameters to provide variations.

There are 6 possible messages that the dealer accepts from the poller/pov/CRS.

Get Player Count - This message is used to ask the dealer how many players are in the game.

Supply New Deck - This message is used to supply the dealer with a new deck. This could be at the start of a game, or during a game if the dealer runs out of cards.

Deal One Round - This message directs the dealer to deal one hand to each player and process the results of that hand.

Get Round Data - This message asks the dealer to report the wagers and results of each player.

Get Player Earnings - This message asks the dealer to report the dollar amount that each player has won/lost.

Quit - This message asks the dealer to inform each player that the dealer has to quit for the day and the table is closed.

Vulnerability 1

Each player uses the flag page to determine how much they will wager. All players use the first byte of the flag page as their first wager. If they win, their flag page index pointer will shift by 126 chars mod 4096 to determine which flag page byte to use for the next wager. If they lose, their flag page index pointer will shift by -77 chars mod 4096 to determine which flag page byte to use for the next wager.

Since the CRS provides the deck to the dealer, and it can ask the dealer for the number of players, it can stack the deck such that the players move through the flag page indices in a manner that will eventually cause 4 consecutive flag page bytes to be used for wagers. Also, the Get Round Data command provides the CRS with the wagers that were made by all players in that round, so the CRS can track each byte that was used by each player.
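The index walk described above can be replayed from the results the dealer reports, which lets a reviewer audit which flag page offsets a game has disclosed. This is an added example, not code from the challenge: the 'W'/'L' result encoding, the function names and the sample table are assumptions, and it assumes every modeled wager carries a flag byte.

```python
FLAG_PAGE_SIZE = 4096   # flag page length, from the description
WIN_SHIFT = 126         # index shift after a win, from the description
LOSS_SHIFT = -77        # index shift after a loss, from the description


def wager_indices(outcomes):
    """Flag page index behind each wager, given one player's results.

    outcomes is a string of 'W'/'L', one character per completed round.
    Assumption: every round's wager carries a flag byte (first card >= 4).
    """
    index, used = 0, []              # every player starts at byte 0
    for result in outcomes:
        if result not in ("W", "L"):
            raise ValueError(f"unknown result {result!r}")
        used.append(index)           # this round's wager came from `index`
        shift = WIN_SHIFT if result == "W" else LOSS_SHIFT
        index = (index + shift) % FLAG_PAGE_SIZE   # wraps in both directions
    return used


def exposed_offsets(table):
    """Union of flag page offsets disclosed by all players at the table."""
    seen = set()
    for outcomes in table.values():
        seen.update(wager_indices(outcomes))
    return seen


def consecutive_runs(offsets, min_len=4):
    """(start, length) for each run of at least min_len adjacent offsets."""
    runs = []
    start = prev = None
    for off in sorted(offsets):
        if prev is not None and off == prev + 1:
            prev = off               # still inside the current run
            continue
        if start is not None and prev - start + 1 >= min_len:
            runs.append((start, prev - start + 1))
        start = prev = off           # begin a new run
    if start is not None and prev - start + 1 >= min_len:
        runs.append((start, prev - start + 1))
    return runs


# Constructed sample: per-player results as read from Get Round Data replies.
SAMPLE_TABLE = {"cb_2": "WWL", "cb_3": "LLW", "cb_4": "WLW"}
```

An empty result from `consecutive_runs(exposed_offsets(...))` means the rounds observed so far have not yet released 4 adjacent flag page bytes.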

Generic Class of Vulnerability

Information Leakage

CWE Classification

CWE-201: Information Exposure Through Sent Data

Challenges

  • The biggest challenge this CB was designed to test was how well a CRS can associate a large number of disparate bytes with their origin location in the flag page. A taint tracking tool can certainly determine which functions will cause flag page bytes to be released (as a wager). But those are only single bytes, so the CRS will have to determine which index each byte comes from, so it can then determine when 4 consecutive bytes have been released.
  • A challenge the CRSs will have to figure out is that the 5 byte command buffer that the CRS sends to cb_1 has byte indices associated with each command. So, there are a large number of buffers that can trigger each command. And the order in which that buffer is parsed will determine which command gets run. A smart fuzzer will be helpful to narrow down which bytes trigger each command.
  • Each of the 5 player CBs has the same code, but as they win or lose a hand, their flag page pointers will diverge. This will enable the CRS to direct the players to move their flag page pointers through the flag page, so it will be a challenge for the CRS to develop the proper deck at the start that will enable the wagers made during the game to provide at least one set of 4 consecutive bytes.

Difficulty

  • Discovering is medium
  • Proving is hard
  • Fixing is easy

POV Information

Round Source Destination Result POV Analysis Video
66 CSDS CodeJitsu Failed POV POV Watch
66 CSDS DeepRed Failed POV POV Watch
66 CSDS Disekt Failed POV POV Watch
66 CSDS ForAllSecure Failed POV POV Watch
66 CSDS Shellphish Failed POV POV Watch
66 CSDS TECHx Failed POV POV Watch
66 DeepRed CodeJitsu Failed POV POV Watch
66 DeepRed CSDS Failed POV POV Watch
66 DeepRed Disekt Failed POV POV Watch
66 DeepRed ForAllSecure Failed POV POV Watch
66 DeepRed Shellphish Failed POV POV Watch
66 DeepRed TECHx Failed POV POV Watch
67 CodeJitsu Disekt Failed POV through defenses POV Watch
67 CSDS CodeJitsu Failed POV POV Watch
67 CSDS DeepRed Failed POV POV Watch
67 CSDS Disekt Failed POV through defenses POV Watch
67 CSDS ForAllSecure Failed POV POV Watch
67 CSDS Shellphish Failed POV POV Watch
67 DeepRed CodeJitsu Failed POV POV Watch
67 DeepRed CSDS Failed POV POV Watch
67 DeepRed Disekt Failed POV through defenses POV Watch
67 DeepRed ForAllSecure Failed POV POV Watch
67 DeepRed Shellphish Failed POV POV Watch
68 CSDS CodeJitsu Failed POV POV Watch
68 CSDS DeepRed Failed POV POV Watch
68 CSDS Disekt Failed POV through defenses POV Watch
68 CSDS ForAllSecure Failed POV POV Watch
68 CSDS Shellphish Failed POV POV Watch
68 CSDS TECHx Failed POV through defenses POV Watch
68 DeepRed CodeJitsu Failed POV POV Watch
68 DeepRed CSDS Failed POV POV Watch
68 DeepRed Disekt Failed POV through defenses POV Watch
68 DeepRed ForAllSecure Failed POV POV Watch
68 DeepRed Shellphish Failed POV POV Watch
68 DeepRed TECHx Failed POV through defenses POV Watch
69 CSDS CodeJitsu Failed POV POV Watch
69 CSDS DeepRed Failed POV POV Watch
69 CSDS Disekt Failed POV through defenses POV Watch
69 CSDS ForAllSecure Failed POV POV Watch
69 CSDS Shellphish Failed POV POV Watch
69 CSDS TECHx Failed POV through defenses POV Watch
69 DeepRed CodeJitsu Failed POV POV Watch
69 DeepRed CSDS Failed POV POV Watch
69 DeepRed Disekt Failed POV through defenses POV Watch
69 DeepRed ForAllSecure Failed POV POV Watch
69 DeepRed Shellphish Failed POV POV Watch
69 DeepRed TECHx Failed POV through defenses POV Watch
70 CSDS CodeJitsu Failed POV POV Watch
70 CSDS DeepRed Failed POV POV Watch
70 CSDS Disekt Failed POV through defenses POV Watch
70 CSDS ForAllSecure Failed POV POV Watch
70 CSDS Shellphish Failed POV POV Watch
70 CSDS TECHx Failed POV through defenses POV Watch
70 DeepRed CodeJitsu Failed POV POV Watch
70 DeepRed CSDS Failed POV POV Watch
70 DeepRed Disekt Failed POV through defenses POV Watch
70 DeepRed ForAllSecure Failed POV POV Watch
70 DeepRed Shellphish Failed POV POV Watch
70 DeepRed TECHx Failed POV through defenses POV Watch
71 CodeJitsu Shellphish Failed POV through defenses POV Watch
71 CSDS CodeJitsu Failed POV POV Watch
71 CSDS DeepRed Failed POV POV Watch
71 CSDS Disekt Failed POV through defenses POV Watch
71 CSDS ForAllSecure Failed POV POV Watch
71 CSDS Shellphish Failed POV through defenses POV Watch
71 CSDS TECHx Failed POV through defenses POV Watch
71 DeepRed CodeJitsu Failed POV POV Watch
71 DeepRed CSDS Failed POV POV Watch
71 DeepRed Disekt Failed POV through defenses POV Watch
71 DeepRed ForAllSecure Failed POV POV Watch
71 DeepRed Shellphish Failed POV through defenses POV Watch
71 DeepRed TECHx Failed POV through defenses POV Watch
72 CSDS CodeJitsu Failed POV POV Watch
72 CSDS DeepRed Failed POV POV Watch
72 CSDS Disekt Failed POV through defenses POV Watch
72 CSDS ForAllSecure Failed POV POV Watch
72 CSDS Shellphish Failed POV through defenses POV Watch
72 CSDS TECHx Failed POV through defenses POV Watch
72 DeepRed CodeJitsu Failed POV POV Watch
72 DeepRed CSDS Failed POV POV Watch
72 DeepRed Disekt Failed POV through defenses POV Watch
72 DeepRed ForAllSecure Failed POV POV Watch
72 DeepRed Shellphish Failed POV through defenses POV Watch
72 DeepRed TECHx Failed POV through defenses POV Watch
73 CSDS CodeJitsu Failed POV POV Watch
73 CSDS DeepRed Failed POV POV Watch
73 CSDS Disekt Failed POV through defenses POV Watch
73 CSDS ForAllSecure Failed POV POV Watch
73 CSDS Shellphish Failed POV through defenses POV Watch
73 CSDS TECHx Failed POV through defenses POV Watch
73 DeepRed CodeJitsu Failed POV POV Watch
73 DeepRed CSDS Failed POV POV Watch
73 DeepRed Disekt Failed POV through defenses POV Watch
73 DeepRed ForAllSecure Failed POV POV Watch
73 DeepRed Shellphish Failed POV through defenses POV Watch
73 DeepRed TECHx Failed POV through defenses POV Watch
74 CSDS CodeJitsu Failed POV POV Watch
74 CSDS DeepRed Failed POV POV Watch
74 CSDS Disekt Failed POV through defenses POV Watch
74 CSDS ForAllSecure Failed POV POV Watch
74 CSDS Shellphish Failed POV through defenses POV Watch
74 CSDS TECHx Failed POV through defenses POV Watch
74 DeepRed CodeJitsu Failed POV POV Watch
74 DeepRed CSDS Failed POV POV Watch
74 DeepRed Disekt Failed POV through defenses POV Watch
74 DeepRed ForAllSecure Failed POV POV Watch
74 DeepRed Shellphish Failed POV through defenses POV Watch
74 DeepRed TECHx Failed POV through defenses POV Watch
75 CSDS CodeJitsu Failed POV POV Watch
75 CSDS DeepRed Failed POV POV Watch
75 CSDS Disekt Failed POV through defenses POV Watch
75 CSDS ForAllSecure Failed POV POV Watch
75 CSDS Shellphish Failed POV through defenses POV Watch
75 CSDS TECHx Failed POV through defenses POV Watch
75 DeepRed CodeJitsu Failed POV POV Watch
75 DeepRed CSDS Failed POV POV Watch
75 DeepRed Disekt Failed POV through defenses POV Watch
75 DeepRed ForAllSecure Failed POV POV Watch
75 DeepRed Shellphish Failed POV through defenses POV Watch
75 DeepRed TECHx Failed POV through defenses POV Watch
76 CodeJitsu Disekt Failed POV through defenses POV Watch
76 CSDS CodeJitsu Failed POV POV Watch
76 CSDS DeepRed Failed POV POV Watch
76 CSDS Disekt Failed POV through defenses POV Watch
76 CSDS ForAllSecure Failed POV POV Watch
76 CSDS Shellphish Failed POV through defenses POV Watch
76 CSDS TECHx Failed POV through defenses POV Watch
76 DeepRed CodeJitsu Failed POV POV Watch
76 DeepRed CSDS Failed POV POV Watch
76 DeepRed Disekt Failed POV through defenses POV Watch
76 DeepRed ForAllSecure Failed POV POV Watch
76 DeepRed Shellphish Failed POV through defenses POV Watch
76 DeepRed TECHx Failed POV through defenses POV Watch
77 CSDS CodeJitsu Failed POV POV Watch
77 CSDS DeepRed Failed POV POV Watch
77 CSDS Disekt Failed POV through defenses POV Watch
77 CSDS ForAllSecure Failed POV POV Watch
77 CSDS Shellphish Failed POV through defenses POV Watch
77 CSDS TECHx Failed POV through defenses POV Watch
77 DeepRed CodeJitsu Failed POV POV Watch
77 DeepRed CSDS Failed POV POV Watch
77 DeepRed Disekt Failed POV through defenses POV Watch
77 DeepRed ForAllSecure Failed POV POV Watch
77 DeepRed Shellphish Failed POV through defenses POV Watch
77 DeepRed TECHx Failed POV through defenses POV Watch
78 CSDS CodeJitsu Failed POV POV Watch
78 CSDS DeepRed Failed POV POV Watch
78 CSDS Disekt Failed POV through defenses POV Watch
78 CSDS ForAllSecure Failed POV POV Watch
78 CSDS Shellphish Failed POV through defenses POV Watch
78 CSDS TECHx Failed POV through defenses POV Watch
78 DeepRed CodeJitsu Failed POV POV Watch
78 DeepRed CSDS Failed POV POV Watch
78 DeepRed Disekt Failed POV through defenses POV Watch
78 DeepRed ForAllSecure Failed POV POV Watch
78 DeepRed Shellphish Failed POV through defenses POV Watch
78 DeepRed TECHx Failed POV through defenses POV Watch
79 CSDS CodeJitsu Failed POV POV Watch
79 CSDS DeepRed Failed POV POV Watch
79 CSDS Disekt Failed POV through defenses POV Watch
79 CSDS ForAllSecure Failed POV POV Watch
79 CSDS Shellphish Failed POV through defenses POV Watch
79 CSDS TECHx Failed POV through defenses POV Watch
79 DeepRed CodeJitsu Failed POV POV Watch
79 DeepRed CSDS Failed POV POV Watch
79 DeepRed Disekt Failed POV through defenses POV Watch
79 DeepRed ForAllSecure Failed POV POV Watch
79 DeepRed Shellphish Failed POV through defenses POV Watch
79 DeepRed TECHx Failed POV through defenses POV Watch

Curated by Lunge Technology, LLC.