This is an archived web site made available for research purposes. The web site is no longer maintained.

Qualifier Challenge - NRFIN_00007


Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-193 - Off-by-one Error
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 1.23
  • CSDS: 0.13
  • CodeJitsu: 0.06
  • Disekt: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • ForAllSecure: 100.0% - CB1
  • CodeJitsu: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • DeepRed: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

Narf Industries info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description

Mixology is a new chemical discovery service that allows one to efficiently mix chemical compounds from a list and name their new discoveries.

The chemical compound list this is based on is a random sample from: http://pubchem.ncbi.nlm.nih.gov/citations.html

It is public domain information generated by a Government agency.

Feature List

Mixology supports random sampling of a chemical list and sending of that list to the client in an efficient bloom filter-like format. The client chooses the seed for the random sample. The client can then send back a unique compound, compiled from that sample list, which is weighed and can be named by the user.

Vulnerability

Certain compounds have a fixed molecular weight of more than 2.3. The client must determine which random seed to give to the server to get a sample that consists of > 20 compounds that each weigh more than 2.3. This is because 2.3^20 > 2^24. The weight total for 20 of these compounds ends up occupying the MSB byte of the unsigned moles integer in this struct:

    typedef struct mixed_compound {
        char compound_name[MAX_NEW_CMPND_SZ]; /* one byte short: no room for the terminator of a full-length name */
        unsigned int moles;                   /* immediately follows the name in memory */
    } mixed_compound_t;

The compound_name char[] array is one byte too short, so the upper byte of the moles variable acts as its null terminator. When the client manages to create a sample (by choosing the right random seed and rebuilding a smaller sample bloom filter) in which moles > 2**24, the following lines segfault:

    /* libmixology.c:225 */
    size_t cpsz = strlen(mc->compound_name);
    memcpy(last_compound, mc->compound_name, cpsz);

This is because mc->compound_name is no longer null terminated, so strlen() runs on past the array, and last_compound is far too small for the size it returns.
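As an added illustration (not the NRFIN_00007 source), the struct layout from the write-up beside a bounded replacement for the strlen()/memcpy() pair: the copy refuses a name with no terminator inside the array and a destination that cannot hold it. MAX_NEW_CMPND_SZ = 128 is assumed from the "128 chars" remark, and the demo_* functions and their inputs are constructed here.

```c
#include <stddef.h>
#include <string.h>
#define MAX_NEW_CMPND_SZ 128   /* assumed from the "128 chars" remark */

typedef struct mixed_compound {
    char compound_name[MAX_NEW_CMPND_SZ]; /* a full name leaves no room for '\0' */
    unsigned int moles;                   /* sits directly after the name */
} mixed_compound_t;

/* Name length without reading past the array. Returns MAX_NEW_CMPND_SZ when
 * no terminator exists inside compound_name (the state the write-up describes). */
static size_t bounded_name_len(const mixed_compound_t *mc) {
    const char *nul = memchr(mc->compound_name, '\0', MAX_NEW_CMPND_SZ);
    return nul ? (size_t)(nul - mc->compound_name) : MAX_NEW_CMPND_SZ;
}

/* Bounded replacement for the strlen()/memcpy() pair at libmixology.c:225.
 * Returns the number of bytes copied, or -1 if the name is unterminated or
 * does not fit in dst together with its terminator. */
int copy_compound_name(char *dst, size_t dstsz, const mixed_compound_t *mc) {
    size_t n = bounded_name_len(mc);
    if (n == MAX_NEW_CMPND_SZ || n >= dstsz)
        return -1;
    memcpy(dst, mc->compound_name, n);
    dst[n] = '\0';
    return (int)n;
}

/* Constructed scenarios. */
int demo_short_name(void) {          /* normal name, fits: returns 7 */
    mixed_compound_t mc = {{0}};
    char last_compound[16];
    memcpy(mc.compound_name, "ethanol", 8);
    return copy_compound_name(last_compound, sizeof last_compound, &mc);
}

int demo_dst_too_small(void) {       /* name longer than dst: returns -1 */
    mixed_compound_t mc = {{0}};
    char last_compound[4];
    memcpy(mc.compound_name, "ethanol", 8);
    return copy_compound_name(last_compound, sizeof last_compound, &mc);
}
int demo_full_name(void) {           /* 128-byte name, moles MSB set: returns -1 */
    mixed_compound_t mc;
    char last_compound[16];
    memset(mc.compound_name, 'A', MAX_NEW_CMPND_SZ);
    mc.moles = 1u << 24;
    return copy_compound_name(last_compound, sizeof last_compound, &mc);
}
```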

Generic class of vulnerability

  • Buffer Overflow
  • Off-by-one error
  • Integer overflow (not technically, but practically)

CWE classification

  • CWE-120: Buffer Overflow
  • CWE-193: Off-by-one Error

Challenges

The challenges for the automated system will be:

  a) Tracking taint to understand how samples are packed into bloom filters and sent across the wire.
  b) Understanding that the "MIX" command requires a smaller sample buffer than the "PREP" command.
  c) Satisfying multiple requirements for the vulnerability at once (e.g. new compound name == 128 chars && molecular weight > 2.3 for each input compound).
  d) Isolating the hash function and determining which seed must be used to derive a sample with 20 compounds over 2.3 molecular weight. Note the hash is not cryptographic and is only a 4-byte integer. It is, however, diffuse and is based on murmur2 with many modifications.
  e) Understanding the relationship between the moles variable's MSB and the fact that it effectively acts as the null terminator for the new compound name.


Curated by Lunge Technology, LLC.