HITBCyberWeek 2020 REVEN Lab replay
In November 2020, Tetrane presented a remote technical hands-on lab at HITB CyberWeek about timeless debugging and analysis.
We are sharing the recording of the lab as it’s a good opportunity to discover the dynamic approach of REVEN: the type of questions a trace can provide answers to, how to approach such traces, and how it combines with regular static analysis. The lab goes from trace navigation basics to comparing taint results to understand a CVE’s patch. This video will not replace attending the lab, so make sure you’re there next time!
Tetrane also ran a contest which allowed 3 participants to win REVEN licenses of 12, 6 & 3 months. Congrats again to the winners!
During the lab, we worked on 3 pre-recorded traces:
- Trace 1 was of a simple program crash,
- Trace 2 was a proof of concept of CVE-2020-16898,
- Trace 3 was a proof of concept of CVE-2020-17087. The actual CVE number was hidden because the contest was based on it.
Below is a recording of this lab’s session (see timestamps to specific chapters below) shared by the organizers. Note that in order to keep the contest within the allocated 2-hour time span, we started working on trace 3 before we looked at trace 2.
Here are various timestamps:
Presentation of REVEN:
- 12:17 - Recording a trace
- 14:02 - First look at the data we get
- 17:00 - The GUI & tools to work on the trace
- 22:39 - How to use Jupyter
Exercise 1 - starter trace, basic usage:
- 24:16 - Part 1 intro: GUI, viewing program crash
- 36:43 - Solutions: viewing call details, navigation
- 40:36 - Part 2 intro: why and how to use tainting
- 48:44 - Solutions: information gathered from the taint, and viewing results with the python API
Contest - CVE-2020-17087:
- 56:43 - Presentation of this trace: CVE, crash in kernel, blue screen
- 1:07:20 - A first few hints
- 1:09:53 - End of contest
- 1:13:14 - Solutions: finding the reason for the crash, linking it to the bug, and linking problematic values all the way back to the PoC executable
Exercise 2 - CVE-2020-16898:
- 1:25:12 - Intro: presentation of the crash & security cookie.
- 1:31:04 - Solutions: taint backward to network packet
- 1:33:54 - Taint-assisted code diff: vulnerable code vs patched code
Huge thanks to the HITBSECCONF crew and to the participants of this lab.
See you next time!