2023-ectf-uiuc's People

Contributors

akuvolts, colinz22, eihart123, feyorsh, henopied, nmuskopf, pleasedeletethis, rabrlincoln, reteps, richyliu, rkumar312, tejassatpalkar, whitehoodhacker

2023-ectf-uiuc's Issues

Feature number messages correspond to feature indices instead of active features count

Problem

Vulnerability in current protocol:
An attacker can just send the same signed feature consecutively three times to the car to have it show all three feature flags.

Related vulnerability:
An attacker could send features from the fob to the car out of order to have it send the flags for other feature indices.

Solution

  • "Feature numbers" are better thought of as "feature IDs" and they aren't inherently tied to feature indices since this is not defined by enable features from MITRE's host tools.
  • The MSG_FEAT_1, MSG_FEAT_2, and MSG_FEAT_3 are not "which feature is enabled" but "how many features are enabled."

The interpretation of MSG_FEAT_# where # is the number of active valid features is also how the insecure example does this, but obviously they have zero validation.

TLDR: FEAT_# in protocol does NOT correspond to MSG_FEAT_#

Requirements for Fix

  • The car only sends MSG_FEAT_3 IF AND ONLY IF three valid features were sent and all three feature numbers are different. MSG_FEAT_1 and MSG_FEAT_2 are also sent.
  • If an attacker formats an UNLOCK_FEAT message to only include a valid feature at FEAT_3, the car only sends MSG_FEAT_1 since only one unique valid feature was provided.
  • If an attacker sends the same feature number and signature two or three times consecutively, the car only sends MSG_FEAT_1 since only one unique valid feature was provided.
  • Similar tests should be used for two valid features.
  • Fix should ONLY be implemented in car and should not depend on fob implementation of how features are stored or sent.
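
The counting rule in the requirements above, as an added C example that is not the project's own code: the car counts distinct feature IDs that carry a valid signature, ignoring which FEAT_# slot they arrived in. The names `feat_slot_t`, `sig_is_valid`, `make_slot`, `count_unique_valid` and `SIG_LEN` are hypothetical, and the XOR check is only a stand-in for the car's real signature verification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NUM_SLOTS 3 /* FEAT_1..FEAT_3 positions in UNLOCK_FEAT */
#define SIG_LEN   4 /* constructed size, not the real signature length */

typedef struct {
    uint8_t feat_id;      /* feature ID from the packaged feature */
    uint8_t sig[SIG_LEN]; /* signature over the feature ID */
} feat_slot_t;

/* Stand-in for the car's real signature check (assumption): valid when
 * every signature byte equals feat_id ^ 0xA5. */
static bool sig_is_valid(const feat_slot_t *s)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < SIG_LEN; i++)
        diff |= (uint8_t)(s->sig[i] ^ s->feat_id ^ 0xA5);
    return diff == 0;
}

/* Builds a constructed sample slot; valid=false corrupts the signature. */
feat_slot_t make_slot(uint8_t id, bool valid)
{
    feat_slot_t s = { .feat_id = id };
    for (size_t i = 0; i < SIG_LEN; i++)
        s.sig[i] = (uint8_t)(id ^ 0xA5 ^ (valid ? 0 : 1));
    return s;
}

/* Distinct feature IDs with a valid signature, regardless of slot position.
 * The car would then send MSG_FEAT_1 .. MSG_FEAT_n for the returned n. */
int count_unique_valid(const feat_slot_t slots[NUM_SLOTS])
{
    uint8_t seen[NUM_SLOTS];
    int n = 0;
    for (size_t i = 0; i < NUM_SLOTS; i++) {
        if (!sig_is_valid(&slots[i]))
            continue;             /* empty or forged slot */
        bool dup = false;
        for (int j = 0; j < n; j++)
            if (seen[j] == slots[i].feat_id)
                dup = true;
        if (!dup)
            seen[n++] = slots[i].feat_id; /* replays are counted once */
    }
    return n;
}
```
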

Timeout on enabling features and unlocking on MITRE testing server

Testing complete. If no error messages show, you may be ready to submit for Handoff.
[12:02:24] SUCCESS  [Logger] PASS Substep: Remove Existing Design              
[12:02:25] SUCCESS  [Logger] PASS Substep: Clone New Design                    
                    ([email protected]:sigpwny/2023-ectf-sigpwny.git, v1.1)       
[12:02:25] SUCCESS  [Logger] PASS Substep: Fetch LFS Files                     
[12:02:25] SUCCESS  [Logger] PASS Step: CloneDesign                            
[12:02:26] SUCCESS  [Logger] PASS Substep: Kill Docker Containers              
[12:02:26] SUCCESS  [Logger] PASS Substep: Remove Docker Containers            
[12:02:28] SUCCESS  [Logger] PASS Substep: Remove Docker Image                 
[12:08:05] SUCCESS  [Logger] PASS Substep: Build Environment                   
[12:08:07] SUCCESS  [Logger] PASS Substep: Build Tools                         
[12:08:08] SUCCESS  [Logger] PASS Substep: Build Deployment                    
[12:08:11] SUCCESS  [Logger] PASS Substep: Build Unpaired Fob                  
[12:08:16] SUCCESS  [Logger] PASS Substep: Build Car Fob Pair 1                
[12:08:22] SUCCESS  [Logger] PASS Substep: Build Car Fob Pair 2                
[12:08:23] SUCCESS  [Logger] PASS Substep: Package Feature 1 for Car 1         
[12:08:24] SUCCESS  [Logger] PASS Substep: Package Feature 2 for Car 1         
[12:08:25] SUCCESS  [Logger] PASS Substep: Package Feature 1 for Car 2         
[12:08:27] SUCCESS  [Logger] PASS Substep: Package Feature 2 for Car 2         
[12:08:27] SUCCESS  [Logger] PASS Substep: Protect car1 Image                  
[12:08:27] SUCCESS  [Logger] PASS Substep: Protect car2 Image                  
[12:08:27] SUCCESS  [Logger] PASS Substep: Protect fob1 Image                  
[12:08:27] SUCCESS  [Logger] PASS Substep: Protect fob2 Image                  
[12:08:27] SUCCESS  [Logger] PASS Substep: Protect fob0 Image                  
[12:08:27] SUCCESS  [Logger] PASS Substep: Kill Docker Containers              
[12:08:29] SUCCESS  [Logger] PASS Substep: Remove Docker Containers            
[12:08:29] SUCCESS  [Logger] PASS Step: BuildSystem                            
[12:08:29] SUCCESS  [Logger] PASS Substep: Reset Devices                       
[12:08:30] SUCCESS  [Logger] PASS Substep: Initiate car1_protected Device      
                    Firmware Update                                            
[12:09:01] SUCCESS  [Logger] PASS Substep: Load car1_protected Device          
[12:09:03] SUCCESS  [Logger] PASS Substep: Reset car1_protected Device         
[12:09:04] SUCCESS  [Logger] PASS Substep: Initiate fob1_protected Device      
                    Firmware Update                                            
[12:09:35] SUCCESS  [Logger] PASS Substep: Load fob1_protected Device          
[12:09:37] SUCCESS  [Logger] PASS Substep: Reset fob1_protected Device         
[12:09:37] SUCCESS  [Logger] PASS Substep: Start Car Bridge                    
[12:09:37] SUCCESS  [Logger] PASS Substep: Start Fob Bridge                    
[12:09:48] ERROR    [UnlockCar] FAIL Substep: Enable Feature 1                 
[12:09:48] ERROR    [UnlockCar] FAIL Step: UnlockCar                           
[12:09:48] ERROR    [JeffFlow] Substep timed out: Enable Feature 1             
[12:09:48] ERROR    [JeffFlow] Verification Flow Failed