Central Exploit Organizer (CEO) extracts, collects, analyzes and build predictive models to guide Cyber Reasoning Systems (CRS) toward the discovery of vulnerabilities in binary programs. It aims to be the missing component in modern CRS. CEO works collecting data to predict which is the best action that a CRS can perform. Given a test case (binary + input), our CRS can perform several actions using the following techniques:
- Symbolic execution with Manticore.
- Smart fuzzing with American Fuzzy Lop.
- Blind fuzzing with GRR.
Every time our CRS performs an action with a fixed amount of resources (time or memory), there is one of these results:
- r0: it fails to start or it produces no new test cases.
- r1: it produces additional test cases.
- r2: it finds a valuable test case (e.g, a crash).
CEO aims to predict the techinque (and parameters) we should use in a test case to obtain the desire result. It is illustrated in this overview diagram:
This repository contains a prototype that will only work with CGC binaries. If you want to test it, you can find a large set of precompiled CGC binaries here.
- Python 2.7 with setuptools
- GRR requirements: gflags.
- AFL requirements (with QEMU support!).
Other required Python packages are: scipy, scikit-learn and imbalanced-learn but these are automatically installed by our script.
In Debian/Ubuntu, you can run:
# apt-get install libgflags-dev bison glib2
To compile and install locally the required external tools (afl-cgc, grr and manticore) execute:
$ ./install.sh
$ wget https://github.com/trailofbits/ceo/releases/download/0.1/cgc-corpus.tar.xz
$ tar -xf cgc-corpus.tar.xz
$ cd corpus
$ mkdir bins
$ wget "https://github.com/angr/binaries/blob/master/tests/cgc/PIZZA_00001?raw=true" -O bins/PIZZA_00001
$ printf "bins/PIZZA_00001" > test.txt
$ mkdir -p PIZZA_00001/inputs
$ printf "AAA" > PIZZA_00001/inputs/file
$ ceo-bin test.txt test
-
Create a text file with one executable program path per line.
-
Optionally, create directories named as the filenames of the binaries to execute. with a directory named "input" to give the initial inputs. For instance:
mkdir -p CROMU_00001/inputs/ printf AAA > CROMU_00001/inputs/fileOtherwise, CEO will use a list of special strings as initial inputs
-
If your target file is "train.txt", execute:
$ ceo-bin train.txt init -
Now you can go to every "fold" directory and run ceo independely in each one. For instance:
$ cd fold-0 $ ceo-bin train.txt train
- After training, open a shell in the directory with the "fold" subdirectories.
- Create a text file with one executable program path per line.
- Create directories named as the filenames of the binaries to execute.
with a directory named "input" to give the initial inputs. For instance:
mkdir -p NRFIN_00001/inputs/ printf AAA > NRFIN_00001/inputs/file - If your target file is "test.txt", execute:
$ ceo-bin test.txt test