Reading SECRET U.S. Air Force HACKING Document!!

LiveUnderflow · Advanced · 📄 Research Papers Explained · 4y ago

Key Takeaways

The video discusses the 'EDGE OF THE ART IN VULNERABILITY RESEARCH' report by the US Air Force, covering state-of-the-art vulnerability research, reverse engineering, and program analysis tools, including Binary Ninja, Ida Pro, and Frida. The report introduces various techniques and tools for static and dynamic analysis, fuzzing, and decompilation.

Full Transcript

Clickbait title added. I changed the title of the stream to "Reading SECRET U.S. Military Hacking Document". It's not secret, because it's approved for public release, distribution unlimited, so this is not a secret, but you know, gotta do the clickbait. This was shared on my subreddit and somebody said like, oh, look at here, this U.S. military document about the state of the art in vulnerability research, version 3 of 4. It's fairly recent, January 2021, written by a company called Two Six Labs. So this was contracted out, apparently by the Air Force Research Laboratory, to a company. And when I scrolled here and just did a quick overview, there's a report documentation page here which listed the authors of this, and when I read this name I thought, oh wait, I know her. I mean, I don't really know her, I know her on Twitter, I'm following her on Twitter. So she is one of the authors of this paper, so I thought, hey look, that's interesting. You know, who would have thought. I haven't really looked into it, I just looked over the table of contents briefly, so I just thought we could check it out and see what this document is about. Is it worth reading? What is the content like? We can maybe speculate why the Air Force Research Laboratory, the military, wants information about state-of-the-art vulnerability research. But yeah, it could be interesting. These kinds of papers do exist; for example, Google also contracted companies to write a browser security paper a few years ago, and I'm actually an author on that as well, ours is one of them here, the Cure53 one. If you are interested in the tangled web and these kinds of web security things, so client-side web security more likely and how it relates to browsers and so forth, then our paper here could maybe be interesting. But it's also now four years old or so, so obviously some browser tricks and stuff might not work anymore. But yeah, this was something Google, for example, contracted out, so here it's just the military wanting to get some experts to tell them, hey, what's the current state of the art of vulnerability research.

Okay, but let's see what this is about. It's very curious; it's just really fun exploring a document like this. Also this, I've never heard this, is this proper English? I've never heard this: the "Edge of the Art" report. Why is it not the cutting-edge report or the state-of-the-art report? Like, what, the "edge of the art" report? I've never heard this, it sounds really weird to me, but I guess it's a thing. So, "this report aggregates the most recent advances in vulnerability research, reverse engineering and program analysis tools." 116 pages, so we are not going to read this all. Introduction, goals of the document, tools, criteria, techniques, okay. Static analysis, okay, they are introducing three decompilation frameworks: Binary Ninja, IDA Pro and Ghidra. Then binary diffing: Hashashin and DeepBinDiff. Okay, wait, so how do we do this? Do we just scroll over this stuff, or do... let's just quickly go with the table of contents and look closely at it, because I, for example, don't know these two. I mean, DeepBinDiff sounds like a fork maybe of BinDiff, I don't know, but Hashashin I've actually never heard of. So yeah. And kernel static analysis, CRIX, also never heard of it. Dynamic analysis, so here you have debuggers: WinDbg with time travel debugging, the Binary Ninja debugger plugin, that's pretty new actually, I've not tried it yet, curious what they write a bit, and then plutonium-dbg, also never heard about that. So you can see I'm not very advanced in my vulnerability hacking research stuff. Coverage analysis: Lighthouse I've heard of before, and bncov I think I've also heard of before, but those I've never used. And then we have Frida, which is obviously very popular. Then we have fuzzing: mutation-based fuzzing, TortoiseFuzz and IJON. Also, I think TortoiseFuzz I have maybe heard somewhere, never used this stuff, no clue. Nautilus, never heard of it. HFL, HYPER-CUBE, okay. "Nodules", no clue. Now platform-specific fuzzing: HFL and HYPER-CUBE, I don't know, but platform-specific I guess means it's for a certain operating system, because this one is for Linux, this is kernel fuzzing, so I know this one. The other two, no clue. And then exploitation techniques: data-oriented attacks, DOP and BOP. To be honest, I am not really up to date with the data-oriented, like, terminology. I never understood why they have a terminology at all, but maybe I also don't understand it properly, like, I don't know, this differentiation with data-oriented attacks is kind of weird to me. But maybe I want to read here more closely, maybe I understand why they give these specific names. So there's a lot to learn for me in here as well.

So I guess let's start scrolling and see what we can find in here. Static analysis: we have relevant tools. They consider relevant tools to be IDA, Ghidra, Binary Ninja, Miasm and BAP. I know Miasm, I don't know BAP. But isn't Miasm also for, what's it called, symbolic execution? It's like an intermediate language. So I guess here it's about strictly speaking disassembly. Oh: "an assembler converts a program from assembly language to machine code, and a disassembler performs the reverse." So a disassembler like Binary Ninja, for example, takes the assembly and not only shows you the disassembly but maybe translates it also to an intermediate language or something. Yeah, I don't know how deep I want to dig into this paper now, I kind of am just curious if I know the tools. And maybe I wonder, like, why is this a big section? I feel like, is that a big important thing in vulnerability research, that you can reassemble things? And then I'm wondering why IDA and Ghidra are not listed here, because I understand that for vulnerability research you might want to patch out some stuff, maybe for fuzzing you want to nop out a section just because it's not important for fuzzing and so forth. Like, I understand all that, but do you need more advanced reassembly stuff? And then also I'm not quite understanding what angr does in here, because angr is like a binary analysis framework. But they know each other, so like, Perry knows this very well, angr. Like, didn't they go to the same university, or maybe, no, that's New York, okay. But yeah, they know each other for sure, 100%. Okay, intermediate representations, here's a good text actually: "intermediate representations are commonly used in compilers; a familiar example is LLVM IR." What does IR stand for? Intermediate representation, maybe, using the Clang compiler. So yeah, so your C code is translated into the LLVM intermediate language and then that is actually compiled to assembly, and then you can also do fancy cross-compiling stuff. Once you have the intermediate language you can also compile to ARM, or you could compile it to Python code or something like this, right? Like, if you have an intermediate language, it's very cool if different things can be turned into that intermediate language, then all of these things can also be turned into all the other stuff. An intermediate representation, IR, makes sense. Okay, decompilation: IDA Pro, Ghidra, Binary Ninja, okay, that's also clear. Static vulnerability discovery, CRIX: "there are a number of tools and techniques designed to statically discover vulnerabilities." Sounds interesting. That sounds like a cryptocurrency. "Detecting missing-check bugs via semantic- and context-aware criticalness and constraint inference. Example: a new missing-check bug found by CRIX. The missing check against variable smc ibdev will cause multiple problems, as annotated in the code." Yeah, so this apparently was a paper. I don't know if this was turned into proper code. Unfortunately, with a lot of papers like this, they have like one proof of concept. Kind of, these techniques, you come up with them, you find some stuff, you fix the stuff, and now you need new things to find different kinds of vulnerabilities. Yeah, look, it looks like unmaintained. Did a proof of concept once for the paper, found some stuff, and it makes no sense to pursue this further because now you found the stuff with it.

Okay, static program analysis, control flow recovery. Let's just Google these things just to get a quick idea what these things are; clearly not popular tools. When you... oh, Binary Analysis Platform, ah, that makes sense. Okay, QIRA was such a cool proof-of-concept thingy. Yeah, geohot made a cool project, let's see if the website is still up. QIRA was released when I just started to get into CTFs and I was blown away that somebody could develop such a tool. As far as I remember, geohot was an intern at Google Project Zero and developed this tool during Project Zero, and it's a timeless debugger where you run the code and then you could step forwards and backwards through the code and you observe what is happening. As a beginner it was very difficult to set up, but it was really cool for some CTF challenges. I'm just looking for other tools, more tools. Okay, decompilation frameworks. So was this just like an overview of the stuff, and now we look more closely at... see, that's nice. Okay, so we have Binary Ninja, very well known from my channel hopefully, we used it for Pwn Adventure for example. They have done a lot of cool stuff since I used it back then. I haven't actually checked it out because I don't have a license anymore, but yeah, they have done a lot of cool new features and stuff. "With the introduction of Ghidra there are now three actively developed, high-quality decompilers available. This represents a significant disruption to a market that has for years had few viable options for effective decompilation. These three reverse engineering platforms are in some respects complementary, each having their own benefits and drawbacks." Yeah, this is probably the most important takeaway, that each of them has their pros and cons, and for whatever you need to do the other tool might be better, and it maybe makes sense to switch between those things. Have you tried out the new Ghidra debugger yet? No, I have not, I've just heard that it's there. Binary Ninja is very interesting because they very early on tried to have a very good architecture of their disassembler, and I guess here they explain it. I'm also not sure, do they just list here the newest software? Because, like, why does it not list x64dbg for example, for Windows? I think that is very often used in vulnerability research, or I don't know. So maybe this paper just lists newer stuff, I don't know, new developments. I haven't tried the Binary Ninja debugger, I really want to at some point, I just don't have a license.

Trends, dynamic analysis: "dynamic analysis has seen a lot of innovation and maturity in recent years. The tools are becoming more powerful, transparent and efficient. At the same time they are becoming better integrated with platforms such as Binary Ninja and are optimized for interoperability. There have been major updates to existing tools such as WinDbg, Lighthouse and Frida, as well as the introduction of entirely new tools such as the Binary Ninja debugger, plutonium-dbg and bncov. Given the power of dynamic analysis, there is likely to continue to be rapid improvement in this area." "Exploring deep state spaces via fuzzing." That's so cool when you let fuzzers play games, that's so funny, and a nice visualization of what fuzzers do: they are just brute-forcing some inputs that lead you somewhere. I don't know how misleading these screenshots are, like, I honestly don't understand it well enough, we should probably read it to understand. But like, I understand that a fuzzer would try out all these different things, so what makes this fuzzer special that they don't do that? The upper image makes sense to me for brute-forcing inputs, and then coverage guiding, like trying to get further and further, makes sense, always favoring stuff that got you further. But I don't really understand why I would expect it to look like... why is it so different, you know?

"For example, using simple annotations we are able to play Super Mario Bros. and to solve hard instances from the CGC challenge data set. We demonstrate in several case studies how these annotations can be used to explore deeper behaviors of the target application. More specifically, we show how the state space of a software emulator for a Trusted Platform Module, complex format parsers, the game Super Mario, a maze and a hash map implementation can be efficiently explored by a fuzzer. Consider the code in Listing 1; it implements a small game in which the player has to navigate a labyrinth by moving in one of the four possible directions. It is based on the famous labyrinth demo that is commonly used by the symbolic execution community to demonstrate how a symbolic executor can explore the state space of a maze. In this modified version it is possible to walk backwards and to stay in the same place. This creates a vast amount of different paths through the program; at the same time there are effectively only four branches that can be covered, thus the coverage alone is not a good indicator for interesting behavior. In this harder version even KLEE fails to solve the labyrinth. Here it is essential to understand that the x and y coordinates are relevant states that need to be explored. In mazes with dead ends it is not even possible to find the solution by trying to increase x or y individually; the combination of both x and y has to be considered to uncover a solution. Since the maze is rather small, at most only a few hundred different x, y pairs are reachable. The analyst can instruct the fuzzer to consider any new pair as new coverage." Okay, that makes sense. Coverage, Figure 2a. "Similar scenarios where the user is aware of the precise aspects of the state that is interesting to explore also occur with larger state spaces. One example that demonstrates a similar scenario is the game Super Mario. Again we mostly care about the player coordinates; however, the space of player coordinates is significantly larger than in the maze game. As a consequence the analyst needs to be able to provide a goal that the fuzzer can work towards, increase the x-coordinate, instead of simply exploring all different states. This way the fuzzer can discard inferior intermediate results."

Okay, yeah, now I slowly understand. Fuzzing traditionally, you want to get a crash, right? So the fuzzer with coverage guidance learns, okay, I got into this function a lot, I need to try to get into this other function, and maybe through random bit flips it found how to get into this other... like, to find input that reaches this other function, and then it favors that and it tries to go deeper and so forth until you reach a crash. And a crash is, so to say, the goal, and what makes the fuzzer progress through certain parts is new coverage, new functions. Now a game, it's not so much about new functions, right? In this example, for example, in a maze you only have this one function, or these few basic blocks. There's not a lot of different functions with coverage, it's the same function, just the state is different. And this is very, very difficult for a fuzzer, because what is now coverage information? You can't simply go by executed blocks. For example, AFL looks at which blocks you executed, and AFL would execute this block once and would think, okay, I explored everything. It would still throw random stuff at it, but I doubt... or actually I'm not so sure, but I doubt that AFL would really perform well in something like this. Yeah, for a game you tell the fuzzer: increasing the x coordinate, so moving to the right, is good, this is always what you want. And now the fuzzer tries inputs to always get the x coordinate further, and then it was good input. Yeah, and so they say they annotate. So now I wonder, like, what do they have to do? Does their annotation work automatically, can it automatically recognize what is important state information and what is not, or do you have to say by hand, this is... ah, "using the IJON_ENABLE annotation; the green highlight indicates an added annotation. Annotated version of the..." Okay, so you need to annotate it yourself, you need to say these are important state variables, we want to explore this as a state. Inside the main loop, after having the position, okay, here you say like, this is the goal, if that gets better this is what we want. Okay.

Everybody, I think I will... I don't know, this paper is so long and we don't read it properly anyway, but I think it was a fun look into the military paying a company to write a document about the current state of vulnerability research, what tools exist and so forth. Any guesses how much did this cost? How much did the military pay for this? So I don't know, obviously, what they paid for this. Maybe there is a way how you can look up what this cost, contract number, I don't know, maybe you can look up these things, I am not aware. But I wonder what you are guessing what this would cost. Maybe we are lucky when we search the contract number, maybe we can see how much this cost. Definitely not what I had guessed. I would have guessed maybe 50,000 or something, 50k max. Maybe there are two people, yeah, so between 30 and 50,000 I would have guessed for this document. Stop it, oh, what blocked the scrolling here, that was wrong, okay, that did get it back. "Hacker expertise can crush machine assisted target exploitation." So I mean, this definitely seems to be... I don't know how the U.S. government works, but I guess this is a huge contract and they are just a subcontractor of, like, I don't know... oh, Two Six Labs, so that vendor was directly given that contract. But this is also, like, this document is version 3 of 4, so yeah, it definitely seems to be a bigger thing. I wonder what else they do. Can we search for this title, "Edge of the Art"? Funding detail, federal transactions. This was in January, right, so maybe we can... oh, there's so much money. Hey, do you not want to showcase your findings on YouTube? I take a fraction of this and throw it on my YouTube channel. Give me one million of this here and I present everything, I tell you about the state of the art of YouTube videos. What's secret about this? The clickbait is secret about it, sorry, it was just clickbait, but it's this military document here. Okay, yeah, that was kind of interesting, that was fun to explore. I think I will call it a night now, let's see. Bye bye. [Music]
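The maze passage read out above is the easiest way to see what a state annotation buys a fuzzer. The toy below is an added example written for this page; it is not code from the video, from the report, or from the IJON project. It constructs a small maze in which hitting a wall leaves the player standing still (so walking back and staying in place are both possible), runs the same minimal mutational fuzzer twice, and changes only the feedback: once it keeps an input when it hits a new branch (an imitation of basic-block coverage), once it additionally keeps it when it reaches a new (x, y) pair, which is what the paper's annotation adds. Because the block-coverage run can only ever retain a handful of inputs (four directions plus the wall branch), its corpus never grows long enough to reach the exit; the state-guided run expands the frontier one cell at a time and solves it. The maze layout, the mutation strategy and the iteration budget are all choices made for this example.

```python
"""Block coverage vs. IJON-style state coverage on a constructed maze game.

Added example for this page; the maze, fuzzer and numbers are made up here
and are not the report's or IJON's own code.
"""
import random
from dataclasses import dataclass, field

# Constructed maze: the player starts at (1, 1), '#' is the exit.
# Walls block a move but do not end the game, so inputs may stand still
# or walk back, like the modified labyrinth the paper describes.
MAZE = [
    "+-------+",
    "|     |#|",
    "| --- | |",
    "|     | |",
    "| ---   |",
    "|       |",
    "+-------+",
]
START = (1, 1)
MOVES = {"w": (0, -1), "s": (0, 1), "a": (-1, 0), "d": (1, 0)}
MAX_STEPS = 64  # cap per input so long mutants stay cheap to run


def run_maze(inp: str):
    """Play one input. Returns (won, block_ids, visited_states).

    block_ids imitates edge/basic-block coverage: one id per branch taken.
    visited_states is the annotated state: every (x, y) the player stood on.
    """
    x, y = START
    blocks, states = set(), {(x, y)}
    for ch in inp[:MAX_STEPS]:
        dx, dy = MOVES[ch]
        blocks.add("dir:" + ch)           # the branch for this direction
        nx, ny = x + dx, y + dy
        if MAZE[ny][nx] in "+-|":
            blocks.add("wall")            # blocked: stay in place
            continue
        x, y = nx, ny
        states.add((x, y))
        if MAZE[y][x] == "#":
            blocks.add("win")
            return True, blocks, states
    return False, blocks, states


@dataclass
class FuzzResult:
    solved: bool
    solution: str
    iterations: int
    corpus: list = field(default_factory=list)


def fuzz(feedback: str, seed: int = 1, budget: int = 100_000) -> FuzzResult:
    """Minimal coverage-guided fuzzer.

    feedback="blocks": keep an input only if it reaches a new branch.
    feedback="states": also keep it if it reaches a new (x, y) pair.
    Mutation is deliberately simple: append one move, or flip one move.
    """
    rng = random.Random(seed)
    corpus = [""]
    seen = set()
    alphabet = "".join(MOVES)
    for it in range(1, budget + 1):
        parent = rng.choice(corpus)
        if parent and rng.random() < 0.25:
            i = rng.randrange(len(parent))           # flip one move
            child = parent[:i] + rng.choice(alphabet) + parent[i + 1:]
        else:
            child = parent + rng.choice(alphabet)    # append one move
        won, blocks, states = run_maze(child)
        if won:
            return FuzzResult(True, child, it, corpus)
        cov = set(blocks)
        if feedback == "states":
            cov |= states                            # the annotation's contribution
        new = cov - seen
        if new:                                      # new coverage: keep the input
            seen |= new
            corpus.append(child)
    return FuzzResult(False, "", budget, corpus)


if __name__ == "__main__":
    for mode in ("blocks", "states"):
        r = fuzz(mode)
        print(f"{mode:>6}: solved={r.solved} after {r.iterations} runs, "
              f"corpus size {len(r.corpus)}, solution={r.solution!r}")
```

With block feedback the corpus saturates after at most six entries, each at most one move longer than its parent, so no retained input can be long enough for the twelve-move shortest path; with state feedback every newly reached cell is a reason to keep the input, and the corpus walks the maze to the exit. The paper's Super Mario example uses the other annotation kind read out above, a goal to maximise (the x coordinate) rather than a set of states to cover, which this toy does not implement.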

Original Description

Reading the "EDGE OF THE ART IN VULNERABILITY RESEARCH" report by the US Air Force.
The Document: https://apps.dtic.mil/sti/pdfs/AD1122204.pdf
→ Support: https://www.liveoverflow.com/support
-=[ 📄 Info. ]=-
Main Channel: https://youtube.com/LiveOverflowCTF
Twitch: https://twitch.tv/LiveOverflow
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
-=[ 📄 P.S. ]=-
#liveoverflow

The video teaches viewers about the current state of vulnerability research and tools, including static and dynamic analysis, fuzzing, and decompilation. It covers various techniques and tools, such as Binary Ninja and Frida, and discusses their applications in cybersecurity and hacking.

Key Takeaways
  1. Read the 'EDGE OF THE ART IN VULNERABILITY RESEARCH' report
  2. Use Binary Ninja for reverse engineering
  3. Utilize Frida for dynamic analysis
  4. Apply fuzzing techniques to identify vulnerabilities
  5. Explore the use of decompilation tools, such as Ida Pro
  6. Analyze the state space of a software emulator using coverage-guided fuzzing
💡 The US Air Force has invested significant resources in vulnerability research, highlighting the importance of cybersecurity and hacking in modern warfare.
