GCC2025, 応募課題晒し

Global Cybersecurity Camp 2025(以下GCC2025) の選考に通過したので, 選考の際に提出した課題についてインターネット上に残しておくことにする. 原文をそのままコピペしてもいいのだが, せっかくなので所感を交えておく. 誰かの何かにとって参考になれば幸いである.

2024年12/18日現在, アドベントカレンダーに間に合わせるために急ぎで書いている. 本エントリは, 後に修正される可能性が大いにあることに留意されたし.

基本方針

GCCについての説明文を読む限り, 講義やコミュニケーションは全部英語で行われるらしい. であればまあ課題もできるだけ英語で書いておこうかと思い, 可能な限り英語で回答することにした.

What is your cyber security experience

My cybersecurity experience started in 2023, October. At that time, I learned about CTF. Especially pwnable and reverse seemed pretty cool. But I literarily knew nothing about low-layer knowledge of computers, so I spent half a year studying that by myself. Nowadays, I consistently ranked 20th ~ 50th place in many CTFs by solving only pwn, rev, and sometimes misc and OSINT challenges.

Since last March, I've been studying and researching about decompilers. Existing decompilers are not perfect. Generally speaking, they have 4 unresolved problems. Control Flow Graph Recovery, Type Recovery, Control Flow Structuring, Symbol (Identifier) Recovery. These days, I'm working on verifying the augmentation of datasets used by an LLM-based decompiler. In the future, I'd like to work on anti-disassembly techniques, control flow graph recovery, and category theory-based machine learning-based decompilers.

Last July, I participated in Crisis Management Contest. My team ranked 2nd place and receive the Mizuo RT prize. Also, as an individual, I received the grand prize from JPCERT/CC. Crisis Management Contest is a competition of an incident response desk exercise. I learned much about incident response, log forensics, and reporting from this contest.

Last August, I participated in an IoT security class in Security Camp. I worked on and learned much about security in medical systems, cars, binary forensics, sbom, IoT, and CPU. This was an encouraging experience. There were also many interesting classes, and thankfully, students have access rights to all documents in almost all classes. I learned about compilers and hypervisors by reading these documents, particularly for compilers, I made my own one in the C language.

Last October, I participated in the MWS Cup. MWS is a security competition held in CSS (Computer Security Symposium). MWS stands for Malware Workshop. In this competition, I worked on static analysis and ranked 2nd place in the category. In the competition, the target binary is made by the Go language. Analyzing the target binary was pretty difficult because the Go language has its own ABI and data structures. Through the contest, I learned about the basics of the binary that is not written in C language.

所感

とりあえず書けそうな経験を列挙してみた. セキュリティキャンプネクストの応募課題同様加点方式だと信じていっぱい書いたが, もうちょっとコンパクトに書いた方がよかった可能性もある. 2024年12月現在, セキュリティに入門して一年ちょいしか経ってないので, あまりかけることはない. 対外的にいろいろやってますよというアピールがメインである. デコンパイラのくだりについては今見るとちょっとお粗末なところがあり恥ずかしい.

What is your English proficiency?

Since I was a high school student, I learned English by communicating with English speakers on the internet, watching videos on YouTube, and reading English documents and tech blogs on programming and software. Through these experiences, I can at least have daily conversations in English. On the other hand, I'm not so good at writing English. To write English mail or articles, I sometimes use machine translators and dictionaries. For reference, my TOEIC score is 865.

所感

英語についての質問. 正直に書いた. しゃべる分にはそんなに困らない(と思っている)こと, ライティングはちょっと苦手なこと, そのような英語をどのように身に着けたかについて. 参考になればいいと思ってTOEICの点数とかも書いてみた.

セキュリティ・キャンプに参加したことがある人は、参加した大会名と、クラス/トラック/受講講義等を教えてください。 (ない場合は「なし」と記載。)

I joined the IoT security class in Security Camp 2024(セキュリティキャンプ2024 全国大会). The classes I participated in are

  • Information security about medical information systems.
  • The exercise of analyzing CAN packets.
  • Understanding of file system and analysis of data in a memory chip.
  • Security risk analysis of IoT devices based on sbom and system information.
  • Secure coding experience with robot car.
  • Circuit-level CPU design

所感

参加経験があったのでその旨を記載. この設問に関しては日本語で書いた方がよかったんじゃなかろうかという気もする. その方が正確なので. でもまあ英語圏の講師が見てくれたらお得かなって.

公開してる技術系の活動や資料(ブログや、X、GitHub、Slideshare、Speaker Deckなど)がありましたらURL等を記載してください。

X: https://x.com/77777kusa
Qiita: https://qiita.com/kikyo_nanakusa
Blog: https://kikyonanakusa.github.io/blog/
Hatena Blog: https://kikyonanakusa.hatenablog.com/
GitHub: https://github.com/Kikyonanakusa

所感

書いたけど見られてるんだろうか. 1回以上技術的な発信をしたことのあるメディアを列挙した.

FindTheKey.exeをダウンロードし、解析してください。そのプログラムが要求するKeyを見つけ、解答してください。

You passed GCC 2025 pre-test!!

上記のプログラムでKeyを生成するために必要となる暗号/復号鍵(鍵が暗号化されていれば、それを復号した後の文字列)を”すべて”アドレスとともに列挙してください。ただし、Keyの生成に不要なダミーの鍵は含まないように取り除き、Keyの生成に必要な鍵のみを列挙してください。アドレスを記述する際、プログラムを実行するとASLRによってアドレスが変わってしまうため、ベースアドレスには、このプログラムの本来のベースアドレスである0x140000000を用いてください。


All numbers are in hexadecimal unless otherwise noted. From 140022a37: 6c 6b 3c 41 24 2b 5f 66 4c 40 From 140022a30: 7b From 140022a45: 61 From 140022a71: 6c From 140022a50: 54 68 32 61 54 4a 2c 15 29 24 2d 40 04 02 04 19 6f 54 79 60 7d 75 22 6c 50 4e 2c 12 6d 61

どのようにして解いたのかを、技術的に200字以内で答えてください。短すぎる、もしくは長すぎる説明は減点の対象となりますので、ご注意ください。


Ghidraを使用して該当バイナリをデコンパイルを行った. デコンパイルされたコードからエントリポイントを発見し, 解析を開始した. バイナリは, 主に3の剰余で分類したバイトに対して, XORで暗号化, 復号化を行っていることが分かった. 演算には, 結果を変化させないダミーも含まれていた. 解析をもとに, Keyを特定するpythonスクリプトを作成し, 要求されるキーを導いた.

所感

FindTheKey.exeなるバイナリが渡されて解析せよとの話であった. 正直初めに見たときは「PEか~, 得意じゃねんだよな~」と思っていたがやってみたらまあ何とかなった. 解析にはGhidraを使用した. Ghidraを使うコツとして, デコンパイルされたコードを信用せず, アセンブリを読むのが重要だな~と最近は思っている. 鍵の暗号化は多重XOR演算で行われており, 見つけてしまえば復号は容易だった. ただ二問目にあるように, 暗号化の過程で消える演算が混じっていたので, そこだけ提出しないように気を付けた. (i$key \oplus a \oplus a$ の$a$みたいな)
三問目は200字以内と言われたので, 文字当たりの情報圧縮率が高い日本語で回答した. 英語で200文字だと言いたいことが言えなかった.

攻撃者がCommand & Control通信を行う手法として、DNSトンネリングがあります。①DNSトンネリングとは何か、②攻撃者が利用するメリット、③対策手法を調べて、回答してください。


1st question:
DNS stands for Domain Name System. It is usually used to convert raw IP address (e.g. 142.250.206.206) to URL (e.g. google.com). For its uses, almost all computers that are connected to the internet use DNS, and it is trusted. Generally, software uses URL to communicate through networks. While doing this, the computer communicates with the DNS server to convert the URL to an IP address. For this reason, DNS is required to network, and many firewalls don't block DNS packets. Malicious actors use this rule of the firewalls to avoid security systems and deliver traffic.
To establish DNS tunneling, crackers use the following method.

  1. Crackers prepare a domain and an authoritative DNS server under control.
  2. In some way, crackers deliver malware to inside firewalls.
  3. The malware issues a DNS query to the cracker's DNS server. Data is often appended to subdomains. This packet is not filtered by firewalls.
  4. Cracker's server returns the response. It contains data or commands that will be executed in the infected machine.

2nd question: The advantages of using DNS tunneling are the following.

  1. DNS is widely used and trusted. For this reason, DNS packets are rarely blocked.
  2. The packet itself is a perfectly legal DNS packet. This makes DNS tunneling difficult to detect.
  3. DNS uses a UDP connection. It means DNS is connection-less. It allows attackers to spoof the source IP address more easily.

3rd question:
To counter DNS tunneling, the following methods are suggested.

  1. DNS tunneling needs malware or payload first. To avoid installing that, malware detection software, mail/website filtering, train the employee is effective.
  2. Checking the size of the DNS request packet. If data is sent to attackers by DNS request, the size of the packet should be bigger than usual requests. Monitoring the oversized DNS packets helps discover the attacks.
  3. Checking the high frequency or routine DNS request to a specific domain. Such activities are suspicious and should be investigated.

所感

勉強になった. 正直名前しか知らなかったので, ちゃんと詳しく調べる機会になってよかった.
ブラウザの検索履歴を見る限りでは, 以下のページ等を参考にしていたようだ.

Volt Typhoonについて、調べたことをまとめて下さい。特に、①攻撃者の意図、②攻撃者が使う攻撃手法、③なぜVolt Typhoonが注目されているのか、自分の考えをまとめてください。

Attackers intent:
Volt Typhoon is a state-sponsored actor from China.
According to CISA, NSA, and FBI, Volt Typhoon compromised the IT environments primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors in the US and its territories.
The objective of Volt Typhoon is developing a method of re-entry into government agencies and critical infrastructures. To achieve the objective, Volt Typhoon mainly stole credentials for network access of them.
As international advisory says, it is concerned that these credentials are used for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.

Attacker strategy: Volt Typhoon mainly uses the strategy called Living Off The Land(LotL). In LotL strategy, attackers do not use malware or malicious payload. They use the software within the intruded networks. These software are totally legitimate software like PowerShell and cmd. Because of that LotL activity is difficult to detect.

These are details of Volt Typhoon strategy.

  1. First, Volt Typhoon conducts in-depth reccoassance of target networks and operations.
  2. Volt Typhoon gains initial access to target networks by exploiting vulnerabilities, including known zero-day.
  3. Volt Typhoon tries to gain administrator access in the network often by using privilege escalation vulnerabilities.
  4. When Volt Typhoon got valid administrator access, they use it for lateral movement.
  5. Volt Typhoon uses LotL binary to collect information in the intruded network.
  6. Volt Typhoon typically steals Active Directory Database(NTDS.dat) from domain controller. It has a lot of information about the networks, including usernames and hashed passwords.
  7. Volt Typhoon tries to gain access to OT system by gaining credentials.

Why Volt Typhoon is attracting attention?
Volt Typhoon has been just gaining credentials and access to critical infrastructures in the US and also maybe Asia region, but Volt Typhoon has not been using them to cause real damage. This leads us to believe Volt Typhoon has not yet achieved the final goal of its operation. This means we can potentially defend against their next strategic actions. I believe this is one of the reasons for the increased attention. On the other hand, detecting the activities of Volt Typhoon is difficult. They thoroughly use LotL not to leave information that could be used for detection. To counter this, different strategies are needed to detect activities. I believe this is also a reason for attracting attention.

Reference:
https://www.microsoft.com/ja-jp/security/security-insider/volt-typhoon
https://www.jpcert.or.jp/at/2024/at240013.html
https://blogs.jpcert.or.jp/ja/2024/06/volt-typhoon-threat-hunting.html
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
https://jp.security.ntt/resources/cyber_security_report/CSR_202402.pdf

所感

APTの話. 主にJPCERT/CCさんとCISAのレポートを読んで書いた. これについては, 事実(もしくは事実として受け入れられていること) を間違いなく書くのがいいと思ったので参考文献も含めて提出した. CISA産のレポートを初めて読んだが, その丁寧さと詳細さに驚いた. これを機に他にもいろいろ読んでみている.
これ関連だと最近Solt Typhoonも話題ですねなど

What are the key differences between “Automotive Ethernet” and “Traditional Ethernet?”

One of the key differences between Automotive Ethernet and Traditional Ethernet is the cable. Traditional Ethernet uses two twisted pair cables. One is for transmitting data, the other is for receiving data. In contrast, Automotive Ethernet uses only one twisted pair cable. Also, the cable length is limited to 15 meters. In the automotive industry, reduction of the cables in vehicles is a major challenge. The specification of the cable is for solving this issue.
Broadcom invented this cable and IEEE confided that as 100BASE-T1. This is the first specification of Automotive Ethernet.
Later, 1000BASE-T1, 10BASE-T1, and some specifications are standardized. Some of these new specifications has PoDL(Power Over Data Lines), PLCA(Physical Layer Collision Avoidance), etc for stability and space-saving of cables. These are also differences from Traditional Ethernet.

所感

幸いにも, 私は今年のセキュリティキャンプ全国大会Aクラスで車載CANパケット解析演習という講義を受けているので, ある程度車載ネットワークに関して事前知識がある状態でのスタートとなった.
意識したこととしては, できるだけ一次情報を追うようにした. ある程度事実の列挙はできていると思うのだが, Key differences であるかどうかはあまり自信がない.

What is an “ECU” in an automotive cybersecurity context?

ECU stands for Electronic Control Unit. Modern vehicles are controlled by the ECUs. In cybersecurity context, ECU are the main target of attack for actors and the main target to be protected by cybersecurity.
Normally a modern vehicle has from tens to over a hundred of ECU in the frame. To control the vehicle ECUs have to communicate each other (e.g., handling, braking, door controlling, etc.). This means if attackers take the control of ECU, they can control the vehicle. Actually, in BlackHat, DEFCON, some reports claiming they took control of vehicles by cyberattacks.
To achieve the attack, attackers have to connect to the network of ECUs. ECU may uses proprietary network protocols. One of the most famous protocols is CAN(Control Area network) but this protocol has many problems in security aspects. CAN is a type of bus network and all packets in CAN are sent as broadcast packet, all the packets are visible from outside and packets can be injected. Nevertheless, CAN has no authentication and encryption system. For these reasons, CAN network is essentially vulnerable to ever droppings, spoofing, DoS attacks. Other automotive network protocols like LIN, FlexRay has similar problems.
For this situation, ECU is the main target of cyberattacks and cybersecurity.

所感

これもまた車載セキュリティの話. カーハッカーズ・ハンドブックを読みながら書いた. これについても, セキュリティキャンプの経験が大変役に立った.
https://amzn.asia/d/6z0A1Vn

In your own words, explain the difference between “Hacking” and “Cybersecurity”

I suppose the word "Hacking" is used as doing malicious/illegal thing in cyberspace in this question. This meaning has become widely accepted, but I know original meaning of "Hacking" is not kind of that meaning. I personally call doing such things as "Cracking"
In this question, It is difficult to decide which meaning should be taken of word "Hacking", so I assume the meaning of "Hacking" in this question as doing malicious things in the cyberspace.
Main difference between Hacking and Cybersecurity is this: Cybersecurity protect IT systems. Cracking break into them. In some cases, what Hacking and Cybeersecurity do could be the same thing (e.g., Malicious intrusion and bug bounty are the same in terms of what they are doing.). However the purpose of the acts is completly deferent.

所感

ハッキングとサイバーセキュリティの違いは何かとのこと. 個人的にサイバー空間で悪いことをすることをハッキングと呼ぶのは嫌いですみたいなちょっと思想の強い前置きを置いている. 背景としては, Eric Raymondの書いた以下の文章が好きで, 初めは回答をこれのもじりで作っていた名残というのがある.
http://www.catb.org/~esr/faqs/hacker-howto.html
本当は聞かれている違いについても引用して,

The basic difference is this: hackers build things, crackers break them.

と書いてやろうかと思っていたが "In your own words" って聞かれとるしな~とおもって変えた. でもまあこう思っていることにある程度違いはない.

Explain the key differences between Bluetooth Legacy Pairing and Secure Simple Pairing.When was SSP added to the Bluetooth Specification?

The key differences between Bluetooth Legacy Pairing and SSP(Secure Simple Pairing) is using PIN code or not.
Legacy pairing and SSP are both pairing protocol. Pairing protocols are implemented in Link Management Protocol(LMP). Bluetooth 2.0 or earlier versions use Legacy Pairing. Bluetooth 2.1 or later versions use SSP.
Pairing is the process to authenticate the devices to be connected. Legacy Pairing uses PIN code to authenticate. When devices start connecting, user input same PIN code to both device. Max length of PIN code is 16 digits, but normally all digits are not used. If both devices enter the same PIN code, pairing success. In some devices, PIN code are fixed. This protocol is vulnerable to Brute force and used encryption method called e0 has vulnerabilities. Legacy Pairing remains for backward compatibility and now obsoleted.
SSP uses ECDH algorithm public key exchange to pairing the devices. Also, to defend against MITM (Man In The Middle), multiple authentication methods are supported. This makes pairing safer than Legacy Pairing.
In Bluetooth 2.1, SSP was added to the Bluetooth specification. As official specification document, Bluetooth 2.1 was released in 26 July 2007.1

Reference

所感

ドキュメントを読みましょうという感じ. これについて, 日本語のWikpediaは誤情報が多くトラップと化している (英語版は割とまし).
https://ja.wikipedia.org/wiki/Bluetooth
よいこのみんなは一次情報を参照しようね.
それはそれとして, BlueToothの勉強になって大変良かった. 毎日使ってる規格なので, できれば詳しく知っておきたいとは思っていたものの機会がなかったので, ちょうどよかった. 某室で最近HackRFを買ったので, 無線通信もいろいろやっていきたいとおもっている.

Suppose you wish to perform a penetration test of a device with a USB interface. What kinds of tests would you perform? Assume that the device can read audio and video files from a USB storage device and play them (like a vehicle navigation system or radio)

Check the specification and information of target device.

  • What file formats the device can read.
  • When device read the file from USB.
  • Try to play invalid files and non-audio / video files to check error message.
  • Try to find the documents on the internet.
  • Try to find hidden commands for debugging.
  • Try to find the devices made by the same vendor that have similar feature and to check if these devices have vulnerabilities. If there is, target device may have same vulnerability.

Check UART or some kind of physical access point are available or not.

Test buffer overflow.

  • Try to play very long audio / video files.
  • Try to play audio / video files that has very long data in metadata section.

Test common vulnerability by known payloads.

  • Try to play the PoC of vulnerabilities of common audio / video file parser and common device driver of speaker and monitor.

Using ROM lighter to extract firmware, file system or any kind of data.

If I found common firmware, Linux or some kind of OS are running in background, I will try

  • Using Bad USB to execute commands.

Try USB killer or high voltage to test how physically robust the device is.

所感

最も自信のない問題. マジで何かいたらいいんだろと思いながら思いつくことを列挙した. とにかくいっぱい書いて, この中に講師の意図したものが紛れていればいいな~という感じ. 他の受講生が何書いたのかすごく気になっています.

What does the Arbitration field in a CAN 2.0B frame do? Why is it important? What are some security concerns with the way arbitration is done in CAN networks?


Arbitration field in a "CAN2.0" (not only 2.0B) is used to identify the destination of the frame. Arbitration field contains the data called CAN ID (CAN Identifier). It sometimes called as Arbitration ID. This ID is directly used to identify the destination ECU. If two CAN packets are sent to CAN bus at the same time, the packet that has smaller CAN ID has priority.
Standard CAN packet has CAN ID as 11bit information. In contrast, CAN2.0B is expanded version of standard CAN packets and its arbitration field is expanded. Expanded arbitration field has CAN ID as 29bit data. Extensions are made to maintain backward compatibility.

Arbitration field is ensuring real-time communication and efficiency in CAN networks. It gives high priority to time critical packets like air-bug control. It is essential for safe automotive systems.

However, CAN bus is a broadcast network. It means any device that is connected to the network can see every packet on the same network. With close observation, attacker can determine which CAN ID corresponds to specific ECUs. Additionally, the CAN protocol has no systems for encryption and authorization. It doesn't even have source address of the packets. Under the above circumstances, it is easy to launch spoofing attacks against the CAN networks.

所感

またしても車載セキュリティ. CANの規格とか, セキュリティキャンプでもらった資料とか, カーハッカーズ・ハンドブックを読みながら書いた.

Pick one CVE ID for a vulnerability stemming from undefined behavior in C or C++ programming. Briefly describe the undefined behavior that led to the vulnerability in few sentences. Please cite at least one relevant section of the C or C++ language standard (or working draft) that explicitly defines the behavior as undefined.

CVE ID: CVE-2008-0062
Undefined behavior: Null Pointer Dereference.

In C, null pointer is defined as pointing nowhere (i.e., not pointing to any valid objects). Dereferencing such pointer is undefined behavior and leads program crash or unexpected results.

This vulnerability was found in 2008, so I reference C99 standard.
In C99 standard 6.3.2.3 says that
An integer constant expression with the value 0, or such an expression cast to type void *, is called a null pointer constant. 55) If a null pointer constant is converted to a pointer type, the resulting pointer, called a null pointer, is guaranteed to compare unequal to a pointer to any object or function.

In C99 standard 6.3.2.1 says that
if an lvalue does not designate an object when it is evaluated, the behavior is undefined.

Because of above definition, null pointer dereference is undefined behavior.

所感

なんだかんだCの規格を初めて読んだ. C99とかの読み方がある程度わかって大変学びが多かった. 人に説明する時とか, 言語仕様をきちんと参照しに行けるというのは割と便利なスキルな気がしている.

全体を通して

学びになる設問が多かったと思いました. 全体を通してなるだけ一次情報を参照しに行けたのが良かったのかな~と思っています.
後半の問いになるにつれ所感が雑になってすみません. また2月の講義が終わったら参加記も書こうと思います. とりあえずさっさとパスポートを取らなくては