Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss]

Recycling wargames/ctf challenges into papers and Blackhat talks
Mon 17 September 2018 — download

There is a trend in recycling challenges from various CTF or wargames into either papers or talks at security conferences like Blackhat, without giving any form of credits at all. It doesn't mean that those papers are necessarily bad nor uninteresting, simply that it's discouraging and frustrating to see people taking credit, inadvertently or not, for the work of others.

The latest in date was the talk from Sam Thomas, It's a PHP Unserialization Vulnerability Jim, but Not as We Know It at the Blackhat USA 2018, presenting phar://-base unserialization as a "novel attack technique". This technique was the expected (and documented) solution to solve Orange's (amazing as usual) baby^h master php challenge of the HITCON CTF 2017. It was also discussed a bit further on

The Web Cache Deception Attack talk by Omer Gil presented at Blackhat US 2017 presented web cache abuse/poisoning as a "new web attack vector", while it was publicly documented by several people, since at least 2004.

Hector Marco is known to recycle things on a regular basis: His Glibc Pointer guarding weakness disclosed the 5th of September, 2015 was publicly documented as a solution to one of Over the Wire's wargame: Utumno, since 2013, and part of the State Threads Library documentation's since 2010. It was also mentioned in the Doctoral Dissertation of Željko Vrba, Implementation and performance aspects of Kahn process networks, publshed in July 2009, on page 52:

New linux C libraries make the jmp_buf structure truly opaque by xor-ing the contents with a perthread random constant. This could be probably disabled by the undocumented LD_POINTER_GUARD environment variable on some Linux versions.

The oldest public trace that I found about this bypass is from the 20th of October, 2006, on yupo5656's article 最近のglibcではatexit関数やjmp_bufを狙った攻撃は効かない (PTR_MANGLE ("Attacks targeting atexit and jmp_buf aren't very effective anymore against recent versions of glibc" in English).

Marco also gave a talk at Blackhat Asia 2018 entitled "return-to-csu: A New Method to Bypass 64-bit Linux ASLR". The title is misleading, it's about an universal gadget in constructors of ELF binareys (__libc_csu_init), documented in 2013 by voidsecurity and in 2014 on inaz2's blog.

Finally, the infamous offset2lib technique, presented at Blackhat Asia 2018, about the fact that you can bruteforce ASLR in case of a forking service to find the pointer to the previous stackframe, infer the base address and then use the constant offset between libraries to find where the libc is mapped. This is public knowledge since years, but the paper only has 7 references, with 4 of them authored by the author himself, and the others aren't specific to the paper's topic.

And the list goes on and on…

It's worrying to see that those talks/papers are reviewed and accepted at high-profile conferences, normalizing this kind of behaviour, while they should instead get comments pointing at the lack of citations, when not be straightly reject in some pathological cases.


As pointed by albinowax, Thomas later acknowledged Orange Tsai's challenge at BSides Manchester, and Orange knew about Thomas' research.

Omer Gil, the author of the Web Cache Deception Attack paper pointed that "the paragraph stating that the web cache deception technique was "publicly documented by several people, since at least 2004", while giving reference to web cache poisoning, which is just... not the same technique at all."

I would argue that it's a variant of cache poisoning, only the other way around: the victim is putting things in the cache that shouldn't be there, instead of the attacker. If I wanted to be picky, it would actually be a variant of caching sensitive pages, due to code issues, instead of the classic configuration issue. I wouldn't name it a "new web attack vector", but I understand why others might, albeit even in the case, citations are still missing.

This blogpost generated some heat on twitter, so I feel like I need to clarify its purpose:

I didn't want to discourage researchers from publishing new papers, nor to, as it's often the case else, fire some free derisive shots at people who are doing their best to find and present interesting results.

I only wanted to highlight that the computer security community should have better standards in regard to citations. I didn't want to imply that all the papers linked in this article are necessarily bad, nor that all they respective authors acted in bad faith.