Introduction

Note: This is the 64-bit successor to the 32-bit Buffer Lab. Students are given a pair of
unique custom-generated x86-64 binary executables, called targets, that have buffer
overflow bugs. One target is vulnerable to code injection attacks. The other is vulnerable
to return-oriented programming attacks. Students are asked to modify the behavior of the 
targets by developing exploits based on either code injection or return-oriented 
programming. This lab teaches the students about the stack discipline and teaches them 
about the danger of writing code that is vulnerable to buffer overflow attacks.
If you're a self-study student, here are a pair of Ubuntu 12.4 targets that you can 
try out for yourself. You'll need to run your targets using the "-q" option so that 
they don't try to contact a non-existent grading server. If you're an instructor 
with a CS:APP account, you can download the solutions here.

1. Overview

This directory contains the files that you will use to build and run the CS:APP Attack Lab.
The purpose of the Attack Lab is to help students develop a detailed understanding of the 
stack discipline on x86-64 processors. It involves applying a total of five buffer 
overflow attacks on some executable files. There are three code injection attacks and two 
return-oriented programming attacks. The lab must be done on an x86-64 Linux system. 
It requires a version of gcc that supports the -Og optimization flag (e.g., gcc 4.8.1). 
We've tested it at CMU on Ubuntu 12.4 systems.

1.1. Targets

Students are given binaries called ctarget and rtarget that have a
buffer overflow bug.  They are asked to alter the behavior of their
targets via five increasingly difficult exploits. The three attacks on
ctarget use code injection. The two attacks on rtarget use
return-oriented programming.

1.2. Solving Targets

Each exploit involves reading a sequence of bytes from standard input
into a buffer stored on the stack. Students encode each exploit string
as a sequence of hex digit pairs separated by whitespace, where each
hex digit pair represents a byte in the exploit string. The program
"hex2raw" converts these strings into a sequence of raw bytes, which
can then be fed to the target:
 
    unix> cat exploit.txt | ./hex2raw | ./ctarget
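A re-implementation of that text format, added here as an example rather than the lab's own hex2raw.c: it decodes whitespace-separated hex digit pairs into raw bytes, rejects malformed tokens instead of silently shifting the byte string, and also strips the C-style block comments that the distributed hex2raw accepts (documented in the lab writeup, not in this README). The inverse `raw2hex` helper is an addition for reviewing what a target actually read.

```python
import re
import sys

# The distributed hex2raw also accepts C-style block comments in the exploit
# text (per the lab writeup), so they are stripped here too.
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_PAIR = re.compile(r"[0-9a-fA-F]{2}\Z")

def hex2raw(text: str) -> bytes:
    """Decode whitespace-separated hex digit pairs into raw bytes.

    Every token must be exactly two hex digits; anything else (an odd-length
    run such as "4 8", a stray character) raises ValueError rather than
    producing a silently truncated or shifted byte string."""
    out = bytearray()
    for idx, tok in enumerate(_COMMENT.sub(" ", text).split()):
        if not _PAIR.match(tok):
            raise ValueError(f"token {idx}: {tok!r} is not a hex digit pair")
        out.append(int(tok, 16))
    return bytes(out)

def raw2hex(data: bytes, per_line: int = 8) -> str:
    """Inverse transform: render raw bytes back into the pair format,
    `per_line` bytes per line, e.g. to review what a target actually read."""
    pairs = [f"{b:02x}" for b in data]
    return "\n".join(" ".join(pairs[i:i + per_line])
                     for i in range(0, len(pairs), per_line))

if __name__ == "__main__":
    # Same shape as `cat exploit.txt | ./hex2raw | ./ctarget`: text on stdin,
    # raw bytes on stdout.
    sys.stdout.buffer.write(hex2raw(sys.stdin.read()))
```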

Each student gets their own custom-generated copy of ctarget and
rtarget.  Thus, students must develop the solutions on their own and
cannot use the solutions from other students.

The lab writeup has extensive details on each phase and solution
techniques. We suggest that you read the writeup carefully before
continuing with this README file.

1.3. Autograding Service

As with the Bomb and Buffer Labs, we have created a stand-alone
user-level autograding service that handles all aspects of the Attack
Lab for you: Students download their targets from a server. As the
students work on their targets, each successful solution is streamed
back to the server. The current results for each target are displayed
on a Web "scoreboard."  There are no explicit handins and the lab is
self-grading.

The autograding service consists of four user-level programs that run
in the main ./attacklab directory:

- Request Server (attacklab-requestd.pl). Students download their
targets and display the scoreboard by pointing a browser at a simple
HTTP server called the "request server." The request server builds the
target files, archives them in a tar file, and then uploads the resulting tar
file back to the browser, where it can be saved on disk and
untarred. The request server also creates a copy of the targets and their
solutions for the instructor in the targets/ directory.

- Result Server (attacklab-resultd.pl). Each time a student correctly
solves a target phase, the target sends a short HTTP message, called an
"autoresult string," to an HTTP "result server," which simply appends
the autoresult string to a "scoreboard log file" called log.txt.

- Report Daemon (attacklab-reportd.pl). The "report daemon"
periodically scans the scoreboard log file. The report daemon finds
the most recent autoresult string submitted by each student for each
phase, and validates these strings by applying them to a local copy of
the student's targets.  It then updates the HTML scoreboard
(attacklab-scoreboard.html) that summarizes the current number of
solutions for each target, rank ordered by the total number of accrued
points.

- Main daemon (attacklab.pl). The "main daemon" starts and nannies the
request server, result server, and report daemon, ensuring that
exactly one of these processes (and itself) is running at any point in
time. If one of these processes dies for some reason, the main daemon
detects this and automatically restarts it. The main daemon is the
only program you actually need to run.
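A model of the report daemon's work on the scoreboard log, added here as an example and not the lab's own Perl code: keep each student's most recent autoresult per phase, re-validate it against the local copy of that student's targets instead of trusting the client-supplied claim, and rank students by total points. The log line layout, point values and per-phase solution strings are constructed for illustration (this README does not give the real log.txt format), and the validation step is a string comparison standing in for actually running the local target.

```python
# Constructed log lines, one autoresult per line:
# "<seq>|<userid>|<targetID>|<phase>|<exploit string as hex pairs>".
LOG_TXT = """\
1|alice|17|1|aa bb
2|bob|23|1|aa bb
3|alice|17|2|cc dd
4|alice|17|2|cc ee
5|bob|23|2|ff 01
6|mallory|99|1|aa bb
"""

# Constructed stand-in for the instructor's targets/target<n>/ copies: the
# exploit string that solves each phase of each locally known target.
LOCAL_SOLUTIONS = {
    (17, 1): "aa bb", (17, 2): "cc ee", (17, 3): "11 22",
    (23, 1): "aa bb", (23, 2): "ff 00", (23, 3): "33 44",
}
POINTS = {1: 10, 2: 25, 3: 25}  # constructed point values per phase

def latest_per_phase(log_text):
    """Most recent autoresult per (userid, phase): later log lines win."""
    latest = {}
    for line in log_text.splitlines():
        seq, user, target, phase, hexstr = line.split("|", 4)
        latest[(user, int(phase))] = (int(seq), int(target), hexstr.strip())
    return latest

def validate(latest):
    """Re-check every claim against the local copy instead of trusting the
    autoresult: a targetID with no local copy, or a string that does not
    solve that phase locally, earns nothing."""
    scores = {}
    for (user, phase), (_seq, target, hexstr) in latest.items():
        solved = LOCAL_SOLUTIONS.get((target, phase)) == hexstr
        scores[user] = scores.get(user, 0) + (POINTS[phase] if solved else 0)
    return scores

def scoreboard(log_text):
    """(userid, points) pairs rank-ordered by total points, then by name."""
    scores = validate(latest_per_phase(log_text))
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```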

2. Files

The ./attacklab directory contains the following files:

Makefile                - For starting/stopping the lab and cleaning files
attacklab.pl*           - Main daemon that nannies the other servers & daemons
Attacklab.pm            - Attacklab configuration file   
attacklab-reportd.pl*   - Report daemon that continuously updates scoreboard
attacklab-requestd.pl*  - Request server that serves targets to students
attacklab-resultd.pl*   - Result server that gets autoresult strings from targets
attacklab-scoreboard.html - Real-time Web scoreboard
attacklab-update.pl     - Helper to attacklab-reportd.pl that updates scoreboard
targets/                - Contains unique targets generated for each student, with solutions
log-status.txt          - Status log with msgs from various servers and daemons
log.txt                 - Scoreboard log of autoresults received from targets
scores.csv              - Summarizes current scoreboard scores for each student
src/                    - Attacklab source files
validate.pl             - Called periodically by report daemon. Validates solutions 
                          for each student, and updates scoreboard and scores files. 
writeup/                - Sample Latex Attack Lab writeup

3. Solutions

TargetID: Each target in a given instance of the lab has a unique
non-negative integer called the "targetID."

The five solutions for target n are available to you in the
targets/target<n> directory, in the following files: 

Phase 1: ctarget.l1,
Phase 2: ctarget.l2, 
Phase 3: ctarget.l3, 
Phase 4: rtarget.l2, 
Phase 5: rtarget.l3, 

where "l" stands for level.

4. Attack

The registers of the x86-64 architecture follow certain usage conventions, for example: