Introduction
Note: This is the legacy 32-bit lab from CS:APP2e. It has been replaced by the Attack Lab.
In the Buffer Lab, students modify the run-time behavior of a 32-bit x86 binary executable
by exploiting a buffer overflow bug. This lab teaches the students about the stack
discipline and teaches them about the danger of writing code that is vulnerable to buffer
overflow attacks.
注意:这是来自 CS:APP2e 的旧版32位实验室.它已被攻击实验室取代.在缓冲区实验室中,学生通过利用
缓冲区溢出错误来修改32位x86二进制可执行文件的运行时行为.该实验室向学生讲授堆栈规则,并教他们
编写易受缓冲区溢出攻击的代码的危险
一:Overview
This directory contains the files that you will use to build and run the CS:APP Buffer Lab
.The purpose of the Buffer Lab is to help students develop a detailed understanding of the
stack discipline on IA32 processors. It involves applying a series of buffer overflow
attacks on an executable file.This version of the lab has been specially modified to
defeat the stack randomization techniques used by newer versions of Linux. It works by
using mmap() and an assembly language insert to move the stack pointed at by %esp to an
unused part of the heap.
此目录包含您将用于构建和运行 CS:APP 缓冲区实验室的文件.Buffer Lab 的目的是帮助学生详细了解
IA32 处理器上的堆栈规则.它涉及对可执行文件应用一系列缓冲区溢出攻击。这个版本的实验室已经过特
别修改以击败较新版本的 Linux 使用的堆栈随机化技术.
它的工作原理是使用mmap()和汇编语言注入将 %esp 指向的堆栈移动到堆的未使用部分。
1.1 Buffer Bombs
A "buffer bomb" is an executable bomb, called "./bufbomb", that is solved using a buffer
overflow attack (exploit). In this lab, students are asked to alter the behavior of a
buffer bomb (called bufbomb) via five increasingly difficult levels of exploits. The
levels are called smoke (level 0), fizz (level 1), bang (level 2), boom (level 3), and
kaboom (level 4), with smoke being the simplest and kaboom being the most difficult.
“缓冲区炸弹”是一种可执行的炸弹,称为“./bufbomb”,使用缓冲区溢出攻击(exploit)解决
在这个实验室中,学生被要求通过五个难度越来越大的漏洞利用级别来改变缓冲炸弹(称为 bufbomb)
的行为. 这些级别包含smoke (level 0), fizz (level 1), bang (level 2), boom (level 3), and
kaboom (level 4), 其中smoke最简单, 而kaboom最难.
1.2 Solving Buffer Bombs
Each exploit involves reading a sequence of bytes from standard input into a buffer
stored on the stack. Students encode each exploit string as a sequence of hex digit
pairs separated by whitespace, where each hex digit pair represents a byte in the exploit
string. The program "hex2raw" converts these strings into a sequence of raw bytes, which
can then fed to the buffer bomb:
unix> cat exploit.txt | ./hex2raw | ./bufbomb -u <userid>
Each student works on an identical buffer bomb, but the solution to the individual phases
is a function of each student's userid. Thus, students must develop the solution on their
own and cannot use the solutions from other students.The solution to each phase is unique
for each student because it typically involves the manipulation on the runtime stack of
a unique "cookie" computed from the userid by the "makecookie" program:
unix> ./makecookie bovik
0x1005b2b7
The lab writeup has extensive details on each phase and solution techniques.
每个漏洞利用都涉及从标准输入读取字节序列到存储在堆栈上的缓冲区中。 学生将每个漏洞利用字
符串编码为十六进制数字序列由空格分隔的对,其中每个十六进制数字对代表漏洞利用字符串中的一
个字节。 程序“hex2raw”将这些字符串转换为原始字节序列,然后可以将其馈送到缓冲区炸弹:
unix> cat exploit.txt | ./hex2raw | ./bufbomb -u <userid>
每个学生都在使用相同的缓冲炸弹,但各个阶段的解决方案
是每个学生的用户 ID 的函数。 因此,学生必须根据自己的情况开发解决方案
自己的,不能使用其他学生的解决方案。每个阶段的解决方案都是独一无二的
对于每个学生,因为它通常涉及对运行时堆栈的操作
由“makecookie”程序根据用户标识计算出的唯一“cookie”:
unix> ./makecookie bovik
0x1005b2b7
1.3. Autograding Service
We have provided the same stand-alone user-level autograding service
used by the Bomb Lab to handle all aspects of the Buffer Lab for
you. Students download their buffer bombs from a server. As the
students work on their bombs, they can submit successful exploit
strings to the server by running the buffer bomb with "-s" argument:
unix> cat exploit.txt | ./hex2raw | ./bufbomb -u <userid> -s
The current results for each bomb are displayed on a Web "scoreboard."
As with the Bomb Lab there are no explicit handins and the lab is
self-grading.
The autograding service consists of four user-level programs that run
in the main ./buflab directory:
- Request Server. Students download their bombs and display the
scoreboard by pointing a browser at a simple HTTP server called the
"request server."
- Result Server. Each time a student submits an exploit string
the buffer bomb sends a short HTTP message, called an "autoresult
string," to an HTTP "result server," which simply appends the
autoresult string to a "scoreboard log file."
- Report Daemon. The "report daemon" periodically scans the scoreboard
log file. The report daemon finds the most recent exploit string
submitted by each student for each phase, and validates these strings
by applying them to a local copy of the buffer bomb (unlike the Bomb
Lab, each student works on the same buffer bomb). It then updates the
HTML scoreboard that summarizes phases that have been successfully
solved for each bomb (identified by cookie to protect the student
privacy), rank ordered by the number of solved levels.
To avoid infinite loops during validation, the Report Daemon calls
each bufbomb in autograding mode, using the -g flag. This causes the
bomb to timeout after 5 seconds.
- Main daemon. The "main daemon" starts and nannies the request
server, result server, and report deamon, ensuring that exactly one of
these processes (and itself) is running at any point in time. If one
of these processes dies for some reason, the main daemon detects this
and automatically restarts it. The main daemon is the only program
you actually need to run.
二. Files
The ./buflab directory contains the following files:
Makefile - For starting/stopping the lab and cleaning files
buflab-handout/ - Contains the files handed out to each student
buflab.pl* - Main daemon that nannies the other servers & daemons
Buflab.pm - Buflab configuration file
buflab-reportd.pl* - Report daemon that continuously updates scoreboard
buflab-requestd.pl* - Request server that serves bombs to students
buflab-resultd.pl* - Result server that gets autoresult strings from bombs
buflab-scoreboard.html - Real-time Web scoreboard
buflab-update.pl* - Helper to buflab-reportd.pl that updates scoreboard
handin/ - Most recent exploits from each student and each level
log-status.txt - Status log with msgs from various servers and daemons
log.txt - Scoreboard log of autoresults received from bombs
makebomb.pl* - Program that builds a buffer bomb
scores.txt - Summarizes current scoreboard scores for each student
src/ - The buffer bomb source files, including a master
- solver in ./src/solve the automatically generates
- a solution string for any userid and level.
writeup/ - Sample Latex Buffer Lab writeup
三:Buffer Bomb Terminology
Notifying Bomb:可以使用 NOTIFY 选项编译缓冲区炸弹,该选项允许学生将成功的漏洞利用字符串提交
给自动分级服务。 这种炸弹被称为“通知炸弹”.
Quiet Bomb:不是通知炸弹的缓冲炸弹被称为“安静炸弹”.
Cookie:与 Bomb Lab 不同,每个学生都使用相同的二进制文件。然而,每个阶段的解决方案对于
每个学生都是不同的,因为漏洞利用字符串通常必须包含一个 32 位的“cookie”,它是根据学生的用
户 ID 计算出来的
四:Solve