This repository contains the containers, labs, and code used in our undergraduate vulnerability research course, described in our SIGCSE 2024 paper.
Please cite using: TJ OConnor, Alex Schmith, Chris Stricklan, Marco Carvalho, Sneha Sudhakaran. Pwn Lessons Made Easy With Docker: Toward an Undergraduate Vulnerability Research Cybersecurity Class. Special Interest Group on Computer Science Education (SIGCSE 24), Portland, OR, March 2024.
Course Virtualization Using Docker
For our class, we standardized the student environment by providing a Docker container with all the appropriate course tools and class demonstrations. The challenges are patched to the appropriate libc versions, and the accompanying scripts are verified to work against the course image. You can pull the course image from Docker Hub using docker pull tjoconnor/vr-course. For more about the container, review README.md.
We also standardized deploying course challenges (homework assignments) to our hosting infrastructure at ctfd.io. For usage of this container, review README.md.
Course challenges (homework assignments) available to faculty on request to toconnor [at] fit.edu.
We leveraged the course topics below to teach undergraduate students from the basics of stack-based binary exploitation up to advanced techniques in the kernel and heap. In each lecture, we delivered lessons that exposed the technical underpinnings of exploit techniques. Our suggested readings, slides, and demonstrations are included below. All demonstrations are included in the tjoconnor/undergrad-vr Docker container and verified to work.
- Patrick Biernat et al., Modern Binary Exploitation, 2015
- shellphish, How2Heap.
- Yan Shoshitaishvili et al., Pwn.College
- Logan Stratton, Temple of Pwn
- Andrej Ljubic (ir0nstone), Binary Exploitation Notes
- Knittingirl Writeups
- Nightmare Binary Exploitation/Reverse Engineering Course
- Max Kamper, ROP Emporium
- TJ OConnor, CTF Writeup Examples
- Solar Designer, Return to Libc Exploit: BugTraq Mailing List (Aug 1997)
- Niklas Baumstark, Libc Database
- Libc RIP
- Marco-Gisbert, Hector, and Ismael Ripoll. "Return-to-csu: A new method to bypass 64-bit Linux ASLR." Black Hat Asia 2018.
- Syst3mfailure, Ret2dl_resolve x64: Exploiting Dynamic Linking Procedure In x64 ELF Binaries
- Phrack, The advanced return-into-lib(c) exploits: PaX case study
- UTCTF 21 Resolve Challenge
- Bosman, Erik, and Herbert Bos. "Framing signals-a return to portable shellcode." 2014 IEEE Symposium on Security and Privacy. IEEE, 2014.
- Michal Zalewski, Delivering Signals for Fun and Profit
- Ir0nstone, Signal Return Oriented Programming
- Bletsch, Tyler, et al. "Jump-oriented programming: a new class of code-reuse attack." Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. 2011
- ViolentTestPen, CTFSG CTF 2021 Writeup
- Bittau, A., Belay, A., Mashtizadeh, A., Mazières, D., & Boneh, D. (2014, May). Hacking blind. In 2014 IEEE Symposium on Security and Privacy (pp. 227-242). IEEE.
- knittingirl, Or How to do Black-Box Pwn without Rage-Quitting Writeup
- Arm Developer, Procedure Call Standard Documentation
- Mark McDermott, The ARM Instruction Set Architecture
- Perfect Blue, ROP-ing on Aarch64 – The CTF Style
- TIS Committee, Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification v.1.2, 1995.
- Michael Matz et al., System V Application Binary Interface AMD64 Architecture Processor Supplement, 1999.
- Caitlin Whitehead (knittingirl), Unionized Writeup, 2021.
- Phrack, Writing UTF-8 compatible shellcodes
- Pwn.College: Common Challenges Shellcoding
- X86/64 Instruction Set Opcodes and Instructions
- Rappel: A linux-based assembly REPL for x86, amd64, armv7, and armv8
- Gallopsled et al., Pwnlib Shellcraft, Shellcode generation
- LWN, A seccomp overview
- Pwn.College Sandboxing Lesson
- LibSeccomp Github Repo
- UIUCTF 2022 No Syscalls Challenge
- Glibc Wiki, Gnu C Library Malloc Internals Documentation
- Doug Lea: A Memory Allocator (Unix/Mail, 1996)
- Shellphish: How2Heap
- Pwn.College: Dynamic Allocator Misuse
- Phantasmal Phantasmagoria, Malloc Maleficarum
- Blackngel, Malloc Des-Maleficarum
- How2Heap: House of Force Example
- Top Chunk Size Integrity Check Patch
- Malloc Hooks Removed Patch
- guyinatuxedo, Fast Bins Overview
- PwnDbg, Find Fake Fast Command
- Sajjaad Arshad: BabyHeap Write-up
- Maxwell Dulin, Analysis of Malloc Protections on Singly Linked Lists
- Glibc Mailing List: Add Safe-Linking to fastbins and tcache
- NiteCTF Elementary-Tcache Challenge
- Glibc Source Code, Unlink function in malloc.c
- Unsafe Unlink example at Ret2Systems that demonstrates the How2Heap Examples
- Ir0nstone, Dream Diary: Chapter 1 Problem Writeup from Hack the Box
- 0x434b, Overview of GLIBC heap exploitation techniques: Unsafe Unlink
- Glibc v2.3.4 malloc.c patch to prevent unsafe unlink
- Midas, Learning Linux Kernel Exploitation
- Chris Roberts, Linux Kernel Exploit Development
- Pwn.College Linux Kernel Exploit Lessons
- Temple of Pwn Kernel Exploit Lesson
The course materials, slides, and Docker containers were designed for academic and educational use only.