Skip to content
/ subl Public

SUBL, an educational instruction set architecture implementation

License

Notifications You must be signed in to change notification settings

ThinerDAS/subl

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SUBL

SUBL is one variant of OISC. Here, SUBL is an educational instruction set architecture based on the single instruction: SUBL (subtract and branch if less than).

This architecture supports a special addressing mode, which is base address + offset. As PC is itself mapped into the address space, this architecture supports PIC, enabling ASLR to be implemented easily.

This architecture itself is far from realistic - each instruction is 12 bytes long, considering that one subl instruction can express very little information. Serious computer architecture scientists will not advocate for this architecture for obvious reasons.

This fictional architecture made her first appearance in a domestic CTF AWD competition as a pwnable, namely XNUCA. Only one team seems to manage to solve the challenge in the competition in the final hours (Aurora), and the team is not 0ops as we expected. simplenote.bin is the pwnable rom.

This architecture shares the idea with the DEFCON CTF 2017 Clemency architecture, different only in that subl architecture is very simple, reasonable for 2 days of implementation (mostly working compiler of it, for a simplenote). As for the competition, the reason why we used subl instead of the more famous subleq, is that we suspected that subleq decompiler exists on the Internet, considering that we are not the first to employ esolang for a pwnable.

Pwnable nature

As in simplenote.bin, ASLR is enabled. Stack and code addresses are randomized (though entropy is pretty low). Also a weak flag encryption scheme is enabled, so attacker should use Known Plaintext Attack or reencrypt the flag with a weak key finally.

NX is not implemented here, as enabling NX will require some more modification of compiler, namely, we need to separate .text+.rodata and .data+.bss into different regions and have some controller DMA region about page protections. Stack canary is not implemented either, sadly.

As far as the author's knowledge, there are in total 7 vulnerabilities inside the simplenote.bin. The solver team probably employed around 2-3 of them.

Usage

subl and emu.py are two implementations of this architecture.

./subl simplenote.bin flag

./emu.py simplenote.bin flag

There are certain differences between the two implementations. Also the subl here is a bit different from the binary in the competition. In the competition, the provided binary is unstripped and the SUBL binary is inside the ELF. Also the subl here fixed two bugs occurred in the binary distributed in the competition.

subl binary is merely for convenience. It is compiled within alpine docker statically, stripped.

About

SUBL, an educational instruction set architecture implementation

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published