fbpx
Wikipedia

NOP slide

January 01, 1970

In computer security, a NOP slide, NOP sled or NOP ramp is a sequence of NOP (no-operation) instructions meant to "slide" the CPU's instruction execution flow to its final, desired destination whenever the program branches to a memory address anywhere on the slide.

The technique sees common usage in software exploits, where it is used to direct program execution when a branch instruction target is not known precisely. Other notable applications include defensive programming strategies such as EMC-aware programming.

While a NOP slide will function if it consists of a list of canonical NOP instructions, the presence of such code is suspicious and easy to automatically detect. For this reason, practical NOP slides are often composed of non-canonical NOP instructions (such as moving a register to itself or adding zero[1]), or of instructions that affect program state only inconsequentially, which makes them much more difficult to identify.

A NOP-sled is the oldest and most widely known technique for exploiting stack buffer overflows.[2] It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area. To do this, much larger sections of the stack are corrupted with the no-op machine instruction. At the end of the attacker-supplied data, after the no-op instructions, the attacker places an instruction to perform a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer, the execution will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-sled is instead of the comparatively small shellcode.[3]

Because of the popularity of this technique, many vendors of intrusion prevention systems will search for this pattern of no-op machine instructions in an attempt to detect shellcode in use. It is important to note that a NOP-sled does not necessarily contain only traditional no-op machine instructions; any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no-op. As a result, it has become common practice for exploit writers to compose the no-op sled with randomly chosen instructions which will have no real effect on the shellcode execution.[4]

While this method greatly improves the chances that an attack will be successful, it is not without problems. Exploits using this technique still must rely on some amount of luck that they will guess offsets on the stack that are within the NOP-sled region.[5] An incorrect guess will usually result in the target program crashing and could alert the system administrator to the attacker's activities. Another problem is that the NOP-sled requires a much larger amount of memory in which to hold a NOP-sled large enough to be of any use. This can be a problem when the allocated size of the affected buffer is too small and the current depth of the stack is shallow (i.e., there is not much space from the end of the current stack frame to the start of the stack). Despite its problems, the NOP-sled is often the only method that will work for a given platform, environment, or situation, and as such it is still an important technique.

The entropy of a NOP slide is dependent upon the constraints placed on it. If it can be determined that certain registers are not in use (that is to say, they will be set to a known value before their next use), instructions which manipulate them arbitrarily may be used in the NOP slide. Additionally, if the alignment of both the NOP slide and the instruction pointer are deterministic, multi-byte instructions can be used in a NOP slide without regard to the results of unaligned execution. If the input providing the attack vector into which the NOP slide and payload are to be introduced are filtered (such as accepting only printable characters), the field of possible instructions for inclusion is limited. While instructions that are part of an architecture extension (such as SSE) may frequently be irrelevant to program state, they cannot be used in a NOP slide targeting a computer on which the extension is not supported.

Detection edit

Many techniques exist to detect the presence of NOP slides in memory. For example, in 2005, Greek researchers found that they can be easily detected by checking whether a memory image contains a lengthy sequence of bytes such that each starting offset within the sequence is valid and leads execution to the same place.[6]

See also edit

References edit

  1. ^ corelanc0d3r (2011-12-31). . Corelan Team. Archived from the original on 2015-04-25. Retrieved 2014-01-15.{{cite web}}: CS1 maint: numeric names: authors list (link)
  2. ^ Vangelis (2004-12-08). . Wowhacker via Neworder. Archived from the original (text) on 2007-08-18. {{cite journal}}: Cite journal requires |journal= (help)
  3. ^ Balaban, Murat. "Buffer Overflows Demystified" (text). Enderunix.org. {{cite journal}}: Cite journal requires |journal= (help)
  4. ^ Akritidis, P.; Markatos, Evangelos P.; Polychronakis, M.; Anagnostakis, Kostas D. (2005). (PDF). Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005). IFIP International Information Security Conference. Archived from the original (PDF) on 2012-09-01. Retrieved 2012-03-04.
  5. ^ Klein, Christian (September 2004). (PDF). Archived from the original (PDF) on 2007-09-28. {{cite journal}}: Cite journal requires |journal= (help)
  6. ^ Akritidis, P.; Markatos, E. P.; Polychronakis, M.; Anagnostakis, K. (2005). "STRIDE: Polymorphic Sled Detection Through Instruction Sequence Analysis". Security and Privacy in the Age of Ubiquitous Computing. IFIP Advances in Information and Communication Technology. Vol. 181. pp. 375–391. doi:10.1007/0-387-25660-1_25. ISBN 978-0-387-25658-0. {{cite book}}: |journal= ignored (help)

External links edit

  • to compromise a system
  • Neville, Alan (2010-03-20). (PDF). Archived from the original (PDF) on 2012-03-31. Retrieved 2011-09-03.

January 01, 1970
slide, this, article, needs, additional, citations, verification, please, help, improve, this, article, adding, citations, reliable, sources, unsourced, material, challenged, removed, find, sources, news, newspapers, books, scholar, jstor, january, 2018, learn. This article needs additional citations for verification Please help improve this article by adding citations to reliable sources Unsourced material may be challenged and removed Find sources NOP slide news newspapers books scholar JSTOR January 2018 Learn how and when to remove this message In computer security a NOP slide NOP sled or NOP ramp is a sequence of NOP no operation instructions meant to slide the CPU s instruction execution flow to its final desired destination whenever the program branches to a memory address anywhere on the slide The technique sees common usage in software exploits where it is used to direct program execution when a branch instruction target is not known precisely Other notable applications include defensive programming strategies such as EMC aware programming While a NOP slide will function if it consists of a list of canonical NOP instructions the presence of such code is suspicious and easy to automatically detect For this reason practical NOP slides are often composed of non canonical NOP instructions such as moving a register to itself or adding zero 1 or of instructions that affect program state only inconsequentially which makes them much more difficult to identify A NOP sled is the oldest and most widely known technique for exploiting stack buffer overflows 2 It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area To do this much larger sections of the stack are corrupted with the no op machine instruction At the end of the attacker supplied data after the no op instructions the attacker places an instruction to perform a relative jump to the top of the buffer where the shellcode is located This collection of no ops is referred to as the NOP sled because if the return address is overwritten with any address within the no op region of the buffer the execution will slide down the no ops until it is redirected to the actual malicious code by the jump at the end This technique requires the attacker to guess where on the stack the NOP sled is instead of the comparatively small shellcode 3 Because of the popularity of this technique many vendors of intrusion prevention systems will search for this pattern of no op machine instructions in an attempt to detect shellcode in use It is important to note that a NOP sled does not necessarily contain only traditional no op machine instructions any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no op As a result it has become common practice for exploit writers to compose the no op sled with randomly chosen instructions which will have no real effect on the shellcode execution 4 While this method greatly improves the chances that an attack will be successful it is not without problems Exploits using this technique still must rely on some amount of luck that they will guess offsets on the stack that are within the NOP sled region 5 An incorrect guess will usually result in the target program crashing and could alert the system administrator to the attacker s activities Another problem is that the NOP sled requires a much larger amount of memory in which to hold a NOP sled large enough to be of any use This can be a problem when the allocated size of the affected buffer is too small and the current depth of the stack is shallow i e there is not much space from the end of the current stack frame to the start of the stack Despite its problems the NOP sled is often the only method that will work for a given platform environment or situation and as such it is still an important technique The entropy of a NOP slide is dependent upon the constraints placed on it If it can be determined that certain registers are not in use that is to say they will be set to a known value before their next use instructions which manipulate them arbitrarily may be used in the NOP slide Additionally if the alignment of both the NOP slide and the instruction pointer are deterministic multi byte instructions can be used in a NOP slide without regard to the results of unaligned execution If the input providing the attack vector into which the NOP slide and payload are to be introduced are filtered such as accepting only printable characters the field of possible instructions for inclusion is limited While instructions that are part of an architecture extension such as SSE may frequently be irrelevant to program state they cannot be used in a NOP slide targeting a computer on which the extension is not supported Contents 1 Detection 2 See also 3 References 4 External linksDetection editMany techniques exist to detect the presence of NOP slides in memory For example in 2005 Greek researchers found that they can be easily detected by checking whether a memory image contains a lengthy sequence of bytes such that each starting offset within the sequence is valid and leads execution to the same place 6 See also editHeap spraying a technique which is complementary to the use of NOP slides Buffer overflow NOP sled technique Worm memory testReferences edit corelanc0d3r 2011 12 31 Exploit writing tutorial part 11 Heap Spraying Demystified Corelan Team Archived from the original on 2015 04 25 Retrieved 2014 01 15 a href Template Cite web html title Template Cite web cite web a CS1 maint numeric names authors list link Vangelis 2004 12 08 Stack based Overflow Exploit Introduction to Classical and Advanced Overflow Technique Wowhacker via Neworder Archived from the original text on 2007 08 18 a href Template Cite journal html title Template Cite journal cite journal a Cite journal requires journal help Balaban Murat Buffer Overflows Demystified text Enderunix org a href Template Cite journal html title Template Cite journal cite journal a Cite journal requires journal help Akritidis P Markatos Evangelos P Polychronakis M Anagnostakis Kostas D 2005 STRIDE Polymorphic Sled Detection through Instruction Sequence Analysis PDF Proceedings of the 20th IFIP International Information Security Conference IFIP SEC 2005 IFIP International Information Security Conference Archived from the original PDF on 2012 09 01 Retrieved 2012 03 04 Klein Christian September 2004 Buffer Overflow PDF Archived from the original PDF on 2007 09 28 a href Template Cite journal html title Template Cite journal cite journal a Cite journal requires journal help Akritidis P Markatos E P Polychronakis M Anagnostakis K 2005 STRIDE Polymorphic Sled Detection Through Instruction Sequence Analysis Security and Privacy in the Age of Ubiquitous Computing IFIP Advances in Information and Communication Technology Vol 181 pp 375 391 doi 10 1007 0 387 25660 1 25 ISBN 978 0 387 25658 0 a href Template Cite book html title Template Cite book cite book a journal ignored help External links editUse of a NOP slide to compromise a system Neville Alan 2010 03 20 IDS Logs in Forensics Investigations An Analysis of a Compromised Honeypot PDF Archived from the original PDF on 2012 03 31 Retrieved 2011 09 03 Retrieved from https en wikipedia org w index php title NOP slide amp oldid 1146542923, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.