NOP slide

In computer security, a NOP slide, NOP sled or NOP ramp is a sequence of NOP (no-operation) instructions meant to "slide" the CPU's instruction execution flow to its final, desired destination whenever the program branches to a memory address anywhere on the slide.

The technique sees common usage in software exploits, where it is used to direct program execution when a branch instruction target is not known precisely. Other notable applications include defensive programming strategies such as EMC-aware programming.

While a NOP slide will function if it consists of a list of canonical NOP instructions, the presence of such code is suspicious and easy to automatically detect. For this reason, practical NOP slides are often composed of non-canonical NOP instructions (such as moving a register to itself or adding zero^[1]), or of instructions that affect program state only inconsequentially, which makes them much more difficult to identify.

The entropy of a NOP slide is dependent upon the constraints placed on it. If it can be determined that certain registers are not in use (that is to say, they will be set to a known value before their next use), instructions which manipulate them arbitrarily may be used in the NOP slide. Additionally, if the alignment of both the NOP slide and the instruction pointer are deterministic, multi-byte instructions can be used in a NOP slide without regard to the results of unaligned execution. If the input providing the attack vector into which the NOP slide and payload are to be introduced are filtered (such as accepting only printable characters), the field of possible instructions for inclusion is limited. While instructions that are part of an architecture extension (such as SSE) may frequently be irrelevant to program state, they cannot be used in a NOP slide targeting a computer on which the extension is not supported.

Detection

Many techniques exist to detect the presence of NOP slides in memory. For example, in 2005, Greek researchers found that they can be easily detected by checking whether a memory image contains a lengthy sequence of bytes such that each starting offset within the sequence is valid and leads execution to the same place.^[2]

References

↑ corelanc0d3r (December 31, 2011). "Exploit writing tutorial part 11 : Heap Spraying Demystified". Corelan Team. Retrieved 15 January 2014.
↑ Akritidis, P.; Markatos, E. P.; Polychronakis, M.; Anagnostakis, K. (2005). "STRIDE: Polymorphic Sled Detection Through Instruction Sequence Analysis". Security and Privacy in the Age of Ubiquitous Computing: IFIP TC11 20th International Information Security Conference May 30 -- June 1, 2005, Chiba, Japan: 375–391. doi:10.1007/0-387-25660-1_25.

External links

Use of a NOP slide to compromise a system
Alan Neville (March 20, 2010). "IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot" (PDF). Retrieved September 3, 2011.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.

[1] relanc0d3r (December 31, 2011). "Exploit writing tutorial part 11 : Heap Spraying Demystified". Corelan Team. Retrieved 15 January 2014.

[2] Akritidis, P.; Markatos, E. P.; Polychronakis, M.; Anagnostakis, K. (2005). "STRIDE: Polymorphic Sled Detection Through Instruction Sequence Analysis". Security and Privacy in the Age of Ubiquitous Computing: IFIP TC11 20th International Information Security Conference May 30 -- June 1, 2005, Chiba, Japan: 375–391. doi:10.1007/0-387-25660-1_25.

NOP slide

Detection

See also

References

External links