NOP slide

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In computer security, a NOP slide, NOP sled or NOP ramp is a sequence of NOP (no-operation) instructions meant to "slide" the CPU's instruction execution flow to its final, desired, destination whenever the program branches to a memory address anywhere on the slide.

The technique sees common usage in software exploits, where it is used to direct program execution when a branch instruction target is not known precisely. Other notable applications include defensive programming strategies such as EMC-aware programming.

While a NOP slide will function if it consists of a list of canonical NOP instructions, the presence of such code is suspicious and easy to automatically detect. For this reason, practical NOP slides are often composed of non-canonical NOP instructions (such as moving a register to itself or adding zero, for example 0x0c0c0c0c[1]), or of instructions that affect program state only inconsequentially, which makes them much more difficult to identify.

The entropy of a NOP slide is dependent upon the constraints placed on it. If it can be determined that certain registers are not in use (that is to say, they will be set to a known value before their next use), instructions which manipulate them arbitrarily may be used in the NOP slide. Additionally, if the alignment of both the NOP slide and the instruction pointer are deterministic, multi-byte instructions can be used in a NOP slide without regard to the results of unaligned execution. If the input providing the attack vector into which the NOP slide and payload are to be introduced are filtered (such as accepting only printable characters), the field of possible instructions for inclusion is limited. While instructions that are part of an architecture extension (such as SSE) may frequently be irrelevant to program state, they cannot be used in a NOP slide targeting a computer on which the extension is not supported.

Detection[edit]

Many techniques exist to detect the presence of NOP slides in memory. For example, in 2005, Greek researchers found that they can be easily detected by checking whether a memory image contains a lengthy sequence of bytes such that each starting offset within the sequence is valid and leads execution to the same place.[2]

See also[edit]

  • Heap spraying, a technique which is complementary to the use of NOP slides

Sources[edit]

  1. ^ corelanc0d3r (December 31, 2011). "Exploit writing tutorial part 11 : Heap Spraying Demystified". Corelan Team. Retrieved 15 January 2014. 
  2. ^ Akritidis, P.; Markatos, E. P.; Polychronakis, M.; Anagnostakis, K. (2005). "STRIDE: Polymorphic Sled Detection Through Instruction Sequence Analysis". Security and Privacy in the Age of Ubiquitous Computing: IFIP TC11 20th International Information Security Conference May 30 -- June 1, 2005, Chiba, Japan: 375–391. doi:10.1007/0-387-25660-1_25.