NOP slide

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In computer security, a NOP slide, NOP sled or NOP ramp is a sequence of NOP (no-operation) instructions meant to "slide" the CPU's instruction execution flow to its final, desired, destination whenever the program branches to a memory address anywhere on the sled.

The technique sees common usage in software exploits, where it is used to direct program execution when a branch instruction target is not known precisely. Other notable applications include defensive programming strategies such as EMC-aware programming.

While a NOP slide will function if it consists of a list of canonical NOP instructions, the presence of such code is suspicious and easy to automatically detect. For this reason, practical NOP slides are often composed of non-canonical NOP instructions (such as moving a register to itself or adding zero, for example 0x0c0c0c0c[1]), or of instructions that affect program state only inconsequentially, which makes them much more difficult to identify.

The entropy of a NOP sled is dependent upon the constraints placed on it. If it can be determined that certain registers are not in use (that is to say, they will be set to a known value before their next use), instructions which manipulate them arbitrarily may be used in the NOP sled. Additionally, if the alignment of both the NOP sled and the instruction pointer are deterministic, multi-byte instructions can be used in a NOP sled without regard to the results of unaligned execution. If the input providing the attack vector into which the NOP sled and payload are to be introduced are filtered (such as accepting only printable characters), the field of possible instructions for inclusion is limited. While instructions that are part of an architecture extension (such as SSE) may frequently be irrelevant to program state, they cannot be used in a NOP sled targeting a computer on which the extension is not supported.

See also[edit]

  • Heap spraying, a technique which is complementary to the use of NOP slides


  1. ^ corelanc0d3r (December 31, 2011). "Exploit writing tutorial part 11 : Heap Spraying Demystified". Corelan Team. Retrieved 15 January 2014.