NOP slide

In computer security, a NOP slide, NOP sled or NOP ramp is a sequence of NOP (no-operation) instructions meant to "slide" the CPU's instruction execution flow to its final, desired destination whenever the program branches to a memory address anywhere on the slide.

The technique sees common usage in software exploits, where it is used to direct program execution when a branch instruction target is not known precisely. Other notable applications include defensive programming strategies such as EMC-aware programming.

While a NOP slide will function if it consists of a list of canonical NOP instructions, the presence of such code is suspicious and easy to automatically detect. For this reason, practical NOP slides are often composed of non-canonical NOP instructions (such as moving a register to itself or adding zero^[1]), or of instructions that affect program state only inconsequentially, which makes them much more difficult to identify.

A NOP-sled is the oldest and most widely known technique for exploiting stack buffer overflows.^[2] It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area. To do this, much larger sections of the stack are corrupted with the no-op machine instruction. At the end of the attacker-supplied data, after the no-op instructions, the attacker places an instruction to perform a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer, the execution will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-sled is instead of the comparatively small shellcode.^[3]

Because of the popularity of this technique, many vendors of intrusion prevention systems will search for this pattern of no-op machine instructions in an attempt to detect shellcode in use. It is important to note that a NOP-sled does not necessarily contain only traditional no-op machine instructions; any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no-op. As a result, it has become common practice for exploit writers to compose the no-op sled with randomly chosen instructions which will have no real effect on the shellcode execution.^[4]

While this method greatly improves the chances that an attack will be successful, it is not without problems. Exploits using this technique still must rely on some amount of luck that they will guess offsets on the stack that are within the NOP-sled region.^[5] An incorrect guess will usually result in the target program crashing and could alert the system administrator to the attacker's activities. Another problem is that the NOP-sled requires a much larger amount of memory in which to hold a NOP-sled large enough to be of any use. This can be a problem when the allocated size of the affected buffer is too small and the current depth of the stack is shallow (i.e., there is not much space from the end of the current stack frame to the start of the stack). Despite its problems, the NOP-sled is often the only method that will work for a given platform, environment, or situation, and as such it is still an important technique.

The entropy of a NOP slide is dependent upon the constraints placed on it. If it can be determined that certain registers are not in use (that is to say, they will be set to a known value before their next use), instructions which manipulate them arbitrarily may be used in the NOP slide. Additionally, if the alignment of both the NOP slide and the instruction pointer are deterministic, multi-byte instructions can be used in a NOP slide without regard to the results of unaligned execution. If the input providing the attack vector into which the NOP slide and payload are to be introduced are filtered (such as accepting only printable characters), the field of possible instructions for inclusion is limited. While instructions that are part of an architecture extension (such as SSE) may frequently be irrelevant to program state, they cannot be used in a NOP slide targeting a computer on which the extension is not supported.

Detection[edit]

Many techniques exist to detect the presence of NOP slides in memory. For example, in 2005, Greek researchers found that they can be easily detected by checking whether a memory image contains a lengthy sequence of bytes such that each starting offset within the sequence is valid and leads execution to the same place.^[6]

References[edit]

^ corelanc0d3r (2011-12-31). "Exploit writing tutorial part 11: Heap Spraying Demystified". Corelan Team. Archived from the original on 2015-04-25. Retrieved 2014-01-15.{{cite web}}: CS1 maint: numeric names: authors list (link)
^ Vangelis (2004-12-08). "Stack-based Overflow Exploit: Introduction to Classical and Advanced Overflow Technique". Wowhacker via Neworder. Archived from the original (text) on 2007-08-18. {{cite journal}}: Cite journal requires |journal= (help)
^ Balaban, Murat. "Buffer Overflows Demystified" (text). Enderunix.org. {{cite journal}}: Cite journal requires |journal= (help)
^ Akritidis, P.; Markatos, Evangelos P.; Polychronakis, M.; Anagnostakis, Kostas D. (2005). "STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis" (PDF). Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005). IFIP International Information Security Conference. Archived from the original (PDF) on 2012-09-01. Retrieved 2012-03-04.
^ Klein, Christian (September 2004). "Buffer Overflow" (PDF). Archived from the original (PDF) on 2007-09-28. {{cite journal}}: Cite journal requires |journal= (help)
^ Akritidis, P.; Markatos, E. P.; Polychronakis, M.; Anagnostakis, K. (2005). "STRIDE: Polymorphic Sled Detection Through Instruction Sequence Analysis". Security and Privacy in the Age of Ubiquitous Computing. IFIP Advances in Information and Communication Technology. Vol. 181. pp. 375–391. doi:10.1007/0-387-25660-1_25. ISBN 978-0-387-25658-0. {{cite book}}: |journal= ignored (help)

External links[edit]

Use of a NOP slide to compromise a system
Neville, Alan (2010-03-20). "IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot" (PDF). Archived from the original (PDF) on 2012-03-31. Retrieved 2011-09-03.

[Corelan_2011-1] relanc0d3r (2011-12-31). "Exploit writing tutorial part 11: Heap Spraying Demystified". Corelan Team. Archived from the original on 2015-04-25. Retrieved 2014-01-15.{{cite web}}: CS1 maint: numeric names: authors list (link)

[Vangelis_2004-2] Vangelis (2004-12-08). "Stack-based Overflow Exploit: Introduction to Classical and Advanced Overflow Technique". Wowhacker via Neworder. Archived from the original (text) on 2007-08-18. {{cite journal}}: Cite journal requires |journal= (help)

[Balaban-3] Balaban, Murat. "Buffer Overflows Demystified" (text). Enderunix.org. {{cite journal}}: Cite journal requires |journal= (help)

[Akritidis-Markatos-Polychronakis-Anagnostakis_2005_1-4] Akritidis, P.; Markatos, Evangelos P.; Polychronakis, M.; Anagnostakis, Kostas D. (2005). "STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis" (PDF). Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005). IFIP International Information Security Conference. Archived from the original (PDF) on 2012-09-01. Retrieved 2012-03-04.

[Klein_2004-5] Klein, Christian (September 2004). "Buffer Overflow" (PDF). Archived from the original (PDF) on 2007-09-28. {{cite journal}}: Cite journal requires |journal= (help)

[Akritidis-Markatos-Polychronakis-Anagnostakis_2005_2-6] Akritidis, P.; Markatos, E. P.; Polychronakis, M.; Anagnostakis, K. (2005). "STRIDE: Polymorphic Sled Detection Through Instruction Sequence Analysis". Security and Privacy in the Age of Ubiquitous Computing. IFIP Advances in Information and Communication Technology. Vol. 181. pp. 375–391. doi:10.1007/0-387-25660-1_25. ISBN 978-0-387-25658-0. {{cite book}}: |journal= ignored (help)

[1]

[2]

[3]

[4]

[5]

[6]

Detection[edit]

See also[edit]

References[edit]

External links[edit]