Problem description
I can't find a good source that answers this question. I know that a nop sled is a technique used to circumvent stack randomization in a buffer overflow attack, but I can't get my head around how it works.
What's a simple example that illustrates this method?
What do terms like 128-byte nop sled mean?
Recommended answer
Some attacks consist of making the program jump to a specific address and continue running from there. The injected code has to be loaded previously somehow in that exact location.
Stack randomization and other runtime differences may make the address where the program will jump impossible to predict, so the attacker places a NOP sled in a big range of memory. If the program jumps to anywhere into the sled, it will run all the remaining NOPs, doing nothing, and then will run the payload code, just next to the sled.
The reason the attacker uses the NOP sled is to make the target address bigger: the code can jump anywhere in the sled, instead of exactly at the beginning of the injected code.
A 128-byte NOP sled is just a group of NOP instructions 128 bytes wide.
NOTE #1: NOP (No-OPeration) is an instruction available in most (all?) architectures that does nothing, other than occupying memory and some runtime.
NOTE #2: in architectures with variable length instructions, a NOP instruction is usually just one byte in length, so it can be used as a convenient instruction padding. Unfortunately, that also makes it easy to do a NOP sled.