Chapter 1858 No-Operation Sled
This instruction can simplify some operations. For example, suppose you logically need to multiply a number by 2 and then output it. In some cases no arithmetic is needed at all: you only output the number and then fill in a NOP at the end, so that the receiving area waiting to be filled automatically appends a 0 after the number, achieving the effect of multiplying by 2.
Another important use is that a delay can be generated through the NOP instruction.
Although it produces no output, the NOP instruction still takes up the computer's execution time. By placing it in a loop with a chosen number of iterations, a program can implement a "pause" that lasts for the corresponding number of instruction execution times.
When a computer executes a program, it often stores data in a shared buffer. This buffer frequently needs to be cleared while waiting for the bus to return to a data-free state, and this can be achieved by clever use of the NOP instruction.
However, for such a useful instruction, people with other ideas discovered new "uses".
In the operating system, the passing of instructions and the return of their results are performed through the stack.
Generally speaking, a stack is like a warehouse. The warehouse is divided into several areas, and each area stores a bunch of "house numbers". In a microcontroller system such house numbers are called "registers". When a program makes a call, it works by reading these house numbers one after another, reading the contents of the registers at those addresses into the stack, and finally storing the result of the calculation at the return address.
At this point someone noticed that something was wrong: the contents of the stack are filled from low address to high address, and the highest position is the result address.
If you fill a variable in the low address area, such as the variable area, with a cleverly constructed extra-long string, so that the string spills over into the high address area, the second half of the variable's contents is actually taken as the return address. The "house number" of the return address has been replaced.
Set this "house number" to the address of a certain variable, and the current return address now points to that variable. If the variable contains malicious code, the malicious code has been successfully read into the system.
This method is called a "stack buffer overflow". Through a buffer overflow, the program's original normal execution flow can be changed so that it executes the malicious code prepared by the hacker instead.
This set of operations works reliably on the WINDOWS system, and it is also the focus of the protection in the firewall and anti-virus software developed by Zhou Zhi.
But this problem does not exist on UNIX-based systems, because the UNIX system allocates the address of the result buffer randomly. This means the address of the returned result is not necessarily right behind the variable's address, where hackers could easily guess it and easily replace it using a buffer overflow.
The internal system of Clover Group actually uses an independent system based on UNIX architecture, the server version of the COS system.
However, in the information technology section of the forum, someone proposed an attack method called "nopsled", which translates to "no-op sled".
The article points out that although the result return address on a UNIX system is random, a large region of memory can be blanked out by simply injecting a long sequence of NOP instructions before the actual attack code.
Then the previous buffer overflow method is used to attack. As long as the program's control flow is pointed at any part of that sequence, the program counter increases step by step until it reaches the address where the attack code sits, and executes it.
This is like turning a small target into a huge wall. Before, you needed to shoot the arrow into the target to complete the attack; now you only need to shoot the arrow anywhere into the wall, and the arrow is automatically carried to the target hanging on the wall. From the point of view of program execution, it is like sliding on a sled to the end of the run, so it is vividly called a "no-operation sled".
This idea is feasible in theory, but there are many difficulties in actual operation. The first is that you need to have the opportunity to run malicious code on the system.
After Hu Tianyu and others analyzed Nuwa’s logs, they found that they were affected by the new version of the Clover browser.
The new version of the browser uses the JAVA core. In order to encourage everyone's enthusiasm for research and development, Clover Group also released the research and development tool JDK, which includes a Java running and compilation environment, as well as a bunch of Java tools and class libraries, and is constantly being expanded.
With this, all program enthusiasts can design some embedded software and embed it in their own homepages so that others can find "surprises" when they visit.
The web pages displayed by earlier browsers were all static. With this embedded tool, you can embed cool animations, short videos, music, and dynamic font effects into web pages, and the results are certainly quite astonishing.
Now there are many "software skins" developed with JAVA on the forum. Almost all the software that young people like to use, such as Clover Player, QQ, input methods and so on, has dedicated working groups developing all kinds of fancy skins.
Some ambitious working groups have even begun to produce replacement "skin" themes for large operating systems such as WINDOWS and MAC.
Because JAVA is a research and development tool only just launched by Clover Company, there is a high degree of overlap and in-depth cooperation between the company's internal programmers and the program development enthusiasts on the forum. Under such circumstances, it is inevitable that some people secretly install small pieces of software from external forums onto the company's internal system.
Of course, ordinary software skins, a small gimmick to make young people happy, cannot induce Clover Group programmers to violate the company's rules. But a coding environment that is very convenient for JAVA development is a different matter.
This hacker is exactly such a master. He released a tool called JDKNOTEPAD on the forum. It is actually a very convenient tool for JDK program development, integrating the functions programmers like most: automatic code formatting, function error checking, multi-color matching of the beginning and end of each function, comment folding, automatic version recording, and other very convenient features. The most remarkable thing is its automatic optimization function, which can to a certain extent make a program more concise, more reasonable, and clearer in layout. It greatly improves programmers' work efficiency in JAVA program development.
Afterwards, Hu Tianyu secretly investigated and found that many people in the company had installed this software, and it had even become a common phenomenon in some departments.
However, no one thought that there was a piece of malicious code hidden in the automatic optimization function of this software.
Clover Company has strict system regulations. Each program has certain signature specifications and is strictly implemented in accordance with ISO software product standards. There is a standard comment at the beginning of each program giving the program name, author, department, program version number, previous revisions, modification time and other information.
This JDKNOTEPAD is also very considerate: it has preset options. As long as you fill this information into the parameters it manages in advance, then whenever you call up the program development template in the future, all of this information is already written into the program for you. Programmers no longer need to do these repetitive tasks and can start typing code directly in the code area.
However, what they did not expect was that the information was obtained by hackers in a clever way.