Riding the wind of rebirth

Chapter 1858: Empty Operation Sled

This function can simplify some operations. For example, if you need to logically multiply a number by 2 and then output it, sometimes no operation is required. You only need to output the numbers and then fill in a NOP at the end, so that the receiving area waiting to be filled will automatically fill in a 0 after the number, thus achieving the purpose of multiplying by 2 and carrying.

Another important function is that the NOP instruction can serve as a delay.

Although it produces no output, the NOP instruction still takes up the computer's execution time. By adjusting the number of loop iterations, the program can effectively "pause" for the corresponding number of instruction execution times.

When a computer is executing a program, it often stores data in a shared buffer. This buffer frequently needs to be cleared while waiting for the bus to return to a state with no data on it. By using the NOP instruction skillfully, this can be achieved.

However, someone with ulterior motives discovered a new "use" for this handy instruction.

In the operating system, the input and return of instructions are performed through the stack.

Generally speaking, the stack is like a warehouse divided into several areas. Each area is used to store a bunch of "house numbers"; in a microcontroller system such house numbers are called "registers". When a program is called, it works by reading these house numbers one by one, reading the contents of the registers corresponding to these addresses into the stack, and finally storing the calculation result at the return address.

At this time, someone thought of doing something bad, because the contents of the stack are filled from low address to high address, and the highest position is the result address.

If a variable in a low-address area, such as the variable area, is filled with a cleverly constructed super-long string, so that the long string spills over into the high-address area, the second half of the variable will actually replace the "house number" of the return address.

If this "house number" is set to the address of a variable, then the return address will now point to this variable. If this variable contains malicious code, the malicious code will be successfully read into the system.

This method is called "stack buffer overflow". Through buffer overflow, we can change the original normal execution process of the program and execute malicious code prepared by hackers instead.

This set of operations works accurately on WINDOWS systems, and is also the focus of protection of the firewall and anti-virus software developed by Zhou Zhi and his team.

However, this problem does not exist on UNIX-based systems, because the UNIX system allocates random addresses to the result buffer. This means the address of the returned result is not necessarily located right after the variable address, so it cannot be easily guessed by hackers and replaced using a buffer overflow.

The internal system of Clover Group actually uses an independent system based on UNIX architecture, the server version of COS system.

However, in the information technology section of the forum, someone proposed an attack method, which is "nop sled", which translates to "no operation sled".

The paper points out that although the result return address of the UNIX system is random, a large stretch of memory can be filled by injecting a long sequence of nop instructions before the actual attack code.

Then the previous buffer overflow method is used to attack. As long as the control flow of the program is directed to any point within that sequence, the program counter will be incremented step by step until it reaches the address where the attack code sits, and the code is executed.

This is like turning a small target into a huge wall. Previously, you had to shoot the arrow into the target itself to complete the attack, but now you only need to hit the wall, and the arrow will be carried automatically to the target hanging on it. From the perspective of program execution, it is like sliding down a sled all the way to the end, so it is vividly called the "empty operation sled".

This idea is feasible in theory, but there are many difficulties in actual operation. The first is that you have to have the opportunity to run malicious code on the system.

After analyzing the Nuwa logs, Hu Tianyu and his team found that the attack started with the new version of the Clover browser.

The new version of the browser uses the JAVA core. In order to encourage everyone's enthusiasm for research and development, the Clover Group also released the development tool JDK, which includes the Java runtime and compilation environment as well as a bunch of Java tools and class libraries, and which is constantly expanding.

With this, all programming enthusiasts can design some embedded software and embed it in their own homepage so that others can find "surprises" when they visit it.

The web pages viewed by previous browsers were all static. With this embedded tool, some cool animations, short videos, music, and dynamic font effects can be embedded into the web pages. The effect obtained is of course quite amazing.

There are many "software skins" developed with JAVA hanging on the forum now. Almost all the software that young people like to use, such as Clover Player, QQ, input method, etc., have special working groups to develop various fancy skins.

Even some ambitious working groups have started to replace the "skin" themes of large operating systems such as WINDOWS and MAC.

Because the JAVA platform is a development tool that Clover has only just launched, there is a high degree of overlap and deep cooperation between the company's internal programmers and the program development enthusiasts on the forum. Under such circumstances, it is inevitable that someone will quietly install those small programs from the external forum onto the internal systems of their unit.

Of course, ordinary software skins, small gimmicks to make young people happy, are unlikely to tempt the programmers of Clover Group into breaking company rules. However, if there is a coding environment that is very convenient for JAVA development, that is a different matter.

This hacker was such a master. He released a tool called JDK NOTEPAD on the forum. It is actually a very convenient tool for JDK program development, integrating functions that programmers love: automatic code formatting, function error checking, multi-colour matching of function heads and tails, collapsible comments, automatic version recording, and so on. The most striking feature is an automatic optimization function, which can, to a certain extent, make a program more concise, more reasonable, and clearer in layout, greatly improving the efficiency of programmers doing JAVA development.

Afterwards, Hu Tianyu secretly investigated and found that quite a few people in the company had installed this software, and it had even become a common phenomenon in some departments.

However, no one expected that there was a piece of malicious code hidden in the automatic optimization function of this software.

Clover has strict institutional regulations. Each program has certain signature specifications and is strictly implemented in accordance with ISO software product standards. There will be standard comments at the beginning of each program, indicating the program's name, author, department, program version number, previous editors, modification time and other information.

This JDK NOTEPAD is also very considerate. It has preset options: as long as you fill in this information in advance as parameters it manages, then whenever you call up the program development template later, this information will already be written into the program for you. Programmers no longer need to do these repetitive tasks and can start typing code directly in the code area.

However, what they did not expect was that this information was obtained by hackers in a clever way.