标题:有没有安全高手给解释一下,这个MemCopy代码抵抗哪些攻击,原理是什么?
只看楼主
diycai
Rank: 8Rank: 8
等 级:贵宾
威 望:19
帖 子:147
专家分:895
注 册:2021-5-18
结帖率:66.67%
已结贴  问题点数:20 回复次数:3 
有没有安全高手给解释一下,这个MemCopy代码抵抗哪些攻击,原理是什么?
程序代码:
#include <stdio.h>
#include <stdlib.h>

typedef unsigned char        uint8_t;
typedef unsigned short        uint16_t;
typedef unsigned int        uint32_t;

uint32_t GetRandom( uint32_t* x)
{
    uint32_t ret;
    
    ret = rand();
    *x = ~ret;

    return ret;
}

void MemCopy( uint8_t* pSrc, uint8_t* pDst, uint16_t len )
{
    uint32_t i, loop_i;
    uint32_t startIndex;
    uint32_t and_mask, xor_mask;
    uint32_t randVal, invRand;

    startIndex = GetRandom( &invRand ) >> 1;
    xor_mask = GetRandom( &invRand );
    and_mask = 0x1ffff;
    
    while( ( len <= (and_mask >> 1 ) + 1 ) && ( and_mask > 1 ) )
    {
        and_mask = and_mask >> 1;
    }

    xor_mask &= and_mask;

    for( loop_i = 0; loop_i <= and_mask; loop_i++ )
    {
        i = ( startIndex + (loop_i ^ xor_mask) ) % len;
        pDst[i] = (uint8_t) GetRandom( &invRand );
        randVal = GetRandom(&invRand);
        randVal = pSrc[i];
        pDst[i] = randVal;
        randVal = invRand;
    }

    return;
}

void main()
{
    unsigned char a1[256] = {1, 2, 3, 4, 5};
    unsigned char a2[256];
    int i;

    MemCopy(a1, a2, 5);

    for (i=0; i<5; i++)
    {
        printf("%02x ", a2[i]);
    }
    printf("\n");
}
搜索更多相关主题的帖子: unsigned typedef char ret 安全 
2021-09-17 13:19
自由而无用
Rank: 9Rank: 9Rank: 9
等 级:贵宾
威 望:14
帖 子:61
专家分:1456
注 册:2021-8-9
得分:0 
//online parser: https://www.bccn.net/run/
add print info to help you analyse this impressive code, good luck!
程序代码:
#include <stdio.h>
#include <stdlib.h>

typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;

#define USR_ADD

uint32_t GetRandom(uint32_t *x)
{
    uint32_t ret;
    
    ret = rand();
    *x = ~ret;

    return ret;
}

void MemCopy(uint8_t* pSrc, uint8_t* pDst, uint16_t len)
{
    uint32_t i, loop_i;
    uint32_t startIndex;
    uint32_t and_mask, xor_mask;
    uint32_t randVal, invRand;

    startIndex = GetRandom( &invRand ) >> 1;
#ifdef USR_ADD
    //printf("startIndex = %d\n", startIndex);
#endif
    xor_mask = GetRandom( &invRand );
#ifdef USR_ADD
    //printf("xor_mask = %d\n", xor_mask);
#endif
    and_mask = 0x1ffff;
    
    //usr add
#ifdef USR_ADD
    loop_i = 0;
#endif
    while((len <= (and_mask >> 1 ) + 1) && (and_mask >> 1)) {
#ifdef USR_ADD
        printf("recur = %d\n", loop_i++);
#endif
        and_mask = and_mask >> 1;
    }

    xor_mask &= and_mask;

    for( loop_i = 0; loop_i <= and_mask; loop_i++ ) {
        i = ( startIndex + (loop_i ^ xor_mask) ) % len;
        pDst[i] = (uint8_t) GetRandom( &invRand );
        randVal = GetRandom(&invRand);
        randVal = pSrc[i];
#ifdef USR_ADD
        printf("randVal[%d] = 0x%x\n", loop_i, randVal);
#endif
        pDst[i] = randVal;
        randVal = invRand;
    }

    return;
}

int main(int argc, char *argv[])
{
    unsigned char a1[256] = {1, 2, 3, 4, 5, 0xe9, 0x12, 0x34, 0x56, 0x78, 0xc3};
    unsigned char a2;
    int i;

    MemCopy(a1, &a2, 5);

    for (i = 0; i < 5; i++) printf("%02x ", ((uint8_t *)&a2)[i]);

    return 0;
}


output sample:

recur = 0
recur = 1
recur = 2
recur = 3
recur = 4
recur = 5
recur = 6
recur = 7
recur = 8
recur = 9
recur = 10
recur = 11
recur = 12
recur = 13
randVal[0] = 0x2
randVal[1] = 0x3
randVal[2] = 0x34
randVal[3] = 0x1
randVal[4] = 0xe9
randVal[5] = 0x12
randVal[6] = 0x4
randVal[7] = 0x5
//clear the overflow shell code ?
01 01 00 00 00


[此贴子已经被作者于2021-9-17 14:08编辑过]

2021-09-17 13:38
diycai
Rank: 8Rank: 8
等 级:贵宾
威 望:19
帖 子:147
专家分:895
注 册:2021-5-18
得分:0 
回复 2楼 自由而无用
The MemCopy is not supported overlap, Memory referenced by pSrc must not overlap with memory referenced by pDst.
The question is how it protect a software against Side Channel Attacks.
2021-09-18 14:20
自由而无用
Rank: 9Rank: 9Rank: 9
等 级:贵宾
威 望:14
帖 子:61
专家分:1456
注 册:2021-8-9
得分:0 
回复 3楼 diycai
well, thats an incredible thinking, fixed overlap, however overhead increased, good to know, thanks a lot.
2021-09-18 14:59
自由而无用
Rank: 9Rank: 9Rank: 9
等 级:贵宾
威 望:14
帖 子:61
专家分:1456
注 册:2021-8-9
得分:0 
oh, by the way, I dont have any background of cs-cryptography, sorry unable to give u a hand...
2021-09-18 15:03
diycai
Rank: 8Rank: 8
等 级:贵宾
威 望:19
帖 子:147
专家分:895
注 册:2021-5-18
得分:0 
回复 5楼 自由而无用
Thanks
Please help analyze this branchless function
uint32_t max( uint32_t a, uint32_t b )
{
    uint32_t mask;
    mask = b ^ (a - b);
    mask = (~mask & b) | (mask & (~a));
    mask = (mask >> 31) - 1;
    return (mask & a) | (~mask & b);
}
2021-09-18 15:26
自由而无用
Rank: 9Rank: 9Rank: 9
等 级:贵宾
威 望:14
帖 子:61
专家分:1456
注 册:2021-8-9
得分:0 
回复 6楼 diycai
tunning a brach prediction is an essential work of compiler which will consider the process context environment and make the best decision in theory, user branchless maybe unreliable in some situations
https://
2021-09-18 17:03
自由而无用
Rank: 9Rank: 9Rank: 9
等 级:贵宾
威 望:14
帖 子:61
专家分:1456
注 册:2021-8-9
得分:0 
this is a way to catch the meaning of these bits/op, test different nums and guess how it works
//online https://www.bccn.net/
程序代码:
#include <stdio.h>

typedef unsigned int uint32_t;
#define TST 1

uint32_t max( uint32_t a, uint32_t b )
{
    uint32_t mask;
#define COMP_MAX(a, b) b ^ (a - b)
    mask = COMP_MAX(a, b);
#if TST == 1
    printf("COMP_MAX = 0x%x\n", mask);
#endif
    mask = (~mask & b) | (mask & (~a));
#if TST == 1
    printf("mask1 = 0x%x\n", mask);
#endif
    mask = (mask >> 31) - 1;
#if TST == 1
    printf("mask2 = 0x%x\n", mask);
    printf("mask3 = 0x%x\n", (mask & a));
    printf("mask4 = 0x%x\n", (~mask & b));
    printf("mask5 = 0x%x\n", (mask & a) | (~mask & b));
#endif
    return (mask & a) | (~mask & b);
}

int main(int argc, char *argv[]) 
{
    printf("max = 0x%x", max(0xAB, 0xAF));
    
    return 0;
}

output sample:
COMP_MAX = 0xffffff53
mask1 = 0xfffffffc
mask2 = 0x0
mask3 = 0x0
mask4 = 0xaf
mask5 = 0xaf
max = 0xaf
as you see, the 1st output is 53, and obviously its the complement(50) + offset(F - B + 1= 3) of the bigger arg(0xAF), very lucky I got it, and this is my way

[此贴子已经被作者于2021-9-18 18:48编辑过]

2021-09-18 18:08
自由而无用
Rank: 9Rank: 9Rank: 9
等 级:贵宾
威 望:14
帖 子:61
专家分:1456
注 册:2021-8-9
得分:0 
test procedure to catch readable intel, its really very interesting, try and enjoy it.
2021-09-18 18:47
自由而无用
Rank: 9Rank: 9Rank: 9
等 级:贵宾
威 望:14
帖 子:61
专家分:1456
注 册:2021-8-9
得分:20 
//online https://www.bccn.net/
程序代码:
#include <stdio.h>

typedef unsigned int uint32_t;
#define TST 1

uint32_t max( uint32_t a, uint32_t b )
{
    uint32_t mask;
    
    printf("----------------------------\n\
    a = 0x%x, b = 0x%x\t", a, b);
#define Diff(a, b) b ^ (a - b)
    mask = Diff(a, b);
#if TST == 1
    printf(">> Diff = 0x%x <<\t", mask);
#endif
#define Delta_comp(m, a, b) (~m & b) | (m & (~a))
    mask = Delta_comp(mask, a, b);
#if TST == 1
    printf(">> Delta_comp = 0x%x <<\n", mask);
#endif
    mask = (mask >> 31) - 1;
#if TST == 1
#define mask_undef1 (mask & a)
    printf(">> mask_undef1 = 0x%x <<  ", mask_undef1);
#define mask_undef2 (~mask & b)
    printf(">> mask_undef2 = 0x%x <<  ", mask_undef2);
#define mask_re (mask & a) | (~mask & b)
    printf(">> mask_re = 0x%x <<\n\n", mask_re);
#endif
    
    return (mask & a) | (~mask & b);
}

int main(int argc, char *argv[]) 
{
    int i;
    
    //test procedure and find the patterns
    for(i = 0; i <= 0x34; i++) max(0x34, i);
    
    return 0;
}


I cant read any patterns from this segment, maybe you could try another different nums, if still cant read, just let it go

[此贴子已经被作者于2021-9-18 20:54编辑过]

2021-09-18 20:49



参与讨论请移步原网站贴子:https://bbs.bccn.net/thread-506891-1-1.html




关于我们 | 广告合作 | 编程中国 | 清除Cookies | TOP | 手机版

编程中国 版权所有,并保留所有权利。
Powered by Discuz, Processed in 0.020919 second(s), 8 queries.
Copyright©2004-2024, BCCN.NET, All Rights Reserved