有没有安全高手给解释一下，这个MemCopy代码抵抗哪些攻击，原理是什么？ - 编程论坛

#2

自由而无用2021-09-17 13:38

//online parser: https://www.bccn.net/run/
add print info to help you analyse this impressive code, good luck!

程序代码：

#include <stdio.h>
#include <stdlib.h>

typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;

#define USR_ADD

uint32_t GetRandom(uint32_t *x)
{
    uint32_t ret;

    ret = rand();
    *x = ~ret;

    return ret;
}

void MemCopy(uint8_t* pSrc, uint8_t* pDst, uint16_t len)
{
    uint32_t i, loop_i;
    uint32_t startIndex;
    uint32_t and_mask, xor_mask;
    uint32_t randVal, invRand;

    startIndex = GetRandom( &invRand ) >> 1;
#ifdef USR_ADD
    //printf("startIndex = %d\n", startIndex);
#endif
    xor_mask = GetRandom( &invRand );
#ifdef USR_ADD
    //printf("xor_mask = %d\n", xor_mask);
#endif
    and_mask = 0x1ffff;

    //usr add
#ifdef USR_ADD
    loop_i = 0;
#endif
    while((len <= (and_mask >> 1 ) + 1) && (and_mask >> 1)) {
#ifdef USR_ADD
        printf("recur = %d\n", loop_i++);
#endif
        and_mask = and_mask >> 1;
    }

    xor_mask &= and_mask;

    for( loop_i = 0; loop_i <= and_mask; loop_i++ ) {
        i = ( startIndex + (loop_i ^ xor_mask) ) % len;
        pDst[i] = (uint8_t) GetRandom( &invRand );
        randVal = GetRandom(&invRand);
        randVal = pSrc[i];
#ifdef USR_ADD
        printf("randVal[%d] = 0x%x\n", loop_i, randVal);
#endif
        pDst[i] = randVal;
        randVal = invRand;
    }

    return;
}

int main(int argc, char *argv[])
{
    unsigned char a1[256] = {1, 2, 3, 4, 5, 0xe9, 0x12, 0x34, 0x56, 0x78, 0xc3};
    unsigned char a2;
    int i;

    MemCopy(a1, &a2, 5);

    for (i = 0; i < 5; i++) printf("%02x ", ((uint8_t *)&a2)[i]);

    return 0;
}

output sample:

recur = 0
recur = 1
recur = 2
recur = 3
recur = 4
recur = 5
recur = 6
recur = 7
recur = 8
recur = 9
recur = 10
recur = 11
recur = 12
recur = 13
randVal[0] = 0x2
randVal[1] = 0x3
randVal[2] = 0x34
randVal[3] = 0x1
randVal[4] = 0xe9
randVal[5] = 0x12
randVal[6] = 0x4
randVal[7] = 0x5
//clear the overflow shell code ?
01 01 00 00 00

[此贴子已经被作者于2021-9-17 14:08编辑过]

#3

diycai2021-09-18 14:20

回复 2楼自由而无用

The MemCopy is not supported overlap, Memory referenced by pSrc must not overlap with memory referenced by pDst.
The question is how it protect a software against Side Channel Attacks.

#4

自由而无用2021-09-18 14:59

回复 3楼 diycai

well, thats an incredible thinking, fixed overlap, however overhead increased, good to know, thanks a lot.

#5

自由而无用2021-09-18 15:03

oh, by the way, I dont have any background of cs-cryptography, sorry unable to give u a hand...

#6

diycai2021-09-18 15:26

回复 5楼自由而无用

Thanks
Please help analyze this branchless function
uint32_t max( uint32_t a, uint32_t b )
{
    uint32_t mask;
    mask = b ^ (a - b);
    mask = (~mask & b) | (mask & (~a));
    mask = (mask >> 31) - 1;
    return (mask & a) | (~mask & b);
}

#7

自由而无用2021-09-18 17:03

回复 6楼 diycai

tunning a brach prediction is an essential work of compiler which will consider the process context environment and make the best decision in theory, user branchless maybe unreliable in some situations
https://

#8

自由而无用2021-09-18 18:08

this is a way to catch the meaning of these bits/op, test different nums and guess how it works
//online https://www.bccn.net/

程序代码：

#include <stdio.h>

typedef unsigned int uint32_t;
#define TST 1

uint32_t max( uint32_t a, uint32_t b )
{
    uint32_t mask;
#define COMP_MAX(a, b) b ^ (a - b)
    mask = COMP_MAX(a, b);
#if TST == 1
    printf("COMP_MAX = 0x%x\n", mask);
#endif
    mask = (~mask & b) | (mask & (~a));
#if TST == 1
    printf("mask1 = 0x%x\n", mask);
#endif
    mask = (mask >> 31) - 1;
#if TST == 1
    printf("mask2 = 0x%x\n", mask);
    printf("mask3 = 0x%x\n", (mask & a));
    printf("mask4 = 0x%x\n", (~mask & b));
    printf("mask5 = 0x%x\n", (mask & a) | (~mask & b));
#endif
    return (mask & a) | (~mask & b);
}

int main(int argc, char *argv[])
{
    printf("max = 0x%x", max(0xAB, 0xAF));

    return 0;
}

output sample:
COMP_MAX = 0xffffff53
mask1 = 0xfffffffc
mask2 = 0x0
mask3 = 0x0
mask4 = 0xaf
mask5 = 0xaf
max = 0xaf
as you see, the 1st output is 53, and obviously its the complement(50) + offset(F - B + 1= 3) of the bigger arg(0xAF), very lucky I got it, and this is my way

[此贴子已经被作者于2021-9-18 18:48编辑过]

#9

自由而无用2021-09-18 18:47

test procedure to catch readable intel, its really very interesting, try and enjoy it.

#10

自由而无用2021-09-18 20:49

//online https://www.bccn.net/

程序代码：

#include <stdio.h>

typedef unsigned int uint32_t;
#define TST 1

uint32_t max( uint32_t a, uint32_t b )
{
    uint32_t mask;

    printf("----------------------------\n\
    a = 0x%x, b = 0x%x\t", a, b);
#define Diff(a, b) b ^ (a - b)
    mask = Diff(a, b);
#if TST == 1
    printf(">> Diff = 0x%x <<\t", mask);
#endif
#define Delta_comp(m, a, b) (~m & b) | (m & (~a))
    mask = Delta_comp(mask, a, b);
#if TST == 1
    printf(">> Delta_comp = 0x%x <<\n", mask);
#endif
    mask = (mask >> 31) - 1;
#if TST == 1
#define mask_undef1 (mask & a)
    printf(">> mask_undef1 = 0x%x <<  ", mask_undef1);
#define mask_undef2 (~mask & b)
    printf(">> mask_undef2 = 0x%x <<  ", mask_undef2);
#define mask_re (mask & a) | (~mask & b)
    printf(">> mask_re = 0x%x <<\n\n", mask_re);
#endif

    return (mask & a) | (~mask & b);
}

int main(int argc, char *argv[])
{
    int i;

    //test procedure and find the patterns
    for(i = 0; i <= 0x34; i++) max(0x34, i);

    return 0;
}

I cant read any patterns from this segment, maybe you could try another different nums, if still cant read, just let it go

[此贴子已经被作者于2021-9-18 20:54编辑过]

#11

diycai2021-09-23 11:57

回复 10楼自由而无用

只有本站会员才能查看附件，请登录

请教高人分析了这个代码，终于解惑，谢谢。

#12

自由而无用2021-09-23 12:03

回复 11楼 diycai

well done!

how about have a drink