有没有安全高手给解释一下，这个MemCopy代码抵抗哪些攻击，原理是什么？ - C语言论坛

| 网站首页 | 业界新闻 | 小组 | 威客 | 人才 | 下载频道 | 博客 | 代码贴 | 在线编程 | 编程论坛 |

编程论坛 → 开发语言 → 『 C语言论坛』 → 有没有安全高手给解释一下，这个MemCopy代码抵抗哪些攻击，原理是什么？

我的收件箱(0)

共有 1811 人关注过本帖

标题：有没有安全高手给解释一下，这个MemCopy代码抵抗哪些攻击，原理是什么？

只看楼主加入收藏

diycai

等　级：贵宾
威　望：19
帖　子：147
专家分：895
注　册：2021-5-18
结帖率：66.67%

楼主

已结贴√ 问题点数：20 回复次数：3

有没有安全高手给解释一下，这个MemCopy代码抵抗哪些攻击，原理是什么？

程序代码：

#include <stdio.h>
#include <stdlib.h>

typedef unsigned char        uint8_t;
typedef unsigned short        uint16_t;
typedef unsigned int        uint32_t;

uint32_t GetRandom( uint32_t* x)
{
    uint32_t ret;
    
    ret = rand();
    *x = ~ret;

    return ret;
}

void MemCopy( uint8_t* pSrc, uint8_t* pDst, uint16_t len )
{
    uint32_t i, loop_i;
    uint32_t startIndex;
    uint32_t and_mask, xor_mask;
    uint32_t randVal, invRand;

    startIndex = GetRandom( &invRand ) >> 1;
    xor_mask = GetRandom( &invRand );
    and_mask = 0x1ffff;
    
    while( ( len <= (and_mask >> 1 ) + 1 ) && ( and_mask > 1 ) )
    {
        and_mask = and_mask >> 1;
    }

    xor_mask &= and_mask;

    for( loop_i = 0; loop_i <= and_mask; loop_i++ )
    {
        i = ( startIndex + (loop_i ^ xor_mask) ) % len;
        pDst[i] = (uint8_t) GetRandom( &invRand );
        randVal = GetRandom(&invRand);
        randVal = pSrc[i];
        pDst[i] = randVal;
        randVal = invRand;
    }

    return;
}

void main()
{
    unsigned char a1[256] = {1, 2, 3, 4, 5};
    unsigned char a2[256];
    int i;

    MemCopy(a1, a2, 5);

    for (i=0; i<5; i++)
    {
        printf("%02x ", a2[i]);
    }
    printf("\n");
}

2021-09-17 13:19

自由而无用

等　级：贵宾
威　望：14
帖　子：61
专家分：1456
注　册：2021-8-9

第 2 楼

得分:0

//online parser: https://www.bccn.net/run/
add print info to help you analyse this impressive code, good luck!

程序代码：

#include <stdio.h>
#include <stdlib.h>

typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;

#define USR_ADD

uint32_t GetRandom(uint32_t *x)
{
    uint32_t ret;
    
    ret = rand();
    *x = ~ret;

    return ret;
}

void MemCopy(uint8_t* pSrc, uint8_t* pDst, uint16_t len)
{
    uint32_t i, loop_i;
    uint32_t startIndex;
    uint32_t and_mask, xor_mask;
    uint32_t randVal, invRand;

    startIndex = GetRandom( &invRand ) >> 1;
#ifdef USR_ADD
    //printf("startIndex = %d\n", startIndex);
#endif
    xor_mask = GetRandom( &invRand );
#ifdef USR_ADD
    //printf("xor_mask = %d\n", xor_mask);
#endif
    and_mask = 0x1ffff;
    
    //usr add
#ifdef USR_ADD
    loop_i = 0;
#endif
    while((len <= (and_mask >> 1 ) + 1) && (and_mask >> 1)) {
#ifdef USR_ADD
        printf("recur = %d\n", loop_i++);
#endif
        and_mask = and_mask >> 1;
    }

    xor_mask &= and_mask;

    for( loop_i = 0; loop_i <= and_mask; loop_i++ ) {
        i = ( startIndex + (loop_i ^ xor_mask) ) % len;
        pDst[i] = (uint8_t) GetRandom( &invRand );
        randVal = GetRandom(&invRand);
        randVal = pSrc[i];
#ifdef USR_ADD
        printf("randVal[%d] = 0x%x\n", loop_i, randVal);
#endif
        pDst[i] = randVal;
        randVal = invRand;
    }

    return;
}

int main(int argc, char *argv[])
{
    unsigned char a1[256] = {1, 2, 3, 4, 5, 0xe9, 0x12, 0x34, 0x56, 0x78, 0xc3};
    unsigned char a2;
    int i;

    MemCopy(a1, &a2, 5);

    for (i = 0; i < 5; i++) printf("%02x ", ((uint8_t *)&a2)[i]);

    return 0;
}

output sample:

recur = 0
recur = 1
recur = 2
recur = 3
recur = 4
recur = 5
recur = 6
recur = 7
recur = 8
recur = 9
recur = 10
recur = 11
recur = 12
recur = 13
randVal[0] = 0x2
randVal[1] = 0x3
randVal[2] = 0x34
randVal[3] = 0x1
randVal[4] = 0xe9
randVal[5] = 0x12
randVal[6] = 0x4
randVal[7] = 0x5
//clear the overflow shell code ?
01 01 00 00 00

[此贴子已经被作者于2021-9-17 14:08编辑过]

2021-09-17 13:38

diycai

等　级：贵宾
威　望：19
帖　子：147
专家分：895
注　册：2021-5-18

第 3 楼

得分:0

回复 2楼自由而无用

The MemCopy is not supported overlap, Memory referenced by pSrc must not overlap with memory referenced by pDst.
The question is how it protect a software against Side Channel Attacks.

2021-09-18 14:20

自由而无用

等　级：贵宾
威　望：14
帖　子：61
专家分：1456
注　册：2021-8-9

第 4 楼

得分:0

回复 3楼 diycai

well, thats an incredible thinking, fixed overlap, however overhead increased, good to know, thanks a lot.

2021-09-18 14:59

自由而无用

等　级：贵宾
威　望：14
帖　子：61
专家分：1456
注　册：2021-8-9

第 5 楼

得分:0

oh, by the way, I dont have any background of cs-cryptography, sorry unable to give u a hand...

2021-09-18 15:03

diycai

等　级：贵宾
威　望：19
帖　子：147
专家分：895
注　册：2021-5-18

第 6 楼

得分:0

回复 5楼自由而无用

Thanks
Please help analyze this branchless function
uint32_t max( uint32_t a, uint32_t b )
{
    uint32_t mask;
    mask = b ^ (a - b);
    mask = (~mask & b) | (mask & (~a));
    mask = (mask >> 31) - 1;
    return (mask & a) | (~mask & b);
}

2021-09-18 15:26

自由而无用

等　级：贵宾
威　望：14
帖　子：61
专家分：1456
注　册：2021-8-9

第 7 楼

得分:0

回复 6楼 diycai

tunning a brach prediction is an essential work of compiler which will consider the process context environment and make the best decision in theory, user branchless maybe unreliable in some situations
https://

2021-09-18 17:03

自由而无用

等　级：贵宾
威　望：14
帖　子：61
专家分：1456
注　册：2021-8-9

第 8 楼

得分:0

this is a way to catch the meaning of these bits/op, test different nums and guess how it works
//online https://www.bccn.net/

程序代码：

#include <stdio.h>

typedef unsigned int uint32_t;
#define TST 1

uint32_t max( uint32_t a, uint32_t b )
{
    uint32_t mask;
#define COMP_MAX(a, b) b ^ (a - b)
    mask = COMP_MAX(a, b);
#if TST == 1
    printf("COMP_MAX = 0x%x\n", mask);
#endif
    mask = (~mask & b) | (mask & (~a));
#if TST == 1
    printf("mask1 = 0x%x\n", mask);
#endif
    mask = (mask >> 31) - 1;
#if TST == 1
    printf("mask2 = 0x%x\n", mask);
    printf("mask3 = 0x%x\n", (mask & a));
    printf("mask4 = 0x%x\n", (~mask & b));
    printf("mask5 = 0x%x\n", (mask & a) | (~mask & b));
#endif
    return (mask & a) | (~mask & b);
}

int main(int argc, char *argv[]) 
{
    printf("max = 0x%x", max(0xAB, 0xAF));
    
    return 0;
}

output sample:
COMP_MAX = 0xffffff53
mask1 = 0xfffffffc
mask2 = 0x0
mask3 = 0x0
mask4 = 0xaf
mask5 = 0xaf
max = 0xaf
as you see, the 1st output is 53, and obviously its the complement(50) + offset(F - B + 1= 3) of the bigger arg(0xAF), very lucky I got it, and this is my way

[此贴子已经被作者于2021-9-18 18:48编辑过]

2021-09-18 18:08

自由而无用

等　级：贵宾
威　望：14
帖　子：61
专家分：1456
注　册：2021-8-9

第 9 楼

得分:0

test procedure to catch readable intel, its really very interesting, try and enjoy it.

2021-09-18 18:47

自由而无用

等　级：贵宾
威　望：14
帖　子：61
专家分：1456
注　册：2021-8-9

第 10 楼

得分:20

//online https://www.bccn.net/

程序代码：

#include <stdio.h>

typedef unsigned int uint32_t;
#define TST 1

uint32_t max( uint32_t a, uint32_t b )
{
    uint32_t mask;
    
    printf("----------------------------\n\
    a = 0x%x, b = 0x%x\t", a, b);
#define Diff(a, b) b ^ (a - b)
    mask = Diff(a, b);
#if TST == 1
    printf(">> Diff = 0x%x <<\t", mask);
#endif
#define Delta_comp(m, a, b) (~m & b) | (m & (~a))
    mask = Delta_comp(mask, a, b);
#if TST == 1
    printf(">> Delta_comp = 0x%x <<\n", mask);
#endif
    mask = (mask >> 31) - 1;
#if TST == 1
#define mask_undef1 (mask & a)
    printf(">> mask_undef1 = 0x%x <<  ", mask_undef1);
#define mask_undef2 (~mask & b)
    printf(">> mask_undef2 = 0x%x <<  ", mask_undef2);
#define mask_re (mask & a) | (~mask & b)
    printf(">> mask_re = 0x%x <<\n\n", mask_re);
#endif
    
    return (mask & a) | (~mask & b);
}

int main(int argc, char *argv[]) 
{
    int i;
    
    //test procedure and find the patterns
    for(i = 0; i <= 0x34; i++) max(0x34, i);
    
    return 0;
}

I cant read any patterns from this segment, maybe you could try another different nums, if still cant read, just let it go

[此贴子已经被作者于2021-9-18 20:54编辑过]

2021-09-18 20:49

快速回复：有没有安全高手给解释一下，这个MemCopy代码抵抗哪些攻击，原理是什么 ...