NOP slide
In computer CPUs, a NOP slide, NOP sled or NOP ramp is a sequence of NOP (no-operation) instructions (on Intel x86, this is the opcode 0x90) meant to "slide" the CPU's instruction execution flow to its final, desired destination. Generally a NOP slide will be used in cases where execution will branch into a position that cannot be determined with absolute accuracy; "padding" the memory area before and after the approximate branch address is performed in the hope of avoiding an exception which would cause the program or system to crash. Once the CPU branches anywhere within the NOP slide, its instruction pointer (IP) will "slide" to its final destination, where there is valid code to be executed. This payload code may consist of executable instructions, a register spring, some return-oriented code, etc.
While a NOP slide will serve its intended purpose if it consists of only NOP instructions (the trivial case of a NOP slide), the presence of such code can be very easily determined. For this reason, NOP slides are often composed of non-canonical NOP instructions (such as moving a register to itself or adding zero), or of instructions that affect immaterial aspects of program state. NOP slides may also include operations that are both desirable and idempotent (such as zeroing a register which the payload will zero later anyway). This technique will increase the entropy of the NOP sled and make detection in both input and memory more difficult.
The entropy of a NOP sled is dependent upon the constraints placed on it. If it can be determined that certain registers are not in use (that is to say, they will be set to a known value before their next use), instructions which manipulate them arbitrarily may be used in the NOP sled. Additionally, if the alignment of both the NOP sled and the instruction pointer is deterministic, multi-byte instructions can be used in a NOP sled without regard to the results of unaligned execution. If the input providing the attack vector into which the NOP sled and payload are to be introduced is filtered (such as accepting only printable characters), the field of possible instructions for inclusion is limited. While instructions that are part of an architecture extension (such as SSE) may frequently be irrelevant to program state, they cannot be used in a NOP sled targeting a computer on which the extension is not supported.
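The two detection points made above (a run of canonical 0x90 bytes is trivial to spot, while a sled built from state-immaterial instructions raises entropy and defeats a naive run detector) can be seen on constructed input. The following is an added example, not part of the original article: it scans a buffer for the longest run of canonical NOPs, for the longest run over a small constructed class of single-byte flag-only instructions (an assumption, not an exhaustive list), and computes the buffer's Shannon entropy.

```python
import math
from collections import Counter

# Constructed, illustrative class of single-byte x86 instructions that a
# detector may treat as NOP-equivalent: the canonical NOP plus instructions
# that only touch the flags register (CMC, CLC, STC, CLD). Not exhaustive.
NOP_LIKE = frozenset({0x90, 0xF5, 0xF8, 0xF9, 0xFC})

def longest_run(data: bytes, byte_class) -> int:
    """Length of the longest contiguous run of bytes drawn from byte_class."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in byte_class else 0
        best = max(best, cur)
    return best

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sled_report(data: bytes, threshold: int = 32) -> dict:
    """Apply both run detectors and the entropy measure to one input buffer."""
    canonical = longest_run(data, {0x90})
    nop_like = longest_run(data, NOP_LIKE)
    return {
        "canonical_run": canonical,
        "nop_like_run": nop_like,
        "entropy": round(shannon_entropy(data), 3),
        "flag_canonical": canonical >= threshold,
        "flag_nop_like": nop_like >= threshold,
    }

# Constructed sample inputs; "PAYLOAD" is a placeholder marker, not code.
TRIVIAL_SLED = b"\x90" * 64 + b"PAYLOAD"
# Diversified sled that cycles through the class so no single byte dominates.
_cycle = sorted(NOP_LIKE)
DIVERSE_SLED = bytes(_cycle[i % len(_cycle)] for i in range(64)) + b"PAYLOAD"
BENIGN_TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, buf in [("trivial", TRIVIAL_SLED), ("diverse", DIVERSE_SLED),
                      ("benign", BENIGN_TEXT)]:
        print(name, sled_report(buf))
```

The canonical-run check flags only the trivial sled, the class-based check flags both sleds, and the diversified sled's entropy is clearly higher than the trivial one's, which is exactly the trade-off the text describes.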
NOP slides can be used in buffer overflow and similar exploits designed to take over a program's execution path, or in defensive programming such as EMC-aware programming.
See also
- Heap spraying, a technique which is complementary to the use of NOP slides
