Slashdot Mirror


English Shell Code Could Make Security Harder

An anonymous reader writes to tell us that finding malicious code might have just become a little harder. Last week at the ACM Conference on Computer and Communications Security, security researchers Joshua Mason, Sam Small, Fabian Monrose, and Greg MacManus presented a method they developed to generate English shell code [PDF]. Using content from Wikipedia and other public works to train their engine, they convert arbitrary x86 shell code into sentences that read like spam, but are natively executable. "In this paper we revisit the assumption that shell code need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shell code that is superficially similar to English prose. We argue that this new development poses significant challenges for in-line payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shell code injection attacks altogether."

291 comments

  1. This is by Anrego · · Score: 4, Funny

    quite terrifying :(

    If hackers convert arbitrary x86 shell code into sentences that read like spam, but are natively executable .. we're all screwed :(

    We'll either need to tighten up how architectures execute instructions to make it harder to execute shell code in the first place.. or come up with sophisticated AI to help filter out the shell code. Of course, as soon as we do that, hackers will develop AIs which can write convincing (and even compelling) shell code.. and THEN what the hell do we do.

    Now where I live you can get a pretty decent hair cut for $17 (they even trim up the beard). You can't get anything fancy.. but a decent, professional-ish type haircut is definitely no problem.

    My employer is giving us a pretty generous Christmas vacation.. really looking forward to that!!

    Also this time of year is great cause CHRISTMAS is everywhere :D

    1. Re:This is by StuartHankins · · Score: 0, Offtopic

      Did I miss something or did you just totally change topics twice in your post? Haircut? Vacation?

      Go outside, you need some fresh air!

    2. Re:This is by BradleyUffner · · Score: 4, Funny

      I believe you missed the virus he just sent you. :)

    3. Re:This is by aurelianito · · Score: 1

      Mod parent insightful. He is showing what this "shellcode" would look like.

    4. Re:This is by Wovel · · Score: 4, Informative

      Guess you missed their "compromised" machine assumption. "..After successful exploitation of a software vulnerability, we assume that a pointer to the shellcode..." . The sky is not really falling any faster today than it was yesterday.

    5. Re:This is by blueg3 · · Score: 5, Informative

      Pinning down terminology use by security researchers is tricky.

      In this case, what they mean is that the system has a vulnerability that enables code from a remote source to be executed, and that the input from the remote source is being run through a filter that attempt to identify executable code (in order to block it) versus English text.

      On an already-secure system, this makes no difference at all. Those don't exist, much. If you were relying on a "looks like executable code" filter to protect you, this is a tip that it's not that secure. The paranoid should already assume so (based on things that already are available in Metasploit, if nothing else).
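Added example, not code from the paper or from anyone in this thread: the kind of "looks like text, not code" payload filter blueg3 describes, beside a decoder for the subset of 32-bit x86 whose encodings happen to be printable ASCII. The payload bytes and the opcode tables are constructed here; the decoder covers only the single-byte and immediate forms (no ModRM), which is enough to show why a printable-ratio check says nothing about executability.

```c
/* Added example (not from the paper or the thread): a naive "is this text?"
 * filter next to a decoder for the printable-ASCII subset of 32-bit x86. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Fraction of printable bytes: the "looks like text, not code" check. */
double printable_ratio(const unsigned char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (isprint(buf[i]) || buf[i] == '\n') n++;
    return len ? (double)n / (double)len : 0.0;
}

static const char *reg32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
static const char *jcc[16]  = {"jo","jno","jb","jae","je","jne","jbe","ja",
                               "js","jns","jp","jnp","jl","jge","jle","jg"};

/* Decode one instruction from the printable subset of 32-bit x86 (no ModRM
 * forms, so register-to-register xor/sub/and are left out). Returns the
 * instruction length, or 0 if the byte is outside the subset. */
int decode_one(const unsigned char *p, size_t avail, char *out, size_t outsz) {
    unsigned char b = p[0];
    if (b >= 0x40 && b <= 0x47) { snprintf(out, outsz, "inc %s", reg32[b - 0x40]); return 1; }
    if (b >= 0x48 && b <= 0x4f) { snprintf(out, outsz, "dec %s", reg32[b - 0x48]); return 1; }
    if (b >= 0x50 && b <= 0x57) { snprintf(out, outsz, "push %s", reg32[b - 0x50]); return 1; }
    if (b >= 0x58 && b <= 0x5f) { snprintf(out, outsz, "pop %s", reg32[b - 0x58]); return 1; }
    if (b == 0x60) { snprintf(out, outsz, "pusha"); return 1; }
    if (b == 0x61) { snprintf(out, outsz, "popa"); return 1; }
    if (b >= 0x70 && b <= 0x7f && avail >= 2) {          /* jcc rel8 */
        snprintf(out, outsz, "%s $%+d", jcc[b - 0x70], (signed char)p[1] + 2);
        return 2;
    }
    if (avail >= 2 && (b == 0x24 || b == 0x2c || b == 0x34 || b == 0x3c || b == 0x6a)) {
        const char *m = b == 0x24 ? "and al," : b == 0x2c ? "sub al," :
                        b == 0x34 ? "xor al," : b == 0x3c ? "cmp al," : "push byte";
        snprintf(out, outsz, "%s 0x%02x", m, p[1]);
        return 2;
    }
    if (avail >= 5 && (b == 0x25 || b == 0x2d || b == 0x35 || b == 0x3d || b == 0x68)) {
        unsigned imm = p[1] | (p[2] << 8) | (p[3] << 16) | ((unsigned)p[4] << 24);
        const char *m = b == 0x25 ? "and eax," : b == 0x2d ? "sub eax," :
                        b == 0x35 ? "xor eax," : b == 0x3d ? "cmp eax," : "push dword";
        snprintf(out, outsz, "%s 0x%08x", m, imm);
        return 5;
    }
    return 0;
}

/* Decode a whole buffer. Returns the instruction count, or -1 at the first
 * byte the printable subset cannot express. */
int decode_all(const unsigned char *buf, size_t len, int verbose) {
    char text[48];
    int count = 0;
    size_t i = 0;
    while (i < len) {
        int n = decode_one(buf + i, len - i, text, sizeof text);
        if (n == 0) return -1;
        if (verbose) printf("  %04zx: %s\n", i, text);
        i += (size_t)n;
        count++;
    }
    return count;
}

/* Constructed payloads: pure printable ASCII that decodes cleanly, and the
 * opening bytes of a classic execve("/bin//sh") stub for contrast. */
static const unsigned char english_like[] = "PYhelloAJXZ";
static const unsigned char classic[] = {0x31, 0xc0, 0x50, 0x68, '/', '/', 's', 'h'};

int main(void) {
    printf("printable-only payload: ratio %.2f\n",
           printable_ratio(english_like, sizeof english_like - 1));
    printf("  decodes to %d instructions\n",
           decode_all(english_like, sizeof english_like - 1, 1));
    printf("classic stub: ratio %.2f, decode_all -> %d (needs ModRM forms)\n",
           printable_ratio(classic, sizeof classic),
           decode_all(classic, sizeof classic, 0));
    return 0;
}
```

The printable payload scores 1.00 on the filter and still decodes as push/pop/inc/dec and a push of an immediate; the filter only ever measured character class, never executability. A real English-looking payload needs the self-modifying bootstrap the paper describes, since branches and most arithmetic fall outside this subset.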

    6. Re:This is by afidel · · Score: 2, Insightful

      Isn't this what NX is supposed to stop, execution of arbitrary data as code?

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    7. Re:This is by blueg3 · · Score: 1

      Yes -- in theory, code should be W xor X: writable or executable, but never both. This is then solved neatly. However, this is often not the case. It's a little bold on Von Neumann machines, where the code and data are the same, to hope that code and data can be cleanly separated reliably.

      The most egregious case is interpreters, where data that's passed around is turned into executable code dynamically. Less egregious but still unsafe is dynamically-generated code, which must be both writable and executable.

    8. Re:This is by mysidia · · Score: 2, Funny

      I propose the x86 instruction set be altered to add an additional byte to every instruction, a NUL byte or NUL word, so every instruction will have an additional 2 to 8 bytes of overhead, at least 1 must be set to all bits 0, and the following byte must be set to all bits 1.

      Since the NUL byte cannot be expressed in a sentence and commonly causes I/O to terminate (i.e. delineates the end of the string), x86 code can then not be disguised as a sentence.

      Also, the following byte being all bits 1, assures that the instruction cannot be transmitted over protocols that do not provide 8-bit support.

      Further, the all-bits 1 sequence should be removed from ASCII and banned from use by any network protocol: to transmit such bits, you must encode in Base64.

    9. Re:This is by Blakey+Rat · · Score: 1

      I know, I'm going to have to stop saving and trying to execute all my incoming spam messages.

      Maybe I'll try executing my IMs...

    10. Re:This is by x2A · · Score: 2, Insightful

      Well then that won't be the x86 instruction set, will it?

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    11. Re:This is by Anonymous Coward · · Score: 0

      Did I miss something

      Yes.

    12. Re:This is by mysidia · · Score: 2, Interesting

      No, it won't be the legacy x86 instruction set.

      But we can call it the "Secure x86 instruction set" or the "Enhanced x86 instruction set"

      Market it properly, and everyone will switch to it, because they think it's faster and safer.

    13. Re:This is by XDirtypunkX · · Score: 1

      But it doesn't have to be both writable and executable at the same time, unless the generated code is self modifying.

    14. Re:This is by nneonneo · · Score: 2, Interesting

      Unfortunately, this does not fully solve the problem. Say, for instance, that you've managed to get a buffer overflow on a system, and you now have control over the stack (which is marked RW, but not X). Then, you overwrite the return address of the current function to mprotect() and stick some arguments on it which change the stack protection to RX (there are good reasons for doing this in actual practice, e.g. executable compressors like UPX, or executable thunks on the stack); this type of attack is known as a "return-to-libc" attack. If you can successfully overwrite the next lower return address as well, then you can ensure that your shellcode is executed after mprotect returns.

      Even if we assume that the stack is permanently fixed at RW, this does not prevent heap spray attacks which place executable code on the heap and overwrite return addresses on the stack to point at the heap. If the heap is marked RW, then we can just repeat the same process as used above to call mprotect.

      Prohibiting execution on writable segments seems sensible, but in the face of functions which can change the protection bits, it is ineffective. Further, simply restricting the use of those functions is potentially too restrictive, as in the case of some runtime environments which rely on the ability to execute dynamically generated trampoline code to implement key features (for instance, GCC may generate trampoline code to call nested functions), as you mentioned with your second paragraph.
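Added example, not nneonneo's code: the legitimate RW-then-RX page lifecycle that a return-to-mprotect chain abuses, beside a small audit that parses /proc/<pid>/maps text and flags any mapping that is writable and executable at once. Linux only; the stub bytes encode `mov eax, 42; ret` on x86, and the sample maps text is constructed.

```c
/* Added example (not from the thread): W^X page lifecycle plus a W+X audit. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* mov eax, 42 ; ret  (same encoding on i386 and x86-64) */
static const unsigned char stub_x86[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};

/* Write code into an RW page, then drop W and add X before calling it, so the
 * page is never W and X together. Returns 42, or -1 when this host is not x86
 * or the kernel refused the mapping. */
int run_jit_wxorx(void) {
#if defined(__x86_64__) || defined(__i386__)
    size_t sz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, stub_x86, sizeof stub_x86);             /* write while RW   */
    if (mprotect(page, sz, PROT_READ | PROT_EXEC) != 0) { /* RW -> RX         */
        munmap(page, sz);
        return -1;
    }
    int (*fn)(void);
    memcpy(&fn, &page, sizeof fn);                       /* data ptr -> fn ptr */
    int r = fn();
    munmap(page, sz);
    return r;
#else
    return -1;
#endif
}

/* Count lines of /proc/<pid>/maps text whose permission field has both 'w'
 * and 'x'. Line layout: "start-end perms offset dev inode [path]". */
int count_wx_mappings(const char *maps_text) {
    int n = 0;
    const char *line = maps_text;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *sp = memchr(line, ' ', len);
        if (sp && (size_t)(sp - line) + 4 < len) {       /* perms = 4 chars after the space */
            const char *perm = sp + 1;
            if (perm[1] == 'w' && perm[2] == 'x') n++;
        }
        line = nl ? nl + 1 : NULL;
    }
    return n;
}

/* Audit the running process. Returns the count, or -1 if procfs is unreadable. */
int audit_self(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    static char buf[1 << 16];
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    buf[got] = '\0';
    fclose(f);
    return count_wx_mappings(buf);
}

/* Constructed sample: two ordinary mappings and one rwx mapping of the kind a
 * careless JIT, or a successful mprotect() chain, leaves behind. */
static const char sample_maps[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/app\n"
    "7f0000000000-7f0000021000 rw-p 00000000 00:00 0 [heap]\n"
    "7f1000000000-7f1000001000 rwxp 00000000 00:00 0\n";

int main(void) {
    printf("jit result: %d\n", run_jit_wxorx());
    printf("rwx mappings in sample: %d\n", count_wx_mappings(sample_maps));
    printf("rwx mappings in this process: %d\n", audit_self());
    return 0;
}
```

The attack in the comment works precisely because mprotect() is an ordinary, callable function: the hardened posture is a W^X policy that the process cannot relax for itself (PaX MPROTECT, SELinux execmem denial, or an allocator that refuses to ever hand out W+X), and an audit like count_wx_mappings() is how you check that it holds.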

    15. Re:This is by blueg3 · · Score: 3, Insightful

      Even better: inputs that can overwrite the stack can perform arbitrary code execution even if the stack is never executable, via "return-to-libc" programming.

    16. Re:This is by x2A · · Score: 2, Insightful

      If you've got the ability to market a processor that won't run peoples old software, and using it makes software slower, take up more memory (think for single byte instructions, a single byte of padding is doubling the space it takes up, which is in effect halving the size of your L1/L2 caches), to a level sufficient enough to get people to actually buy it, then you may as well not even bother with the CPU, just convince them to give you money for nothing, as obviously your marketing team are that good that they could do that!

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    17. Re:This is by wvmarle · · Score: 4, Insightful

      As is being argued all the time: security is about layers. Layer upon layer. One layer to prevent executable code to reach your system in the first place by looking at the content of a message. Another layer to prevent code that does reach your system to be executed at all. Another layer to prevent untrusted code that does manage to be executed to do any damage (sandbox, permissions). Relying on a single layer of defense is not secure, no matter what that layer is or how strong that layer is. Breach that one layer and you're in.

      This research gives at the very least a proof-of-concept on how to breach that first layer of security. And that of course is significant.

      Of course there are no 100% secure systems - but the more layers of defense, the more secure it becomes. This takes away one layer of defense, thus making a system less secure. So yes it does make a difference even on "already-secure" systems.

    18. Re:This is by zippthorne · · Score: 1

      It's even worse than that. With liberal use of jumps, the hackers can edit the jumped-over text to make sentences that actually mean something, rather than simply superficially looking like English. They could, for instance, combine a fork bomb with a screed about cheap haircuts that really aren't.

      Now, if I'm reading right, on page 7 there is a diagram which seems to imply that they also have a solution to the halting problem...

      --
      Can you be Even More Awesome?!
    19. Re:This is by mysidia · · Score: 1

      If you've got the ability to market a ********* that won't run peoples old software, and using it makes software slower, take up more memory

      Isn't that what Vista / 7 are?

    20. Re:This is by Anonymous Coward · · Score: 0

      The obvious question at hand..

      Does this kind of double meaning for the resulting text get double copyright protection?

      Considering that the resut is a "Literary work", as well as a computer program...

      It could also add a whole new dimension to the term "Viral advertising"...

    21. Re:This is by x2A · · Score: 1

      No. We're talking realising that exaggeration. This CPU wouldn't even run those.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    22. Re:This is by Anonymous Coward · · Score: 0

      Meh, I only use Polish shell code. Much more secure than the Swedish shell code I used to use:

      Bash:$ Sudo Bork | Bork | Bork

    23. Re:This is by mysidia · · Score: 1

      Sure it would... they just wouldn't benefit from the security feature.

      Much like running 32-bit binaries on a x86_64 chip doesn't get you 64-bit goodness. And OSes that don't support the NX bit don't get any benefit

      It would be up to the compiler to make Secure-Code-protected binaries.

      And the OS in question to set the right CPU bit to require the extra padding, before branching into the program..

      Keeping in mind every program not supporting the bit installed on a system is a security risk

    24. Re:This is by x2A · · Score: 1

      Well thankfully there are people out there who can think of better ways than up to doubling the length of each instruction just to make it harder to transmit code as plain text while causing all other code to be bigger and slower even if it isn't going to be affected by that...

      So what would you do about shared libraries? You'd need padded and non-padded versions for supporting both process types, as you couldn't let padded code call unpadded code (like you can have a non-NX protected process call into NX protected pages of code) because that would just stop the whole thing from working.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    25. Re:This is by mysidia · · Score: 1

      Well thankfully there are people out there who can think of better ways than up to doubling the length of each instruction

      Kind of like there are people out there who can think of "better" ways to keep sensitive data safe without encrypting it when transmitting over an untrusted medium?

      Ways like... just trust noone wants your data?

      The preference would be to make all libraries padded, and allow unpadded code to call padded code but not vice-versa.

      Also, the padding could in theory be made optional if the instruction contains something with a high-bit set.

      However, that's not as secure as inserting a NUL, which helps protect against buffer overflows (due to the use of NUL for string termination in the C programming language).

    26. Re:This is by QuoteMstr · · Score: 1

      The halting problem can be solved in restricted cases. You can definitely determine whether a program halts after N steps, and you can also tell whether a program running on a restricted-memory machine halts. The theorem applies only to turing machines, of which real-world computers are only an approximation.

    27. Re:This is by phantomcircuit · · Score: 1

      I would seriously like to see you try to defeat both NX and -fstack-protector.

    28. Re:This is by RAMMS+EIN · · Score: 1

      ``We'll either need to tighten up how architectures execute instructions to make it harder to execute shell code in the first place..''

      This has been done. The problem is that popular operating systems and applications don't make use of these techniques.

      Shellcode crash course: shellcode is basically code which an attacker feeds to a program, which the program then executes, even though it is not supposed to. Getting the program to execute the shellcode thus relies on exploiting a security vulnerability. The canonical scenario is exploiting a buffer overflow, where the attacker feeds data to the program that is larger than the buffer the program has allocated for it. Programs that don't check for this will happily overwrite their own memory, including the return address of the current function. Overwrite the return address so that it points into the data you fed the program and presto, you now control the machine.

      This relies on two things:

      1. The program actually overwriting memory outside the buffer when reading data into the buffer
      2. The machine actually executing the data as code

      1 is dependent on the function used to read the input. C provides several functions that allow buffer overflows, and allows the programmer to write his own. I wrote an essay years ago where I advocated using higher level programming languages for most development specifically to avoid these dangers, and, frankly, I'm baffled that we're still using C so much. Sure, if you program carefully enough, you can avoid the pitfalls, but Real World data shows that this isn't happening. Besides, there are other good reasons for using other languages, for example more powerful abstractions that lead to more productivity. But, for this discussion, what is relevant is that shellcode would not be such a problem if it wasn't for so many programs being written using unsafe constructs in C and C++.

      2 is easily prevented on most architectures by marking data as non-executable. There are actually some efforts to do this: OpenBSD has W^X, Linux has PaX, and Windows nowadays has Data Execution Prevention. However, most Linux distributions do not include PaX, and the default setting for DEP in Windows is opt-in, which means that programs that do not explicitly request it don't get it. Besides W^X, there are other mechanisms, such as address space layout randomization. ASLR makes executing shellcode hard by making it hard to predict at which address shellcode and library functions reside. It is enabled by default on OpenBSD. On Linux, it is provided by PaX, which, most distributions don't include. On Windows, it has been enabled by default since Vista, but only in a very limited form.

      As far as I am concerned, the ability of an attacker to inject shellcode into a system would be a solved problem, if only the world adopted the solutions.

      --
      Please correct me if I got my facts wrong.
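Added example, not RAMMS+EIN's code: the two conditions from the crash course in working C. The overflow is modelled on a struct so the overwrite of the "return address" field is visible without crashing the process (copying through the struct's byte representation is well-defined, which is what makes it a safe stand-in for strcpy()); next to it is the bounds-checked copy that removes condition 1. The attacker input is constructed.

```c
/* Added example (not from the thread): the overflow from the crash course,
 * modelled on a struct, beside a bounds-checked copy. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Models a stack frame: a 16-byte buffer with the saved return address
 * sitting directly above it in memory. */
struct frame_model {
    char     name[16];
    uint32_t saved_ret;
};

/* Condition 1: the program copies whatever it is given into a fixed buffer.
 * Returns the value that ended up where the return address lives. */
uint32_t overflow_demo(const char *input) {
    struct frame_model f;
    memset(&f, 0, sizeof f);
    size_t len = strlen(input);
    if (len > sizeof f) len = sizeof f;      /* keep the demo itself in bounds */
    memcpy(&f, input, len);                  /* bytes 16..19 land on saved_ret */
    return f.saved_ret;
}

/* The fix: refuse input that does not fit, copy by explicit length, always
 * NUL-terminate. Returns the stored length, or -1 if the input was rejected. */
int store_name_checked(const char *input, size_t input_len) {
    char name[16];
    if (input_len >= sizeof name) return -1; /* leave room for the NUL */
    memcpy(name, input, input_len);
    name[input_len] = '\0';
    return (int)strlen(name);
}

/* Constructed attacker input: 16 bytes of filler, then the 4 bytes that would
 * become the new return address. */
static const char payload[] = "AAAAAAAAAAAAAAAABBBB";

int main(void) {
    printf("saved_ret after unchecked copy: 0x%08x\n", overflow_demo(payload));
    printf("checked copy of the same input: %d\n",
           store_name_checked(payload, sizeof payload - 1));
    printf("checked copy of \"bob\": %d\n", store_name_checked("bob", 3));
    return 0;
}
```

With the unchecked copy the attacker's trailing bytes replace saved_ret, which is the whole mechanism the comment describes; with the checked copy the oversize input is rejected before anything is written. Condition 2 (the machine executing the data) is what NX/W^X addresses and is a separate layer.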
    29. Re:This is by x2A · · Score: 1

      "Kind of like there are people out there who can think of "better" ways to keep sensitive data safe without encrypting it when transmitting over an untrusted medium?"

      No, nothing like that.

      "and allow unpadded code to call padded code but not vice-versa"

      What about callbacks?

      "the padding could in theory be made optional if the instruction contains something with a high-bit set"

      So instead of using a sledgehammer to crack a walnut, use a different sledgehammer. You do realise that most data/communications isn't pre-limited to 7bit, and can go higher than 8bit when you need to support other alphabets using UTF8/Unicode etc, with much exploitable code having been found in stream processing code (like ssl, compression or image libraries, A/V codecs), and that this rewritten instruction set where you waste 1/8bits per instruction (remember how many of those get processed per second) would do nothing in all those cases, meaning you'd've done all that and you're still not secured by it.

      (due to the use of NUL for string termination in the C programming language)

      So instead of just using functions where you pass the length of the buffer along with your string pointers so it doesn't overrun, or functions that store the length of the buffer and automatically allocate larger buffers if the string does overrun, you'd prefer to just fill up to half of your memory used for code with zeroes? So that it affects all code, rather than just the code that can potentially cause overflows? Do you really think that's the better solution? Really? Do you really? Really do you?

      The idea's full of NULLs!

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    30. Re:This is by Anonymous Coward · · Score: 0

      What is "shell code" supposed to be? Bourne shell scripts?

    31. Re:This is by c1t1z3nk41n3 · · Score: 2, Insightful

      I think this will have nasty applications for web email providers. GMail and I'm guessing the other major ones filter out executable attachments to prevent spread of email worms. If this can beat their filters there are surely plenty of people still unwary enough to run programs emailed to them.

    32. Re:This is by V!NCENT · · Score: 1

      How about, I don't know, making sure you just can't automagically execute shellcode and make sure that there's at least nothing skippabble, and if so, return an error?

      For fsck sake... If anything. This type of exploit doesn't even work on modern Ubuntu, unless you are a complete fscking tetard.

      PEBKAC.

      --
      Here be signatures
    33. Re:This is by Anonymous Coward · · Score: 0

      Why you talking about trimming beards? Hold on, there is a bunch of outgoing smtp traffic on machine suddenly...

    34. Re:This is by mysidia · · Score: 1

      Yeah, it's a better idea, because you can never know what types of instructions might be used to attempt to exploit a string buffer overflow.

      It's impossible to completely prevent a string buffer overflow in advance, and even NX bit can't prevent arbitrary code injection through such overflows.

    35. Re:This is by Goaway · · Score: 1

      This attacks one layer of security. NX provides another layer of security. The two are not related in any way except for being layers of security.

    36. Re:This is by Goaway · · Score: 1

      PEBKAC

      I'd say that keyboard and computer are yours.

    37. Re:This is by fulldecent · · Score: 1

      Why not buy an iPhone that executes TXTs?

      --
      I was raised on the command line, bitch

    38. Re:This is by maxwell+demon · · Score: 1

      This research gives at the very least a proof-of-concept on how to breach that first layer of security. And that of course is significant.

      However, given that it explicitly looks like spam, it actually made sure that it won't get through any decent spam filter.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    39. Re:This is by mcgrew · · Score: 1

      The sky is not really falling any faster today than it was yesterday

      Yes it is, here anyway. Yesterday it was sunny, today it's raining.

    40. Re:This is by maxwell+demon · · Score: 1

      If designing a processor instruction set to prevent this attack, I'd make sure that any code doing anything interesting has to contain a sequence that violates the rules of UTF8. Then a system could prevent the attack by just converting any text to valid UTF8, which then would by design not allow to do anything interesting.

      Prime candidates for the invalid UTF8 route would be all instructions which change the control flow (jump, conditional jump, call, return).

      Candidates for invalid UTF8 would be the bytes 0xFE and 0xFF, the byte range 0xC0 to 0xC3, the byte 0xE0 followed by any byte not in the range of 0xA0 to 0xBF, any byte in the range 0x00 to 0x7F followed by any byte in the range of 0x80 to 0xBF, ...

      So we have available 6 single bytes and plenty of 2-byte sequences which simply cannot appear in any well-formed UTF8. For example, you could encode call as 0xFE, return as 0xFF, the most important jump instructions in 0xC0 to 0xC3, and the other jumps into non-UTF8 two-byte instructions.

      --
      The Tao of math: The numbers you can count are not the real numbers.
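Added example, not maxwell+demon's code: a strict UTF-8 validator and the "convert any text to valid UTF-8" filter the comment proposes. It follows RFC 3629 rather than the byte ranges listed in the comment: 0xC0, 0xC1 and 0xF5 to 0xFF can never appear in well-formed UTF-8, overlong forms and UTF-16 surrogates are rejected, but 0xC2 and 0xC3 are ordinary two-byte lead bytes. All inputs are constructed.

```c
/* Added example (not from the thread): RFC 3629 UTF-8 validation and a
 * replace-with-U+FFFD sanitizer. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Length of the well-formed sequence at s[0..len), or 0 if it is malformed
 * (bad lead byte, bad continuation, overlong, surrogate, above U+10FFFF,
 * or truncated). */
size_t utf8_seq_len(const unsigned char *s, size_t len) {
    if (len == 0) return 0;
    unsigned char b = s[0], lo = 0x80, hi = 0xBF;
    size_t n;
    if (b < 0x80) return 1;
    else if (b >= 0xC2 && b <= 0xDF) n = 1;
    else if (b == 0xE0) { n = 2; lo = 0xA0; }           /* no overlong 3-byte   */
    else if (b >= 0xE1 && b <= 0xEC) n = 2;
    else if (b == 0xED) { n = 2; hi = 0x9F; }           /* no UTF-16 surrogates */
    else if (b >= 0xEE && b <= 0xEF) n = 2;
    else if (b == 0xF0) { n = 3; lo = 0x90; }           /* no overlong 4-byte   */
    else if (b >= 0xF1 && b <= 0xF3) n = 3;
    else if (b == 0xF4) { n = 3; hi = 0x8F; }           /* at most U+10FFFF     */
    else return 0;                                       /* 0x80-0xC1, 0xF5-0xFF */
    if (n >= len) return 0;                              /* truncated sequence   */
    if (s[1] < lo || s[1] > hi) return 0;
    for (size_t k = 2; k <= n; k++)
        if (s[k] < 0x80 || s[k] > 0xBF) return 0;
    return n + 1;
}

/* 1 if the whole buffer is well-formed UTF-8, else 0. */
int utf8_valid(const unsigned char *s, size_t len) {
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(s + i, len - i);
        if (n == 0) return 0;
        i += n;
    }
    return 1;
}

/* The filter from the comment: pass well-formed sequences through, replace
 * each malformed byte with U+FFFD (EF BF BD). out needs 3*len bytes.
 * Returns the output length. */
size_t utf8_sanitize(const unsigned char *s, size_t len, unsigned char *out) {
    size_t i = 0, o = 0;
    while (i < len) {
        size_t n = utf8_seq_len(s + i, len - i);
        if (n) { memcpy(out + o, s + i, n); o += n; i += n; }
        else   { out[o++] = 0xEF; out[o++] = 0xBF; out[o++] = 0xBD; i++; }
    }
    return o;
}

int main(void) {
    const unsigned char mixed[] = {'a', 0xC3, 0xA9, 0xC0, 0x80, 0xFE, 'z'};
    unsigned char out[3 * sizeof mixed];
    size_t n = utf8_sanitize(mixed, sizeof mixed, out);
    printf("valid before: %d, after: %d, length %zu -> %zu\n",
           utf8_valid(mixed, sizeof mixed), utf8_valid(out, n), sizeof mixed, n);
    return 0;
}
```

Note what this filter does and does not buy: it guarantees the bytes reaching the parser are well-formed text, which is worthwhile in its own right, but as x2A points out below it only changes the starting vocabulary an attacker has to bootstrap from, and it does nothing about the missing bounds check that let the input be executed in the first place.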
    41. Re:This is by Locke2005 · · Score: 1

      Of course there are no 100% secure systems

      I've got a system that is unplugged, had the memory removed, and is locked in an airtight vault. I'm pretty sure it's at least 99.9% secure. The correct phrase should be, "There is no such thing as a 100% secure system that can still be used to do useful work."

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    42. Re:This is by jc42 · · Score: 1

      The correct phrase should be, "There is no such thing as a 100% secure system that can still be used to do useful work."

      The problem with that is that at least 80% of the population is incapable of handling such nested constructs, and only remember that you said "There is no such thing as a 100% secure system". They may or may not remember that you said something after that, but they won't remember what was in your follow-on phrase. When you get to political and media people, the fraction rises to around 99%. You can see this phenomenon a lot here on /., though it's possible that computer geeks are somewhat more able to handle such nesting due to their experience with programming languages.

      It's similar to how most people ignore clauses that start with "If ...", and only remember the B part of "If A then B". I've seen this repeatedly, where they'll quote me or someone else as having said B, when I know that the original statement had a conditional attached. Others will remember the A without the initial "if", with B as a separate and independent statement. Preventing this is hopeless, because the typical human brain can't handle syntax that's that deep.

      (And I can already see the flames from the people who now know that I claimed that "the typical human brain can't handle syntax". ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    43. Re:This is by Locke2005 · · Score: 1

      The point I was trying to make was that in planning or designing a system, there is always a trade-off between security and usability. E.g. requiring non-dictionary passwords makes them harder to remember, and frequently results in users simply writing the password down somewhere. (I once broke security on my University's system by simply opening the top desk drawer of an Admissions and Records employee and reading the password off a post-it.)

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    44. Re:This is by V!NCENT · · Score: 1

      Goaway: Hello V!NCENT's computer, I'd like to-
      Policykit: Fsck you!
      Goaway: Ok but then I'd go through the backdoo-
      Firewall: All closed...
      Goaway: But then I will just-
      V!NCENT: Not gonna click on it...

      And then you say?

      --
      Here be signatures
    45. Re:This is by Goaway · · Score: 1

      What exactly is it you think you are preventing with policykit or firewalls there?

    46. Re:This is by nneonneo · · Score: 1

      Heap spray vulnerabilities don't require manipulating the stack at all; for an example, see iFrame exploit in IE, so this will happily exploit your NX -fstack-protector application, if you have such a vulnerability.

      A program compiled with -fstack-protector is indeed more secure from stack attacks, but it doesn't prevent all such attacks: if you compile against a vulnerable library, the library will not get protection (unless it too was compiled this way), and your program could still be compromised.

    47. Re:This is by x2A · · Score: 1

      It won't solve you much though. Firstly, if you've got the ability to dump your string into a bit of memory where it can be executed from, then there's nothing stopping you from using a couple of bitwise operations to modify the code ahead and put the codes in. Secondly, where people do manage to dump a string somewhere it'll be executed it's because something's not checking its inputs, eg, making sure that a string isn't longer than its buffer, such as maybe an image or a compressed chunk of data with a header that's saying it needs less memory than it does, and the software's just blindly taking it at its word and reading/unpacking it in memory overflowing its buffer. You're not going to have an easier time getting people to check their strings for valid UTF8 sequences than to just get them to do basic bounds checking to stop those strings being executed in the first place.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    48. Re:This is by perew · · Score: 1

      Computer architectures have existed since at least the early 60s which strictly segregate data from authorized instructions. The original Burroughs B5000 systems, and its modern descendants, the Unisys Clearpath MCP Libra Series, are immune to this kind of attack. It's a shame that the world has adopted the far inferior x86 architecture.

    49. Re:This is by maxwell+demon · · Score: 1

      But if the input is not checked, there's no point in making it look like English text. That only makes sense if it first has to pass a filter which filters out non-text. And that filter would do the conversion to UTF8 or, if the input is already expected to be UTF8, would filter out the invalid UTF8.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    50. Re:This is by x2A · · Score: 1

      No what it's saying is that filtering the content to make sure that only certain types of characters (alphabet, punctuation etc) can't be relied on to improve your security, you have to make sure that the incoming data doesn't end up somewhere where it's going to get executed, because once the code is being executed, it can decode the instructions that it couldn't get past the filter in place. Filter for English words only, or filter for UTF8 sequences only, the only difference is the initial machine language vocabulary you have to start with to build your decoder with. And, even if your UTF8 filter does remove some illegal sequences so the code no longer gains shell access, the fact that you're running it could still result in data corruption or crashing the application - not as bad as unauthorised shell access, but it's hardly a great second best.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    51. Re:This is by V!NCENT · · Score: 1

      Remote code execution maybe?

      --
      Here be signatures
    52. Re:This is by Goaway · · Score: 1

      Those don't stop the most common attack vector, embedding an exploit in a webpage.

  2. Oh great - that love letter from the IRS by rcpitt · · Score: 3, Funny

    just formatted my hard disk and installed Windows 7 - how low can you get :(

    --
    Been there, done that, paid for the T-shirt
    and didn't get it
    1. Re:Oh great - that love letter from the IRS by mysidia · · Score: 1

      That's nothing... I typed "The quick brown fox jumps over the lazy dog" into an e-mail message I was sending on my iPhone, and it suddenly morphed into a Zune..

      I guess a similar technique works on the ARM processor also :-(

    2. Re:Oh great - that love letter from the IRS by roguetrick · · Score: 1

      You think thats exceptional, after I read that my head morphed into a facsimile of Ballmer's 0:`-( ))

      --
      -The world would be a better place if everyone had a hoverboard
    3. Re:Oh great - that love letter from the IRS by snspdaarf · · Score: 1

      You think thats exceptional, after I read that my head morphed into a facsimile of Ballmer's 0:`-( ))

      Ah, the "Night Elf Chair Grenade"

      --
      Why, without your clothes, you're naked, Miss Dudley!
  3. Re:The syntax should not matter.. by benjamindees · · Score: 3, Informative

    They don't mean shell commands. They mean code that exploits a vulnerability in order to start a shell.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  4. Confused by MichaelSmith · · Score: 1

    Does TFA talk about shell code or assembler code?

    1. Re:Confused by Anonymous Coward · · Score: 0

      They're the same thing, shell code is assembly code injected into a security vulnerability (like a buffer overrun) to start a shell.

    2. Re:Confused by icebraining · · Score: 2, Insightful

      It's a shellcode; it's actually written in machine code.

    3. Re:Confused by blueg3 · · Score: 1

      Shellcode is machine code. That is, compiled assembler.

      It's just a logical extension of the shellcode filters that Metasploit already provides. If you hadn't thought it through, though, it's an important proof-of-concept.

    4. Re:Confused by The+MAZZTer · · Score: 3, Informative

      Nope, you're confusing assembly code and shell/machine code, which are two different things.

      Assembly is text-based, and is readable for people who know the language. Each operation is a keyword, and some take arguments. It's basically the lightest-weight possible programming language (although it's not really considered a programming language, it's so light weight!) A computer cannot run assembly code directly.

      Machine code is what you get if you take the assembly and run it through an assembler to produce code that the computer can understand. The computer can then execute it. It is not human readable unless you've memorized which opcodes correspond to which assembly keywords. Far easier to pipe it through a disassembler to get the assembly code back and read that.

      To answer the GP's question this sounds like they mean shell code. It wouldn't be very useful as assembly code anyway. ("To claim your free iPod, run this sentence through masm and run the resulting EXE file.") Most people don't have an assembler and the ones who do aren't usually susceptible to malware anyway.

    5. Re:Confused by MichaelSmith · · Score: 1

      It's a bit like people who put obscure perl code in their sig, waiting for somebody to run it out of curiosity.

    6. Re:Confused by Blakey+Rat · · Score: 1

      Shellembler code.

      Common mistake.

    7. Re:Confused by Nazlfrag · · Score: 1

      This is machine code that is restricted to only those opcodes found in English phrases with tricks to get other opcodes via self modification. Quite nifty really.

    8. Re:Confused by Ungrounded+Lightning · · Score: 4, Informative

      TFA uses the security community's special term "(a) shellcode", which means something other than what it sounds like to ordinary programmers.

      "A shellcode" is the infection head of an exploit - the thing you try to get to run on the target to make the rest of the exploit work. It's in the machine language of the target, not a shell language.

      It's called "a shellcode" because it typically (but not necessarily) tries to sucker the system into launching a shell to run the rest of the exploit. The rest of the exploit may be in a shell language (depending on the shell to interpret it), a machine language executable, etc. Or "the shellcode" may do something else than launch a shell.

      This is one of the latter cases. It's a chunk of self-modifying code (due to the limits of what instructions you can get out of English-looking text) that bootstraps its own internals into something that can act as an interpreter (or other executor) for the rest of the English-looking exploit code, then runs through that code and "makes it happen".

      You can think of it as a binary executable program that depends on self-modification to get away with consisting only of combinations of bytes that look enough like English to fool spam filters which are trying to recognize executable code.

      So it's a very goofy binary and there are no shells or shell languages involved. Instead (if I read this right) the researchers built a very screwy assembler that takes as input an assembler source program and produces as output some VERY screwy machine code that looks like English and ends up doing the same job in a roundabout way, rather than being the direct translation of the assembler code input.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    9. Re:Confused by KingKiki217 · · Score: 1

      I saw :(){:|:&};: floating around for years before I knew what it meant, but I never did work up the curiosity/courage/idiocy to dump it into a command line.

    10. Re:Confused by Anonymous Coward · · Score: 0

      This wouldn't work! Most people that know how to run masm own an iPod already. They would briefly consider owning two iPods, find it inefficient and delete the message. DUH!

    11. Re:Confused by mcgrew · · Score: 1

      Machine code is what you get if you take the assembly and run it through an assembler to produce code that the computer can understand. The computer can then execute it. It is not human readable unless you've memorized which opcodes correspond to which assembly keywords.

      I don't know, I'm sure there's someone out there who has actually memorized it. I wrote machine code for a Z-80 Timex-Sinclair back in the early eighties, as there were no assemblers for that machine I knew of. I had to write the assembly, then translate it byte by byte, looking up the opcodes by hand, then test each small module before stitching them together.

      I only did it a couple of times as it was very tedious, and only when I needed blazing speed, but I was pretty proud when I wrote a "battle tanks" game that ran fast enough on its 1 MHz processor that I had to put NOP loops in it to slow it down somewhat. It was quite a challenge and a learning experience, but I'm sure someone smarter than me could breeze through it.

      Of course, the Z-80 was a primitive processor that wasn't anywhere near as complex as an x86. I'm pretty sure it would be impossible for me to do with a modern processor (and I'm not nearly as patient as I used to be), but like I said, someone smarter than me could accomplish it, maybe even considering it trivial.

    12. Re:Confused by Anonymous Coward · · Score: 0

      Back in the days when I was coding assembly/machine code I used a so-called "monitor" on the C64. All this monitor did was dump the memory to screen and let you change it live, but instead of just printing raw hex codes, it converted the opcodes to assembler-like commands.

      We all called it machine code, and I still consider it machine code. The big difference between that and assembler was that all addresses were real and absolute. Today it will seem absurd to have to move code in memory to be able to insert new code, rather than just adding the lines in an assembler and reassembling the code.

  5. Re:The syntax should not matter.. by Anonymous Coward · · Score: 0

    Indeed, colour and shape should be irrelevant to the toxicity of our shells!

    Btw, I, for one, welcome our new incisive literary overlords!

  6. Re:In other news... by blueg3 · · Score: 5, Informative

    Good job not reading the article.

    It's not that shellcode can be written in text and then compiled to an executable form. It's not that shellcode can be compiled to an intermediary form, translated or compiled into machine instructions by a piece of code (this is common in malware now, to pass input restrictions -- as the article says). It's that the executed machine instructions themselves -- the compiled binary data that can be run raw on an x86 processor -- looks like English text.

  7. This very comment by ewg · · Score: 5, Funny

    Why, this very comment prints a list of prime numbers less than one hundred!

    --
    org.slashdot.post.SignatureNotFoundException: ewg
    1. Re:This very comment by The+MAZZTer · · Score: 4, Funny

      Where do the numbers print out I don't see325072$OGO^%$#G@!!)%@^)&@!^%$$36PEER TIMEOUT

    2. Re:This very comment by lazybeam · · Score: 1

      Heh, reminds me of emailing out "+++ATH" that used to disconnect people using my uni's modems.

      --
      --
      no sig for you. come back one year.
    3. Re:This very comment by Anonymous Coward · · Score: 0

      Oh, so when did we stop using "NO CARRIER"?

    4. Re:This very comment by GameboyRMH · · Score: 1

      We've switched to a stateless network protocol, it's only stateful at the application level. No carrier signal necessary. It's way more effici^H^H^C PEER TIMEOUT

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. OMG! by mhajicek · · Score: 5, Funny

    Now your brain can catch a virus just by reading!!!1

    1. Re:OMG! by Nethead · · Score: 5, Funny

      Leave the bible out of this!

      --
      -- I have a private email server in my basement.
    2. Re:OMG! by enoz · · Score: 1

      The English language is infected, do not translate this message.

    3. Re:OMG! by MBCook · · Score: 1

      Ah, The Funniest Joke in the World. Oddly topical for this topic, eh?

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    4. Re:OMG! by wizardforce · · Score: 4, Interesting

      You joke but what is a meme (religions are "memes") really other than a self replicating piece of language? The *extreme* bits act in many ways like a virus does: self replication, performing specific tasks, adapting to their environment (like some of the more insidious malware) and neither viruses nor memes can replicate on their own; they need a "host."

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    5. Re:OMG! by Nethead · · Score: 5, Funny

      So now that you've explained my joke, do you get it?

      --
      -- I have a private email server in my basement.
    6. Re:OMG! by Anonymous Coward · · Score: 0

      Shades of Neal Stephenson's "Snow Crash", in which the language of ancient Sumeria was not merely a spoken language, but a sort of programming (of the human brain) language as well, which made it possible to create a "virus" that could spread just by seeing a certain bit pattern or hearing a particular phrase.

    7. Re:OMG! by Anonymous Coward · · Score: 0

      ...

    8. Re:OMG! by roguetrick · · Score: 1

      Thanks for the sub-wikipedia summary level class on memes, professor. Maybe next you can present to us your grand theory on how girls don't like nice guys, or some other such bullshit.

      --
      -The world would be a better place if everyone had a hoverboard
    9. Re:OMG! by enoz · · Score: 1

      I was referencing Pontypool but that Monty Python skit is also relevant.

    10. Re:OMG! by Vyse+of+Arcadia · · Score: 1

      You read a lot of Neal Stephenson, don't you?

    11. Re:OMG! by NotQuiteReal · · Score: 1

      No, I Say "OMG", You Say "Ponies!".

      --
      This issue is a bit more complicated than you think.
    12. Re:OMG! by Anonymous Coward · · Score: 0

      Funny you mentioned that.. I have that giant brick of a book Cryptonomicon sitting on the shelf right now.

    13. Re:OMG! by Concerned+Onlooker · · Score: 3, Funny

      Yes, it's a simple head code. Any English schoolboy could catch it.

      --
      http://www.rootstrikers.org/
    14. Re:OMG! by elfprince13 · · Score: 1

      hey man, you want to try some snow crash?

    15. Re:OMG! by damburger · · Score: 1

      It's not outside the realms of possibility... you make a bit of malicious code that hides in a very meme-y bit of text, then it can as easily replicate by people typing it in or C+Ping it to each other.

      --
      If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
    16. Re:OMG! by Mortice · · Score: 1

      Dear parent,

      You won't get modded up because understanding the subject and moderating the comments are mutually exclusive round here, but I just want you to know that your comment was hilarious.

    17. Re:OMG! by arndawg · · Score: 1

      Thank you nethead. Double win for you and also you made my day; twice :...

    18. Re:OMG! by Vintermann · · Score: 1

      Indeed, indeed. I am very glad you took this opportunity to inject a debate about religion in this discussion by comparing religions to viruses. Really, slashdot doesn't have nearly enough of them!

      But for the next time, may I suggest you add a comment to clarify that Scientology is no different from all other religions in any significant way. You get even more upmods that way.

      --
      xkcd is not in the sudoers file. This incident will be reported.
    19. Re:OMG! by Migala77 · · Score: 1

      Now your brain can catch a virus just by reading!!!1

      Nothing new there... check The Catcher in the Rye

    20. Re:OMG! by jggimi · · Score: 1

      =That= book is definitely worth the read.

    21. Re:OMG! by Anonymous Coward · · Score: 0

      No, it's an official Mormon Jigsaw - erm, no - a German Mixup Code!

    22. Re:OMG! by mdmkolbe · · Score: 1

      I guess that makes Science a virus too!

    23. Re:OMG! by wizardforce · · Score: 1

      If I wanted to compare all religion to viruses and malware, I wouldn't have mentioned the extreme sects in particular.

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    24. Re:OMG! by Anonymous Coward · · Score: 0

      I haven't seen weather like this since I was a kid in Ohio.

    25. Re:OMG! by Anonymous Coward · · Score: 0

      Explaining a joke is like vivisecting a frog. You understand it better, but it dies in the process.

  9. Re:The syntax should not matter.. by Wovel · · Score: 1

    Thanks, I read the article after I posted. So they discovered a way to attack machines that have already been compromised..If your security is relying on an inline inspection for specific commands, you have already lost. All that reading to change three words.

  10. That was rather pretty by jaymz2k4 · · Score: 2, Interesting

    I just have to point out how well that PDF looked from a purely graphic point of view... That is all. Interesting content to boot.

    --
    jaymz
    1. Re:That was rather pretty by Wovel · · Score: 1

      I actually agree it was good looking and a fairly interesting read.

    2. Re:That was rather pretty by sten+ben · · Score: 2, Informative

      Looks like LaTeX with a CHI template. But maybe that was what you were getting at? Pretty it is.

    3. Re:That was rather pretty by gzipped_tar · · Score: 2, Informative

      The PDF file itself was generated using Adobe Distiller for Mac. Not sure what is used to generate the original. Since they were using Adobe, it's not likely that they were using LaTeX.

      --
      Colorless green Cthulhu waits dreaming furiously.
    4. Re:That was rather pretty by sten+ben · · Score: 2, Informative

      Since they were using Adobe, it's not likely that they were using LaTeX.

      Except the .dvi file extension. And: Creator: dvips(k) 5.97 Copyright 2008 Radical Eye Software

      Acrobat was probably only used to convert the ps to pdf.

    5. Re:That was rather pretty by dubaiguy · · Score: 4, Informative

      It's latex with an ACM template. I'm pretty sure their workflow was latex (.dvi) to dvips (.ps) to Acrobat Distiller (.pdf).

    6. Re:That was rather pretty by sten+ben · · Score: 1

      I stand corrected, it seems CHI uses ACM with some tweaks.

    7. Re:That was rather pretty by moyix · · Score: 1

      I also had a paper at this year's CCS conference, so perhaps I can shed some light on the process. The publisher had some fairly picky requirements for the PDFs, and warned that most PDFs created by (for example) pdflatex would probably not pass muster. So along with a PDF we had to submit a Postscript file so that they could distill it into a PDF that met their requirements if necessary. That's likely what happened here--the final Acrobat Distiller step was probably done by the publisher to make everything fit their publishing requirements.

  11. Re:In other news... by Knightman · · Score: 2, Insightful

    And how do you suppose they generate the text then? They have a system they train with text pulled from various sources, then they use it to generate an innocent looking text that can be executed with a predicted result, no? In other words, an assembler/compiler....

    See, I did read the pdf....

    Btw, I missed that there were 4 researchers, not 3...

    --
    --- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
  12. Re:The syntax should not matter.. by istartedi · · Score: 1

    Yes, but if a machine on your network has "already lost", you'd probably like to know that.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  13. Re:The syntax should not matter.. by Wovel · · Score: 4, Insightful

    And nothing in their article is helping with that. They assume they are exploiting a software vulnerability. If I know there is a software vulnerability, there are 1 million and 1 less complex ways for me to blow right by any inline scanner. (One stupid enough not to look and see what the actual bytes were anyway)

  14. Re:In other news... by blueg3 · · Score: 1

    No, an assembler or compiler takes as input text in a high-level language and generates executable machine code.

    This takes as input executable machine code and generates executable machine code with a very narrowly-defined statistical property. (Simpler, but important, statistical properties have been done previously -- e.g., the Metasploit filters.)

  15. Re:In other news...BAN THE PARENT by HEbGb · · Score: 4, Informative

    This is the sixth spam message this user has posted, will SLASHDOT please BAN this guy already? Come on.

  16. oblig by Anonymous Coward · · Score: 1, Funny

    Has anyone really been far even as decided to use even go want to do look more like?

  17. Re:In other news... by Knightman · · Score: 3, Interesting

    An assembler/compiler doesn't necessarily use a high-level language input.

    In this instance they (as you say) 'takes as input executable machine code and generates executable machine code with a very narrowly-defined statistical property' which tells me they have an assembler that reads executable code and assembles executable code that looks like English text, in other words an assembler.

    --
    --- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
  18. Re:In other news...BAN THE PARENT by Tynin · · Score: 5, Informative

    This is the sixth spam message this user has posted, will SLASHDOT please BAN this guy already? Come on.

    He must be making new logins. I've seen him posting for a few weeks, he surely has more than 6 spams that I've seen alone. Going on that idea... let's see:
    http://slashdot.org/~coolforsale117
    http://slashdot.org/~coolforsale116
    http://slashdot.org/~coolforsale115
    http://slashdot.org/~coolforsale114
    http://slashdot.org/~coolforsale112
    http://slashdot.org/~coolforsale110

    No doubt there is a TON of them. So I'd guess they are banning him, he just keeps making new uids (and siphoning a ton of moderation points to keep him marked at troll / offtopic). I know I've used many mod points keeping this bastard down.

  19. Re:In other news...BAN THE PARENT by ColdWetDog · · Score: 1

    Maybe we should slashdot his site. Or give him to /b/

    --
    Faster! Faster! Faster would be better!
  20. Re:In other news... by calmofthestorm · · Score: 2, Interesting

    No, it translates assembly to different assembly that's also English. This is actually a rather interesting piece of work. They didn't just write a program that converts assembly to English assembly, they wrote one in English assembly.

    --
    93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  21. OK this explains a lot by gzipped_tar · · Score: 1

    Newsflash: It's not the elusive and mystified SlashDotFS (http://hardware.slashdot.org/comments.pl?sid=1196619&cid=27553143). Those gibberish spam posts here are actually designed to crash and pwn Windoze suxx0rs...

    --
    Colorless green Cthulhu waits dreaming furiously.
    1. Re:OK this explains a lot by mysidia · · Score: 1

      I don't think it's a SlashdotFS but a SlashdotDHT.

      Used for file distribution (DHTs indicating IP address, and such, maybe)

      Or a more nefarious possibility: for botnet command and control / reconnaissance. E.g. communications back channel... master node posts on various websites

      But yeah, they could contain shell code, even digitally signed shell code, and we'd never know for sure, I guess.

  22. Re:In other news... by mysidia · · Score: 2, Funny

    FAIL. It cannot be an assembler if the input is not assembly.

    It's a translator.

  23. Re:In other news... by blueg3 · · Score: 2, Informative

    Technically, machine code -- assembly is the pseudo-English text version of machine code.

    But otherwise, yes.

  24. Re:In other news... by mysidia · · Score: 2, Interesting

    It is indeed a translator.

    It doesn't translate assembler code.. it translates x86 machine code.

    (Which also implies that it cannot be an assembler, since assemblers only accept Assembly code as input)

  25. Best place to hide a tree by Cryacin · · Score: 1

    Is in a forest...

    And now for a car analogy...

    --
    Science advances one funeral at a time- Max Planck
  26. Binaries that opt out of NX by tepples · · Score: 2, Informative

    Isn't this what NX is supposed to stop, execution of arbitrary data as code?

    Then you compromise a binary that has opted out of strict NX, such as a Java virtual machine that needs to dynamically recompile JVM bytecode to x86 bytecode.

    1. Re:Binaries that opt out of NX by afidel · · Score: 1

      Yes, but that should dramatically reduce your attack surface, well except for stupid Flash Player and Acrobat, Adobe can't code their way out of a paper bag.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Binaries that opt out of NX by jonadab · · Score: 1

      > Then you compromise a binary that has opted out of strict NX,
      > such as a Java virtual machine that needs to dynamically
      > recompile JVM bytecode to x86 bytecode.

      Great, now we're all going to have to patch our befunge compilers.

      --
      Cut that out, or I will ship you to Norilsk in a box.
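    One defender-side check that follows from this sub-thread, added here as an example and not taken from the paper or from anyone in the discussion: a small Python scan of /proc/<pid>/maps for mappings that are both writable and executable, which is where a process has effectively opted out of NX (a JIT-style runtime, as the parent describes). The maps text below is constructed for the example, not captured from a real process.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of /proc/<pid>/maps output (not a real capture):
# a normal binary with separate r-x and rw- segments, the heap and stack,
# plus two rwx regions of the kind a runtime that opted out of NX creates.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1234 /usr/bin/example
0060a000-0060b000 rw-p 0000a000 08:01 1234 /usr/bin/example
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0 [heap]
7f3a1e000000-7f3a1e100000 rwxp 00000000 00:00 0
7f3a1f000000-7f3a1f001000 rwxs 00000000 08:01 5678 /tmp/jitcache
7ffd2a3c0000-7ffd2a3e1000 rw-p 00000000 00:00 0 [stack]
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

Mapping = Tuple[int, int, str, str]  # (start, end, perms, path)


def find_wx_mappings(maps_text: str) -> List[Mapping]:
    """Return every mapping that is writable AND executable.

    Such a region lets injected bytes (English-looking or not) be written
    and then run, which is exactly what NX / W^X is meant to prevent.
    Malformed lines are skipped rather than aborting the scan.
    """
    hits: List[Mapping] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        perms = m.group("perms")
        if "w" in perms and "x" in perms:
            hits.append((int(m.group("start"), 16),
                         int(m.group("end"), 16),
                         perms,
                         m.group("path").strip()))
    return hits


def scan_all_processes(proc_root: str = "/proc") -> Dict[int, List[Mapping]]:
    """Walk /proc and report pids that have at least one W+X mapping.

    Processes we may not read (other users' processes without root) and
    processes that exit mid-scan are silently skipped.
    """
    report: Dict[int, List[Mapping]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as fh:
                hits = find_wx_mappings(fh.read())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        if hits:
            report[int(name)] = hits
    return report


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the live system.
    for start, end, perms, path in find_wx_mappings(SAMPLE_MAPS):
        print(f"sample: {start:#x}-{end:#x} {perms} {path or '<anon>'}")
    for pid, hits in scan_all_processes().items():
        print(f"pid {pid}: {len(hits)} writable+executable mapping(s)")
```

A process showing up here is not necessarily compromised (JITs do this by design), but it is the set where the "binaries that opt out of NX" argument above applies and where payload inspection is the only remaining line of defence.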
  27. Antelope museum by beej · · Score: 5, Funny

    Consume more trains, Elvis! He, and snorkels, drink elephant's sock puppet master. Steamed cabbage can reverse big piles of ducks. Additionally, cheese log cabin nightmare.

    You're screwed now, x86 suckas!

    1. Re:Antelope museum by Dogbertius · · Score: 1

      I remember in an assembler course on HC12's: -Remember, when ACCumulator A and ACCumulator B get together, the SEX operation takes place to make ACCumulator D, and pray to the FSM that the next operation isn't STD!!!!!! http://www.prenhall.com/pack/appendices/Pack-barbappA_FF.pdf

    2. Re:Antelope museum by Twide · · Score: 1

      Two Words. Google Translate. Clearly I have been receiving infestation after infestation for years, now I FINALLY know what's going on here.. So much for Don't be Evil !!!!

    3. Re:Antelope museum by Tablizer · · Score: 1

      Steamed cabbage can reverse big piles of ducks.

      I have ways to mod you to 10 if you can produce a Youtube vid of that.

    4. Re:Antelope museum by Anonymous Coward · · Score: 0

      The scariest thing about this comment is that the bit about the steamed cabbage is obviously true. Nobody will suspect.

    5. Re:Antelope museum by slashqwerty · · Score: 5, Informative

      For those that are curious, here is some actual exploit code from the paper:

      There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union. International organization participation Asian Development Bank, established in the United States Drug Enforcement Administration, and the Palestinian territories, the International Telecommunication Union, the first ma

      The bold characters are code. The rest have no net effect.

      Their strategy is to break the exploit into two pieces, a small executable decoder, and the payload. As you might imagine, the decoder decodes the payload. The payload is encoded in a benign-looking format which is simple enough. Their goal was to make the decoder also look like benign data. To achieve that, their tool takes an existing decoder and automatically converts it to English-looking prose like the paragraph above. The tool is able to convert a decoder in less than an hour on commodity hardware.

    6. Re:Antelope museum by Anonymous Coward · · Score: 0

      You're screwed now, x86 suckas!

      Okay, that's a joke but this screams self justifying for choosing something less common and more difficult to work with, what is it? SPARC? PPC?

      I would like to point out that every CPU architecture is vulnerable to this sort of an attack, that's kind of the point with this sort of design. The obvious solution is strongly enforced memory permissions (ie. No-Execute on everything that isn't code from disk, and have the OS refuse all writes to executable files [and declaring a file to be executable] without superuser privileges).

    7. Re:Antelope museum by Anonymous Coward · · Score: 0

      What?? My mother was a saint!

    8. Re:Antelope museum by Anonymous Coward · · Score: 0

      Help my mouse is moving itself

    9. Re:Antelope museum by wdef · · Score: 1

      Now I'm going to have nightmares thinking about that elephant's sock puppet master. Will I ever get out of the cheese log cabin? Look, it's clear that you're influenced by the French symbolists but can we please have less terrifying poetry?

    10. Re:Antelope museum by Anonymous Coward · · Score: 0

      In fact x86 is one of the strongest architectures against this attack, it is a mess of prefixes and variable length codes, with many impossible combinations. I bet it is far easier to write executable code in English using a RISC CPU where everything should be executable.!!$%&'|[;1223;sendmail

    11. Re:Antelope museum by ihavnoid · · Score: 1

      Well, I'm not quite sure if it will work well on ARM ISA. Most instructions start with 0xe (unconditional operation), and 0xe[0-9a-f] isn't an alphanumeric character. Maybe instructions can be encoded using only conditional executions, but probably much more difficult (if possible) than x86.

  28. Re:In other news...BAN THE PARENT by spud603 · · Score: 2, Insightful

    Is it spam, or is it shellcode? things like "this treatementOur goal" look fishy to me.

  29. I'm screwed by nedlohs · · Score: 1

    Since the first thing I do with all my emails is save the text and run it as a binary executable.

    1. Re:I'm screwed by Anonymous Coward · · Score: 0

      Exactly... I don't understand this at all. Sure I guess there are stupid linux systems where they don't use file extensions so they try to 'figure out' if a file is exe or data, but this is just ridiculous. A lot of things don't look like programs. Even if it was random A..Z it would still not look like a binary program. How does this have anything to do with getting the PC to execute the data?

    2. Re:I'm screwed by Anonymous Coward · · Score: 0

      You are completely lost here because you either don't understand that this is used in code-injection attacks and/or you don't understand how code-injection works.

      they [linux] try to 'figure out' if a file is exe or data.

      Also, calling linux stupid while simultaneously demonstrating that you have no idea how linux works is frustrating, if not mildly entertaining.

  30. Re:The syntax should not matter.. by x2A · · Score: 2, Informative

    It's a research paper, not an exploit, not instructions on how to make an exploit, not recommendations on how to make an exploit. God what's with you people on this site, you can't just see something for what it is, you have to see it for how it serves no purpose to you or how you can do it so much better.

    If they could exploit a machine by sending a point across, they'd get it past you lot every time, you'd never detect that huh.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  31. Re:The syntax should not matter.. by istartedi · · Score: 2, Insightful

    There are indeed times when I think that we built the Internet, and that it taught us only one lesson:

    I'm right and you're wrong.

    This is not quite as concise as "42". Also, a second Internet will have to be built to determine who is "I" and who is "you".

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  32. Re:The syntax should not matter.. by dubaiguy · · Score: 1

    If they could exploit a machine by sending a point across, they'd get it past you lot every time, you'd never detect that huh.

    Haha. I love this. Spot on.

  33. Re:In other news... by DoctorBit · · Score: 4, Informative

    It's a translator that takes any arbitrary x86 machine code as input, and produces as output functionally equivalent self-modifying machine code that starts off looking like English text. The same approach also works with other non-x86 machine codes, and other languages, such as Russian, French, etc... Very interesting work. It goes to show that for an OS to allow any code to self-modify can produce results that are very difficult to predict. Self-modifying code has an almost biological nature.

  34. I CAN BE PLAYED ON RECORD PLAYER X by rpresser · · Score: 2, Insightful

    Let the T-C wars continue!

    1. Re:I CAN BE PLAYED ON RECORD PLAYER X by Anonymous Coward · · Score: 0

      Hofstadter reference!
      MU

  35. We're doomed! by REggert · · Score: 1

    Oh noes! If only we had a way to detect and filter text that looks like spam....

    --

    cp /dev/zero ~/signature.txt

    1. Re:We're doomed! by dubaiguy · · Score: 1

      Except they're not sending SPAM (i.e., email). The OP just says that it "reads" like SPAM. Their shell code is delivered via an exploit. Good luck running a SPAM filter on every byte stream sent to your computer.

    2. Re:We're doomed! by maxwell+demon · · Score: 1

      But if it's coming through an unfiltered data stream anyway, what sense does it make to make it look like English text?

      --
      The Tao of math: The numbers you can count are not the real numbers.
  36. Re:In other news... by thePowerOfGrayskull · · Score: 1

    And how do you suppose they generate the text then? They have a system they train with text pulled from various sources, then they use it to generate an innocent looking text that can be executed with a predicted result, no? In other words, an assembler/compiler....See, I did read the pdf....

    You really see nothing noteworthy about this? (Or are you just trying to cover up from getting called out in not reading TFA with a hasty skim and blasé attitude - I've done that myself a time or two...)

  37. This still means there's an interpreter by uuddlrlrab · · Score: 1

    ...so, as the article suggests, AV's/firewalls will look for that. And if there's a library of some sort that contains the translations, mightn't the executable portion of the payload bear some similarities to an unpacker? I'd assume they'd be unpacking (probably into the same hidden portion of memory as it) some sort of lookup table/library in order to function properly, as, presumably, they wouldn't want to include the lookup values in the exe as it would increase size & risk of detection.

    --
    Odi profanum vulgus et arceo
    1. Re:This still means there's an interpreter by Slashcrap · · Score: 1

      The interpreter is your CPU. I don't see how looking for that is going to help. It's almost certainly there, and if it isn't, you don't really have that much of a problem.

  38. Re:In other news...BAN THE PARENT by negRo_slim · · Score: 1

    in b4 not your personal army

    --
    On the Oregon Coast born and raised, On the beach is where I spent most of my days
  39. So what? by Fnord666 · · Score: 2, Interesting

    I guess I don't see the big deal in this paper. Yes, they can encode the shell code into English sentences. It's still meaningless to the recipient and should raise suspicion. It would be far easier to use simple steganographic techniques to embed the shell code into any image transmitted between two systems. The recipient would not suspect any alteration and filters would not have the original image for comparison. Just a thought. Maybe I should write a response paper.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    1. Re:So what? by nneonneo · · Score: 1

      When the recipient is a computer system and no humans are involved, this becomes far more dangerous (and besides, these messages look like educated spam rather than total gibberish, and would probably even pass a simple spam filter).

      Basically, the paper is talking about defeating signature or heuristic analysis of shellcode. Normal shellcode looks nothing like English text, whereas this code has a very similar statistical distribution to real English text, meaning that heuristics likely would not flag the code as suspicious. Once it's in the system, all it takes is an exploit of almost any form to compromise a system.

    2. Re:So what? by StrongAxe · · Score: 1

      This isn't about making English prose that humans are expected to read and make sense of. Rather, it's about making English prose that anti-spam and anti-virus filters won't automatically flag and delete. If somebody has a web page or an email that exploits a vulnerability, a good anti-spam or anti-virus filter could prevent it from loading based on the payload alone, without even having to know about the vulnerability itself (while vulnerabilities constantly change, the rules governing what is valid x86 code do not). Now, however, this is no longer the case.

  40. Linux version by noidentity · · Score: 5, Funny
    They also came up with a Linux version, which even works on non-x86 architectures, all the while looking like plain English:

    "Please type the following on your command-line:

    rm -rf *

    Thank you."

    1. Re:Linux version by Anonymous Coward · · Score: 0

      You forgot the part about emailing the instructions to your entire address book first.

    2. Re:Linux version by TeamSPAM · · Score: 0

      Come on. If you're gonna help people shoot themselves in the foot, do it right:
      rm -rf ./*
      Location is important too.

      --
      Brought to you by Team SPAM! where we believe: "Information in the noise!"
    3. Re:Linux version by amnezick · · Score: 0

      You forgot to forget the dot:

      rm -rf /*

      --
      mov ax,4c00h
      int 21h
    4. Re:Linux version by naturaverl · · Score: 1
      Did you kids mean

      rm -rf /

    5. Re:Linux version by moonbender · · Score: 1

      My rm preserves root.

      --
      Switch back to Slashdot's D1 system.
    6. Re:Linux version by Chapter80 · · Score: 1

      "Please type the following on your command-line:

      rm -rf *

      Thank you."

      You forgot to forget the dot:

      rm -rf /*

      I guess I have to try each one to see which is correct. I'll report back.

    7. Re:Linux version by selven · · Score: 1

      Don't you mean
      sudo rm -rf /

    8. Re:Linux version by maxume · · Score: 2, Funny

      I thought all you Linux types like to make fun of Windows for having names like "My Documents" and what not?

      --
      Nerd rage is the funniest rage.
    9. Re:Linux version by Anonymous Coward · · Score: 0

      They also came up with a Linux version, which even works on non-x86 architectures, all the while looking like plain English:

      "Please type the following on your command-line:

      rm -rf *

      Thank you."

      And there's the really interesting version:

      "Please type the following on your command-line, as root:

      rm -rf /*

      Thank you."

    10. Re:Linux version by HyperQuantum · · Score: 1

      Actually, the second line doesn't look like plain English to me :)

      --
      I am not really here right now.
  41. Re:In other news...BAN THE PARENT by Ethanol-fueled · · Score: 2, Funny

    At least the /b/ spammers are polite enough to do their homework and know the demographic (all /b/ spams are porn). Air Jordans and POLO hoodies for Slashdot? And handbags and UGG boots, even though there are no women on Slashdot. At least try to sell us motherboards and shit...

  42. This is sooo old by Anonymous Coward · · Score: 0

    That you could do this was shown waaaay back in letter submissions to PC Magazine back in the 80's. This is not new AT ALL.

  43. Re:In other news...BAN THE PARENT by Falconhell · · Score: 1

    Blinding him seems a little harsh!

    We could all look at his SITE simultaneously at some point though!

    I have also wasted a ton of mod points on this idiot.

    It's hard to think of a worse place for trying to spam than Slashdot, eh?

  44. Excellent Presentation by rochberg · · Score: 5, Informative

    This talk was probably my favorite at CCS this year. Unlike MANY researchers, the lead author of this paper was quite entertaining. Regarding the work itself, there are a few details that the current discussion has missed.

    First, I would not say that they can convert arbitrary shell code to English-like prose. Rather, the only instructions that can be used are the ones that are identical to the ASCII encoding of the alphabet. For instance, the ASCII encoding of the letter "r" is identical to the binary for the unconditional jmp instruction. Granted, the authors showed that you can do a lot with this limited set of instructions, but I still wouldn't call it arbitrary.

    Second, he showed several examples of the sentences created. They make about as much sense as "Lorem ipsum dolor sit amet..." The tight constraints on the instructions that can be encoded into ASCII make crafting decent English syntax nearly impossible. Spam filters based on natural language processing could probably detect and flag them.

    While disguising the binary as ASCII is cool, I don't see that it's all that different than other exploits. Once a sentence containing an exploit is detected, you'll have signatures just like any other type of virus/trojan. I highly doubt that contemporary anti-virus scanners stop working on data that looks like ASCII. Rather, they look for tell-tale signs of particular instructions that appear in particular orders, etc.

    And, as many others have pointed out, this code is only harmful if it is executed in the right context (i.e., you have a vulnerability to exploit). Disguising the code as ASCII doesn't really make it different than any other type of zero-day attack.

    This work was very sophisticated, and there's no way that script kiddies could build something like this. I don't know that more advanced attackers would bother, because I really don't see all that much of a payoff given the amount of work that this attack requires. It's a whole lot easier to take over a vulnerable web server and launch an XSS attack. The incentives simply do not seem to suggest that this technique will become widespread.

    So, no, I don't think the sky is falling because of this attack. Having said that, though, this was a very cool piece of work.

    1. Re:Excellent Presentation by dubaiguy · · Score: 3, Informative

      First, I would not say that they can convert arbitrary shell code to English-like prose. Rather, the only instructions that can be used are the ones that are identical to the ASCII encoding of the alphabet. For instance, the ASCII encoding of the letter "r" is identical to the binary for the unconditional jmp instruction. Granted, the authors showed that you can do a lot with this limited set of instructions, but I still wouldn't call it arbitrary.

      According to the PDF it does convert arbitrary shell code. FTA: What follows is a brief description of the method we have developed for encoding arbitrary shellcode as English text... It looks like they can encode anything once they have built an English-like decoder (judging by their language and the 3rd figure).

      The tight constraints on the instructions that can be encoded into ASCII make crafting decent English syntax nearly impossible. Spam filters based on natural language processing could probably detect and flag them.

      If they were sending SPAM... which they aren't.

    2. Re:Excellent Presentation by npcompleat · · Score: 1

      I'm surprised that they don't seem to be aware of the EICAR test file. From Wikipedia "The EICAR test file (official name: EICAR Standard Anti-Virus Test File) is a file, developed by the European Institute for Computer Antivirus Research, to test the response of computer antivirus (AV) programs. ... The file is simply a text file of either 68 or 70 bytes that is a legitimate executable file ..."

      The actual test file contents are "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*". It's a COM file that when run will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"

    3. Re:Excellent Presentation by rochberg · · Score: 2, Interesting

      First, I would not say that they can convert arbitrary shell code to English-like prose. Rather, the only instructions that can be used are the ones that are identical to the ASCII encoding of the alphabet. For instance, the ASCII encoding of the letter "r" is identical to the binary for the unconditional jmp instruction. Granted, the authors showed that you can do a lot with this limited set of instructions, but I still wouldn't call it arbitrary.

      According to the PDF it does convert arbitrary shell code. FTA: What follows is a brief description of the method we have developed for encoding arbitrary shellcode as English text... It looks like they can encode anything once they have built an English-like decoder (judging by their language and the 3rd figure).

      Ah, I forgot about that part. Yes, the first part of the shell code decodes the remaining message so that they are no longer limited to just typical ASCII characters. You are correct.

      The tight constraints on the instructions that can be encoded into ASCII make crafting decent English syntax nearly impossible. Spam filters based on natural language processing could probably detect and flag them.

      If they were sending SPAM... which they aren't.

      Here, you missed my point. I was not implying that they were actually sending spam. The sentences they crafted are essentially identical to the kinds of sentences you see in spam. My point was that NLP techniques could be applied to flag these sentences just as they are with spam.

    4. Re:Excellent Presentation by rabtech · · Score: 1

      Indeed, think about the one instruction set computer or languages like Brainf*ck; you can do a lot with just a few simple instructions, especially if you accept that no human being will be able to follow control flow by looking at the assembly. You may end up with a *lot* of instructions to encode relatively simple programs, but it certainly will work.

      There has been work done in this sort of area before. Look at the EICAR virus test file http://www.eicar.org/anti_virus_test_file.htm/. Although it isn't english prose, it is all upper-case letters and symbols (printable ASCII), and when executed it prints its message and exits.

      Kudos to the researchers here for their hard work.

      --
      Natural != (nontoxic || beneficial)
  45. You have... by slimjim8094 · · Score: 2, Funny

    You have
    a virus
    Didn't you know?
    You shouldn't be
    running Windows
    Burma Shave

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    1. Re:You have... by slimjim8094 · · Score: 1

      The preceding comment is actually a virus. As is this.

      OK, useful comment.

      It's not actually new to have executable ASCII. See the famous EICAR test:
      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      It's entirely written in ASCII characters, but is also an executable .COM file which, by necessity, self-modifies in order to run the proper instructions (which contain 0x0, '\0' bytes so they're untypable)

      If these researchers are able to do this, but with (almost) meaningful strings, that's pretty cool. Aren't Markov chains amazing?

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  46. Re:This is UNICODE by Anonymous Coward · · Score: 0

    Mysidia is making a sarcastic reference to UNICODE; wooosh...

  47. Re:The syntax should not matter.. by Anonymous Coward · · Score: 0

    Also, a second Internet will have to be built to determine who is "I" and who is "you".

    In which case you will need Prolog to solve that query. ;-)

  48. summary title by yanyan · · Score: 1

    "English Shell Code Could Make Security Harder"

    I was disappointed to find after reading the summary and article that English shell code doesn't improve security after all. What a misleading title.

  49. Hello, World! by nneonneo · · Score: 2, Insightful

    There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union. International organization participation Asian Development Bank, established in the United States Drug Enforcement Administration, and the Palestinian territories, the International Telecommunication Union, the result of the collapse of large portions of the three provinces to have a syntax which can be found in the case of Canada and the UK, for the carriage of goods were no doubt first considered by the British, and the government, and the Soviet Union operated on the basis that they were the US Navys interpretation of the state to which he was subsequently influenced by the new government was established in 1951, when the new constitution approved it you King, he now had the higher than that the M.G.u, and soul shouters like Diane. There's a mama maggot including the major justifications that the test led to his own. This is usually prepared by the infection of the Sinai to the back and the Star Destroyers in the parliament, by the speed of these books and the revival of environmental problems of their new Arab states of the Arctic as a more and they possess power to the effort she was especially valuable as the Union and that would have said, as to note that the goods, which the night that if ever I rode after the word Father upon His Church to claim that the peace that had permitted him the city are as a hand of one into I thought of Mr. Crow and the Jews by the days of the C.Cs front garden which had first to St Cyriacus. All of a theology in the setting in a human heart as the tale of this day. I have it to friendship and the States that the way the English of the St Lawrence seven miles of an adjutant...

    Now, would you have guessed that this is executable machine code (shellcode)? Honestly, it looks more like the garbage that spammers use to defeat statistical analysis (indeed, this is code generated with a similar goal).

    (P.S. this particular sample is merely an amalgamation of the code which was reproduced in the paper; it is not complete, and will therefore not execute).

    1. Re:Hello, World! by bioZci · · Score: 1

      I was wondering why nobody was curious about the code...probably because nobody has read the article and very few know what it is about.

    2. Re:Hello, World! by LarrySDonald · · Score: 1

      Kind of thinking the same thing. Useful in the wild? Perhaps. Sometimes. Major blow for security? Hardly. Mindblowingly cool, especially given how frustrating much lesser limitations get? Totally. I've seen quite a few awesome "x86-with-harsh-limitations" (many just because, same reason as coding in brainfuck) but that's just out there. Hope they at least make an RSA poem..

  50. Re:In other news...BAN THE PARENT by Ethanol-fueled · · Score: 1

    Just goes to show that the Chinese are as reckless with their advertising process as they are with their manufacturing process.

  51. Re:The syntax should not matter.. by x2A · · Score: 1

    Your sig: I think you mean "for all intents and purposes" *lol* intensive purposes haha "I REALLY REALLY MEAN TO DO THIS!!!!!!!!!" with eyes bulging out and raised veins... that would be a pretty intensive purpose...

    Anyway... what were you saying about the "I'm right/you're wrong" attitude of the internet? :-p

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  52. Re:In other news...BAN THE PARENT by hairyfeet · · Score: 2, Funny

    yeah no shit. You think he'd at least offer us Counterfeit CPUs or dodgy RAM or something. If you are gonna spam then spam correctly. It is as bad as showing nerds a bunch of ads for jock products and tampons. Total waste of spam if you ask me.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  53. Re:In other news...BAN THE PARENT by Anonymous Coward · · Score: 0

    not your personal army

    also, rules 1&2 faggot

  54. Re:In other news... by Lumpy · · Score: 1

    But it still does not do what they try to fearmonger...

    A page of text will run on your Computer! OMG! just scanning an infected page will infect your PC! a randomly worded email can infect your computer!!!!

    Well, only if Outlook adds a "compile and execute all text in the email" function. I am sure Microsoft is adding that.

    --
    Do not look at laser with remaining good eye.
  55. Re:In other news... by Anonymous Coward · · Score: 2, Insightful

    Dude, you're wrong. Let it go.

  56. Re:In other news...Christmas gifts by polymeris · · Score: 1

    It really reads like spam...Tried it and seems it's decss!

  57. Re:In other news...BAN THE PARENT by Falconhell · · Score: 2, Interesting

    It hope none of you are thinking of subscribing coolforsale's email address zminring@gmail.com to a lot of spam lists.

    That would be very wrong.

    Very very wrong.

  58. Re:In other news... by rnturn · · Score: 2, Interesting

    "the compiled binary data that can be run raw on an x86 processor -- looks like English text."

    I had brought something like this up during an after-work, Friday night beer session back in the late '80s when a co-worker mentioned the odd snippets of text that one would see while examining programs using the debugger. (No... we weren't talking about strings of text defined in the source code.) I wondered whether it was possible to come up with a program whose machine code formed English text that actually performed a useful function; like some bizarre entry in an Obfuscated Assembly Language contest. Looks like it was possible, though I still am not sure that malware actually meets my definition of "useful". Eye of the beholder, I guess.

    --
    CUR ALLOC 20195.....5804M
  59. Re:In other news... by TheLink · · Score: 2, Interesting

    There's a difference, an assembly language representative of a machine code program doesn't normally execute on the target machine. It has to be "assembled" to the object code before it can be executed.

    What these bunch have done is created a program that "massages" (which could include expanding and alteration) source machine code to a new arrangement of _machine_code_ that can execute on the target as is. That new arrangement happens to resemble English text (in a computer format).

    It's only an assembler if you're thinking of machine code as the "assembly language" and the "english looking" machine code as the assembled object code.

    But that's stretching things a lot. Like saying you've actually been right all along, that is if wrong is right. ;)

    --
  60. Re:In other news... by Anonymous Coward · · Score: 1, Informative

    And who defines what the assembly is? The ones writing the assembler. Sheesh..

    Sheesh indeed.

    A compiler traditionally takes a high-level set of instructions and translates them into a lower-level set of instructions. What they have done is take a low-level set of instructions and found a way to make them high-level... looking... but still able to execute at a low level.
    So technically this is more of an obfuscator than a compiler. I'm not saying you're entirely wrong, but to try and sum it up as just another x86 assembler is glossing it over a good bit. As well as missing the underlying point that this type of thing could be used for some pretty nasty purposes in the right scenario.

  61. Re:The syntax should not matter.. by Anonymous Coward · · Score: 0

    While your language detector seems to be working, I'd suggest taking your sarcasm detector in for a lube/oil/filter before Winter.

  62. Slap me five by Anonymous Coward · · Score: 0

    Great. I'll look forward to installing McAfee Jive.

  63. Apple already did this by syousef · · Score: 1

    If hackers convert arbitrary x86 shell code into sentences that read like spam, but are natively executable .. we're all screwed :(

    It's called Hypercard.

    --
    These posts express my own personal views, not those of my employer
  64. Re:In other news...BAN THE PARENT by Culture20 · · Score: 1

    At least try to sell us motherboards and shit...

    yeah no shit. [...]

    I concur. Just motherboards. I don't create my own motherboards.

  65. Much better idea by istartedi · · Score: 1

    Profile his IP, and present what appear to be angry responses and modded-down posts when serving pages to that IP. Otherwise, just don't display his posts at all. Then again... mayyyyybe we already did that.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  66. Re:The syntax should not matter.. by tjstork · · Score: 0, Offtopic

    you can't just see something for what it is,

    Kinda tough with all the hype.

    --
    This is my sig.
  67. Re:The syntax should not matter.. by x2A · · Score: 1

    With a little practice I'm sure you'll get it nailed. I don't find it that difficult, and I'm sure I'm not particularly special, and it's a very useful skill to have if you're interested in reality. If you're not, then follow the hype, maybe it's exciting, but if you are, it's very easy to separate the two, and it will serve you well, because there is always somebody who would love to share their biases with you... which perhaps wouldn't serve you so well.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  68. Shit!! by Anonymous Coward · · Score: 0

    Execute this!

    eNodzMENgDAMA8C2lKhBBCT23xXQ5XEf27mf3t7/BieDi8mDJ4sXW7diMFnsQ8qdwWRxbDoMJott+sPJYLL4AQqYgLI=

  69. Re:The syntax should not matter.. by tjstork · · Score: 0, Offtopic

    it's a very useful skill to have if you're interested in reality

    See, I'm not really all that interested in it. Our obsession with reality is overrated because it is culturally acidic. Reality is all about looking down and sometimes humanity needs to be looking up.

    --
    This is my sig.
  70. Re:In other news...BAN THE PARENT by seandiggity · · Score: 1

    I can think of a ton of ways to filter out spammers that just keep generating new UUIDs, especially if they post links to the same website and the UUIDs have that same website in their name...

    --
    Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
  71. Re:The syntax should not matter.. by x2A · · Score: 1

    Perhaps you could tell me where you take your :-p detector in for its workover, ya know... so I can make sure I avoid the same place?

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  72. Re:The syntax should not matter.. by x2A · · Score: 1

    "Reality is all about looking down and sometimes humanity needs to be looking up"

    In your non-reality world that may be true, but in reality it's not.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  73. Re:In other news... by Anonymous Coward · · Score: 0

    Feeding the trolls here.
    To answer your question: An assembler has a (mostly) 1:1 mapping between the source and the output. They do perform some additional tasks, like calculating addresses for jumps and such, and they usually have some form of macro support, but at the end of the day, the assembler can't decide to change the order in which you execute the machine instructions. aka "I define what the assembly is"

  74. re: zero day exploit by Anonymous Coward · · Score: 0

    #!/bin/bash
    Roses are red; violets are blue.
    In Soviet Russia, all our base are belong to you.

  75. Obvious meatspace vector: by DamnStupidElf · · Score: 1

    "MZBlahBlah... Hello, please save the text of this email as blahblah.pif and open it to enable the images/porn/bonzai buddy/whatever you think is important enough to go through minor hoops to get"

  76. Re:In other news... by Anonymous Coward · · Score: 0

    Well, since an assembler would be a special case of compiler (compiles machine code from assembly) and a compiler would be a special case of interpreter (interprets source by compiling something), why don't we just call this thing they made an interpreter? Sure, it probably qualifies as some sort of compiler, but surely it must qualify as an interpreter.

  77. Re:The syntax should not matter.. by tjstork · · Score: 0, Offtopic

    In your non-reality world that may be true, but in reality it's not.

    No, in the objective world, I'm right, and I can prove it by pointing at any number of reduced human aspirations in recent generations. Ever since the 1960s, humanity has gone south.

    --
    This is my sig.
  78. This is far more interesting! by Terje+Mathisen · · Score: 4, Interesting

    I for one am very impressed by what they've done, even if it is somewhat similar to what I did nearly 15 years ago:

    At that time I wrote what's probably the "best" executable text encoder for MsDos, it uses the absolute minimum possible amount of self-modification (a single 2-byte Jcc opcode) while staying entirely within the MIME text character set, and survives all the most usual forms of reformatting/reflowing of the text. (Replacing CRLF with a single CR (Mac) or LF (unix) or turning each paragraph into a single line.)

    The initial bootstrap looks like this:

    ZRYPQIQDYLRQRQRRAQX,2,NPPa,R0Gc,.0Gd,PPu.F2,QX=0+r+E=0=tG0-Ju E=
    EE(-(-GNEEEEEEEEEEEEEEEF 5BBEEYQEEEE=DU.COM=======(c)TMathisen95

    (The uppercase 'E's are my NOP fillers, they execute as INC BP, a register I don't use.)

    Terje

    PS. Unlike the current guys, I wrote the code above by hand, on paper, during the evenings of a ski vacation. I had brought with me a listing of the ascii encoding of all instructions that would use MIME characters only. :-)

    --
    "almost all programming can be viewed as an exercise in caching"
    1. Re:This is far more interesting! by coinreturn · · Score: 2, Informative

      Yeah, but yours doesn't look like English; theirs does.

    2. Re:This is far more interesting! by Terje+Mathisen · · Score: 3, Interesting

      I know, and that's exactly what's makes it so interesting:

      They have effectively defined a small subset of the entire instruction set while allowing all other instructions that don't produce a side effect which would crash their "real" code.

      Terje

      --
      "almost all programming can be viewed as an exercise in caching"
  79. Re:In other news...BAN THE PARENT by Anonymous Coward · · Score: 0

    We could just go through the list of options on the spam-solution form letter and see which one works the best against the party in question. I vote we start at vigilantism and work our way backwards to blacklisting. :)

  80. The Zork Attack by tjstork · · Score: 1

    That's research?

    Wow... my system is insecure, once I have a hooptie that can convert XYZ into assembly language, and run it, on my machine. OMFG!!

    Why do that like that? Hell, we could even claim that all shell systems are vulnerable to Zork! I could just as easily have a tiny resident thing that can translate text adventure commands to native assembly language and compromise a machine.

    r0 = the mail box
    r1 = the white house
    r2 = flood control dam #1

    leave house. take letter from mail box.
    it's very dark, you are likely to be eaten by a grue... [oh no, my victim's machine has detected my zork attack! I must do something...]
    light torch.
    you have been eaten by a grue! [they kicked me out of the account]

    maybe I will have to have a planetfall attack next.

    we map floyd to r0

    give floyd the...

    --
    This is my sig.
  81. Re:In other news...BAN THE PARENT by Hurricane78 · · Score: 2, Interesting

    Isn’t this why CAPTCHA was invented?

    I mean, just add captchas in a place where it slows him down too much for spamming to still make sense.

    And freakin’ use reCAPTCHA, if you don’t want to get laughed at! ^^

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  82. Re:In other news...BAN THE PARENT by Anonymous Coward · · Score: 0

    Look on the bright side... Slashdot could auto-ban anyone who tries to post a link to coolforsale.com

  83. Re:The syntax should not matter.. by x2A · · Score: 1

    Ever since the 60s? And that's when reality was invented was it?

    Dude, I'm from a country where people were hung, drawn and quartered. As much as nostalgia can paint a picture of a rose-tinted past, I can find you so many things that show the opposite. But, you cherry-pick to support your opinion all you want, using facts "in reality" to prove how "not reality" is somehow better... if it was that much better you wouldn't need this "objective world", but the fact of the matter is you do, truth matters, and playing your platinum denial card will get you nowhere fast, and that's certainly not the humanity I wish to subscribe to. Thankfully, I'm not alone, because reality can be shared :-)

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  84. This brings back memories by Anonymous Coward · · Score: 0

    When I was a kid in the 80's, me and some class mates used to do this by hand. The game was to make as much text as possible in executable code, i.e. not just filling that was jumped over. Using a language with a more flexible grammar and word order, more available words and a few more characters than English probably helped a lot, but the longest program anyone wrote in 100% runnable code/readable text was still less than 1/3 of an A4 (and quite a lot of JMPs and RETs). As I recall, that particular program made the hard drive sounds say "fitta" ("cunt" in Swedish).

  85. Re:In other news...BAN THE PARENT by CrashandDie · · Score: 1

    Thing is, I remember hearing that spammers had factories in China making fake Viagra pills, to send them to the vic. Surely, if one were to buy from such a source, and then receive pills, try them, and have them not work, they wouldn't buy again, right?

    Why bother sending anything at all?

  86. Re:In other news... by psp · · Score: 1

    Good job not reading the article.

    Welcome to Slashdot!

    I hope that you find your stay here while not informative at least enjoyable!

  87. Re:In other news... by jimicus · · Score: 1

    The whole point is that the compilation step isn't necessary, you could attach it to an email and it'd get clean through most filters. All you need to do then is socially engineer a person into running it by first renaming it to .exe.

    Of course, this will fail horribly against anyone who's set up their email system with the aid of more than two or three brain cells. Any sensible system will look directly at the file, not its extension.

  88. English Shell Code...? by kirill.s · · Score: 2, Funny

    unzip; strip; touch; finger; grep; mount; fsck; more; yes; fsck; fsck; fsck; umount; sleep;

  89. Perhaps Cockney English shell code could be used? by fantomas · · Score: 1

    Better security solution. Because me old china, even if a whole bunch of yer muckers take a butchers they won't have a scoobie about you're rabbitting on about.

  90. Get informed Knightman by Antiocheian · · Score: 1

    You really need to read at least this book

    http://nostarch.com/assembly.htm

    Before talking about definitions.

    HTH

  91. Re:In other news... by Chrisq · · Score: 1

    Of course, this will fail horribly against anyone who's set up their email system with the aid of more than two or three brain cells. Any sensible system will look directly at the file, not its extension.

    This will be very worrying to governments then

  92. Re:In other news... by maevius · · Score: 1

    Actually it will fail because the text is executable code, not executable file

  93. Why run the code? by YourExperiment · · Score: 1

    I've skimmed the article, but I still don't get the idea of this.

    I understand the part where machine-language is carefully crafted so that the bytes resemble ASCII text. But how is this an exploit? Why should I take an email that has somehow evaded my spam filter (despite reading like utter gibberish), save it to a file on my local machine, and run that file as an executable? Even if I wanted to run arbitrary code from an unknown third party, how would I even know that the contents of this email consisted of code in the first place? Could someone explain what I'm missing here?

    1. Re:Why run the code? by Anonymous Coward · · Score: 0

      You don't. It defeats IDS-type systems that (not how things work, but you'll get the gist) check to make sure that there's no shellcode inside (say) a strcpy() call. So, it's looking for 0x90 0x90 0x90 0x90 etc, and if it finds something that looks like English, *exactly what you'd expect in a strcpy() call.*

      Also, it's damned cool.

    2. Re:Why run the code? by Gleapsite · · Score: 2, Interesting

      It's a steganographic method. It requires some executing code (malware, software vulnerability, w/e) to jump to the ASCII text and begin executing it. It's like camouflaging the battering ram to look like the countryside. You still need someone on the inside to lower the drawbridge.

      --
      face the world with eyes of fire.
  94. HP had it in 1986 by Anonymous Coward · · Score: 3, Interesting

    I think this is interesting, but hardly break-through.

    In the mid 80's, we did the same thing at a field Hewlett-Packard office, although not aimed at viruses. Our target was to enable users to key in x86 code in text form. In other words, sit down at a PC, open EDLIN (the DOS equivalent of Notepad), or some simple text editor, and key in human readable words (i.e. meaningful text that humans - HP Engineers - could easily transcribe from paper or a phone call). Then save the file as a .com file (which was a DOS executable), and then run it.

    Think back to the days of stand-alone PC's, no USB, etc. If the field engineer was at a customer site, and needed to run a small diagnostic program on the PC, but didn't have the tool, then they'd simply call the office, and have the secretary ("coordinator") read them the human-readable sentences to key in. The engineer keys it in, and launches a diagnostic program. Our version even had a check-sum built into the words, so as long as you got the first few sentences exactly right (which were the boot part), then the rest of the "code" (sentences) were examined for check-sums, and would generate a location-specific error (e.g. "Checksum error in the sentence 'Many frightened capsules trigger captain mole".)

    I remember this well, because I wrote the boot part, and the checksum algorithm. I made it fairly resilient to normal human typing habits (i.e. don't worry about capitalization, multiple spaces between words, apostrophes, etc). And I tried to choose some easy sentences (manually) for the boot part, since that had to be entered exactly right each time.

    The system was made up of a "compiler" which would take a simple .com file (that is, an executable file, not a dot-com website), and convert it to "sentences" (which made little sense). We used a spelling dictionary of English words, removing homonyms, as we wanted the words to be "read aloud". We tried to compile into short sentences of specific noun-phrase / verb-phrase formats, but they rarely made any sense. Some were outright silly, like: "The crazed orange melts to school."

    It worked great! But it was only practical for very short utilities. Still, it was FAR easier to key in sentences of nonsense, rather than hex code. Our experience was that a typical engineer could key in nonsense sentences about 5 times faster than hex code (even considering that the words had to have extra boot code to analyze the text), although the results varied depending on the length of the overall program.

    Then networks came along and rendered it fairly useless.

    1. Re:HP had it in 1986 by Anonymous Coward · · Score: 0

      I think this is interesting, but hardly break-through.

      In the mid 80's, we did the same thing at a field Hewlett-Packard office, although not aimed at viruses.

      Sorry. What you describe in your post is nothing like what the article discusses at all.

    2. Re:HP had it in 1986 by Anonymous Coward · · Score: 1, Informative

      Maybe you didn't read the same article I did. The concept is identical: English words that are also machine executable. The only difference is that the "payload" for HP was a utility, and the payload for the article is a virus.

  95. Thanks by turgid · · Score: 3, Informative

    What is "shell code" supposed to be? Bourne shell scripts?

    Someone had to ask it!

    From the wikipedia: In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient.[1] However, attempts at replacing the term have not gained wide acceptance.

    So it's a poor piece of new terminology that has stuck, unfortunately.

    1. Re:Thanks by Anonymous Coward · · Score: 0

      So it's a poor piece of new terminology that has stuck, unfortunately.

      Hardly new terminology. I have issues of Phrack from over a decade ago that discuss shellcode.

    2. Re:Thanks by turgid · · Score: 1

      Hardly new terminology. I have issues of Phrack from over a decade ago that discuss shellcode.

      Well, I still consider a kilobyte to be 1024 bytes and I've never heard of "shellcode."

      At first sight, I thought this had something to do with lusers downloading and running (as root) malicious sh scripts.

  96. 0x20 by Anonymous Coward · · Score: 0

    0x20 Space is AND?

    That's surreal! It's almost as if x86 were designed for this! O_O

  97. Re:In other news... by wisty · · Score: 1

    Note, the above post will decode the latest Blu-ray DRM. But you didn't know that until it was pointed out.

    (No, not really, but that's one possible application).

  98. Re:In other news... by jimicus · · Score: 1

    That only becomes an issue if someone finds a way of persuading the email client to attempt to execute the text of the message.

    Which is not to say there isn't some obscure bug somewhere which does this, but I don't think this is the end of the world.

  99. Change .txt to .exe by EdgeyEdgey · · Score: 1

    So all that needs to be done is change a file extension and you have an executable virus?
    Or alternatively, extra code can be hidden on public webpages which get downloaded by a small executable, bypassing filters?

    --
    [Intentionally left blank]
    1. Re:Change .txt to .exe by Anonymous Coward · · Score: 0

      No. You are confused because unfortunately, executable code and an "executable" file sound like the same thing, but they are not. When an attacker exploits a program that has a buffer overflow vulnerability, he will typically "inject" code into the program and hijack the control-flow of the program to run his code. This is shellcode. Some intrusion detection systems try to prevent this attack by filtering out suspicious-looking program input from the network. This article shows that this filtering approach is ultimately a weak defense.

  100. Whippersnappers by fnj · · Score: 0

    Jeeze, if these guys are going to play with computers they should learn the lingo. The shell is, like, the Bourne shell or C shell or bash. Shell code is scripts.

    1. Re:Whippersnappers by arndawg · · Score: 1
    2. Re:Whippersnappers by Tim+C · · Score: 1

      Now I know I'm being picky, but I can't help it, as so is my compiler and I'm used to talking to it. That said, I can't help but notice that the wikipedia article you link to is about "shellcode", while the title and summary here refer to "shell code".

      I think the GP is entirely reasonable, as my first thought was also that this was about making bourne/bash/etc shell code look like English text.

    3. Re:Whippersnappers by Anonymous Coward · · Score: 0

      Perhaps, but one should tread carefully when being smug.

  101. Re:In other news...BAN THE PARENT by arndawg · · Score: 1

    I get a raging hard-on just for THINKING i took viagra. Placebo is king.

  102. YAWN by Anonymous Coward · · Score: 0

    Let me know when I can simply send someone an email with the text "open goatse" and it has the desired effect of opening a browser window and surfing to goatse.

    1. Re:YAWN by Sulphur · · Score: 1

      If you attain goatse, your malprocessor will be updated to run macros. Smurf over now.

  103. Re:In other news... by Fred_A · · Score: 1

    The same approach also works with other non-x86 machine codes, and other languages, such as Russian, French, etc... Very interesting work.

    Especially since you can only do French with ARM binaries. It's very strange.

    --

    May contain traces of nut.
    Made from the freshest electrons.
  104. My, he is right again by Anonymous Coward · · Score: 0

    Obligatory XKCD anyone?

  105. Interesting work by Stan+Vassilev · · Score: 2, Insightful

    But I'd venture a guess it's far easier to hide such code in the noise of an innocent looking image.

  106. Greatest line ever... by coinreturn · · Score: 1

    If they could exploit a machine by sending a point across, they'd get it past you lot every time, you'd never detect that huh.

    I salute you for the best zinger ever.

  107. Re:In other news... by Goaway · · Score: 1

    That's how pretty much every single remote exploit works, you know. Tricking a client to execute part of the sent data as code. That's the whole point of exploits.

  108. That's what she said.. by Anonymous Coward · · Score: 0

    "Language is a virus." -- Laurie Anderson

  109. Re:In other news... by blueg3 · · Score: 1

    You're confusing their paper with things you're imagining their paper might say.

    All this demonstrates is that input sanitization that checks for statistical properties (looks like English) is insufficient to prevent executing useful code when there is a buffer overflow vulnerability: the payload can be made to conform to the sanitization requirements while still containing arbitrary code.
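The claim made in this comment, and in the replies to "Why run the code?" and "Change .txt to .exe" above (an inline filter that looks for NOP sleds or non-text bytes passes a payload that is entirely printable, while the bytes still decode as x86 instructions; the "0x20 Space is AND?" post is one instance), can be checked directly. The program below is an added example written for this page, not code from the paper or its authors. It assumes 32-bit x86 (in 64-bit mode the bytes 0x40-0x4f, '@' through 'O', are REX prefixes rather than inc/dec, so the decode differs), handles only the opcodes whose first byte is printable ASCII or tab/CR/LF, and models the "naive filter" as a NOP-sled check plus a text-byte ratio, which is an assumption about what such a filter does rather than any specific product. The sentence it decodes is a constructed sample, not one of the paper's generated strings, and the decoder is a length decoder over that opcode subset, not a full disassembler.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes this decoder accepts: printable ASCII plus tab (0x09 = or r/m32,r32),
 * LF (0x0a = or r8,r/m8) and CR (0x0d = or eax,imm32). */
static int is_text_byte(unsigned char b)
{
    return (b >= 0x20 && b <= 0x7e) || b == '\t' || b == '\n' || b == '\r';
}

/* Length of a ModRM operand (ModRM + optional SIB + displacement) in 32-bit
 * addressing, or 16-bit addressing when addr16 (0x67 'g' prefix). 0 if truncated. */
static size_t modrm_len(const unsigned char *p, size_t n, int addr16)
{
    if (n < 1) return 0;
    unsigned mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;
    if (mod == 3) return 1;                       /* register operand */
    if (addr16) {
        if (mod == 0) { if (rm == 6) len += 2; }  /* [disp16] */
        else if (mod == 1) len += 1;
        else len += 2;
    } else {
        if (rm == 4) {                            /* SIB byte follows */
            if (n < 2) return 0;
            len += 1;
            if (mod == 0 && (p[1] & 7) == 5) len += 4;   /* no base: disp32 */
        } else if (mod == 0 && rm == 5) {
            len += 4;                             /* [disp32] */
        }
        if (mod == 1) len += 1;
        else if (mod == 2) len += 4;
    }
    return len <= n ? len : 0;
}

/* Decode one 32-bit-mode x86 instruction made only of text bytes. Returns its
 * length including prefixes; 0 on a non-text byte or a truncated instruction. */
size_t decode_text_insn(const unsigned char *p, size_t n, char *mn, size_t mnsz)
{
    static const char *alu[8]  = {"add","or","adc","sbb","and","sub","xor","cmp"};
    static const char *form[4] = {"r/m8,r8","r/m32,r32","r8,r/m8","r32,r/m32"};
    static const char *reg[8]  = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
    static const char *jcc[16] = {"jo","jno","jb","jae","je","jne","jbe","ja",
                                  "js","jns","jp","jnp","jl","jge","jle","jg"};
    size_t i = 0, imm = 4, m;
    int op16 = 0, addr16 = 0;
    unsigned char op;

    /* Prefixes: 'f' 0x66 operand size, 'g' 0x67 address size, "&.6>de" segment overrides. */
    while (i < n && (p[i] == 0x66 || p[i] == 0x67 || p[i] == 0x26 || p[i] == 0x2e ||
                     p[i] == 0x36 || p[i] == 0x3e || p[i] == 0x64 || p[i] == 0x65)) {
        if (p[i] == 0x66) op16 = 1;
        if (p[i] == 0x67) addr16 = 1;
        i++;
    }
    if (i >= n || !is_text_byte(p[i])) return 0;
    op = p[i++];
    if (op16) imm = 2;                            /* 0x66 shrinks imm32 to imm16 */

    if (op < 0x40) {                              /* ALU group 0x00-0x3f (space 0x20 = and r/m8,r8) */
        unsigned k = op & 7, g = op >> 3;
        if (k < 4) {
            if (!(m = modrm_len(p + i, n - i, addr16))) return 0;
            snprintf(mn, mnsz, "%s %s", alu[g], form[k]);
            return i + m;
        }
        if (k == 4) { if (i + 1 > n) return 0; snprintf(mn, mnsz, "%s al,0x%02x", alu[g], p[i]); return i + 1; }
        if (k == 5) { if (i + imm > n) return 0; snprintf(mn, mnsz, "%s eax,imm%zu", alu[g], imm * 8); return i + imm; }
        /* k == 7: BCD adjust ops "'/7?" (k == 6 were consumed above as segment prefixes) */
        snprintf(mn, mnsz, "%s", op == 0x27 ? "daa" : op == 0x2f ? "das" : op == 0x37 ? "aaa" : "aas");
        return i;
    }
    if (op < 0x48) { snprintf(mn, mnsz, "inc %s",  reg[op & 7]); return i; }   /* '@'..'G' */
    if (op < 0x50) { snprintf(mn, mnsz, "dec %s",  reg[op & 7]); return i; }   /* 'H'..'O' */
    if (op < 0x58) { snprintf(mn, mnsz, "push %s", reg[op & 7]); return i; }   /* 'P'..'W' */
    if (op < 0x60) { snprintf(mn, mnsz, "pop %s",  reg[op & 7]); return i; }   /* 'X'..'_' */
    if (op >= 0x70) {                             /* 'p'..'~': Jcc rel8 */
        if (i + 1 > n) return 0;
        snprintf(mn, mnsz, "%s short %+d", jcc[op & 0xf], (int)(signed char)p[i]);
        return i + 1;
    }
    switch (op) {
    case 0x60: snprintf(mn, mnsz, "pusha"); return i;
    case 0x61: snprintf(mn, mnsz, "popa");  return i;
    case 0x62: case 0x63:
        if (!(m = modrm_len(p + i, n - i, addr16))) return 0;
        snprintf(mn, mnsz, "%s", op == 0x62 ? "bound r32,m" : "arpl r/m16,r16");
        return i + m;
    case 0x68: if (i + imm > n) return 0; snprintf(mn, mnsz, "push imm%zu", imm * 8); return i + imm;
    case 0x6a: if (i + 1 > n) return 0; snprintf(mn, mnsz, "push byte 0x%02x", p[i]); return i + 1;
    case 0x69: case 0x6b: {                       /* imul r32,r/m32,imm32 / imm8 */
        size_t w = (op == 0x69) ? imm : 1;
        if (!(m = modrm_len(p + i, n - i, addr16)) || i + m + w > n) return 0;
        snprintf(mn, mnsz, "imul r32,r/m32,imm%zu", w * 8);
        return i + m + w;
    }
    case 0x6c: snprintf(mn, mnsz, "insb");  return i;
    case 0x6d: snprintf(mn, mnsz, "insd");  return i;
    case 0x6e: snprintf(mn, mnsz, "outsb"); return i;
    case 0x6f: snprintf(mn, mnsz, "outsd"); return i;
    }
    return 0;                                     /* unreachable for text bytes */
}

/* Convenience wrapper for a C string: length of its first instruction. */
size_t text_insn_len(const char *s)
{
    char mn[48];
    return decode_text_insn((const unsigned char *)s, strlen(s), mn, sizeof mn);
}

/* Decode a whole buffer; *left receives the bytes that did not form a
 * complete instruction (a non-text byte stops the decode). */
size_t decode_text_stream(const unsigned char *p, size_t n, size_t *left, int print)
{
    size_t i = 0, count = 0;
    char mn[48];
    while (i < n) {
        size_t len = decode_text_insn(p + i, n - i, mn, sizeof mn);
        if (!len) break;
        if (print) printf("%4zu  %-8.*s  %s\n", i, (int)len, (const char *)p + i, mn);
        i += len;
        count++;
    }
    *left = n - i;
    return count;
}

/* The naive inline checks the thread describes (assumed model, not a real product):
 * a run of 0x90 NOPs, or a buffer that is mostly non-text bytes. */
int has_nop_sled(const unsigned char *p, size_t n, size_t min_run)
{
    size_t run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (p[i] == 0x90) ? run + 1 : 0;
        if (run >= min_run) return 1;
    }
    return 0;
}

double text_ratio(const unsigned char *p, size_t n)
{
    size_t t = 0;
    for (size_t i = 0; i < n; i++) t += is_text_byte(p[i]);
    return n ? (double)t / (double)n : 1.0;
}

int naive_filter_accepts(const unsigned char *p, size_t n)
{
    return !has_nop_sled(p, n, 8) && text_ratio(p, n) >= 0.95;
}

/* Constructed samples: a prose-looking byte string (not from the paper) and,
 * for contrast, a NOP sled followed by xor eax,eax; inc eax; int 0x80 (exit(0) on Linux i386). */
static const unsigned char prose[]   = "Push a pound of tea, please?";
static const unsigned char classic[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x40\xcd\x80";

size_t prose_insn_count(void) { size_t left; return decode_text_stream(prose, sizeof prose - 1, &left, 0); }
size_t prose_leftover(void)   { size_t left; decode_text_stream(prose, sizeof prose - 1, &left, 0); return left; }

int main(void)
{
    size_t left, n = decode_text_stream(prose, sizeof prose - 1, &left, 1);
    printf("prose:   %zu instructions, %zu bytes left, naive filter accepts=%d\n",
           n, left, naive_filter_accepts(prose, sizeof prose - 1));
    n = decode_text_stream(classic, sizeof classic - 1, &left, 0);
    printf("classic: %zu instructions, %zu bytes left, naive filter accepts=%d\n",
           n, left, naive_filter_accepts(classic, sizeof classic - 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the sample sentence is 100% text bytes, contains no NOP run, and decodes end to end into twelve instructions (push, a few Jcc, `and` with memory operands, `sub al`, `popa`, `aas`), so the modelled filter accepts exactly the buffer that is executable, while the sled-prefixed payload is caught. Two caveats a practitioner should keep in mind: the bytes only matter once a control-flow hijack lands the instruction pointer on them, as the "drawbridge" reply above says, and the decode shown here is for 32-bit mode; on x86-64 the same bytes disassemble differently.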

  110. Re:In other news... by blueg3 · · Score: 1

    I hope that you find your stay here while not Informative at least Funny!

    ftfy

  111. some real world examples by rs232 · · Score: 1

    Did they include links to some real world examples of this shell code, and can it be executed by clicking on a URL or opening an email attachment?

    --
    davecb5620@gmail.com
  112. Interesting delivery... by Anonymous Coward · · Score: 0

    So there's two pieces here. Mapping ASCII to executable code, which is in itself fairly interesting (and the researchers should be lauded for taking the time to figure some of those maps out), and the second point that requires a machine to have the interpreter to translate the english code to machine code.

    So, in reality, its another programming language with a pseudo-cipher built in.

    Why does this matter? It would be a fantastic way to deliver instructions via spam to already compromised systems running the interpreter. This further obfuscates the criminals from the bot networks, and would even make shutting them down hard.

    Computer Sleepercells. Crazy, huh?

  113. Re:In other news... by mdf356 · · Score: 1

    I don't buy that it will work on non-x86. Or at least not PowerPC, which is the only instruction set I'm familiar with at the machine code level. I only skimmed the article, but I didn't see the authors drawing any such conclusions.

    For PPC at least, IIRC most of the useful instructions like stack manipulation involve some byte sequences that are non-ASCII. OTOH, ARM and x86 are the only platforms worth targeting, given their prevalence.

    --
    Terrorist, bomb, al Qaeda, nuclear, yellowcake, kill, assassinate. Carnivore is dead... long live Echelon.
  114. English Shell Code -- cup of tea, old boy? by zhiwenchong · · Score: 1

    When I read the phrase English Shell Code, the first thought that came to my mind was:

    % Oh I say, can I see a list of files, old top?

    -rwxrwxrwx 1 alfred staff 192 7 Mar 2008 teacosy.txt
    drwxr-xr-x 37 alfred staff 1258 25 Nov 2008 cricketscores
    -rwxr-xr-x 1 alfred staff 260 28 Aug 2008 cucumbersandwiches.py

    % Spiffing, just spiffing. Shall we have a peek at the processes?

        PID TTY TIME CMD
        380 ttys000 0:00.01 -bash

  115. Re: Christmas by TaoPhoenix · · Score: 1

    Are your last three sentences product placements or shell code? : )

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  116. Question by GameboyRMH · · Score: 1

    Did the virus make the same WHOOSHing sound as a joke? Just doing some security research.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  117. Re:I say ... by TaoPhoenix · · Score: 1

    "DJ Talent" from Britain's Got Talent has prior art.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  118. You're wrong about Adobe by GameboyRMH · · Score: 1

    On the contrary, they can't code their way into a paper bag. I'm pretty sure Adobe could code their way out of the Boeing assembly building.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  119. Re:Perhaps Cockney English shell code could be use by Locke2005 · · Score: 1

    china=mate
    muckers=mates
    butchers=look
    scoobie=clue
    rabbit=talk
    Not as obscure as you'd like to think; I can decode it, and I've never even been to the UK.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  120. Too bad IBM went with the 8088 by Megane · · Score: 2, Interesting

    This sort of shellcode is probably a bit harder to write for the 68000, with its 16-bit instructions that have an "operand mode" field that spans between the two bytes. While a lot of useful instructions are in the 2xxx-7xxx range, and branches are in the 6xxx range, the instructions that do any sort of math are outside it.

    It would be interesting to see what can be done with other CPUs as well. In particular, I recall that OS X PPC missed a chance to resist shellcode by ignoring two of the four bytes of the OS trap instruction, rather than forcing them to be nulls.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  121. Re:In other news...BAN THE PARENT by mcgrew · · Score: 1

    there are no women on Slashdot

    There are a few. Not many, true, but there is such a thing as a female nerd and there are some here. Actually I'd guess that 99% of female nerds at least lurk.

  122. Re:In other news...BAN THE PARENT by Anonymous Coward · · Score: 0

    I'll check it out for you...yep it appears to be harmle*

  123. Re:In other news... by Ritchie70 · · Score: 1

    So, not most major corporations?

    I work for a roughly Fortune 200 firm. My peers at other companies and I routinely email "forbidden" file types by changing the file extension.

    MDB forbidden? That's OK, MP3 is allowed.

    EXE forbidden? Eh, just call it .TXT. Nothing checks.

    --
    The preferred solution is to not have a problem.
  124. Re:In other news... by DaVince21 · · Score: 1

    He obviously won if you suddenly can't reason back anymore.

    --
    I am not devoid of humor.