Bugtraq mailing list archives

Re: StackGuard: Automatic Protection From Stack-smashing Attacks


From: kragen () POBOX COM (Kragen)
Date: Fri, 19 Dec 1997 20:21:44 -0500


On Fri, 19 Dec 1997, Crispin Cowan wrote:
> Regarding guessing the canary value, it is really hard to brute-force a
> guess at the canary value.  The canary is randomly chosen at exec time;
> if you make a repeated attack guessing a new value, the value will have
> changed between guesses.  The value is 32 bits.  So if you made 4
> billion attacks, you would get it right once with probability
> approaching one, but you are not guaranteed to get it even then.

No, you would get it right once with probability approaching 1-1/e, or
about 63.212%.  The probability of success on one try is 1/N, where N is
the number of possibilities, 2^32 in this case; the probability of failure
on one try is 1-1/N; the probability of failure on N tries is (1-1/N)^N,
which approaches 1/e as N approaches infinity, which means the probability
of success on N tries approaches 1-1/e. It's really quite a good
approximation, in this case, good to about ten digits, I think.

I just tried this in GNU bc:

scale=100                /* keep 100 decimal digits */
onetry=(2^32-1)/2^32     /* P(one guess misses) = 1 - 1/N, N = 2^32 */
half=onetry^(2^16)       /* bc needs an integer exponent that fits a C long, so 2^32 is split into 2^16 * 2^16 */
half^(2^16)              /* (1 - 1/N)^N: P(all N guesses miss) */

The result is the probability of failure.

Kragen
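As an added example (my code, not part of Kragen's post or of StackGuard), the Python below reproduces the arithmetic of the reply in arbitrary precision: a canary of `bits` bits that is re-drawn uniformly before every guess, so each of `tries` guesses independently hits with probability 1/N. It computes (1 - 1/N)^N directly, the way the bc snippet does, and measures its distance from the limit 1/e. The function names and the `precision` parameter are my own choices.

```python
from decimal import Decimal, localcontext


def miss_probability(bits: int, tries: int, precision: int = 60) -> Decimal:
    """P(every guess misses) = (1 - 1/N) ** tries, N = 2**bits.

    Valid only because the canary is re-randomized between guesses, so the
    guesses are independent; a fixed canary would not follow this formula.
    """
    with localcontext() as ctx:
        ctx.prec = precision  # decimal digits carried through the computation
        n = Decimal(2) ** bits
        return (1 - Decimal(1) / n) ** tries


def hit_probability(bits: int, tries: int, precision: int = 60) -> Decimal:
    """P(at least one guess hits) = 1 - (1 - 1/N) ** tries."""
    with localcontext() as ctx:
        ctx.prec = precision
        return 1 - miss_probability(bits, tries, precision)


def limit_gap(bits: int, precision: int = 60) -> Decimal:
    """|(1 - 1/N) ** N - 1/e|: how good the 1/e approximation is for this N.

    The gap shrinks roughly like 1/(2N), which is why for N = 2**32 the
    approximation agrees with the exact value to about ten digits.
    """
    with localcontext() as ctx:
        ctx.prec = precision
        exact = miss_probability(bits, 2 ** bits, precision)
        return abs(exact - Decimal(-1).exp())


if __name__ == "__main__":
    # The numbers from the thread: a 32-bit canary attacked 2**32 times.
    bits = 32
    n = 2 ** bits
    print(f"P(all {n} guesses miss) = {miss_probability(bits, n)}")
    print(f"P(at least one hit)     = {hit_probability(bits, n):.6%}")
    print(f"distance from 1/e       = {limit_gap(bits):.3E}")
```

Running it prints a miss probability just under 0.36788 (so a hit probability of about 63.212%, not "approaching one"), and a gap from 1/e of a few times 10^-11, which is the "good to about ten digits" remark made concrete. The same functions work for other canary widths, e.g. `hit_probability(16, 2**16)` for a 16-bit canary.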
