Bugtraq mailing list archives
Re: StackGuard: Automatic Protection From Stack-smashing Attacks
From: kragen () POBOX COM (Kragen)
Date: Fri, 19 Dec 1997 20:21:44 -0500
On Fri, 19 Dec 1997, Crispin Cowan wrote:
> Regarding guessing the canary value, it is really hard to brute-force a guess at the canary value. The canary is randomly chosen at exec time; if you make a repeated attack guessing a new value, the value will have changed between guesses. The value is 32 bits. So if you made 4 billion attacks, you would get it right once with probability approaching one, but you are not guaranteed to get it even then.

No, you would get it right once with probability approaching 1-1/e, or about 63.212%.

The probability of success on one try is 1/N, where N is the number of possibilities, 2^32 in this case; the probability of failure on one try is 1-1/N; the probability of failure on N tries is (1-1/N)^N, which approaches 1/e as N approaches infinity, which means the probability of success on N tries approaches 1-1/e.

It's really quite a good approximation, in this case, good to about ten digits, I think. I just tried this in GNU bc:

    scale=100
    onetry=(2^32-1)/2^32
    half=onetry^(2^16)
    half^(2^16)

The result is the probability of failure.

Kragen
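The calculation discussed in this message, as an added Python example that is not part of the original post. It computes 1-(1-1/N)^k for any canary width and number of tries, inverts it to find how many tries reach a given probability, and checks the formula with a small simulation. It goes beyond the message by including the fixed-canary case for contrast; the function names, the 8-bit simulation width and the seed are assumptions made for illustration.

```python
import math
import random

def p_success_rerandomized(tries, bits=32):
    """P(at least one correct guess) when the canary is redrawn before each try."""
    n = 2 ** bits
    # 1 - (1 - 1/n)^tries, via log1p/expm1 so the tiny 1/n is not rounded away
    return -math.expm1(tries * math.log1p(-1.0 / n))

def p_success_fixed(tries, bits=32):
    """Contrast case: canary never changes and no guess is repeated."""
    n = 2 ** bits
    return min(tries, n) / n

def tries_for(p, bits=32):
    """Smallest number of tries with success probability >= p (re-randomized)."""
    if p >= 1.0:
        return math.inf  # with a fresh canary per try, success is never certain
    n = 2 ** bits
    return math.ceil(math.log1p(-p) / math.log1p(-1.0 / n))

def simulate(bits=8, trials=5000, seed=1997):
    """Empirical success rate over N = 2^bits tries, new canary on every try."""
    rng = random.Random(seed)  # constructed, seeded input so runs are repeatable
    n = 2 ** bits
    hits = 0
    for _ in range(trials):
        # each try: the process picks a fresh canary, the guess is independent
        if any(rng.getrandbits(bits) == rng.getrandbits(bits) for _ in range(n)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    n = 2 ** 32
    print("re-randomized, N tries:", p_success_rerandomized(n))
    print("1 - 1/e               :", 1 - math.exp(-1))
    print("fixed canary, N tries :", p_success_fixed(n))
    print("tries for 50%         :", tries_for(0.5))
    print("tries for 99%         :", tries_for(0.99))
    print("8-bit simulation      :", simulate(), "vs", p_success_rerandomized(256, 8))
```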