Vulnerability Development mailing list archives

Re: stackguard-like embedded protection

From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Fri, 15 Sep 2000 20:32:53 +0200

Yes, int is not a good word talking about "portable" stack protection...
If int is 32bit, than it may be a compromise between performance
and security. 2^32 is a quite large number: it probably saves you
if the brute force is for a remote bug. To spoof a  32bit number
requires a big time in the middle case.


Ah, you make this a complex issue :)

Perhaps we should define the correct length to be:

  There is NO test such as it's resonable to break the application
  on any system where protective mechanism will be run, with a 50% success
  chance in less than half a year.

But I'd wish to point to a flaws in the reasoning:
  - Attacker may have "unlimited" time
  - We may entirely be wrong about what system they will be use, perhaps
    they implement it on some super computer without modifying the source,
    we assumed "avarage" hardware only.

6 years in the middle case, that is a lot of time in an active attack


I see your reasoning, which is OK. But like in the aleged stories of
former employies having setted up logic bombs, an process could be running
for quite some time trying to overflow a protected application. OK, 6
years is unreasonable. But 10 tries a second is pretty low though for a
magnitued of situations.

(we are not talking about cryptography, in which I take the ciphertext
 and try in my cluster for a long time)


Agree, we doesn't have to take into account any "strange" hardware.
However, this is actually very much an application of sciences derived
from cryptography. We have theories on bit-sizes which can be transformed
to this problem, and if any author of a stack-protector believes he can
ignore the reasons for a good prng... Then the tool becomes a obsucrity
feature, not a security feature.

Anyway I agree that 64bit is a number that kills the brute force ghost.
A tester larger than 64bit is paranoia (i.e. how to throw away your CPU).


I believe you are 100% right.

IMHO, what we need is calculations on how much time it takes to
'bruteforce' (if it's a bad PRNG in use, remember they'll keep sending the
most commonly repeated number) a really simple testapplication. Anyay, I
think calculations will simply conclude that 32 bits are dangerous (but as
you say, enough for some situations) and 64 will be enough by far.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

Current thread:

Re: stackguard-like embedded protection, (continued)
- - Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 07)
    - Re: stackguard-like embedded protection typo (Sep 07)
    - Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 08)
- Re: stackguard-like embedded protection Hiroaki Etoh (Sep 12)
  - Re: stackguard-like embedded protection antirez (Sep 13)
- Re: stackguard-like embedded protection Hiroaki Etoh (Sep 13)
  - Re: stackguard-like embedded protection antirez (Sep 13)
    - Re: stackguard-like embedded protection Crispin Cowan (Sep 13)
  - Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 13)
    - Re: stackguard-like embedded protection antirez (Sep 13)
    - Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 16)
    - Re: stackguard-like embedded protection Crispin Cowan (Sep 16)
    - Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 17)
    - Re: stackguard-like embedded protection Crispin Cowan (Sep 18)
    - The much popular t0rnkit. Masial (Sep 17)
    - Re: The much popular t0rnkit. Neil Sequeira (Sep 19)
- Re: stackguard-like embedded protection Michael Wojcik (Sep 13)