Re: StackGuard: Automatic Protection From

tqbf@JOSHUA.ENTERACT.COM
Fri, 19 Dec 1997 17:32:23 -0600

> Regarding guessing the canary value, it is really hard to brute-force a
> guess at the canary value. The canary is randomly chosen at exec time;
> if you make a repeated attack guessing a new value, the value will have
> changed between guesses. The value is 32 bits. So if you made 4
> billion attacks, you would get it right once with probability
> approaching one, but you are not guaranteed to get it even then.

That's a pretty dubious claim; the probability of successfully guessing
the "canary" value is highly dependant on the strength of your random
number generator, isn't it? What does StackGuard use to generate the
random data for it's "canary" values?

It seems to me that there's a pretty obvious and major win for beating
whatever PRNG StackGuard uses, so it's something I assume you're conscious
of. I'd be interested in hearing more about this.

> Also note that there is a separate canary value per function,
> so a canary-access buffer vulnerability in one function does not help
> you to smash a different function.

This sounds false. In the previous quote, you state that StackGuard
generates the "canary" number at exec time, not per-call. That being the
case, all the "canary" values are going to be related, and having one of
them is going to make it easy to guess all of them. Is this the case?

Thanks for your time.

-----------------------------------------------------------------------------
Thomas H. Ptacek Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf "mmm... sacrilicious"