Re: StackGuard: Automatic Protection From Stack-smashing Attacks

Kragen (kragen@POBOX.COM)
Fri, 19 Dec 1997 20:21:44 -0500

On Fri, 19 Dec 1997, Crispin Cowan wrote:
> Regarding guessing the canary value, it is really hard to brute-force a
> guess at the canary value. The canary is randomly chosen at exec time;
> if you make a repeated attack guessing a new value, the value will have
> changed between guesses. The value is 32 bits. So if you made 4
> billion attacks, you would get it right once with probability
> approaching one, but you are not guaranteed to get it even then.

No, you would get it right once with probability approaching 1-1/e, or
about 63.212%. The probability of success on one try is 1/N, where N is
the number of possibilities, 2^32 in this case; the probability of failure
on one try is 1-1/N; the probability of failure on N tries is (1-1/N)^N,
which approaches 1/e as N approaches infinity, which means the probability
of success on N tries approaches 1-1/e. It's really quite a good
approximation, in this case, good to about ten digits, I think.

I just tried this in GNU bc:

scale=100
onetry=(2^32-1)/2^32
half=onetry^(2^16)
half^(2^16)

The result is the probability of failure.

Kragen