> Regarding guessing the canary value, it is really hard to brute-force a
> guess at the canary value. The canary is randomly chosen at exec time;
> if you make a repeated attack guessing a new value, the value will have
> changed between guesses. The value is 32 bits. So if you made 4
> billion attacks, you would get it right once with probability
> approaching one, but you are not guaranteed to get it even then.

That's a pretty dubious claim; the probability of successfully guessing the "canary" value is highly dependent on the strength of your random number generator, isn't it? What does StackGuard use to generate the random data for its "canary" values?

It seems to me that there's a pretty obvious and major win for beating whatever PRNG StackGuard uses, so it's something I assume you're conscious of. I'd be interested in hearing more about this.

> Also note that there is a separate canary value per function,
> so a canary-access buffer vulnerability in one function does not help
> you to smash a different function.

This sounds false. In the previous quote, you state that StackGuard generates the "canary" number at exec time, not per-call. That being the case, all the "canary" values are going to be related, and having one of them is going to make it easy to guess all of them. Is this the case?

Thanks for your time.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                         Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                          "mmm... sacrilicious"
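Added example, not part of the message above or of StackGuard itself: the probability arithmetic behind the quoted "32 bits, 4 billion attacks" claim, worked through for the two cases the quote distinguishes, a canary that is re-drawn between attempts (every guess is an independent trial) and one that stays fixed while the guesses run. It assumes the canary is uniformly random over all 2^32 values; whether StackGuard's PRNG actually delivers that is exactly the question the reply raises, so treat it as the example's assumption, not a statement about StackGuard.

```python
"""
Added example (not from the original thread): hit probabilities for guessing
a `bits`-wide stack canary.  Assumption: the canary is drawn uniformly at
random from all 2**bits values.
"""
import math


def p_hit_independent(bits: int, attempts: int) -> float:
    """Probability of at least one correct guess when the canary is
    re-drawn before every attempt (the "changed between guesses" case).

    Each attempt succeeds with probability 2**-bits independently, so
    P(at least one hit) = 1 - (1 - 2**-bits) ** attempts.
    log1p/expm1 keep the result accurate when 2**-bits is tiny.
    """
    if attempts <= 0:
        return 0.0
    log_miss_one = math.log1p(-2.0 ** -bits)        # log(1 - 2^-bits)
    return -math.expm1(attempts * log_miss_one)     # 1 - exp(attempts * log_miss_one)


def p_hit_fixed(bits: int, attempts: int) -> float:
    """Probability of a hit when the canary stays fixed across attempts and
    the guesser never repeats a value: each attempt rules out one candidate,
    so after `attempts` distinct guesses the hit probability is
    attempts / 2**bits, capped at 1 (the space is exhausted)."""
    if attempts <= 0:
        return 0.0
    return min(attempts / 2.0 ** bits, 1.0)


def expected_attempts_independent(bits: int) -> float:
    """Mean attempts until the first hit for independent trials
    (geometric distribution with success probability 2**-bits): 2**bits."""
    return 2.0 ** bits


def expected_attempts_fixed(bits: int) -> float:
    """Mean attempts until the hit for a fixed canary with distinct guesses:
    the hit position is uniform over 1..2**bits, so (2**bits + 1) / 2."""
    return (2.0 ** bits + 1) / 2


if __name__ == "__main__":
    bits = 32
    print(f"expected attempts, re-drawn canary: {expected_attempts_independent(bits):.0f}")
    print(f"expected attempts, fixed canary:    {expected_attempts_fixed(bits):.0f}")
    for attempts in (1, 2 ** 31, 2 ** 32, 2 ** 34):
        print(f"{attempts:>12d} attempts: "
              f"re-drawn {p_hit_independent(bits, attempts):.4f}  "
              f"fixed {p_hit_fixed(bits, attempts):.4f}")
    # With the canary re-drawn each time, 2^32 attempts give a hit with
    # probability 1 - 1/e (about 0.632); the 4-billion figure is the mean,
    # not a bound.  A fixed canary is exhausted with certainty at 2^32.
```

The difference between the two functions is the whole value of re-randomizing at exec: against a re-drawn canary the guesser never eliminates candidates, so the hit probability only creeps up as 1 - (1 - 2^-32)^n, whereas a canary that stays constant across attempts is a finite keyspace that distinct guesses walk through and exhaust.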
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:14 PDT