On Fri, 19 Dec 1997, Crispin Cowan wrote: > Regarding guessing the canary value, it is really hard to brute-force a > guess at the canary value. The canary is randomly chosen at exec time; > if you make a repeated attack guessing a new value, the value will have > changed between guesses. The value is 32 bits. So if you made 4 > billion attacks, you would get it right once with probability > approaching one, but you are not guaranteed to get it even then. No, you would get it right once with probability approaching 1-1/e, or about 63.212%. The probability of success on one try is 1/N, where N is the number of possibilities, 2^32 in this case; the probability of failure on one try is 1-1/N; the probability of failure on N tries is (1-1/N)^N, which approaches 1/e as N approaches infinity, which means the probability of success on N tries approaches 1-1/e. It's really quite a good approximation, in this case, good to about ten digits, I think. I just tried this in GNU bc: scale=100 onetry=(2^32-1)/2^32 half=onetry^(2^16) half^(2^16) The result is the probability of failure. Kragen
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:14 PDT