[5847] in bugtraq


Re: StackGuard: Automatic Protection From Stack-smashing Attacks

daemon@ATHENA.MIT.EDU (Kragen)
Sat Dec 20 03:15:14 1997

Date: 	Fri, 19 Dec 1997 20:21:44 -0500
Reply-To: Kragen <kragen@POBOX.COM>
From: Kragen <kragen@POBOX.COM>
X-To:         Crispin Cowan <crispin@CSE.OGI.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199712192159.NAA19224@helix.cse.ogi.edu>

On Fri, 19 Dec 1997, Crispin Cowan wrote:
> Regarding guessing the canary value, it is really hard to brute-force a
> guess at the canary value.  The canary is randomly chosen at exec time;
> if you make a repeated attack guessing a new value, the value will have
> changed between guesses.  The value is 32 bits.  So if you made 4
> billion attacks, you would get it right once with probability
> approaching one, but you are not guaranteed to get it even then.

No, you would get it right once with probability approaching 1-1/e, or
about 63.212%.  The probability of success on one try is 1/N, where N is
the number of possibilities, 2^32 in this case; the probability of failure
on one try is 1-1/N; the probability of failure on N tries is (1-1/N)^N,
which approaches 1/e as N approaches infinity, which means the probability
of success on N tries approaches 1-1/e. It's really quite a good
approximation, in this case, good to about ten digits, I think.

I just tried this in GNU bc:

scale=100                  /* keep 100 decimal digits */
onetry=(2^32-1)/2^32       /* probability one guess misses: 1-1/N, N=2^32 */
half=onetry^(2^16)         /* (1-1/N)^(2^16) */
half^(2^16)                /* ((1-1/N)^(2^16))^(2^16) = (1-1/N)^N */

The result is the probability of failure.

Kragen
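The same computation as an added example (not part of Kragen's post or of StackGuard): the per-attempt miss probability 1-1/N raised to the number of attempts, done with square-and-multiply in Python's Decimal instead of bc's `^`, and generalised to any canary width and attempt count. The function names and the 99% confidence target are assumptions of the example.

```python
from decimal import Decimal, getcontext
import math

getcontext().prec = 50  # enough digits to see the gap between the exact value and 1/e


def pow_by_squaring(base: Decimal, exponent: int) -> Decimal:
    """base ** exponent for a non-negative integer exponent, by square-and-multiply.
    Same idea as the bc trick of raising to 2^16 twice, generalised to any exponent."""
    result = Decimal(1)
    while exponent:
        if exponent & 1:
            result *= base
        base *= base
        exponent >>= 1
    return result


def failure_probability(canary_bits: int, attempts: int) -> Decimal:
    """P(every attempt misses) for a canary drawn uniformly from N = 2**canary_bits
    values and re-drawn before each attempt: (1 - 1/N) ** attempts."""
    n = Decimal(2) ** canary_bits
    one_miss = 1 - Decimal(1) / n  # exact at this precision for canary_bits <= 64
    return pow_by_squaring(one_miss, attempts)


def success_probability(canary_bits: int, attempts: int) -> Decimal:
    """P(at least one attempt hits) = 1 - (1 - 1/N) ** attempts."""
    return 1 - failure_probability(canary_bits, attempts)


def attempts_for_confidence(canary_bits: int, target: str) -> int:
    """Smallest attempt count whose success probability reaches target, from
    (1 - 1/N) ** k <= 1 - target, i.e. k >= ln(1 - target) / ln(1 - 1/N)."""
    n = Decimal(2) ** canary_bits
    k = (1 - Decimal(target)).ln() / (1 - Decimal(1) / n).ln()
    return math.ceil(k)


if __name__ == "__main__":
    attempts = 2 ** 32  # the "4 billion attacks" of the thread
    p_fail = failure_probability(32, attempts)
    print(f"P(all {attempts} guesses miss) = {p_fail}")
    print(f"1/e                              = {1 / Decimal(1).exp()}")
    print(f"P(at least one hit)              = {1 - p_fail}")
    print(f"attempts for 99% confidence      = {attempts_for_confidence(32, '0.99')}")
```

The exact value differs from 1/e by roughly 1/(2eN), about 4e-11 for a 32-bit canary, which is the "good to about ten digits" in the post.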
