Uninformed: Informative Information for the Uninformed

Vol 2» 2005.Sept


Conclusion

Temporal addresses are locations in memory that are tied to a timer of some sort, such as a variable storing the number of seconds since 1970. Like a clock, temporal addresses have an update period, meaning the rate at which their contents change. They also have an inherent storage capacity, which limits the amount of time they can convey before rolling back over to the start. Finally, temporal addresses always have a scale associated with them that indicates the unit of measure for their contents, such as whether the value is simply a counter or a count of seconds since 1970. Taken together, these three attributes can be used to predict when certain byte combinations will occur within a temporal address.
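The prediction described above, worked through as an added example (this code is not part of the original article): a little-endian tick counter is modelled by its storage capacity (bit width), its update period (wall-clock seconds per increment) and its scale, and the code computes when a given byte pattern next appears at a given byte offset, how long it persists, and how often it can recur before the counter wraps. The pattern bytes, the byte offset and the "now" values are constructed for illustration; the point the numbers make is the one the conclusion draws, namely that windows are short and far apart.

```python
"""Model of a temporal address: a fixed-width counter whose bytes can be
predicted from its capacity, update period and scale.  All pattern bytes
and 'now' tick values used here are constructed for illustration."""
from datetime import datetime, timezone


def contains_pattern(value, pattern, offset, capacity_bits=32):
    """True if `pattern` occupies byte `offset` onward in the little-endian
    encoding of `value`.  Used as the sanity check for predictions below."""
    raw = value.to_bytes(capacity_bits // 8, "little")
    return raw[offset:offset + len(pattern)] == pattern


def next_window(now_ticks, pattern, offset, capacity_bits=32):
    """Return (first_tick, last_tick) of the next interval, at or after
    now_ticks, during which `pattern` sits at byte `offset` of the counter.
    Returns None if no such interval exists before the counter wraps.

    The bytes below `offset` run freely while the pattern is present, so a
    window lasts 256**offset ticks; the bytes above the pattern select which
    of the possible windows we are in."""
    nbytes = capacity_bits // 8
    if offset < 0 or offset + len(pattern) > nbytes:
        raise ValueError("pattern does not fit inside the counter")
    window = 256 ** offset                          # ticks the pattern persists
    fixed = int.from_bytes(pattern, "little") << (8 * offset)
    high_shift = 8 * (offset + len(pattern))        # bits above the pattern
    high_count = 1 << (capacity_bits - high_shift)  # possible windows before wrap
    high = now_ticks >> high_shift                  # start from the current era
    while high < high_count:
        start = (high << high_shift) | fixed
        end = start + window - 1
        if end >= now_ticks:
            # Either we are already inside the window or it is still ahead.
            return max(start, now_ticks), end
        high += 1
    return None


def window_schedule(pattern, offset, tick_seconds=1, capacity_bits=32):
    """Return (recurrence_seconds, duration_seconds, occurrences_before_wrap)
    for a pattern at `offset` in a counter that increments every
    `tick_seconds` of wall-clock time (the update period)."""
    recurrence = (256 ** (offset + len(pattern))) * tick_seconds
    duration = (256 ** offset) * tick_seconds
    occurrences = 1 << (capacity_bits - 8 * (offset + len(pattern)))
    return recurrence, duration, occurrences


def describe(now_ticks, pattern, offset, tick_seconds=1, capacity_bits=32):
    """Human-readable summary, treating the counter as seconds since 1970
    (scale = seconds) so tick values can be rendered as UTC timestamps."""
    hit = next_window(now_ticks, pattern, offset, capacity_bits)
    if hit is None:
        return "pattern %r at offset %d never recurs before wrap" % (pattern, offset)
    start, end = hit
    assert contains_pattern(start, pattern, offset, capacity_bits)
    when = datetime.fromtimestamp(start * tick_seconds, tz=timezone.utc)
    wait = (start - now_ticks) * tick_seconds
    rec, dur, occ = window_schedule(pattern, offset, tick_seconds, capacity_bits)
    return ("pattern %r at offset %d: next window opens %s (in %d s), lasts %d s, "
            "recurs every %d s, %d occurrence(s) per counter lifetime"
            % (pattern, offset, when.isoformat(), wait, dur, rec, occ))


if __name__ == "__main__":
    pattern = b"\x41\x42"   # constructed two-byte pattern, not a real opcode
    now = 0                  # constructed 'now': the start of the epoch
    print(describe(now, pattern, 1))   # pattern in the middle bytes: recurs
    print(describe(now, pattern, 2))   # pattern in the top bytes: happens once
```

The two calls in the usage block illustrate the trade-off the text alludes to: the lower the pattern sits in the counter, the more often it recurs but the shorter it stays, while a pattern in the top two bytes of a 32-bit seconds counter lasts about eighteen hours but occurs exactly once before the counter wraps.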

This type of prediction is useful because it gives an exploitation chronomancer the ability to wait until the time is right and then strike once the predicted byte combinations occur in memory on a target machine. In particular, the most useful byte combinations are ones that represent useful opcodes, or instructions, that could be used to gain control over execution flow and allow an attacker to exploit a vulnerability. Such an ability has the added benefit of providing an attacker with universal return addresses in situations where a temporal address is found at a static location in memory across multiple operating system and application revisions.

An exploitation chronomancer is one who is capable of divining the best time to exploit something based on the alignment of certain bytes that occur naturally in a process' address space. By making use of the techniques described in this document, or perhaps ones that have yet to be described or disclosed, those who have yet to dabble in the field of chronomancy can begin to get their feet wet. Viable opcode windows will come and go, but the usefulness of temporal addresses will remain for eternity...or at least as long as computers as they are known today are around.

The fact of the matter is, though, that while the subject matter discussed in this document may have an inherent value, the likelihood of it being used for actual exploitation is slim to none due to the variance and delay between viable opcode windows for different periods and scales of temporal addresses. Or is it really that unlikely? Vlad902 suggested a scenario where an attacker could compromise an NTP server and configure it to constantly return a time that contains a useful opcode for exploitation purposes. All of the machines that synchronize with the compromised NTP server would then eventually have a predictable system time. While not completely foolproof, considering it's not always known how often NTP clients will synchronize (although logs could be used), it's nonetheless an interesting approach. Regardless of feasibility, the slave that is knowledge demands to be free, and so it shall.