Calculating Viable Opcode Windows
Once a set of temporal addresses has been located, the next logical
step is to calculate the windows of time during which one or more
viable opcodes can be found within the bytes of the temporal
address. It is just as important to calculate the duration of
each byte within the temporal address. This is the information
required to determine when a portion of a temporal address can be
used as a return address for an exploit.
The approach taken is to use the equations provided in the previous
chapter for calculating the number of seconds it takes for each byte
to change, based on the update period for a given temporal address.
By applying the tosec function to each byte index, a table can be
created, as illustrated in the figure below for a 100 nanosecond
8 byte timer.
Byte Index | Seconds (ext) |
0 | 0 (zero) |
1 | 0 (zero) |
2 | 0 (zero) |
3 | 1 (1 sec) |
4 | 429 (7 mins 9 secs) |
5 | 109951 (1 day 6 hours 32 mins 31 secs) |
6 | 28147497 (325 days 18 hours 44 mins 57 secs) |
7 | 7205759403 (228 years 179 days 23 hours 50 mins 3 secs) |
Figure: 8 byte 100ns per-byte durations in seconds
This shows that any opcodes starting at byte index 4 will have a 7
minute and 9 second window of time. The only thing left to do is
figure out when to strike.
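The per-byte durations in the figure can be recomputed for any update period. The following is an added example, not code from the original text; it assumes byte index i changes once every 256^i updates (the role the text gives to tosec, whose definition is not shown on this page), and byte_duration_secs, split_secs and struct span are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>

#define NS_PER_SEC 1000000000ULL

/* Whole seconds that byte `index` (0 = least significant, as in the figure)
 * of a counter holds one value when the counter advances once per period_ns.
 * Assumed model: byte i changes every 256^i updates.
 * Valid for index 0..7 and period_ns <= 1e9 (stays inside 64 bits). */
uint64_t byte_duration_secs(unsigned index, uint64_t period_ns)
{
    uint64_t updates = 1ULL << (8 * index);   /* 256^index */
    /* floor(updates * period_ns / 1e9), split so the product cannot overflow */
    return (updates / NS_PER_SEC) * period_ns
         + (updates % NS_PER_SEC) * period_ns / NS_PER_SEC;
}

/* Second count broken into 365-day years, days, hours, minutes, seconds. */
struct span { uint64_t years, days, hours, mins, secs; };

struct span split_secs(uint64_t s)
{
    struct span out;
    out.years = s / 31536000ULL; s %= 31536000ULL;
    out.days  = s / 86400ULL;    s %= 86400ULL;
    out.hours = s / 3600ULL;     s %= 3600ULL;
    out.mins  = s / 60ULL;
    out.secs  = s % 60ULL;
    return out;
}

int main(void)
{
    const uint64_t period_ns = 100;   /* the 100 ns timer from the figure */
    puts("Byte Index | Seconds | Broken down");
    for (unsigned i = 0; i < 8; i++) {
        uint64_t s = byte_duration_secs(i, period_ns);
        struct span d = split_secs(s);
        printf("%10u | %10llu | %lluy %llud %lluh %llum %llus\n", i,
               (unsigned long long)s, (unsigned long long)d.years,
               (unsigned long long)d.days, (unsigned long long)d.hours,
               (unsigned long long)d.mins, (unsigned long long)d.secs);
    }
    return 0;
}
```

Changing period_ns shows how strongly the update period drives the result: with a 1 millisecond period, byte index 4 holds its value for 4294967 seconds instead of 429.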