Uninformed: Informative Information for the Uninformed

Vol 2» 2005.Sept



Calculating Viable Opcode Windows

Once a set of temporal addresses has been located, the next logical step is to calculate the windows of time during which one or more viable opcodes can be found within the bytes of the temporal address. It is just as important to calculate the duration of each byte within the temporal address. This information is required in order to determine when a portion of a temporal address can be used as a return address for an exploit. The approach taken is to use the equations provided in the previous chapter to calculate the number of seconds it takes for each byte to change, based on the update period of a given temporal address. By applying the tosec function to each byte index, a table can be created, as illustrated in the figure below for a 100 nanosecond, 8 byte timer.

Byte Index  Seconds (ext)
0           0 (zero)
1           0 (zero)
2           0 (zero)
3           1 (1 sec)
4           429 (7 mins 9 secs)
5           109951 (1 day 6 hours 32 mins 31 secs)
6           28147497 (325 days 18 hours 44 mins 57 secs)
7           7205759403 (228 years 179 days 23 hours 50 mins 3 secs)

Figure: 8 byte 100ns per-byte durations in seconds

This shows that any opcodes starting at byte index 4 will have a 7 minute and 9 second window of time. The only thing left to do is figure out when to strike.
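
The per-byte calculation behind the figure, as an added example that is not code from the original paper. It assumes that the byte at index x changes once every 256^x update periods and truncates to whole seconds, which reproduces the figure's values; the function names and the 1 ms, 4 byte timer used for comparison are constructed here.

```python
from fractions import Fraction

# (unit name, seconds per unit); a year is taken as 365 days, which matches the figure
UNITS = (("year", 365 * 86400), ("day", 86400), ("hour", 3600), ("min", 60), ("sec", 1))
HUNDRED_NS = Fraction(1, 10_000_000)  # 100 ns update period, as in the figure

def byte_duration(index, period):
    """Whole seconds before the byte at `index` (0 = least significant) changes.

    Assumption: byte `index` increments once every 256**index update periods.
    Exact rational arithmetic avoids float rounding on the high-order bytes.
    """
    return int(256 ** index * Fraction(period))

def humanize(seconds):
    """Render seconds in the figure's style, e.g. 429 -> '7 mins 9 secs'."""
    parts = []
    for name, size in UNITS:
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count} {name}{'' if count == 1 else 's'}")
    return " ".join(parts) or "zero"

def duration_table(width, period):
    """Rows of (byte index, seconds, readable text) for a `width`-byte timer."""
    rows = []
    for index in range(width):
        secs = byte_duration(index, period)
        rows.append((index, secs, humanize(secs)))
    return rows

def first_index_lasting(width, period, min_seconds):
    """Lowest byte index whose value persists for at least `min_seconds`, or None."""
    for index, secs, _ in duration_table(width, period):
        if secs >= min_seconds:
            return index
    return None

if __name__ == "__main__":
    for index, secs, text in duration_table(8, HUNDRED_NS):
        print(f"{index:<10}  {secs} ({text})")
    # Constructed comparison: a 4 byte counter updated once per millisecond
    for index, secs, text in duration_table(4, Fraction(1, 1000)):
        print(f"{index:<10}  {secs} ({text})")
```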