Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May

Experimental Results

This chapter describes some of the initial results that were collected using a utility developed by the author named gencookie.exe. This utility attempts to calculate the value of the cookie that was generated for the executable image associated with an arbitrary process, such as lsass.exe. While the results of this utility were limited to attempting to calculate the cookie of a process' executable, the techniques described in previous chapters are nonetheless applicable to the cookies generated in the context of dependent DLLs. The results described in this chapter illustrate the tool's ability to accurately obtain specific bits within the different components that compose the cookie, including specific bits of the cookie itself. This helps to paint a picture of the amount of true entropy that is reduced through the techniques described in this document.

The data set that was used to calculate the overall results included 5001 samples which were collected from a single machine. The samples were collected through a few simple steps. First, a program called vulnapp.exe that was compiled with /GS was modified to have its __security_init_cookie routine save information about the cookie that was generated and the values that contributed to its generation. Following that, the gencookie.exe utility was launched against the running process in an attempt to calculate vulnapp.exe's GS cookie. A comparison between the expected and actual value of each component was then saved. These steps were repeated 5001 times. The author would be interested in hearing about independent validation of the findings presented in this chapter.

The following sections describe the bit-level predictability of each of the components that are used to generate the GS cookie, including the overall predictability of the bits of the GS cookie itself. The diagrams describe the predictability in terms of the percentage of the time that each bit was correctly calculated by gencookie.exe. The diagram in figure 5.1 shows how often each individual component was calculated exactly, with all of its bits correct. For example, the value used for the low 32 bits of the system time component was successfully determined 77 percent of the time. The low 32 bits of the performance counter and the cookie itself were never calculated exactly. The reason for this discrepancy will be discussed in the following sections.

Figure 5.1: Percentage of the time that all bits of individual components were accurately calculated
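The measurement described above can be reproduced from any set of expected/calculated pairs. The following is an added example, not gencookie.exe or the author's code: it computes the all-bits-correct rate (the figure 5.1 metric) and the per-bit accuracy for one 32-bit component. The function names and the sample pairs are constructed for illustration.

```python
# Added example: function names and sample values are constructed, not from the paper.

def bit_accuracy(samples, width=32):
    """Fraction of samples in which each bit (0 = least significant) of the
    calculated value matched the expected value."""
    if not samples:
        raise ValueError("no samples")
    hits = [0] * width
    for expected, calculated in samples:
        diff = expected ^ calculated              # set bits mark a wrong bit
        for bit in range(width):
            hits[bit] += 1 - ((diff >> bit) & 1)
    return [h / len(samples) for h in hits]


def exact_rate(samples, width=32):
    """Fraction of samples in which every bit of the component was correct."""
    if not samples:
        raise ValueError("no samples")
    mask = (1 << width) - 1
    return sum(1 for e, c in samples if ((e ^ c) & mask) == 0) / len(samples)


def predictable_bits(accuracy, threshold=1.0):
    """Bit positions whose accuracy meets the threshold."""
    return [i for i, a in enumerate(accuracy) if a >= threshold]


# Constructed (expected, calculated) pairs for a counter-like component:
# the high bits are always right, the low four bits are not.
SAMPLES = [
    (0x1A2B3C4D, 0x1A2B3C4C),   # bit 0 wrong
    (0x1A2B4001, 0x1A2B4003),   # bit 1 wrong
    (0x1A2C0010, 0x1A2C0018),   # bit 3 wrong
    (0x1A2C00FF, 0x1A2C00F0),   # bits 0-3 wrong
]

if __name__ == "__main__":
    acc = bit_accuracy(SAMPLES)
    known = predictable_bits(acc)
    print(f"exact match rate: {exact_rate(SAMPLES):.0%}")
    print(f"bits always correct: {len(known)} of {len(acc)}")
    for bit in range(len(acc) - 1, -1, -1):
        if acc[bit] < 1.0:
            print(f"  bit {bit:2d}: {acc[bit]:.0%}")
```

On the constructed data the component is never calculated exactly, yet 28 of its 32 bits are correct in every sample, which is why the exact-match rate alone understates how much entropy is lost.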