Informative Information for the Uninformed  


Performance Counter

The high 32 bits of the performance counter were successfully estimated 100 percent of the time. The low 32 bits, on the other hand, show the greatest degree of volatility when compared to the other components. The high order 15 bits of the low 32 bits show a bias in terms of accuracy that is not a 50/50 split. The remaining 17 bits were all guessed correctly roughly 50 percent of the time. This makes the low 17 bits the only truly effective source of entropy in the performance counter, since there is no bias shown in relation to the estimated versus actual values. This is not enough to prove that there aren't observable patterns in the low 17 bits, but it is enough to show that the gencookie.exe utility was not effective in estimating them. Figures 5.8 and 5.9 show the percent accuracy for the high and low order 32 bits.

This discrepancy requires a more detailed explanation. The estimates made by the gencookie.exe utility are not as far off as one might think based on the percent accuracy of each bit as described in the diagrams. Instead, the estimates are, on average, off by only 105,000. This average difference is what leads to the lower 17 bits being so volatile.

One interesting aspect of the difference between the estimated and actual performance counter is that there appears to be a time-oriented trend in how far off the estimates are. The scatter plot in figure 5.7 illustrates the absolute difference between the estimated and actual low 32 bits of the performance counter as taken from the 5001 samples. Due to the way that the samples were taken, it's safe to assume that each sample is roughly equivalent to one second of time passing (due to a sleep between sample collection). Further study of this apparent relationship may yield better results in terms of estimating the lower 17 bits of the low 32 bits of the performance counter. This is left for future research.
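The link between an average error of about 105,000 and the per-bit accuracy figures can be reproduced with a small measurement script. The following is an added example, not code from the original paper or from gencookie.exe: the sample pairs are constructed, and the error model (uniform within plus or minus 210,000, giving a mean absolute error near 105,000) and all function names are assumptions.

```python
import random

BITS = 32
MASK = 0xFFFFFFFF

def make_samples(n=5001, max_err=210_000, seed=1):
    """Constructed (estimated, actual) pairs for the low 32 bits.
    Assumption: error is uniform in [-max_err, max_err], mean |error| ~105,000."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(n):
        actual = rng.getrandbits(BITS)
        est = (actual + rng.randint(-max_err, max_err)) & MASK
        pairs.append((est, actual))
    return pairs

def per_bit_accuracy(pairs):
    """Fraction of samples in which bit i of the estimate equals bit i of the actual."""
    hits = [0] * BITS
    for est, actual in pairs:
        same = ~(est ^ actual) & MASK  # 1 wherever the two values agree
        for i in range(BITS):
            hits[i] += (same >> i) & 1
    return [h / len(pairs) for h in hits]

def mean_abs_error(pairs):
    """Average distance between estimate and actual, measured modulo 2**32."""
    total = 0
    for est, actual in pairs:
        d = (est - actual) & MASK
        total += min(d, (MASK + 1) - d)  # wraparound is not a huge miss
    return total / len(pairs)

def unbiased_bits(acc, tol=0.05):
    """Bit positions whose accuracy is indistinguishable from a coin flip."""
    return [i for i, a in enumerate(acc) if abs(a - 0.5) <= tol]

if __name__ == "__main__":
    pairs = make_samples()
    acc = per_bit_accuracy(pairs)
    print(f"mean |error| = {mean_abs_error(pairs):,.0f}")
    for i in reversed(range(BITS)):
        print(f"bit {i:2d}: {acc[i] * 100:5.1f}% correct")
    print("bits near 50%:", unbiased_bits(acc))
```

Because the error is on the order of 2^17 (131,072), the lowest bits agree only by chance while accuracy climbs toward 100 percent in the higher bits, which is the shape of bias the section describes. Running the same functions over real estimated/actual pairs gives a direct measure of how many bits still contribute entropy.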
