Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May


The ability to reduce the amount of effective entropy in a GS cookie can improve an attacker's chances of guessing the cookie. This paper has described two techniques that may be used to calculate or infer the values of certain bits in a GS cookie. The first approach involves a local attacker's ability to collect information that makes it possible to calculate, with pretty good accuracy, the values of the entropy sources that were used at the time that a cookie was generated. The second approach describes the potential for abusing the limited entropy associated with boot start services.

While the results shown in this paper do not represent a complete break of GS, they do hint toward a general weakness in the way that GS cookies are generated. This is particularly serious given the fact that GS is a compile time solution. If the techniques described in this document are refined, or new and improved techniques are identified, a complete break of GS would require the recompilation of all affected binaries. The implications of this should be obvious. The ability to reliably predict the value of a GS cookie would effectively nullify any benefits that GS adds. It would mean that all stack-based buffer overflows would immediately become exploitable.

To help contribute to the improvement of GS, a few different solutions were described that could either partially or wholly address some of the weakness that were identified. The most interesting of these solutions involves modifying the GS implementation to make use of a external cookie generator, such as the kernel. Going this route would ensure that any weaknesses found in the cookie generation algorithm could be simply addressed through a patch to the kernel. This is much more reasonable than expecting all existing GS enabled binaries to be recompiled.

It's unclear whether the techniques presented in this paper will have any appreciable effect on future exploits. Only time will tell.