Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May



Attacking GS

At the time of this writing, all publicly disclosed attacks against GS that the author is aware of have relied on getting control of execution before the cookie is checked or on finding some way to leak the value of the cookie back to the attacker. Both of these styles of attack are of great interest and value, but the focus of this paper will be on a different method of attacking GS. Specifically, this chapter will outline techniques that may be used to make it easier to guess the value of an image file's GS cookie. Two techniques will be described. The first technique describes methods for calculating the values that were used as entropy sources when the cookie was generated. These calculations are possible in situations where an attacker has local access to the machine, such as through the console or through terminal services. The second technique describes the general concept of predictable ranges for some of the values that are used in the context of boot start services, such as lsass.exe. This predictability may make guessing a GS cookie more feasible in both local and remote scenarios.


