Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May


Calculating Entropy Sources

The sources used to generate the GS cookie for a given image file are constant and well-known: the current system time, the process identifier, the thread identifier, the tick count, and the performance counter. In light of that fact, it only makes sense to investigate how much effective entropy each source actually adds to the cookie. Since the cookie is only useful if it stays secret, the ability to guess any value used in its generation allows that value to be canceled out of the equation. This works because the values are simply XOR'd together, and XOR is commutative, associative, and its own inverse: XOR'ing a known source value into the cookie removes that source's contribution entirely. Being able to guess several of the values can therefore reduce the effective entropy of the cookie dramatically.

While the sources used in the generation of the cookie have long been regarded as satisfactory, the author has found that most of them contribute little or no entropy to the cookie. At present this is only true when an attacker has local access to the machine. Knowing the GS cookie used by a privileged process would, for example, make it possible to exploit a stack-based local privilege escalation vulnerability that the cookie would otherwise guard against. There may be circumstances in which the techniques described in this section can be applied remotely, but for the purpose of this document only the local scenario is considered. The following subsections outline methods that can be used to calculate, or deterministically find, the specific values that were used when a cookie was generated in a particular process context. The result of this analysis is that the only source of real entropy in the GS cookie is the low 17 bits of the performance counter; every other source can be reliably calculated, with some margin of error.
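The cancellation argument above, and its consequence for the size of the search space, can be carried through in code. The following is an added example, not code from the original article or from Microsoft's C runtime: it models the cookie as the XOR of the seven 32-bit words the text lists (two halves of the system time, process and thread identifiers, tick count, two halves of the performance counter), which is an assumption about the exact combination, and it uses constructed sample values rather than ones captured from a real process. It then shows that once an attacker has reconstructed every source except the low 17 bits of the performance counter, a leaked cookie gives up those bits directly, and without a leak the cookie is one of only 2^17 candidates.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the cookie derivation the text describes: the seven 32-bit words
 * drawn from the five sources are XOR'd together.  Treating each source as
 * whole 32-bit words in this order is an assumption of this example.
 */
typedef struct {
    uint32_t systime_low, systime_high;  /* halves of the system time         */
    uint32_t pid, tid;                   /* process and thread identifiers    */
    uint32_t tick_count;                 /* tick count                        */
    uint32_t perf_low, perf_high;        /* halves of the performance counter */
} gs_sources;

/* The text's conclusion: only these bits resist calculation by a local attacker. */
#define PERF_UNKNOWN_BITS 17u
#define PERF_UNKNOWN_MASK ((1u << PERF_UNKNOWN_BITS) - 1u)

uint32_t gs_cookie(const gs_sources *s)
{
    return s->systime_low ^ s->systime_high ^ s->pid ^ s->tid
         ^ s->tick_count ^ s->perf_low ^ s->perf_high;
}

/* Everything the attacker can reconstruct, XOR'd together.  The low 17 bits of
 * perf_low are masked off because the attacker does not know them; whatever
 * the caller left in those bits is ignored. */
uint32_t known_contribution(const gs_sources *known)
{
    return known->systime_low ^ known->systime_high ^ known->pid ^ known->tid
         ^ known->tick_count ^ (known->perf_low & ~PERF_UNKNOWN_MASK)
         ^ known->perf_high;
}

/* Cancellation: XOR'ing the known words into a leaked cookie removes their
 * contribution (x ^ x == 0), leaving only the unknown performance counter bits. */
uint32_t recover_unknown_perf_bits(uint32_t cookie, const gs_sources *known)
{
    return (cookie ^ known_contribution(known)) & PERF_UNKNOWN_MASK;
}

/* Without a leak the attacker enumerates the 2^17 candidate cookies.  Returns
 * the 1-based number of guesses until a candidate matched the real cookie
 * (which only the caller knows), or 0 if no candidate matched. */
uint32_t guesses_to_hit(const gs_sources *known, uint32_t true_cookie)
{
    uint32_t base = known_contribution(known);
    for (uint32_t g = 0; g <= PERF_UNKNOWN_MASK; g++) {
        if ((base ^ g) == true_cookie)
            return g + 1;
    }
    return 0;
}

/* Constructed sample values, not captured from a real process. */
gs_sources sample_sources(void)
{
    gs_sources s = {
        0x9F3A1C00u, 0x01C79B22u,   /* system time         */
        0x00000A4Cu, 0x00000A50u,   /* pid, tid            */
        0x0012D687u,                /* tick count          */
        0xDEAD5A5Au, 0x00000003u    /* performance counter */
    };
    return s;
}

int main(void)
{
    gs_sources real = sample_sources();
    uint32_t cookie = gs_cookie(&real);

    /* The attacker's view: the same words, except that the low 17 bits of
     * perf_low are a guess (deliberately wrong here to show they are ignored). */
    gs_sources known = real;
    known.perf_low = (known.perf_low & ~PERF_UNKNOWN_MASK) | 0x1234u;

    printf("cookie            = 0x%08x\n", (unsigned)cookie);
    printf("unknown perf bits = 0x%05x\n",
           (unsigned)recover_unknown_perf_bits(cookie, &known));
    printf("guesses to hit    = %u of %u\n",
           (unsigned)guesses_to_hit(&known, cookie),
           (unsigned)(PERF_UNKNOWN_MASK + 1u));
    return 0;
}
```

With the sample values the low 17 bits of the performance counter are 0x15A5A, so a leaked cookie yields exactly that value after cancellation, and blind enumeration hits the real cookie on guess 0x15A5B out of 131072. Every correctly guessed source shrinks the search space by its full width; the 17 bits that remain are the whole of the cookie's effective entropy under the text's model.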

For the following subsections, a modified executable named vulnapp.exe was used to extract the values that were in play at the moment the process executable's GS cookie was generated. In particular, __security_init_cookie was patched to jump into a function that saves the values used to generate the cookie. The implementation of this function is shown below for those who are curious:

#include <windows.h>

//
// Storage for the values captured when the cookie was generated.
// Slots 0-3 are the four 32-bit locals copied out of the frame of
// __security_init_cookie, i.e. the two 64-bit values (system time and
// performance counter) that cannot be re-queried after the fact; the
// frame offsets below are specific to the build that was patched.
// Slots 4-6 are simply re-queried, and slot 7 holds the cookie itself.
//
ULONG GSContext[8];

//
// The FramePointer is the value of EBP in the context of the
// __security_init_cookie routine.  The cookie is the actual,
// resultant cookie value.  GSContext is a global array.
//
VOID DumpInformation(
   PULONG FramePointer,
   ULONG  Cookie)
{
   // Locals from the __security_init_cookie frame (64-bit values).
   GSContext[0] = FramePointer[-3];
   GSContext[1] = FramePointer[-4];
   GSContext[2] = FramePointer[-1];
   GSContext[3] = FramePointer[-2];

   // Sources that can still be queried directly at this point.
   GSContext[4] = GetCurrentProcessId();
   GSContext[5] = GetCurrentThreadId();
   GSContext[6] = GetTickCount();

   // The cookie that resulted from combining the above.
   GSContext[7] = Cookie;
}
