Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan

Temporal Keys

The concept of a temporal address was previously introduced by the paper entitled Temporal Return Addresses: Exploitation Chronomancy[16, 3]. In summary, a temporal address is a location in memory which holds timer data of some form. Potential types of timer data stored at a temporal address include such data as the system date and time, number of seconds since boot, or a counter of some other form.

The research presented in the aforementioned paper focused on leveraging the timer data found at such addresses as the return address used for vulnerability exploitation. As such, the viability of the data found at the temporal address was constrained by two properties of the data defined as scale, and period. These two properties dictate the window of time during which the data found at the temporal address will equate to the desired instructions. Another potential constraint for use of a temporal address as an exploit return address stems from the fact that the value contained at the temporal address is called directly for use as an executable instruction. If the memory range it is contained within is marked as non-executable such as with the more recent versions of Windows[16, 19], attempting use in this manner will cause an exception.

For the purpose that temporal addresses will be employed here, such strict constraints as those previously mentioned do not exist. Rather, the only desired property of the data stored at the temporal address which will be used as a context-key is that it does not change, or as in the case of temporal data, does not change during the time window in which we intend to use it. Due to this difference in requirements, the actual content of the temporal address is somewhat irrelevant and therefore is not constrained to a time-window in either the future or the past during which the data found at the temporal address will be fit for purpose. The viable time-window in the case of use for contextual keying is entirely constrained by duration rather than location along the time-line. Due to the values at different byte offsets within data found at a temporal address having differing update frequencies, selection of key data from these values produces varying duration time-windows during which the values will remain constant. By using single byte, dual byte, or otherwise relatively short context-keys, and carefully selecting from the available byte values stored within the timer found at the temporal address, the viable time-window chosen can be made to be quite lengthy.