Advertisement

Reinterpreting and Improving the Cryptanalysis of the Flash Player PRNG

  • George TeşeleanuEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11445)

Abstract

Constant blinding is an efficient countermeasure against just-in-time (JIT) spraying attacks. Unfortunately, this mitigation mechanism is not always implemented correctly. One such example is the constant blinding mechanism found in the Adobe Flash Player. Instead of choosing a strong mainstream pseudo-random number generator (PRNG), the Flash Player designers chose to implement a proprietary one. This led to the discovery of a vulnerability that can be exploited to recover the initial seed used by the PRNG and thus, to bypass the constant blinding mechanism. Using this vulnerability as a starting point, we show that no matter the parameters used by the previously mentioned PRNG it still remains a weak construction. A consequence of this study is an improvement of the seed recovering mechanism from previously known complexity of \(\mathcal O(2^{21})\) to one of \(\mathcal O(2^{11})\).

Supplementary material

References

  1. 1.
    A Full Exploit of CVE-2017-3000 on Flash Player Constant Blinding PRNG. https://github.com/dangokyo/CVE-2017-3000/blob/master/Exploiter.as
  2. 2.
  3. 3.
    Source Code for the Actionscript Virtual Machine. https://github.com/adobe-flash/avmplus/tree/master/core/MathUtils.cpp
  4. 4.
  5. 5.
    Vulnerability Details: CVE-2017-3000. https://www.cvedetails.com/cve/CVE-2017-3000/
  6. 6.
    Athanasakis, M., Athanasopoulos, E., Polychronakis, M., Portokalidis, G., Ioannidis, S.: The devil is in the constants: bypassing defences in browser JIT engines. In: NDSS 2015. The Internet Society (2015)Google Scholar
  7. 7.
    Blazakis, D.: Interpreter exploitation. In: WOOT 2010. USENIX Association (2010)Google Scholar
  8. 8.
    Reshetova, E., Bonazzi, F., Asokan, N.: Randomization can’t stop BPF JIT spray. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds.) NSS 2017. LNCS, vol. 10394, pp. 233–247. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-64701-2_17CrossRefGoogle Scholar
  9. 9.
    Wang, C., Huang, T., Wu, H.: On the weakness of constant blinding PRNG in flash player. In: Naccache, D., et al. (eds.) ICICS 2018. LNCS, vol. 11149, pp. 107–123. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-01950-1_7CrossRefGoogle Scholar
  10. 10.
    Ward, G.: A recursive implementation of the perlin noise function. In: Graphics Gems II, pp. 396–401. Elsevier (1991)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Computer Science“Al.I.Cuza” University of IaşiIaşiRomania
  2. 2.Advanced Technologies InstituteBucharestRomania

Personalised recommendations