Reinterpreting and Improving the Cryptanalysis of the Flash Player PRNG

Abstract

Constant blinding is an efficient countermeasure against just-in-time (JIT) spraying attacks. Unfortunately, this mitigation mechanism is not always implemented correctly. One such example is the constant blinding mechanism found in the Adobe Flash Player. Instead of choosing a strong mainstream pseudo-random number generator (PRNG), the Flash Player designers chose to implement a proprietary one. This led to the discovery of a vulnerability that can be exploited to recover the initial seed used by the PRNG and thus, to bypass the constant blinding mechanism. Using this vulnerability as a starting point, we show that no matter the parameters used by the previously mentioned PRNG it still remains a weak construction. A consequence of this study is an improvement of the seed recovering mechanism from previously known complexity of \(\mathcal O(2^{21})\) to one of \(\mathcal O(2^{11})\).

A Additional Algorithms

In [9] the algorithm used to invert g is not presented in full. Based on the descriptions found in [1, 9] we present the full algorithm in Algorithm 7. Note that the algorithm works for any generic polynomial g, not only for the one used in the Flash Player PRNG. Note that \( { \& }S\) means that we pass S by reference.

The only algorithm we found for reversing the Flash Player PRNG is described in [1]. We improve their attack in Algorithm 8. To reverse the bit manipulation function f and the polynomial g we use the abstract functions \(Reverse\_bit\_manipulation\) and \(Reverse\_polynomial\), respectively. Remark that Algorithm 8 works for any generic polynomial g and any generic function \(h(x) = p \cdot x \bmod 2^n\) with p odd. In the Flash Player case we have \(p^{-1} \equiv 3811027319 \bmod 2^{32}\).