Stack Corruption Detection using canary value
I'm reading a textbook which describes defense that is be able to detect when a stack has been corrupted. The book says:
Recent versions of gcc incorporate a mechanism known as a stack protector into the generated code to detect buffer overruns. The idea is to store a special canary value in the stack frame between any local buffer and the rest of the stack state, as illustrated in the picture below:
This canary value, also referred to as aguard value, is generated randomly each time the program runs, and so there is no easy way for an attacker to determine what it is. Before restoring the register state and returning from the function, the program checks if the canary has been altered by some operation of this function or one that it has called. If so, the program aborts with an error.
I get the idea but I still think there is a flaw in this design. Yes the attacker might not be able to determine what the value of canary is, but the attacker know the size of canary(8 bytes), so the attacker can manipulate the pointer to bypass this 8 byte area in stack where canary locates then overwrite the return address, so canary actually protects nothing, is my understanding correct?
If the attacker has arbitrary write, then yes, the canary is useless. In fact, there are many ways arbitrary write can invalidate a canary, including overwriting the GOT entry of __stack_chk_fail (the function called when the canary is overwritten), or just not overwriting the canary to begin with. However, arbitrary write isn't always obtainable. It usually only happens when there's a format string vulnerability. When there's just a buffer overflow, to write to an address after the canary, you have to write to the addresses before that address, which includes the canary. This means that the only reasonable way to overwrite the return address with a buffer overflow is to either guess the canary or leak it through another vulnerability.
- How do I convert argv to lpCommandLine parameter of CreateProcess?
- How to calulate CRC of 1 byte using stm32l1 CRC unit
- Can't put values together into struct that is initiated by pointer and malloc
- Using TinyAES to encrypt a decrypt data returns a strange result
- What causes the error "undefined reference to (some function)"?
- What is the difference between memmove and memcpy?
- C compiler for Windows?
- How to setup a shared ccache
- Checking stack usage at compile time
- Static assertion to check if a variable name is defined in the current scope
- Trying to read txt file line by line in C Language
- How do you do exponentiation in C?
- Is it possible to modify the content of a struct pointer inside a function?
- Programmatically retrieving the absolute path of an OS X command-line app
- Should Portable Types Be Used in the Declaration of a Main Function? (C11)
- GCC Linker, bss section symbols equal zero length
- Is there any reasonable initial/invalid value for a pid_t?
- Fork in Linux: Weird infinite loop while freeing condition variable
- Function definition with prototype vs without prototype
- How do I achieve tilde expansion in C?
- Is there really no mremap in Darwin?
- Interpreting the format specifier in printf("%.-1f", 34.14)
- Why is my socket's open port not listed by netstat?
- Why I get bus-error with unused FILE pointer?
- How does strcmp() work?
- Rationale behind declaring FILE * volatile to stdin in C
- Getting actual file name (with proper casing) on Windows
- Is it possible to make a C++ application and use Flutter as the GUI framework?
- Difference between char* and const char*?
- How can I make switch-case statements case insensitive?