Stack Canary
Claim
A Stack Canary detects a linear stack buffer overflow before the corrupted return address is used, and stops the attack by aborting the process. It does not prevent the out-of-bounds write itself, and it only covers overflows that run through the canary slot on the way to the return address.
General
The Stack Canary exploit mitigation is also called SSP (Stack Smashing Protector) or Stack Cookie. It is a compile-time mitigation: the compiler (gcc or clang with -fstack-protector, -fstack-protector-strong or -fstack-protector-all) inserts the store and the check into the prologue and epilogue of protected functions, so only binaries built with the flag are protected.
The Stack Canary is a secret byte string placed on the stack between the local buffers of a function and the saved frame pointer and return address (the value that is loaded into EIP or RIP when the function returns). The secret byte string must have the following properties:
- Unpredictable: an attacker is not able to predict the canary's value. On Linux the dynamic loader derives it at process start from the random bytes the kernel supplies in the AT_RANDOM auxiliary vector entry.
- Not accessible: an attacker must not be able to read the value. The program itself has to read it for the check, so glibc keeps the reference copy in thread-local storage (fs:0x28 on x86-64, gs:0x14 on i386) rather than in an ordinary global that a memory leak would easily reach.
- Not brute-forceable: guessing the value within a meaningful time must be infeasible. A 64-bit canary with one fixed terminator byte leaves 2^56 possibilities for a single all-at-once guess.
- Contains a termination character: the byte at the lowest address of the canary is 0x00. Even when all other properties fail, this makes sure that string functions like strcpy cannot copy over the canary boundary: a copy from attacker data stops at that NUL before it reaches the return address, and a read such as puts(buf) on a buffer without its own terminator stops at the canary instead of leaking it.
With these properties a linear overflow of a stack buffer cannot reach the saved return address without first overwriting the canary with a value the attacker does not know. The canary is checked in the epilogue of every protected function, before the return instruction: the copy in the frame is compared with the reference copy, and on mismatch __stack_chk_fail() is called, which prints "*** stack smashing detected ***" and aborts the process instead of returning into the corrupted address.
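The frame layout and the terminator property described above, as an added example that is not part of this page and not the compiler's real instrumentation: a C model of one x86-64 frame (buffer, canary slot, saved rbp, return address) with a prologue that stores the canary and an epilogue that checks it. The canary bytes, the return address 0x401136 and the payload are constructed values; a real canary would come from AT_RANDOM. The example runs the same payload through a length-driven copy (memcpy, read()) and through a strcpy-style copy, and shows that the leading 0x00 byte stops the string copy even when the attacker knows the canary, while a leaked canary plus a length-driven copy defeats the check entirely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one x86-64 frame as gcc -fstack-protector lays it out, in address
 * order: local buffer, canary slot, saved frame pointer, return address.  A
 * linear overflow of buf must walk through the canary before reaching ret_addr.
 * The struct stands in for the stack so every copy below stays in one object. */
#define BUF_SZ 16
struct frame {
    char     buf[BUF_SZ];
    uint8_t  canary[8];      /* glibc: the byte at the lowest address is 0x00 */
    uint64_t saved_rbp;
    uint64_t ret_addr;
};
_Static_assert(sizeof(struct frame) == 40, "model frame has unexpected padding");

/* Constructed values: a placeholder return address and a canary whose first
 * byte is the terminating NUL, as in a real glibc canary. */
#define LEGIT_RET 0x401136ULL
static const uint8_t REF_CANARY[8] = {0x00, 0x8b, 0x2e, 0x71, 0xc4, 0x19, 0xd0, 0x5a};

enum outcome { RETURNED = 0, SMASH_DETECTED = 1, HIJACKED = 2 };

/* Prologue: store the process-wide canary into the frame. */
static void prologue(struct frame *f) {
    memset(f, 0, sizeof *f);
    memcpy(f->canary, REF_CANARY, 8);
    f->saved_rbp = 0x7fffffffe000ULL;
    f->ret_addr  = LEGIT_RET;
}

/* Epilogue: compare the slot with the reference copy before returning.  The
 * mismatch branch is where real code calls __stack_chk_fail() and aborts. */
static enum outcome epilogue(const struct frame *f) {
    if (memcmp(f->canary, REF_CANARY, 8) != 0)
        return SMASH_DETECTED;
    return f->ret_addr == LEGIT_RET ? RETURNED : HIJACKED;
}

/* Byte-for-byte model of strcpy(): copies up to and including the first NUL.
 * A plain loop, so a fortified libc strcpy cannot interfere with the model. */
static void copy_like_strcpy(uint8_t *dst, const uint8_t *src, size_t limit) {
    for (size_t i = 0; i < limit; i++) {
        dst[i] = src[i];
        if (src[i] == 0)
            break;
    }
}

/* Model of strlen() reading a buffer that has no terminator of its own. */
static size_t len_like_strlen(const uint8_t *p, size_t limit) {
    size_t n = 0;
    while (n < limit && p[n] != 0)
        n++;
    return n;
}

/* Classic payload: fill buf, replay the canary the attacker believes in, keep
 * the saved rbp harmless, replace the return address.  Returns the length. */
size_t build_payload(uint8_t out[40], const uint8_t canary_guess[8], uint64_t new_ret) {
    memset(out, 'A', BUF_SZ);
    memcpy(out + BUF_SZ, canary_guess, 8);
    memset(out + BUF_SZ + 8, 'B', 8);
    memcpy(out + BUF_SZ + 16, &new_ret, 8);   /* host byte order, little-endian assumed */
    return 40;
}

/* Length-driven copy (memcpy / read() / fread() style): writes every byte. */
enum outcome run_with_memcpy(const uint8_t *payload, size_t len) {
    struct frame f;
    prologue(&f);
    if (len > sizeof f)
        len = sizeof f;                     /* keeps the model in bounds; real code has no cap */
    memcpy((uint8_t *)&f, payload, len);    /* buf sits at offset 0, so this overflows it */
    return epilogue(&f);
}

/* NUL-terminated copy (strcpy / gets style). */
enum outcome run_with_strcpy(const uint8_t *payload) {
    struct frame f;
    prologue(&f);
    copy_like_strcpy((uint8_t *)&f, payload, sizeof f);
    return epilogue(&f);
}

/* Leak attempt: buf filled with no terminator, then read back the way
 * puts(buf) or printf("%s", buf) would read it.  Stops at canary[0]. */
size_t bytes_leaked_by_puts(void) {
    struct frame f;
    prologue(&f);
    memset(f.buf, 'A', BUF_SZ);
    return len_like_strlen((const uint8_t *)&f, sizeof f);
}

int main(void) {
    static const char *names[] = {"returned normally", "stack smashing detected", "return address hijacked"};
    uint8_t p[40], wrong[8];
    memcpy(wrong, REF_CANARY, 8);
    wrong[7] ^= 1;                          /* one wrong byte is enough to trip the check */
    build_payload(p, REF_CANARY, 0x4141414141414141ULL);
    printf("memcpy, correct canary: %s\n", names[run_with_memcpy(p, 40)]);
    printf("strcpy, correct canary: %s\n", names[run_with_strcpy(p)]);
    build_payload(p, wrong, 0x4141414141414141ULL);
    printf("memcpy, wrong canary:   %s\n", names[run_with_memcpy(p, 40)]);
    printf("puts() reads %zu bytes of buf and none of the canary\n", bytes_leaked_by_puts());
    return 0;
}
```

The strcpy case is the one the terminator byte is for: the copy stops after writing the 0x00 that is already there, so the canary survives and the return address is never touched, and the function simply returns. The memcpy case with the correct canary shows the limit of the mitigation: once the value is known and the copy is length-driven, the check passes and the hijacked address would be used.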
When does the stack protector value change?
- On execve() (replace the current process with an ELF file from disk): the loader generates a fresh canary for the new image.
- NOT on fork() (copy the current process): the child inherits the parent's canary unchanged, so every worker of a forking server carries the same value.
Breaking Stack Canary
Use a heap overflow instead of a stack overflow (only the return path of stack frames is checked)!
The canary only guards the saved return address of stack frames, so an attacker's first option is to circumvent it: overflow the heap, use a format-string write or any other bug that does not pass through the canary slot, or overwrite data in the same frame that is reached before the canary, such as a neighbouring array or pointer, since those are never checked. The second option is brute force: because the canary survives fork(), a forking server whose crashed children do not change the parent's canary can be attacked one byte at a time, with at most 256 guesses per byte, so at most 7 x 256 = 1792 attempts for a 64-bit canary with a fixed 0x00 byte instead of 2^56. The third option is to leak it, for example through a format-string read or an out-of-bounds read that reaches the canary slot.
Possible attacks: Circumvent, Brute-Force, Leak Stack Canary
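The byte-at-a-time brute force described above, as an added example that is not part of this page: a C program that plays both sides. It models a forking service locally: the parent sets a canary once, the way the loader does at execve(), and each request is handled by a fork()ed worker that inherits it. The worker overflows the first n bytes of its canary slot with the attacker's guess and aborts on mismatch, exactly as __stack_chk_fail() would, so the only signal the attacker gets is "answered" or "crashed". The canary is simulated in a global rather than read from fs:0x28, /dev/urandom is assumed to exist (with a constructed, insecure fallback), and the worker, oracle and attacker functions are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

/* The canary the loader derives from AT_RANDOM at execve().  Set once in the
 * parent; every fork()ed worker inherits the identical bytes.  Kept as bytes
 * in address order, so g_canary[0] is the terminator byte. */
static uint8_t g_canary[8];

/* Mimic _dl_setup_stack_chk_guard(): random bytes with the lowest one cleared. */
void init_canary_like_execve(void) {
    FILE *ur = fopen("/dev/urandom", "rb");
    if (!ur || fread(g_canary, 1, 8, ur) != 8) {
        /* constructed fallback for hosts without /dev/urandom; not secure */
        uint64_t v = 0x9e3779b97f4a7c15ULL ^ ((uint64_t)getpid() << 17);
        memcpy(g_canary, &v, 8);
    }
    if (ur)
        fclose(ur);
    g_canary[0] = 0x00;
}

void current_canary(uint8_t out[8]) { memcpy(out, g_canary, 8); }

/* A forked worker handling one request.  Its frame holds the inherited canary;
 * the request overflows the first n bytes of that slot with the attacker's
 * guess.  The epilogue check then either passes or aborts the worker, like
 * __stack_chk_fail().  Only "answered" vs "crashed" is visible from outside. */
static void worker(const uint8_t *guess, size_t n) {
    struct rlimit no_core = {0, 0};
    setrlimit(RLIMIT_CORE, &no_core);    /* do not litter core files while guessing */
    uint8_t slot[8];
    memcpy(slot, g_canary, 8);           /* prologue: canary placed in the frame */
    memcpy(slot, guess, n);              /* the overflow */
    if (memcmp(slot, g_canary, 8) != 0)  /* epilogue: mismatch, abort */
        abort();
    _exit(0);
}

/* One oracle query: spawn a worker, feed it an n-byte guess, observe survival.
 * The child is a fork(), not an execve(), so the canary it checks is the parent's. */
static int worker_survives(const uint8_t *guess, size_t n) {
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(1); }
    if (pid == 0)
        worker(guess, n);
    int status;
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); exit(1); }
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Byte-at-a-time recovery.  Byte 0 is the known terminator, so 7 bytes are
 * guessed with at most 256 tries each: at most 1792 crashed workers instead
 * of 2^56 guesses.  Returns 0 on success, -1 if no byte value survived. */
int brute_force_canary(uint8_t recovered[8], int *queries) {
    uint8_t guess[8] = {0};
    int q = 0;
    for (size_t i = 1; i < 8; i++) {
        int found = 0;
        for (int b = 0; b < 256; b++) {
            guess[i] = (uint8_t)b;
            q++;
            if (worker_survives(guess, i + 1)) { found = 1; break; }
        }
        if (!found) { *queries = q; return -1; }
    }
    memcpy(recovered, guess, 8);
    *queries = q;
    return 0;
}

int main(void) {
    uint8_t real[8], found[8];
    int queries;
    init_canary_like_execve();
    current_canary(real);
    if (brute_force_canary(found, &queries) != 0) {
        puts("recovery failed");
        return 1;
    }
    printf("canary recovered after %d crashed workers: ", queries);
    for (int i = 0; i < 8; i++)
        printf("%02x", found[i]);
    printf(" (%s)\n", memcmp(found, real, 8) == 0 ? "matches" : "MISMATCH");
    return 0;
}
```

Each crashed worker is one guess; a service that re-executes itself on crash, or a service whose parent restarts with a new execve(), would reset the canary and defeat this loop, which is why the fork() vs execve() distinction above matters to an attacker.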