Stack Canary

A few days back, I read about stack canaries. I thought I’d blog about it. So here goes…

A stack canary is a mechanism that protects the stack from being corrupted by malicious input. The canary is an extra value placed on the stack after each local buffer in a function's frame. In short, it is inserted in memory wherever there is a return address, right after the buffer, so the layout is buffer, then canary, then return address. If an attacker tries to overwrite the return address, the overflow must therefore overwrite the canary as well. Before execution returns to the (possibly overwritten) address, the program checks whether the canary value has changed. If it has, the program stops immediately instead of returning.

The following figure shows clearly where the canary is placed.

However, there are ways in which this mechanism can be bypassed as well. If the attacker can find out the original value of the canary, they can write that same value back into the canary's location while the buffer is being overflowed and the return address overwritten. Then, when the address loaded into eip is being overwritten and the canary is checked, its value appears unchanged and the check passes.
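To make the layout and the check concrete, here is an added example (not from the original post, and not real compiler instrumentation): a struct models one stack frame with the canary sitting between the buffer and the saved return address, an unbounded copy plays the part of the overflow, and the epilogue check compares the canary against its expected value. The canary and return-address constants are constructed for the demonstration; a real implementation draws the canary from a random value chosen at program start.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated stack frame. The canary sits between the local buffer and the
 * saved return address, so an overflow that reaches the return address has
 * to pass through (and change) the canary first. A real compiler lays the
 * frame out this way on the actual stack; the struct models it in ordinary
 * memory so the check can be exercised safely. */
struct frame {
    char     buf[16];     /* local buffer the input is copied into       */
    uint64_t canary;      /* guard value placed right after the buffer   */
    uint64_t saved_ret;   /* where the return address would live         */
};

/* Constructed values for the demo. A real canary is random per process
 * (GCC keeps it in a thread-local guard slot), so it cannot be read out
 * of the binary. */
#define CANARY_CONSTRUCTED 0xdeadbeefcafebabeULL
#define RET_CONSTRUCTED    0x0000000000401000ULL

/* Copy len bytes into the frame starting at buf with no bounds check on
 * the buffer, the same defect a real stack-smashing bug has. The copy is
 * clamped to the frame size only so the simulation itself stays in
 * bounds of the struct. */
static void unsafe_copy(struct frame *f, const char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)f;   /* f->buf is at offset 0 */
    if (len > sizeof(*f))
        len = sizeof(*f);
    for (size_t i = 0; i < len; i++)
        dst[i] = (unsigned char)src[i];        /* runs into canary/ret */
}

/* Epilogue check: 1 if the canary is intact, 0 if it was altered. */
static int canary_intact(const struct frame *f)
{
    return f->canary == CANARY_CONSTRUCTED;
}

/* Feed one input through the frame. Returns 1 if it would be safe to
 * return, 0 if the canary check detected a smashed frame (real code
 * would abort here via __stack_chk_fail instead of returning). */
int run_input(const char *input, size_t len)
{
    struct frame f;
    f.canary = CANARY_CONSTRUCTED;
    f.saved_ret = RET_CONSTRUCTED;
    unsafe_copy(&f, input, len);
    return canary_intact(&f) ? 1 : 0;
}
```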

References:

[1] Data: http://en.wikipedia.org/wiki/Buffer_overflow_protection

[2] Image: http://www.drdobbs.com/security/anatomy-of-a-stack-smashing-attack-and-h/240001832

4 thoughts on “Stack Canary”

  1. An interesting concept. At the end there you did address the potential flaws in the implementation. A method I toyed with in my early years was having extra code at the start and end of my functions/routines which stored & restored the IP – so even if it was overwritten, it’d just be reset before the return. Do you know whether this has a common name?
