oss-sec mailing list archives
Re: Stack guard canary massaging
From: Seth Arnold <seth.arnold () canonical com>
Date: Wed, 2 Nov 2016 16:52:09 -0600
[keeping only oss-security]

On Mon, Oct 31, 2016 at 11:48:45AM +0100, Florian Weimer wrote:
> This is an elaborate way of setting ret.bytes[0] = '\0'. The intent (determined from an old commit message) is to make it harder to obtain the canary value through a read buffer overflow of a NUL-terminated string: The read overflow will stop at the NUL byte and not include the random canary value, reducing the risk of inappropriate disclosure.

StackGuard used a fixed canary value: CR LF 0x00 0xFF. This was based on the observation that most unsafe stack buffer manipulations were from string operations, and most string-handling functions would trip up on at least one of these values, making it difficult to write the canary with the functions that were used.

ftp://gcc.gnu.org/pub/gcc/summit/2003/Stackguard.pdf

I suspect the leading 0x00 here is for much the same reason, to trip up string writing operations more than string reading.

Thanks
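Added example, not part of this thread or of glibc's or StackGuard's code: a small C model of why a NUL byte in the canary matters on both the read side (the disclosure Florian describes) and the write side (the "trip up string writing operations" point above). The frame layout, the fixed canary values and the placeholder "saved return address" are constructed for illustration; the real canary is random per process and the real frame is laid out by the compiler. The only facts taken from the thread are that the lowest-addressed canary byte is cleared and that StackGuard's terminator canary was CR LF 0x00 0xFF.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    8
#define CANARY_LEN 8

/* Toy frame: an unterminated buffer, then the canary, then the value an
 * overflow wants to reach (stands in for the saved return address). The
 * slack bytes give strcpy()'s terminating NUL somewhere legal to land. */
struct frame {
    char          buf[BUF_LEN];
    unsigned char canary[CANARY_LEN];
    uint64_t      saved_ret;
    char          slack[8];
};

/* Constructed canary values (fixed here; the real one is random per process).
 * canary[0] is the lowest-addressed byte, i.e. the first byte an overflow
 * running upward from buf reaches (the least significant byte on little-endian). */
static const unsigned char CANARY_WITH_NUL[CANARY_LEN] =
    { 0x00, 0x9f, 0x3c, 0x71, 0xd2, 0x08, 0xe4, 0x5b };
static const unsigned char CANARY_NO_NUL[CANARY_LEN] =
    { 0x6a, 0x9f, 0x3c, 0x71, 0xd2, 0x08, 0xe4, 0x5b };
/* StackGuard's fixed terminator canary, as quoted above: CR LF NUL 0xFF. */
static const unsigned char STACKGUARD_TERMINATOR[4] = { 0x0d, 0x0a, 0x00, 0xff };

static void frame_init(struct frame *f, const unsigned char *canary)
{
    memset(f, 0, sizeof *f);
    memset(f->buf, 'A', BUF_LEN);            /* buffer full, no NUL inside it */
    memcpy(f->canary, canary, CANARY_LEN);
    f->saved_ret = 0x1122334455667788ULL;    /* placeholder "return address" */
}

/* Read side: how many canary bytes a NUL-terminated read of buf (strlen,
 * printf("%s"), strcpy out of the frame) would disclose. The scan is bounded
 * to buf+canary so the model itself stays within defined behaviour. */
static size_t canary_bytes_leaked(const struct frame *f)
{
    const unsigned char *p = (const unsigned char *)f;
    size_t n = 0;
    while (n < BUF_LEN + CANARY_LEN && p[n] != '\0')
        n++;                                 /* a string read stops at NUL */
    return n > BUF_LEN ? n - BUF_LEN : 0;
}

/* Write side: an attacker who already knows the canary builds
 * filler + canary + new return value and delivers it through strcpy().
 * Returns 1 only if the canary survives intact AND saved_ret was replaced. */
static int smash_with_strcpy(struct frame *f, const unsigned char *canary, uint64_t new_ret)
{
    unsigned char payload[BUF_LEN + CANARY_LEN + sizeof new_ret + 1];
    memset(payload, 'A', BUF_LEN);
    memcpy(payload + BUF_LEN, canary, CANARY_LEN);
    memcpy(payload + BUF_LEN + CANARY_LEN, &new_ret, sizeof new_ret);
    payload[sizeof payload - 1] = '\0';

    strcpy((char *)f, (const char *)payload); /* the unsafe copy: stops at the first NUL */

    return memcmp(f->canary, canary, CANARY_LEN) == 0 && f->saved_ret == new_ret;
}

/* Bitmask of which string-terminating bytes a canary contains:
 * bit0 NUL (stops strcpy/strcat/sprintf), bit1 LF (stops gets/fgets),
 * bit2 CR, bit3 0xFF (EOF as an int for getc-style loops). */
static unsigned terminator_bytes(const unsigned char *c, size_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++) {
        if (c[i] == 0x00) mask |= 1u;
        if (c[i] == 0x0a) mask |= 2u;
        if (c[i] == 0x0d) mask |= 4u;
        if (c[i] == 0xff) mask |= 8u;
    }
    return mask;
}

/* Scenario wrappers so each case yields a plain value. */
static size_t leak_for(const unsigned char *canary)
{
    struct frame f;
    frame_init(&f, canary);
    return canary_bytes_leaked(&f);
}

static int smash_for(const unsigned char *canary)
{
    struct frame f;
    frame_init(&f, canary);
    return smash_with_strcpy(&f, canary, 0xdeadbeefcafef00dULL);
}

int main(void)
{
    printf("leading NUL: leaked %zu canary bytes, strcpy smash %s\n",
           leak_for(CANARY_WITH_NUL), smash_for(CANARY_WITH_NUL) ? "reached ret" : "stopped");
    printf("no NUL:      leaked %zu canary bytes, strcpy smash %s\n",
           leak_for(CANARY_NO_NUL), smash_for(CANARY_NO_NUL) ? "reached ret" : "stopped");
    printf("StackGuard terminator mask: 0x%x\n",
           terminator_bytes(STACKGUARD_TERMINATOR, sizeof STACKGUARD_TERMINATOR));
    return 0;
}
```

With the NUL-prefixed canary the string read stops at the buffer's end and discloses nothing, and the strcpy-delivered payload stops at the same byte, so the return slot is never reached even though the canary compares equal. With no NUL in the canary the same read leaks all eight bytes and the same strcpy walks straight through to the return slot. Note what the NUL does not do: a memcpy or read()-style overflow with an attacker-controlled length is unaffected, which is why the canary still has to be random.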
Current thread:
- Stack guard canary massaging Florian Weimer (Oct 31)
- Re: Stack guard canary massaging Solar Designer (Oct 31)
- Re: [kernel-hardening] Re: Stack guard canary massaging Daniel Micay (Oct 31)
- Re: Stack guard canary massaging Seth Arnold (Nov 02)
- Re: Stack guard canary massaging Solar Designer (Oct 31)