Date: Wed, 2 Nov 2016 16:52:09 -0600
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Stack guard canary massaging

[keeping only oss-security]

On Mon, Oct 31, 2016 at 11:48:45AM +0100, Florian Weimer wrote:
> This is an elaborate way of setting ret.bytes = '\0'.
>
> The intent (determined from an old commit message) is to make it harder to
> obtain the canary value through a read buffer overflow of a NUL-terminated
> string: The read overflow will stop at the NUL byte and not include the
> random canary value, reducing the risk of inappropriate disclosure.

StackGuard used a fixed canary value: CR LF 0x00 0xFF. This was based on the
observation that most unsafe stack buffer manipulations were from string
operations, and most string-handling functions would trip up on at least one
of these values, making it difficult to write the canary with the functions
that were used.

ftp://gcc.gnu.org/pub/gcc/summit/2003/Stackguard.pdf

I suspect the leading 0x00 here is for much the same reason, to trip up
string writing operations more than string reading.

Thanks
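The two effects discussed in the thread, the leading NUL byte cutting short a string read that runs off the end of a buffer and cutting short a string write that tries to run through the canary, can be shown on a small byte-level model of a stack frame. The code below is an added example written for this archive page; it is not from the thread, from glibc or from StackGuard. It assumes a constructed little-endian frame layout (a 16-byte string buffer, then an 8-byte canary, then the 8-byte saved return address) and models strlen-style reads and strcpy-style writes with bounded loops, so nothing here touches real stack memory. The `massage_canary` helper is the zeroing of the first byte that Florian describes; the canary and return-address values are constructed, not real.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a stack frame for this example, not the real layout
 * emitted by any compiler: a 16-byte string buffer, then the 8-byte canary,
 * then the 8-byte saved return address, at increasing offsets. */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (CANARY_OFF + 8)
#define FRAME_SIZE (RET_OFF + 8)

struct frame { unsigned char bytes[FRAME_SIZE]; };

enum outcome { RET_UNCHANGED, CANARY_TRIPPED, RET_CHANGED_CANARY_INTACT };

static void store_le64(unsigned char *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i));
}

static uint64_t load_le64(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* The massaging under discussion: force the lowest byte to 0x00, so on a
 * little-endian machine the canary's first byte in memory is a NUL. */
uint64_t massage_canary(uint64_t raw) { return raw & ~(uint64_t)0xff; }

static void init_frame(struct frame *f, uint64_t canary, uint64_t ret) {
    memset(f->bytes, 'A', BUF_SIZE);            /* buffer holds non-NUL string data */
    store_le64(f->bytes + CANARY_OFF, canary);
    store_le64(f->bytes + RET_OFF, ret);
}

/* Bounded stand-in for strlen/puts/printf("%s") running off the end of the
 * buffer: scan until the first NUL byte, never past the modelled frame. */
static size_t string_read_length(const struct frame *f) {
    size_t n = 0;
    while (n < FRAME_SIZE && f->bytes[n] != '\0') n++;
    return n;
}

/* Number of canary bytes (0..8) such a read would emit for a given canary. */
size_t canary_bytes_readable(uint64_t canary) {
    struct frame f;
    init_frame(&f, canary, 0x0102030405060708ULL); /* constructed saved return address */
    size_t n = string_read_length(&f);
    if (n <= CANARY_OFF) return 0;
    return (n - CANARY_OFF) > 8 ? 8 : n - CANARY_OFF;
}

/* Bounded stand-in for strcpy's write behaviour: copy until the source's NUL,
 * continuing past the buffer into the canary and return slot as an overflow
 * would, but never past the modelled frame. The terminator is written too. */
static void string_copy_into_buffer(struct frame *f, const unsigned char *src) {
    size_t i = 0;
    while (i < FRAME_SIZE && src[i] != '\0') { f->bytes[i] = src[i]; i++; }
    if (i < FRAME_SIZE) f->bytes[i] = '\0';
}

/* Outcome of a string copy that overflows the buffer, where the source carries
 * `carried_canary` in the canary slot and `new_ret` in the return slot, against
 * a frame protected by `real_canary`. */
enum outcome simulate_string_overflow(uint64_t real_canary, uint64_t carried_canary,
                                      uint64_t new_ret) {
    const uint64_t old_ret = 0x0102030405060708ULL;   /* constructed */
    struct frame f;
    init_frame(&f, real_canary, old_ret);

    unsigned char src[FRAME_SIZE + 1];
    memset(src, 'A', BUF_SIZE);
    store_le64(src + CANARY_OFF, carried_canary);
    store_le64(src + RET_OFF, new_ret);
    src[FRAME_SIZE] = '\0';

    string_copy_into_buffer(&f, src);   /* stops at the first 0x00 in src */

    if (load_le64(f.bytes + CANARY_OFF) != real_canary) return CANARY_TRIPPED;
    if (load_le64(f.bytes + RET_OFF) != old_ret) return RET_CHANGED_CANARY_INTACT;
    return RET_UNCHANGED;
}

int main(void) {
    uint64_t plain = 0x1122334455667788ULL;      /* constructed, no zero byte */
    uint64_t massaged = massage_canary(plain);   /* 0x1122334455667700 */
    printf("canary bytes readable: plain=%zu massaged=%zu\n",
           canary_bytes_readable(plain), canary_bytes_readable(massaged));
    printf("string copy past a known plain canary: %d\n",
           simulate_string_overflow(plain, plain, 0x1111111111111111ULL));
    printf("string copy past a known massaged canary: %d\n",
           simulate_string_overflow(massaged, massaged, 0x1111111111111111ULL));
    return 0;
}
```

With the plain canary, a string read off the end of the buffer emits all eight canary bytes, and a string copy that already carries the right canary bytes reaches the return slot with the canary still intact. With the massaged canary, the read stops at offset 16 and emits none of them, and the copy cannot both keep the canary intact and reach the return slot: either the terminator lands on the canary's NUL and the copy ends there, or the copy carries a non-NUL byte into that position and the canary check trips. That is the read-side benefit Florian describes and the write-side benefit Seth attributes to StackGuard's fixed value.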