Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 2 Nov 2016 16:52:09 -0600
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Stack guard canary massaging

[keeping only oss-security]

On Mon, Oct 31, 2016 at 11:48:45AM +0100, Florian Weimer wrote:
> This is an elaborate way of setting ret.bytes[0] = '\0'.
> 
> The intent (determined from an old commit message) is to make it harder to
> obtain the canary value through a read buffer overflow of a NUL-terminated
> string: The read overflow will stop at the NUL byte and not include the
> random canary value, reducing the risk of inappropriate disclosure.

StackGuard used a fixed canary value: CR LF 0x00 0xFF. This was based on
the observation that most unsafe stack buffer manipulations were from
string operations, and most string-handling functions would trip up on at
least one of these values, making it difficult to write the canary with
the functions that were used.

ftp://gcc.gnu.org/pub/gcc/summit/2003/Stackguard.pdf

I suspect the leading 0x00 here is for much the same reason, to trip up
string writing operations more than string reading.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.