Canary value: Difference between revisions
imported>Subpagination Bot m (Add {{subpages}} and remove any categories (details)) |
imported>Eric M Gearhart (summarized where Canary value gets its name) |
||
Line 16: | Line 16: | ||
date=Retreived 12-April-2007}} | date=Retreived 12-April-2007}} | ||
</ref> | </ref> | ||
The name "Canary value" is taken from a common practice during the history of mining operations. A Canary is brought into the mine while work is being done, and if the Canary dies (presumably because of something dangerous in the air such as a poisonous gas) the miners know to get out of the mine before they breathe too much of whatever happened to kill the Canary. | |||
==See Also== | ==See Also== |
Revision as of 09:02, 1 July 2009
In computer science, and in particular computer security and code generation, the use of canary values is a strategy to detect buffer overflow attacks at run time, without requiring the programmer to modify any source code. Implemented within a compiler, canary values modify a program's stack frame to detect---but not prevent---buffer overflow attacks, imposing a worst case behavior for the system under attack. Notable examples of canary value systems are StackGuard and ProPolice.
The method is simple. The compiler generates additional instructions, so that the function prologue will add a so-called canary value to the stack frame between the return address and the local variables. This canary value is a random number chosen when the program begins. Then, additional instructions are inserted into the function epilogue which check the canary value, as it appears in the stack frame. If incorrect, the new instructions cause the program to go into a fail-safe mode (usually immediate termination), as to control the program's worst-case behavior while under attack. Canary values can work, because most stack smashing attacks which successfully overwrites the return address will also overwrite the canary value, and it is unlikely that the attacker will be able to guess the canary value. [1]
At least four attacks have been developed against this sort of protection. [2]
The name "Canary value" is taken from a common practice during the history of mining operations. A Canary is brought into the mine while work is being done, and if the Canary dies (presumably because of something dangerous in the air such as a poisonous gas) the miners know to get out of the mine before they breathe too much of whatever happened to kill the Canary.
See Also
References
- ↑ "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks" (Retreived 12-April-2007).
- ↑ "Four different tricks to bypass StackShield and StackGuard protection" (Retreived 12-April-2007).