
Hacking Blind: Defeating stack overflow canaries - pjungwir
https://blog.acolyer.org/2016/06/22/hacking-blind/
======
pjungwir
I'm not a security specialist, but I found this summary of a 2014 article
accessible and fascinating. As best I understand it, processes include a
secret 8-byte "canary" in each stack frame, so that they can detect buffer
overflows and simply crash. Normally an 8-byte value is unguessable, but if
the process runs under a supervisor the canary is not re-initialized after a
crash (I don't understand why?), so if the attacker can perceive a crash vs
not-crash, they can guess one byte at a time, which is much faster. It's like
breaking a combination bike lock where you can feel if each individual number
is right, so you don't have to guess the whole combo at once. Incidentally,
isn't this how Hollywood always shows it happening in the movies? The first
number stops spinning, then the second, etc. That has always bugged me, but
perhaps they aren't so far off. :-)
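The bike-lock picture above can be made concrete with a small simulation. The following is an added example, not code from the paper, the blog post or the commenter. It models two toy "servers" whose only observable behaviour is whether a request crashed (canary mismatch) or survived: one that respawns crashed workers with fork(), which copies the parent's memory and therefore the same canary (this is the "not re-initialized" case the comment asks about), and one that respawns them with exec(), so each new worker starts with a fresh random canary. The guessing loop uses nothing but that crash/no-crash signal. Class and function names, the seeded RNG standing in for the kernel's random source, and the 8-byte canary length are assumptions of the example.

```python
"""Simulation of byte-at-a-time stack-canary recovery against a forking
server, and of the re-exec mitigation that defeats it.  Added example; nothing
here touches a real process: the "server" is a Python object that reports
only whether a request crashed (canary check failed) or survived."""
import random

CANARY_LEN = 8  # 8-byte canary, as on 64-bit platforms (assumption)


class ForkWorker:
    """Server that fork()s a worker per request and re-forks after a crash.
    fork() copies the parent's memory, so every worker carries the same
    canary for the life of the parent process."""

    def __init__(self, rng):
        self.rng = rng  # stands in for the kernel's random source
        self.canary = bytes(rng.getrandbits(8) for _ in range(CANARY_LEN))
        self.crashes = 0

    def _on_crash(self):
        self.crashes += 1  # canary unchanged: parent respawns via fork()

    def request(self, overwrite):
        """Overwrite the first len(overwrite) canary bytes.  Returns True if
        the worker survived (every written byte matched), False if the canary
        check failed and the worker crashed."""
        if overwrite == self.canary[:len(overwrite)]:
            return True
        self._on_crash()
        return False


class ReExecWorker(ForkWorker):
    """Same server, but a crashed worker is replaced by exec() of a fresh
    process image, so the new worker gets a new random canary."""

    def _on_crash(self):
        self.crashes += 1
        self.canary = bytes(self.rng.getrandbits(8) for _ in range(CANARY_LEN))


def guess_byte_at_a_time(server, max_requests=CANARY_LEN * 256):
    """Recover the canary one byte at a time using only the crash/no-crash
    signal, like feeling each wheel of a combination lock.  Returns
    (canary, requests_used) on success or (None, requests_used) if the
    budget runs out or the recovered value no longer passes as a whole."""
    known = b""
    requests = 0
    while len(known) < CANARY_LEN and requests < max_requests:
        for b in range(256):
            requests += 1
            if server.request(known + bytes([b])):
                known += bytes([b])  # this byte held: the worker survived
                break
            if requests >= max_requests:
                break
    if len(known) == CANARY_LEN and server.request(known):
        return known, requests
    return None, requests


def compare(seed=1234):
    """Run the same guessing loop against both server models and return
    (fork_result, fork_requests, reexec_result, reexec_requests)."""
    forking = ForkWorker(random.Random(seed))
    got_fork, n_fork = guess_byte_at_a_time(forking)
    reexec = ReExecWorker(random.Random(seed))
    got_reexec, n_reexec = guess_byte_at_a_time(reexec)
    return got_fork == forking.canary, n_fork, got_reexec, n_reexec


if __name__ == "__main__":
    ok, n1, res2, n2 = compare()
    print(f"fork() server:  recovered={ok} in {n1} requests "
          f"(upper bound {CANARY_LEN * 256}, versus 2**64 for a blind guess)")
    print(f"re-exec server: recovered={res2 is not None} after {n2} requests")
```

Against the forking model the loop needs at most 8 × 256 = 2048 requests instead of 2^64, because each surviving request confirms one byte and the canary stays put between crashes. Against the re-exec model a crash discards the partially recovered prefix along with the old canary, so the same loop exhausts its budget with nothing to show; that difference is the whole mitigation.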

