6

/GS compiler option Micorsoft developed added an extra cookie before the return address and before returning the cookie is checked, if it is intact then return address is safe

why ever would this assumption hold ? In my understanding this just makes hacker's lives a bit harder to now keeping the cookie intact.

zinking
  • 161
  • 1
  • 1
  • 5

2 Answers2

7

The stack cookie (also known as "canary") does not prevent the return address from being overwritten, but it increases the chances that the code notices the overwrite before fatefully following the overwritten return address.

This is heuristic: the idea is that most buffer overflows which end up with overwriting the return address proceed sequentially from a stack buffer, one the "other side" of the cookie slot, thus will also overwrite the cookie. "Keeping the cookie intact" requires that the attacker can somehow make a "jumping overflow" (it happens, but rarely) or can obtain the cookie value so that he can overwrite the cookie value with itself. Obtaining the cookie value is hard since it is normally chosen randomly at execution time (details vary depending on the OS and OS version), and not advertised; in some rare situations, the attacker can obtain the cookie value indirectly from the consequences of another exploitable vulnerability.

In practice the stack cookie makes the attacker's life a bit harder, but for a quite big bit. It is not 100% effective, as a defence mechanism, but it is not trivially worked around either.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
0

A stack canary protects the return address on the stack by first checking the canary value before moving the return address from the stack to the EIP. In order to overwritten the return address on the stack with a stack based buffer overflow the canny must be over written. If it is known that the return address on the stack was overwritten then program can exit safely without passing the flow of execution to the attacker.

rook
  • 47,004
  • 10
  • 94
  • 182