I was reading the Wikipedia article on this subject and it states that when a program starts, the canary is calculated at random, stored in a local variable (which I presume was introduced by the compiler) and is padded by unmapped pages, but I'm having problems understanding what that actually means. Is it that this global variable is mapped to a different page than that of the program and therefore has different access flags? If not, then why can't an attacker sneak a peek at this value?
4
-
An attacker _can_ peek at the value if they have an arbitrary read primitive. – forest Aug 18 '19 at 06:41
1 Answer
3
It would be clearer to say that the reference copy of the canary value is surrounded by unmapped pages. That is, the page containing the canary value has at least one unmapped page immediately before it and one unmapped page immediately after. The goal is to make it unlikely that an attacker can read or modify this value. To reach this value, an attacker needs to find a vulnerability that allows reads or writes at an arbitrary address. A buffer overflow or underflow can't reach the canary value because it would first access one of these unmapped pages and crash the program.
Gilles 'SO- stop being evil'
-
Just one more thing, since this page would probably contain only the canary value, does it mean that the rest of the page is being wasted? – Trey Aug 20 '19 at 00:44
-
@Trey Maybe. I don't know how common runtimes do it. The page could contain other data that isn't in an array with a risk of a counter overflow. – Gilles 'SO- stop being evil' Aug 20 '19 at 12:59
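The layout Gilles describes, modelled in C as an added example. This is not code from the post, and it is not how any particular runtime stores its canary (glibc, for instance, keeps the reference copy in the thread control block, at %fs:0x28 on x86-64, rather than on a page padded with guard pages). The names canary_region, scan_reaches, arbitrary_read and arbitrary_write are my own. One anonymous mapping of five pages is laid out as [buf_lo][guard][canary][guard][buf_hi], where the guard pages are made PROT_NONE so they behave like unmapped pages; buf_lo and buf_hi stand in for attacker-controlled buffers. A byte-by-byte walk from either buffer toward the canary, which is what an overflow or underflow does, faults on the guard page before it can touch the canary, while a direct access at the canary's address (an arbitrary read/write primitive, as forest's comment notes) succeeds. Faults are caught with sigsetjmp/siglongjmp so the demonstration can report them instead of dying. Linux or macOS, compile with `cc -O2 canary_guard.c`.

```c
/* Guard-page-padded canary reference copy: a model of the scheme in the answer,
 * not any runtime's real implementation. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {
    uint8_t   *base;    /* start of the five-page mapping */
    size_t     page;    /* page size */
    uint8_t   *buf_lo;  /* page 0: buffer below the canary */
    uintptr_t *canary;  /* page 2: reference copy of the canary */
    uint8_t   *buf_hi;  /* page 4: buffer above the canary */
} canary_region;

static sigjmp_buf fault_env;

/* A memory fault (SIGSEGV on Linux, SIGBUS on some BSD/macOS builds) unwinds
 * back to the sigsetjmp in scan_reaches instead of killing the process. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

static int install_fault_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;   /* handler may run again after we siglongjmp out */
    sigemptyset(&sa.sa_mask);
    return (sigaction(SIGSEGV, &sa, NULL) == 0 &&
            sigaction(SIGBUS, &sa, NULL) == 0) ? 0 : -1;
}

/* Fill the canary from /dev/urandom, as a runtime would at program start. */
static int fill_random(void *dst, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(dst, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

static int canary_region_init(canary_region *r) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || install_fault_handler() != 0) return -1;
    r->page = (size_t)ps;
    r->base = mmap(NULL, 5 * r->page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r->base == MAP_FAILED) return -1;
    /* Pages 1 and 3 become the "unmapped" padding: no access at all. */
    if (mprotect(r->base + 1 * r->page, r->page, PROT_NONE) != 0 ||
        mprotect(r->base + 3 * r->page, r->page, PROT_NONE) != 0) return -1;
    r->buf_lo = r->base;
    r->canary = (uintptr_t *)(r->base + 2 * r->page);
    r->buf_hi = r->base + 4 * r->page;
    return fill_random(r->canary, sizeof *r->canary);
}

static void canary_region_destroy(canary_region *r) {
    munmap(r->base, 5 * r->page);
    memset(r, 0, sizeof *r);
}

/* Walk byte by byte from 'from' to 'to' (either direction), the way a linear
 * overflow or underflow would. Returns 1 if 'to' was reached with every byte
 * readable, 0 if a fault (a guard page) was hit first. */
static int scan_reaches(const uint8_t *from, const uint8_t *to) {
    const volatile uint8_t *p = from;
    ptrdiff_t step = (to >= from) ? 1 : -1;
    volatile uint8_t sink;
    if (sigsetjmp(fault_env, 1) != 0)
        return 0;                   /* landed on a PROT_NONE page */
    for (;;) {
        sink = *p;                  /* volatile: the read is not optimised away */
        if (p == to) return 1;
        p += step;
    }
}

/* What an arbitrary read/write primitive gives the attacker: a single access at
 * the target address, so the guard pages are never touched. */
static uintptr_t arbitrary_read(const uintptr_t *addr) { return *(const volatile uintptr_t *)addr; }
static void arbitrary_write(uintptr_t *addr, uintptr_t v) { *(volatile uintptr_t *)addr = v; }

int main(void) {
    canary_region r;
    if (canary_region_init(&r) != 0) { perror("init"); return 1; }
    printf("overflow from buf_lo reaches canary:  %d\n", scan_reaches(r.buf_lo, (const uint8_t *)r.canary));
    printf("underflow from buf_hi reaches canary: %d\n", scan_reaches(r.buf_hi, (const uint8_t *)r.canary));
    printf("arbitrary read of canary: 0x%lx\n", (unsigned long)arbitrary_read(r.canary));
    canary_region_destroy(&r);
    return 0;
}
```

Both scans report 0 and the direct read returns the random value, which is the whole argument of the answer in one run: padding defends only against accesses that have to cross the padding. It also shows the waste Trey asks about in a concrete form: three of the five pages here hold at most one machine word of useful data.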