Editing Buffer overflow protection (section)

==Canaries==
{{Unreferenced section|date=November 2023}}
''Canaries'' or ''canary words'' or ''stack cookies'' are known values that are placed between a buffer and control data on the stack to monitor buffer overflows. When the buffer overflows, the first data to be corrupted will usually be the canary, and a failed verification of the canary data will therefore alert of an overflow, which can then be handled, for example, by invalidating the corrupted data.  A canary value should not be confused with a  [[sentinel value]].

The terminology is a reference to the historic practice of using [[animal sentinel#Toxic gases|canaries in coal mines]], since they would be affected by toxic gases earlier than the miners, thus providing a biological warning system.  Canaries are alternately known as ''stack cookies'', which is meant to evoke the image of a "broken cookie" when the value is corrupted.

There are three types of canaries in use: ''terminator'', ''random'', and ''random [[XOR]]''. Current versions of StackGuard support all three, while ProPolice supports ''terminator'' and ''random'' canaries.

===Terminator canaries===
''Terminator canaries'' use the observation that most buffer overflow attacks are based on certain string operations which end at string terminators. The reaction to this observation is that the canaries are built of [[null character|null]] terminators, [[Carriage return|CR]], LF, and [[Page_break#Form_feed|FF]]. As a result, the attacker must write a null character before writing the return address to avoid altering the canary. This prevents attacks using <code>strcpy()</code> and other methods that return upon copying a null character, while the undesirable result is that the canary is known. Even with the protection, an attacker could potentially overwrite the canary with its known value and control information with mismatched values, thus passing the canary check code, which is executed soon before the specific processor's return-from-call instruction.

===Random canaries===
''Random canaries'' are randomly generated, usually from an [[entropy (computing)|entropy]]-gathering [[daemon (computer software)|daemon]], in order to prevent an attacker from knowing their value. Usually, it is not logically possible or plausible to read the canary for exploiting; the canary is a secure value known only by those who need to know it&mdash;the buffer overflow protection code in this case.

Normally, a random canary is generated at program initialization, and stored in a global variable. This variable is usually padded by unmapped pages so that attempting to read it using any kinds of tricks that exploit bugs to read off RAM cause a segmentation fault, terminating the program. It may still be possible to read the canary if the attacker knows where it is or can get the program to read from the stack.

===Random XOR canaries===
''Random XOR canaries'' are random canaries that are XOR-scrambled using all or part of the control data. In this way, once the canary or the control data is clobbered, the canary value is wrong.

Random XOR canaries have the same vulnerabilities as random canaries, except that the "read from stack" method of getting the canary is a bit more complicated. The attacker must get the canary, the algorithm, and the control data in order to re-generate the original canary needed to spoof the protection.

In addition, random XOR canaries can protect against a certain type of attack involving overflowing a buffer in a structure into a pointer to change the pointer to point at a piece of control data. Because of the XOR encoding, the canary will be wrong if the control data or return value is changed. Because of the pointer, the control data or return value can be changed without overflowing over the canary.

Although these canaries protect the control data from being altered by clobbered pointers, they do not protect any other data or the pointers themselves. Function pointers especially are a problem here, as they can be overflowed into and can execute [[shellcode]] when called.