1 comment

[ 2.6 ms ] story [ 8.9 ms ] thread
I'm not a security specialist, but I found this summary of a 2014 article accessible and fascinating. As best I understand it, processes include a secret 8-byte "canary" in each stack frame, so that they can detect buffer overflows and simply crash. Normally an 8-byte value is unguessable, but if the process runs under a supervisor the canary is not re-initialized after a crash (I don't understand why?), so if the attacker can perceive a crash vs not-crash, they can guess one byte at a time, which is much faster. It's like breaking a combination bike lock where you can feel if each individual number is right, so you don't have to guess the whole combo at once. Incidentally, isn't this how Hollywood always shows it happening in the movies?: the first number stops spinning, then the second, etc. That has always bugged me, but perhaps they aren't so far off. :-)