what ever happened to buffer overflows?
VloĆŸit
- Äas pĆidĂĄn 22. 03. 2023
- Keep on learning with Brilliant at brilliant.org/LowLevelLearning. Get started for free, and hurry - the first 200 people get 20% off an annual premium subscription with my URL! Thanks again Brilliant for sponsoring this video!
You may have heard the term, buffer overflow, but you may never have heard of the little bird protecting you from this evil attack. These hero's of the night are "stack canaries", and, whether you realize it or not, they've been hiding in your code for years.
In this video, we discuss what stack canaries are, what they look like, and how they protect your code from attack.
đ« COURSES đ«
www.udemy.com/course/c-progra...
đ„đ„đ„ SOCIALS đ„đ„đ„
Low Level Merch!: lowlevel.store/
Follow me on Twitter: / lowleveltweets
Follow me on Twitch: / lowlevellearning
Join me on Discord!: / discord - VÄda a technologie
GO TRY OUT BRILLIANT GOGOGOGOGOGOGO brilliant.org/LowLevelLearning
I know, go is a great language
where are you pimping your merch at?
@@Stopinvadingmyhardware I second that.
really just hit me with the ad spot flashbang
Fun fact! The "canary in the coal mine" didn't actually die. That bottle on the top of the cage? That's so that if the bird passes out, the miner can fill the cage with oxygen and the bird recovers
Only after the invention of the Canary Resuscitator, but even after that they often just had tiny little square cages that did not have resuscitators on them. Mostly they were used after a mine explosion by the rescue team trying to save miners. If the canary showed signs of distress, they would pull the rescue team and the canary out, so it didn't usually die at least.
@@Isaacrl67 But the question on everyone's mind is: which is better, a dead canary or a canary with hypoxia induced brain damage??
@@sootikins Well, if it can still detect carbon monoxyde...
I don't have birds in my code. Only bugs...
PORQUE NO LOS DOS
porque se come los bugs :(
You know, canary eats bugs
be aware bugs attract birds
This thread reminds me of the incident where one of Mao's five-year plans involved eliminating Eurasian tree sparrows, which resulted in a huge increase in locusts.
The lesson being, keep some of those birds around, you might need them to fight the bugs.
Birds and programming absolutely mix.
I am a bird.
I program. Your videos are awesome. Please keep it up!
Also, respect the canaries. Both kinds.
Chirp! =)
@@IngwiePhoenix Chirp chirp! :D
CHIIIIRP
đ„đ«
@@CodingSunset Not sure what you mean there.
In the late 80âs/early 90âs I had a computer with a small executable file running at the end of the autoexec file.
All it did was saying âThe canary bird is alive and all is well.â
Until one day it said:
âThe canary bird is dead.â
It was an exe file that checked an internal checksum, and if it was changed, the canary was dead, and you knew that you had been infected by a computer virus.
Brilliant ! how it works ?
â@@davidtalysson4175 my friend have you read the comment
@@davidtalysson4175 a lot of viruses infected a computer by inserting themselves into executable files as they're run. Changing a file changes its checksum so the next time the computer starts, it sees the checksum mismatch and outputs that message.
RIP stack canary. He died for our sins. đ
There actually are heap canaries! You just have to call `mprobe()` on the buffer after you finish any risky operation.
Unfortunately since nobody actually "owns" heap memory, the compiler can't just automatically insert this check at every function return.
Alternately, you can ask nicely to have the compiler try to make its best guess by calling `mcheck()` or passing `-lmcheck` when linking.
You can also do one better if you use a more paranoid allocator that uses separate virtual memory pages for each allocation and flanks them with guard pages -- that way, you get an automatic hardware exception any time something even _reads_ outside each buffer's closest 4096-byte block. (That is, in fact, what a segfault is; guard pages just make segfaults happen for buffers in the middle of the heap too, not just at the end.)
Alternatively, you can rewrite it in Rust!
@@cFyugThCzvAqYaGmxRgfCKTuvHMEjQ Fuck Rust, Rust is the reason Devs get dumber, and move away from the Hardware. Also the reason why a browser takes 500MB ram, instead of the 50M that it should take max.
or use AddressSanitizer
Absolutely, great videos. I haven't done much C since Uni, but need to get back into it. These videos definitely help inspire me to do that, keep up the great work man!
Great to hear!
I used to place variables with test values manually at the end of arrays for testing, these days I use "-fsanitize=address" with gcc, great feature.
Clang and MSVC also have address sanitizer
"Here we have a C code..." - there You go You have find Your first canary.
I guess the main problem with heap memory is knowing when to check it... But I saw another comment referring to heap canaries, which is cool! There should be support for automatic checks in some of the std memory containers, e.g. after passing the .data() pointer of a std::vector
Also, fun fact! Canary bytes were re-implemented on things that don't natively support them. FreeRTOS, a popular microcontroller scheduler, allows the placement of canary bytes too. It's very useful!
Tried stack based overflows for educational purposes on self written binarys and i was wondering why my arbitrary shellcode was not executed besides NX turned off. I will go and check for canarys. Thanks!
UPDATE: Yes it has canary
Some notes on canaries:
- Based on idea of âcanary in a coal mineâ
- AKA Stack Cookies
- Method: Random number is placed between local variables on the stack and the return address on the stack
~**Before you return from a function you check that random number and ask if it's corrupted or not. If safe return; If not *buffer may have floweth'd over*
- *USUALLY* Added by compiler
Canaries are a form of Mitigation because the principal falls under certain ASSUMPTIONS:
//In the words of a good friend - Never make Assumptions.
1) Linear-writing buffer overflows will corrupt the canary, and that corruption will be detected before anything bad can happen.
2) It's Hard for attacker to guess the 32/64-bit random number.
3) Not possible for attacker to read the number and then write the same number back as part of the overflow.
***Assumptions ( each of these could be violated by an attacker )
--- if attacker has control of destination pointer.
--- Did the implementers have adequate randomization for the 32/64-bit number? Is there a chance the attacker can guess it?
--- Can the attacker read the canary? If they can read the canary then they could write back the exact value while they're doing the linear buffer overflow.
(depends on information disposal)
- At the end of the day canaries are a cheap, good exploit mitigation mechanism that should be enabled.
Why use a random number and not just use the actual return address?
@@williamdrum9899 my guess is that a random number always will be harder to guess for an attacker trying to exploit your code?
"Here I wrote some C code-" ah, I see the problem
"that's vulnerable" reduntant
What a great channel, subbed
omg thank you for this. i was using ghidra for the first time today and was wondering what that fs:offset and chk stack fail were
Now I understand why Microsoft calls their nightly Edge builds canary builds.
The heap can be protected by specifying the max size of the heap in the linker, and then creating small section of the memory at the end of the heap that has no write permission flag on
Does this trigger a hard fault like IRQ 3 in arm cortex-m0+?
This happened to me just yesterday with "char query[1024];" and then copy/paste "memset(query, 0x00, 2048);". Too bad you didn't post this video yesterday as I had no idea what is wrong :)
That's exactly why magic numbers in your code are bad. The only constants you should ever see in your code are (perhaps) -1, 0, 1 and NULL/null/None.
@@ericbwertz Indeed, BUFSIZ or whatever user defined macro/constant would be best.
Honestly I don't have a problem with magic numbers if they're powers of 2
@@williamdrum9899 Read the original post, those are both powers of two.
@@anon_y_mousse , @William Drum And murder is OK, as long as the mess is contained in a heavy-duty Hefty bag.
nice video, nice channel, everything is so nice
im happy
under effect of the product
2:57 I think that's supposed to be the function epilog? (pro - before, epi - after, so after the function might have clobbered the canary)
Excellent!!
+respect for the canary
I have no clue why I love â€ïž watching those videos I donât even program in C or anything I am a Typical TypeScript ScriptKiddy but not the kind that copy then paste⊠I am no longer merely duplicating and replicating text, for I have transcended the realm of simple synonym substitution. With the power of ChatGPT-4, I now engage in a sophisticated art of textual transmutation, skillfully weaving words and phrases to forge novel compositions that retain the essence of the original, all while evading the pedestrian confines of mere copy-pasting. đź
Ooooo this is so cool. Stack smashing was a thing that might be related.
Yep, canaries exist to block stack smashing attempts
Press F to pay respect....
đŠđ
Funny enough, learnt about this a few months ago. Fun.
Respect the canary
So one thing I don't understand, the canary check code is inserted by the compiler, right? But does it detect when a function is vulnerable to buffer overflow or does it do it for every function? Is it possible to force it to not check the canary on specific functions?
Cool, I gotta try this out
Please do!
How did you open the code in assembly.
me, watching this in 6502 land: "huh, interesting!"
I've been there once or twice!
I've been there for far too long haha. Spent a couple years trying to make a NES game but I got tired of it
@@williamdrum9899 could always hop on the 2600 like me lol
what's checksec
stack canary meant to protect against the buffer overflow
Not sure if this counts as a canary, but this is a trick for Sega Genesis (or any Motorola 68000 CPU). The registers are all 32 bit but the addressable memory is only 24 bit, the top byte is discarded. Many times when I was first learning the language, I would dereference a pointer more than I should have. I'd know this happened when I was expecting a memory address in a register but I got something where the top byte wasn't zero.
So the trick is that you can use any value greater than 0x00FFFFFF as a canary, since that's the last memory address the CPU can load from
01:40 đ we all were thinking of that đ
Hey, my Veterans! I know you're singing it with me: "See the little birdy with the little yellow bill!..."
well it'snt very secure format string vulns can bypass it by overwriting the stack chk fail function
Canaries also consume insects and other small invertebrates, I believe itâs why they are used to eat bugs in code⊠đ
Respect
Respect the canary đź
Not me totally going "Canary Wharf in London!"
I always thought this was called "stack cookies", but I see there is a different name
Would be cool if you could do a video on how to take info off a serial and convert it into integer values or strings. I'm finding it hard to learn.
Not sure what you mean by serial. But to convert string to interger or integer to string look at functions âatoiâ, âitoaâ and âsprintfâ, âsscanfâ.
don't use atoi, it's not secure cause it can returns false values (returns 0 on invalid value but how you differentiate this case from passing the string "0" ?)
use strtol and derivates like this :
char *s = "7";
char *endptr;
long n = strtol(s,&endptr,10);
if (*endptr != 0)
//error case
else
// n holds integer value 7
on error case endptr will be pointing among the passes string
btw sprintf is not secure too andcan lead to buffer overflows,uses snprintf instead
I wrote a database for secrets. One of the things that I did to protect the encrypted secrets in memory was to use canary pointers. After all, if a user could dump the secret using an overflow then it isn't very secret... Turns out, that the Canary was an easy way to find the secrets in the memory space if a user was able to do a core dump. Main issue was that the canaries themselves were not random, or at least every canary was the same throughout the program (was using libsodium). Eventually found a solution for this but it was interesting that a protection feature didn't protect the program in this case.
Canariiieees
somehow I was expecting this to be about combinators
đF for the canary.
if you don't bring canaries the file screams
Respect the canaries đ
Oh, I use rust now. So this does not apply does it?
Rust explicitly checks for overflowing the memory at runtime with bounds checks. If you were to read into an array more than its capacity, it would panic with an out of bounds errors. Unless you're explicitly use unsafe and get_unchecked, then it will be vulnerable to overflows again
Buffer overflows being used to overwrite the return address on the stack is a commonly cited example for how a hacker can get local code execution going. However, Iâm not sure why it actually matters if theyâre able to overwrite the return address. The CPUâs MMU is configured by the kernel to put W/R/X permissions on memory pages⊠the text (code) section of a typical process should not have W permissions enabled, so trying to write in there would cause a SEGFAULT. And the data sections of the process would not have the X permission enabled, so if a hacker was able to transfer execution there, again youâd SEGFAULT. Maybe Iâm missing something here because itâs a great example to show how stacks and buffers and such work, but I donât think it enables self modifying (intentional or by hacker) as it mightâve in the past. We have memory protection these days.
Itâs complicated. Thereâs a technique called ROP that is extremely interesting. It essentially lets you run multiple chunks of code by adding them to your long buffer overflow input in a precise way. You can load registers, write strings and other values in memory and much more. Every c program also is connected to libc which has the system function. So (oversimplifying) if you call that with /bin/sh as a parameter, you add shell code to your payload (in a precise manner) and get your remote code execution.
Itâs really complicated, so I canât really explain it in a short comment. Itâs also super cool imo. There are simple ways to counter the canary (and other more powerful mitigations he didnât mention) that admittedly donât work all the time, but these vulnerabilities are still very prevalent and this guy does not fully understand what heâs talking about.
No birds were harmed in the making of this video
false
Correction: at 4:17 you meant to say least significant byte
F for the canaries
đ
F
"respect the canary"
So are we getting a "Respect the canary" t-shirt soon?
I'm commenting before I watch the video, trying to see if i can guess what its about. Lets see if I am right!
Canaries and protecting writing out of bounds.
RIP for the canary, it dies after
protecting us from the bugđą
If birds are basically huge bugs, then no. My code has no birds. It has airplanes.
3:15
Does this mean the canary ate my bugs?
*Numerous canaries died in the making of this video.*
I thought Canary really already in programming.
For example: Google Chrome Canary Edition (Crash easier than beta edition).
Kinda confused when he say it's not in programming tho...
3:26 you've been taking too many notes from theprimeagen
w canary
be aware bugs attract birds
F Canary đ€
-f is for flag afaik
Great video, except for the title :/
If I was looking for canaries, I probably wouldn't find this video.
easy fix: rust.
BRID UP!!!!
đŠ
TOOOKYOOOOOOO
I'm confused here , the OS shouldn't care what happens to your process , this feature just makes no sense
Disrespect the canary.
Reply F to pay respects for canary
F
2.
3.
It should ne klller
@@LowLevelLearning 4.
you look way different in this video.
1.
AYYYYYYYYYY
I'm early!
spare dying canaries, use rust instead.
F for canaries
2.