Lab access:

git clone <https://github.com/TinkAnet/Stack-canary-lab.git>

What Are Stack Canaries？

• Stack canaries are secret values placed in a function’s stack frame.
• They detect accidental or malicious overwrites of the return address.
• A canary is written to the stack at function entry and checked at exit.
• If unchanged, execution continues; if altered, the program aborts. This mechanism protects against classic stack-based buffer overflows.

How They Work on x64

On 64-bit systems, canaries consist of seven random bytes followed by a null byte. The null byte prevents string functions from leaking or overwriting the canary. The canary is positioned between buffers and control data on the stack. Any overflow reaches the canary first, ensuring detection before the return address is corrupted.

How Compilers Insert and Verify the Canary

• Compilers add canaries to functions with stack buffers or potential risk.

  The function loads the canary into the stack at entry and checks it before return.

• If the value matches, execution continues; if not, a failure handler terminates the program.

• This protects the return path from tampering.

Why This Mechanism Matters

• Stack canaries are a simple and widely used mitigation.
• They don’t stop memory corruption but block classic return-address overwrites.
• Since they appear in most binaries, understanding their structure and checks is essential.
• They form the foundation for learning more advanced exploitation and defenses.