Software Security
Dept. of Computer Science, Nanjing University

Canary-Based Protection
Canary Defense

"A" x 68 . "\xEF\xBE\xAD\xDE"

    #include <string.h>

    int main(int argc, char *argv[]) {
        char buf[64];
        /* no bounds check: argv[1] is copied into the 64-byte buf */
        strcpy(buf, argv[1]);
    }

Dump of assembler code for function main:

    0x080483e4 <+0>:   push %ebp
    0x080483e5 <+1>:   mov  %esp,%ebp
    0x080483e7 <+3>:   sub  $72,%esp
    0x080483ea <+6>:   mov  12(%ebp),%eax
    0x080483ed <+9>:   mov  4(%eax),%eax
    0x080483f0 <+12>:  mov  %eax,4(%esp)
    0x080483f4 <+16>:  lea  -64(%ebp),%eax
    0x080483f7 <+19>:  mov  %eax,(%esp)
    0x080483fa <+22>:  call 0x80483e0 <strcpy@plt>
    0x080483ff <+27>:  leave
    0x08048400 <+28>:  ret

Stack frame of main (higher addresses at top):

    argv
    argc
    return addr
    caller's ebp      <- %ebp
    buf (64 bytes)
    argv[1]
    buf               <- %esp