Canary-Based Protection StackGuard Soltware Security Idea: Background arg 2 e prologue introduces a arg 1 Cattary Codenas SckGuird canary word between ⑧ return addr StaCianf Waaanat DnG return addr and locals caller's ebp ←-%ebp Pulmnishie Cinin callee-save Data Execution epilogue checks canary Prevention CANARY Dutindan before function returns locals ASLR ASLR %esp57 Software Security Background Control Flow Hijack Control Flow Hijack Defense Canary Defense 11 StackGuard StackGuard Weakness DiffGuard Polymorphic Canary Data Execution Prevention Definition DEP Scorecard Return-to-libc Attack ASLR ASLR Randomization ASLR Dept. of Computer Science, Nanjing University Canary-Based Protection StackGuard