Canary-Based Protection: StackGuard

Idea:
- prologue introduces a canary word between return addr and locals
- epilogue checks canary before function returns
- Wrong Canary = Overflow

Stack frame layout (figure):
    arg 2
    arg 1
    return addr
    caller's ebp    <- %ebp
    callee-save
    CANARY
    locals          <- %esp

Dept. of Computer Science, Nanjing University
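The prologue/epilogue check described above, modelled in C as an added example (not code from the slides or from StackGuard). The `struct frame` layout, the `run_callee` function, the canary value and the return address are all constructed for illustration; the frame is a plain struct, so the copy never leaves the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the slide's frame, lowest address first (locals sit below the canary). */
struct frame {
    unsigned char locals[16];
    uint32_t canary;       /* placed by the prologue */
    uint32_t callee_save;
    uint32_t saved_ebp;    /* caller's ebp */
    uint32_t ret_addr;     /* return addr */
};

enum { FRAME_OK = 0, FRAME_SMASHED = 1 };
#define SAMPLE_RET 0x08048000u   /* constructed return address */

/* Prologue, an unchecked copy into locals, then the epilogue check.
 * The copy is clamped to the model frame so the demo stays well defined. */
int run_callee(const unsigned char *in, size_t len, uint32_t canary, uint32_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.ret_addr = SAMPLE_RET;
    f.canary = canary;                       /* prologue: store canary word */

    if (len > sizeof f)
        len = sizeof f;
    memcpy((unsigned char *)&f, in, len);    /* body: no check against sizeof f.locals */

    if (f.canary != canary)                  /* epilogue: wrong canary = overflow */
        return FRAME_SMASHED;                /* ret_addr is never used */
    *ret_out = f.ret_addr;
    return FRAME_OK;
}

int main(void)
{
    unsigned char in[sizeof(struct frame)];
    uint32_t ret = 0, canary = 0x5ca1ab1eu;  /* constructed canary value */
    memset(in, 'A', sizeof in);
    printf("16 bytes: %d\n", run_callee(in, 16, canary, &ret));
    printf("17 bytes: %d\n", run_callee(in, 17, canary, &ret));
    printf("32 bytes: %d\n", run_callee(in, sizeof in, canary, &ret));
    return 0;
}
```

A write that stays inside `locals` returns normally; a write that runs even one byte past `locals` changes the canary before it can reach `ret_addr`, so the epilogue rejects the frame.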