/sataniccanary

A GCC plugin implementing various stack canaries.

Primary LanguageCGNU General Public License v2.0GPL-2.0

Satanic Canary: A GCC plugin implementing various stack canaries.
=================================================================

Summary
-------
The Satanic Canary gcc plugin implements three types of stack canaries.
Two of these are currently enabled, and they are described below.

This plugin is merely for testing/exploring stack canaries and what they can
do for binary runtime security.  I feel safe in saying that the Basic and
TSC Data canaries can be used, but are not perfect.  Canaries are not always
impervious to compromise.  Likewise, they can impart overhead to the program
being executed.

A canary, or stack cookie, is merely a value on the stack which is placed
there at compile time in the function prologue.  During runtime, at function
epilogue,  the sanity of that value is checked.  If the value has been
modified then the canary calls an abort() since the stack has been corrupted
(either through bad programming or a malicious intent).

The canaries are chosen at 'random' for each function being compiled.

The array of structs below in the 'canaries' array are the canaries that can
be enabled/disabled.
 
Canaries Provided by this Plugin
--------------------------------
* Basic Canary: This canary places a random constant value/canary on the
stack and this same value should lie there unmodified upon function
return/epilogue.  This value will be different for each function compiled.

* TSC Canary: This canary places a value on the stack.  This value is
obtained from the more active (low 32bits) of the Timestamp Counter (TSC).
The TSC is dynamic and different for each execution of the function at
runtime.  This is a really craptastic canary and should not be used.  It is
easily compromised if the stack if overrun with the same data.  For each call
to a function with this canary enabled, the TSC value is placed twice on the
stack, back to back.  If, upon prologue, the two values differ, then the
stack is said to be corrupt and the program abort()s out.  Now, if the stack
is overwritten with the same value/pattern, then, these two values will still
be the same, e.g. and the canary will not detect a corruption... bad, bad
canary!

* TSC Data Canary: This canary places a TSC stamp, the low 32-bits, on the
stack and XOR's it against read-only data in the CS segment.  That XOR value,
(DATA xor TSC) is placed on the stack also.  Upon function epilogue, we
verify the stack sanity by XOR'ing the CS data and the (TSC xor DATA) that
was pushed onto the stack.  The result should be the TSC value we pushed on
the stack as the first value.

Contact
-------
Matt Davis (enferex)
mattdavis9@gmail.com