If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog and then halts, what does it indicate?

A simple compiler technique used by programmers is to add a terminator ‘canary word’ containing four letters, NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff), so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog and then halts, what does it indicate?

A. A buffer overflow attack has been attempted

B. A buffer overflow attack has already occurred

C. The system has crashed

D. An intrusion detection system has been triggered

E. A firewall has been breached and this is logged

Explanation:
Terminator canaries are based on the observation that most buffer overflow and stack-smashing attacks rely on certain string operations that end at terminators. In response to this observation, the canary is built from the NULL, CR and LF terminators and -1 (EOF, 0xff). The undesirable result is that the canary value is known.
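The check described above, as an added example that is not part of the original page: a simulated frame places the terminator canary between a buffer and a saved return slot, runs an unchecked string copy, and verifies the canary afterwards. The frame layout, sizes, sample inputs and all names (`run_frame`, `unsafe_copy`, `REPLAY`) are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simulated frame (constructed layout, not any real compiler's):
   [ buf: 8 bytes ][ canary: 4 bytes ][ saved return slot: 4 bytes ] */
enum { BUF = 8, CAN = 4, RET = 4, FRAME = BUF + CAN + RET };
static const unsigned char CANARY[CAN] = { 0x00, 0x0d, 0x0a, 0xff };
static const unsigned char SAVED_RET[RET] = { 0x11, 0x22, 0x33, 0x44 };

/* Constructed input: filler, then the known canary bytes, then more data.
   The literal is split so "\xff" does not swallow the following 'B's. */
static const char REPLAY[] = "AAAAAAAA\x00\x0d\x0a\xff" "BBBB";

/* strcpy-style copy: no destination bound, stops at the source's NUL.
   Capped at FRAME so the demonstration itself stays memory-safe. */
static void unsafe_copy(unsigned char *frame, const char *src) {
    size_t i = 0;
    while (src[i] != '\0' && i < (size_t)(FRAME - 1)) {
        frame[i] = (unsigned char)src[i];
        i++;
    }
    frame[i] = '\0';
}

/* Bit 0 set: canary altered. Bit 1 set: saved return slot altered. */
int run_frame(const char *input) {
    unsigned char frame[FRAME] = { 0 };
    memcpy(frame + BUF, CANARY, CAN);            /* prologue places canary */
    memcpy(frame + BUF + CAN, SAVED_RET, RET);
    unsafe_copy(frame, input);                   /* unchecked string copy */
    /* Epilogue check; a real runtime would log the alert and halt here. */
    int canary_bad = memcmp(frame + BUF, CANARY, CAN) != 0;
    int ret_bad = memcmp(frame + BUF + CAN, SAVED_RET, RET) != 0;
    return canary_bad | (ret_bad << 1);
}

int main(void) {
    printf("fits in buffer : %d\n", run_frame("hello"));
    printf("2 bytes over   : %d\n", run_frame("AAAAAAAAAA"));
    printf("15 bytes       : %d\n", run_frame("AAAAAAAAAAAAAAA"));
    printf("canary replayed: %d\n", run_frame(REPLAY));
    return 0;
}
```

A nonzero result means the canary no longer matches at function exit, so the buffer has already been written past its end. The replayed-canary input returns 0 because the string copy stops at the canary's leading 0x00 and never reaches the saved return slot.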