Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
improve heap canary generation #19
Comments
thestinger
added
the
Type: enhancement
label
Aug 23, 2015
ghost
referenced this issue
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment Hide comment
thestinger
Sep 2, 2015
Contributor
The canaries are now generated with secret_key ^ hash(canary_address) so it's not quite as bad. This still needs improvement.
|
The canaries are now generated with |
thestinger
added
Component: hardened malloc
upstream
labels
Feb 6, 2016
thestinger
closed this
Oct 15, 2016
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment Hide comment|
Need to revisit this based on upstream changes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thestinger commentedAug 23, 2015
The canaries are created with
secret_key ^ canary_addressso an attacker with a read overflow could use them to leak information about addresses. Ideally, they would be implemented asmac(secret_key, canary_address)but it needs to be fast. Usingsecret_key ^ hash(canary_address)with the existing hash function would be less bad but it wouldn't provide clear security properties.There's also the option of generating a canary for each chunk_info struct with the same one reused for all chunks within that page. That's a pretty good compromise between a global value and one that may leak pointer data.