GO TRY OUT BRILLIANT GOGOGOGOGOGOGO brilliant.org/LowLevelLearning

Fun fact! The "canary in the coal mine" didn't actually die. That bottle on the top of the cage? That's so that if the bird passes out, the miner can fill the cage with oxygen and the bird recovers

I don't have birds in my code. Only bugs...

Birds and programming absolutely mix. I am a bird. I program. Your videos are awesome. Please keep it up! Also, respect the canaries. Both kinds.

RIP stack canary. He died for our sins. 😔

In the late 80’s/early 90’s I had a computer with a small executable file running at the end of the autoexec file. All it did was saying “The canary bird is alive and all is well.” Until one day it said: “The canary bird is dead.” It was an exe file that checked an internal checksum, and if it was changed, the canary was dead, and you knew that you had been infected by a computer virus.

There actually are heap canaries! You just have to call `mprobe()` on the buffer after you finish any risky operation. Unfortunately since nobody actually "owns" heap memory, the compiler can't just automatically insert this check at every function return. Alternately, you can ask nicely to have the compiler try to make its best guess by calling `mcheck()` or passing `-lmcheck` when linking. You can also do one better if you use a more paranoid allocator that uses separate virtual memory pages for each allocation and flanks them with guard pages -- that way, you get an automatic hardware exception any time something even _reads_ outside each buffer's closest 4096-byte block. (That is, in fact, what a segfault is; guard pages just make segfaults happen for buffers in the middle of the heap too, not just at the end.)

I used to place variables with test values manually at the end of arrays for testing, these days I use "-fsanitize=address" with gcc, great feature.

Absolutely, great videos. I haven't done much C since Uni, but need to get back into it. These videos definitely help inspire me to do that, keep up the great work man!

"Here we have a C code..." - there You go You have find Your first canary.

Tried stack based overflows for educational purposes on self written binarys and i was wondering why my arbitrary shellcode was not executed besides NX turned off. I will go and check for canarys. Thanks! UPDATE: Yes it has canary

I guess the main problem with heap memory is knowing when to check it... But I saw another comment referring to heap canaries, which is cool! There should be support for automatic checks in some of the std memory containers, e.g. after passing the .data() pointer of a std::vector Also, fun fact! Canary bytes were re-implemented on things that don't natively support them. FreeRTOS, a popular microcontroller scheduler, allows the placement of canary bytes too. It's very useful!

"Here I wrote some C code-" ah, I see the problem "that's vulnerable" reduntant

Some notes on canaries: - Based on idea of ‘canary in a coal mine’ - AKA Stack Cookies - Method: Random number is placed between local variables on the stack and the return address on the stack ~**Before you return from a function you check that random number and ask if it's corrupted or not. If safe return; If not *buffer may have floweth'd over* - *USUALLY* Added by compiler Canaries are a form of Mitigation because the principal falls under certain ASSUMPTIONS: //In the words of a good friend - Never make Assumptions. 1) Linear-writing buffer overflows will corrupt the canary, and that corruption will be detected before anything bad can happen. 2) It's Hard for attacker to guess the 32/64-bit random number. 3) Not possible for attacker to read the number and then write the same number back as part of the overflow. ***Assumptions ( each of these could be violated by an attacker ) --- if attacker has control of destination pointer. --- Did the implementers have adequate randomization for the 32/64-bit number? Is there a chance the attacker can guess it? --- Can the attacker read the canary? If they can read the canary then they could write back the exact value while they're doing the linear buffer overflow. (depends on information disposal) - At the end of the day canaries are a cheap, good exploit mitigation mechanism that should be enabled.

Now I understand why Microsoft calls their nightly Edge builds canary builds.

2:57 I think that's supposed to be the function epilog? (pro - before, epi - after, so after the function might have clobbered the canary)

omg thank you for this. i was using ghidra for the first time today and was wondering what that fs:offset and chk stack fail were

The heap can be protected by specifying the max size of the heap in the linker, and then creating small section of the memory at the end of the heap that has no write permission flag on

This happened to me just yesterday with "char query[1024];" and then copy/paste "memset(query, 0x00, 2048);". Too bad you didn't post this video yesterday as I had no idea what is wrong :)

What a great channel, subbed

I have no clue why I love ❤️ watching those videos I don’t even program in C or anything I am a Typical TypeScript ScriptKiddy but not the kind that copy then paste… I am no longer merely duplicating and replicating text, for I have transcended the realm of simple synonym substitution. With the power of ChatGPT-4, I now engage in a sophisticated art of textual transmutation, skillfully weaving words and phrases to forge novel compositions that retain the essence of the original, all while evading the pedestrian confines of mere copy-pasting. 😮

Not sure if this counts as a canary, but this is a trick for Sega Genesis (or any Motorola 68000 CPU). The registers are all 32 bit but the addressable memory is only 24 bit, the top byte is discarded. Many times when I was first learning the language, I would dereference a pointer more than I should have. I'd know this happened when I was expecting a memory address in a register but I got something where the top byte wasn't zero. So the trick is that you can use any value greater than 0x00FFFFFF as a canary, since that's the last memory address the CPU can load from

nice video, nice channel, everything is so nice im happy under effect of the product

+respect for the canary

Canaries also consume insects and other small invertebrates, I believe it’s why they are used to eat bugs in code… 😅

So one thing I don't understand, the canary check code is inserted by the compiler, right? But does it detect when a function is vulnerable to buffer overflow or does it do it for every function? Is it possible to force it to not check the canary on specific functions?

Funny enough, learnt about this a few months ago. Fun.

Ooooo this is so cool. Stack smashing was a thing that might be related.

Excellent!!

what's checksec stack canary meant to protect against the buffer overflow

Press F to pay respect....

well it'snt very secure format string vulns can bypass it by overwriting the stack chk fail function

Cool, I gotta try this out

01:40 😐 we all were thinking of that 😂

How did you open the code in assembly.

Respect the canary

Hey, my Veterans! I know you're singing it with me: "See the little birdy with the little yellow bill!..."

Respect

me, watching this in 6502 land: "huh, interesting!"

Would be cool if you could do a video on how to take info off a serial and convert it into integer values or strings. I'm finding it hard to learn.

I wrote a database for secrets. One of the things that I did to protect the encrypted secrets in memory was to use canary pointers. After all, if a user could dump the secret using an overflow then it isn't very secret... Turns out, that the Canary was an easy way to find the secrets in the memory space if a user was able to do a core dump. Main issue was that the canaries themselves were not random, or at least every canary was the same throughout the program (was using libsodium). Eventually found a solution for this but it was interesting that a protection feature didn't protect the program in this case.

Buffer overflows being used to overwrite the return address on the stack is a commonly cited example for how a hacker can get local code execution going. However, I’m not sure why it actually matters if they’re able to overwrite the return address. The CPU’s MMU is configured by the kernel to put W/R/X permissions on memory pages… the text (code) section of a typical process should not have W permissions enabled, so trying to write in there would cause a SEGFAULT. And the data sections of the process would not have the X permission enabled, so if a hacker was able to transfer execution there, again you’d SEGFAULT. Maybe I’m missing something here because it’s a great example to show how stacks and buffers and such work, but I don’t think it enables self modifying (intentional or by hacker) as it might’ve in the past. We have memory protection these days.

I always thought this was called "stack cookies", but I see there is a different name

Respect the canary 😮

somehow I was expecting this to be about combinators

Correction: at 4:17 you meant to say least significant byte

Oh, I use rust now. So this does not apply does it?

Not me totally going "Canary Wharf in London!"

Canariiieees

👍F for the canary.

RIP for the canary, it dies after protecting us from the bug😢

Respect the canaries 👍

if you don't bring canaries the file screams

I'm commenting before I watch the video, trying to see if i can guess what its about. Lets see if I am right! Canaries and protecting writing out of bounds.

3:15

F for the canaries

So are we getting a "Respect the canary" t-shirt soon?

If birds are basically huge bugs, then no. My code has no birds. It has airplanes.

I thought Canary really already in programming. For example: Google Chrome Canary Edition (Crash easier than beta edition). Kinda confused when he say it's not in programming tho...

3:26 you've been taking too many notes from theprimeagen

No birds were harmed in the making of this video

*Numerous canaries died in the making of this video.*

"respect the canary"

Does this mean the canary ate my bugs?

Great video, except for the title :/ If I was looking for canaries, I probably wouldn't find this video.

-f is for flag afaik

easy fix: rust.

be aware bugs attract birds

w canary

BRID UP!!!!

F Canary 🐤

I'm confused here , the OS shouldn't care what happens to your process , this feature just makes no sense

TOOOKYOOOOOOO

Disrespect the canary.

Reply F to pay respects for canary

you look way different in this video.

2.

1.

I'm early!

spare dying canaries, use rust instead.

F for canaries

2.