Matt Davis - Utilizing High Entropy Stack Canaries for Locating Function Return Addresses

enferex (enferex) Canaries, threads, and split-stacks! This presentation will describe a technique that I stumbled into for identifying a return address within an opaque memory space. Stack canaries of high entropy can be used to locate stack information, thus rendering a security mechanism as a tool for compromising a memory space. Of course, once a return address is located, it can be overwritten to allow for the execution of malicious code. This return address identification technique can be used to compromise the stack environment in a multi-threaded Linux environment. While the operating system and compiler are mere specificities, the logic discussed here can be considered for other execution environments. Bit flipper, coffee guzzler, horrible fixie rider.