Question
6. Secure Programming. StackGuard is a compiler-based technique for defending against stack-based buffer overflows. It detects memory corruption using a canary, a known value stored in each function's stack frame immediately before the return address. Before a function returns, it verifies that its canary value hasn't changed; if it has, the program halts.

(a) In some implementations, the canary value is a 64-bit integer that is randomly generated each time the program runs. Explain why this prevents the basic form of stack-based buffer overflow attack discussed in lecture.

(b) What is a security drawback to choosing the canary value at compile time instead of at run time? If the value must be fixed, why is 0 a particularly good choice?

(c) No matter how the canary is chosen, StackGuard cannot protect against all buffer overflow vulnerabilities. List two kinds of bugs that can corrupt the stack and allow the adversary to take control, even with StackGuard in place.

(d) You are attempting to exploit a buffer overflow in an application which uses the C gets() function. The program appears to be exploitable, but your attack isn't working. Whatever you do, the process immediately crashes as soon as it jumps to the instructions you injected onto the stack. What's going on? How can you bypass this security measure?

(e) You are developing a simple buffer overflow exploit reminiscent of target0 from the Application Security. After lots of trial and error, you finally find an input that succeeds, but then you try again with exactly the same bytes and it doesn't seem to work anymore! What's going on? How can you bypass this security measure?
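The canary check described in the question, modelled in C as an added example that is not part of the original page. The flat 32-byte frame layout, the function names, the sample canary and the return address 0x401136 are all assumptions made for illustration; a real compiler emits the prologue and epilogue itself.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame as a flat byte array (layout assumed for
 * illustration): [0..15] buffer, [16..23] canary, [24..31] return address. */
enum { BUF_LEN = 16, CANARY_OFF = 16, RET_OFF = 24, FRAME_LEN = 32 };

struct frame { uint8_t mem[FRAME_LEN]; };

/* Prologue: place the per-run canary just before the return address. */
static void frame_enter(struct frame *f, uint64_t canary, uint64_t ret) {
    memset(f->mem, 0, FRAME_LEN);
    memcpy(f->mem + CANARY_OFF, &canary, sizeof canary);
    memcpy(f->mem + RET_OFF, &ret, sizeof ret);
}

/* Copy with no check against BUF_LEN, as gets() behaves. The clamp to
 * FRAME_LEN only keeps this model itself inside its own array. */
static void unchecked_copy(struct frame *f, const uint8_t *src, size_t n) {
    memcpy(f->mem, src, n > FRAME_LEN ? FRAME_LEN : n);
}

/* Epilogue: compare the stored canary with the reference copy. */
static int canary_intact(const struct frame *f, uint64_t canary) {
    return memcmp(f->mem + CANARY_OFF, &canary, sizeof canary) == 0;
}

/* One modelled call. Returns the address control would return to, or 0
 * when the check fails and the program halts instead of returning. */
uint64_t call_with_input(uint64_t canary, uint64_t ret,
                         const uint8_t *src, size_t n) {
    struct frame f;
    uint64_t out;
    frame_enter(&f, canary, ret);
    unchecked_copy(&f, src, n);
    if (!canary_intact(&f, canary)) return 0;   /* halt: corruption detected */
    memcpy(&out, f.mem + RET_OFF, sizeof out);
    return out;
}

int main(void) {
    const uint64_t canary = 0x5a17c3e9d20b4f61ULL; /* constructed sample value */
    uint8_t input[FRAME_LEN];
    memset(input, 'A', sizeof input);              /* constructed input */
    printf("16 bytes -> %#" PRIx64 "\n", call_with_input(canary, 0x401136, input, 16));
    printf("32 bytes -> %#" PRIx64 "\n", call_with_input(canary, 0x401136, input, 32));
    return 0;
}
```

Because the canary sits between the buffer and the return address, any contiguous write long enough to reach the return address has already changed the canary, so the epilogue check fails before the corrupted address is used.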