Stack Canary
What is Stack Canary?
A stack canary is a secret value placed between a function's local buffers and its saved return address to detect stack buffer overflows before they hijack control flow.
Stack canaries, introduced by Crispin Cowan and the StackGuard team in 1998, are random values written between local variables and the saved return address in a function's stack frame. The compiler emits code on function entry to store the canary and code on exit to verify it; a mismatch aborts the program before the corrupted return address is used. Modern toolchains expose this as -fstack-protector or /GS, and they use a per-process random value that includes a terminator byte (often 0x00), so an overflow performed through string-copy routines, which stop at NUL, cannot reproduce the canary in its payload. Canaries complement but do not replace ASLR, DEP, CFI, and memory-safe languages.
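The entry and exit check described above, played out on a simulated stack frame. This is an added example written for this page, not the page's own material and not any compiler's actual prologue or epilogue code: the frame layout, the canary bytes, the placeholder return address and the inputs are all constructed, and the frame lives in a plain byte array so the overflow is modelled rather than performed. The strcpy-style cases show why the terminator byte matters: a string can only get past the canary's 0x00 byte by changing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for the simulation, not a real ABI's layout:
 * [0,16) local char buffer, [16,24) canary, [24,32) saved return address. */
enum { BUF_SIZE = 16, CANARY_OFF = 16, RET_OFF = 24, FRAME_SIZE = 32 };

/* Stand-in for the per-process random canary (constructed, not random).
 * Its 0x00 terminator byte sits at the lowest address, so it is the first
 * canary byte an overflow running up from the buffer reaches. */
static const unsigned char CANARY[8] = {
    0x00, 0x5a, 0xc3, 0x91, 0x7e, 0x24, 0xb6, 0x0d
};

enum outcome { RETURN_OK = 0, CANARY_SMASHED = 1 };
struct result {
    enum outcome outcome; /* what the epilogue check decided */
    int ret_intact;       /* 1 if the saved return address survived */
};

/* Prologue: clear the frame, install the canary, save the return address. */
static void prologue(unsigned char *frame, uint64_t saved_ret)
{
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + CANARY_OFF, CANARY, sizeof CANARY);
    memcpy(frame + RET_OFF, &saved_ret, sizeof saved_ret);
}

/* Epilogue: the compare emitted just before `ret`. A real binary calls
 * __stack_chk_fail and aborts instead of returning a code. */
static enum outcome epilogue(const unsigned char *frame)
{
    return memcmp(frame + CANARY_OFF, CANARY, sizeof CANARY) == 0
               ? RETURN_OK : CANARY_SMASHED;
}

/* Unchecked copy into the 16-byte buffer. strcpy_like == 0 models
 * memcpy(buf, src, len); strcpy_like != 0 models strcpy(buf, src), copying
 * up to and including the first NUL. Writes are clipped at FRAME_SIZE so
 * the simulation itself stays inside the array. */
static size_t unsafe_copy(unsigned char *frame, const unsigned char *src,
                          size_t len, int strcpy_like)
{
    size_t n = 0;
    while (n < len && n < FRAME_SIZE) {
        frame[n] = src[n];
        n++;
        if (strcpy_like && src[n - 1] == 0)
            break;
    }
    return n;
}

/* One simulated call with a constructed input of n_a 'A' bytes followed by
 * a NUL (n_a < FRAME_SIZE): prologue, unchecked copy, epilogue. */
static struct result run_case(size_t n_a, int strcpy_like)
{
    unsigned char input[FRAME_SIZE];
    unsigned char frame[FRAME_SIZE];
    const uint64_t saved_ret = 0x4011d6; /* constructed placeholder */
    uint64_t after;
    struct result r;

    if (n_a >= FRAME_SIZE)
        n_a = FRAME_SIZE - 1;
    memset(input, 'A', n_a);
    input[n_a] = 0;

    prologue(frame, saved_ret);
    unsafe_copy(frame, input, n_a + 1, strcpy_like);
    memcpy(&after, frame + RET_OFF, sizeof after);
    r.ret_intact = (after == saved_ret);
    r.outcome = epilogue(frame);
    return r;
}

static void report(const char *name, struct result r)
{
    printf("%-22s canary %s, return address %s\n", name,
           r.outcome == RETURN_OK ? "intact " : "smashed",
           r.ret_intact ? "intact" : "overwritten");
}

int main(void)
{
    report("5 bytes, in bounds:", run_case(5, 0));
    /* memcpy-style: 32 bytes run straight through canary and return address */
    report("31+NUL via memcpy:", run_case(31, 0));
    /* strcpy-style, one byte too many: the 'A' at offset 16 replaces the
     * canary's 0x00 and is caught before the return address is touched */
    report("17+NUL via strcpy:", run_case(17, 1));
    /* strcpy-style, reaching the return address: a string can only get past
     * offset 16 by writing a non-NUL there, so the canary always changes */
    report("31+NUL via strcpy:", run_case(31, 1));
    /* the longest strcpy-style input that passes: its NUL lands on the
     * canary's own 0x00 byte and the copy stops there */
    report("16+NUL via strcpy:", run_case(16, 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall canary_sim.c` and run it. The 17-byte strcpy case is the one to study: the canary is reported smashed while the return address is still intact, which is exactly the window the check is designed for. In a real binary compiled with -fstack-protector the canary is read from thread-local storage rather than a constant, and a mismatch ends in a `__stack_chk_fail` abort rather than a printed line.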
● Examples
- GCC's -fstack-protector-strong inserting a canary in functions with arrays.
- MSVC's /GS option detecting an overflow in a strcpy-based exploit.
● Frequently asked questions
What is Stack Canary?
A stack canary is a secret value placed between a function's local buffers and its saved return address to detect stack buffer overflows before they hijack control flow. It belongs to the Application Security category of cybersecurity.
What are other names for Stack Canary?
Common alternative names include: StackGuard, Stack cookie, GS cookie.
● Related terms
- ASLR: Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
- DEP: Data Execution Prevention (also called NX or W^X) marks memory pages as non-executable so attackers cannot run shellcode injected into the stack or heap.
- Control-Flow Integrity: Control-Flow Integrity (CFI) constrains a program's indirect calls and returns to a precomputed set of legitimate targets, blocking ROP and JOP exploits that hijack control flow.
- Shadow Stack: A shadow stack is a separate, protected stack that stores copies of return addresses so the CPU can detect tampering with the regular stack and block ROP attacks.
- Return-Oriented Programming: Return-Oriented Programming (ROP) is a code-reuse exploit technique that chains short instruction sequences ending in RET to execute arbitrary computation without injecting new code.
- Memory Safety: Memory safety is the property that a program never reads, writes, or executes memory it has not legitimately allocated, preventing entire classes of vulnerabilities.
● See also
- Intel CET