- ...
function1
- The name is derived from the coal mining practice of
taking a canary down with the workers. The canary was more sensitive
to poisonous gas than humans, so examining the state of the canary
could reveal a dangerous buildup of poison gas.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
- ... this2
- They both provide
guards against return-into-libc attacks, but they can still
be exploited. For example, we can use the procedure linkage table
entry of system() instead of the address of system() to
bypass the stack patch (where the address of system() can contain
zero bytes) or PaX (where the address of system() are unknown in advance
due to the random mapping of shared libraries).
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
- ...
function3
- This is a gcc feature; constructor functions
run before main() does.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
