What is security cookie in C++?
I have read from Google that it is used for controlling buffer overruns at application level and it is called by CRT. It also says that

" Essentially, on entry to an overrun-protected function, the cookie is put on the stack, and on exit, the value on the stack is compared against the global cookie. Any difference between them indicates that a buffer overrun has occurred and results in immediate termination of the program."

But I could not really understand how it works. Please help.

Schermerhorn answered 13/11, 2013 at 4:43

Comment from Bifurcate: AFAIK it is just some data that is unlikely to occur in normal code that can be compared against when the function exits to tell if it was overwritten. Other similar guards are often put at both ends of dynamic allocations to check for over/underwrites as well.

The "cookie" is basically nothing more than an arbitrary value.

So, the basic idea is that you write the chosen value on the stack before calling a function. Although it's probably not a very good value, let's arbitrarily choose 0x12345678 as the value.

Then it calls the function.

When the function returns, it goes back to the correct spot on the stack, and compares that value to 0x12345678. If the value has changed, this indicates that the function that was called wrote outside the area of the stack where it was allowed to write, so it (and that process in general) is deemed untrustworthy and shut down.

In this case, instead of choosing 0x12345678, the system chooses a different value on a regular basis, such as every time the system is started. This means it's less likely to hit the correct value by accident -- it might happen to do so once, but if it's writing a specific value there, when the correct/chosen value changes, it'll end up writing the wrong value, and the problem will be detected.

It's probably also worth noting that this basic idea isn't particularly new. Just for example, back in the MS-DOS days, both Borland's and Microsoft's compilers would write some known value at the very bottom of the stack before calling main in your program. After main returned, they'd re-check that value. It would then print out an error message (right as the program exited) if the value didn't match what was expected.

Tenement answered 13/11, 2013 at 4:49

It's exactly what the explanation says, but you can replace "cookie" with "some value". When the function is called, it puts some value on the stack. When the function returns, it checks it again to see if it changed.

The normal behavior of the function is to not touch the memory location. If the value there changed, it means that function code somehow overwrote it, and this means there was a buffer overflow.

Domino answered 13/11, 2013 at 4:48

Comment from Schermerhorn: This is very clear to me now. Your first line explained much to me. Thanks Zneak.
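The mechanism both answers describe, as an added example that is not part of any answer on this page: a struct models the layout the compiler arranges (a local buffer with the cookie placed right after it), a prologue copies the process-wide cookie into the frame, and an epilogue compares it before "returning". The length-unchecked copy overwrites the cookie once the input is longer than the buffer and the check reports it; the bounded variant beside it never reaches the cookie. The cookie initialisation is a constructed, deliberately simple mix of the clock and a stack address, labelled as an assumption; the real CRT draws its value from better entropy. Using a struct rather than a genuine stack overflow keeps the demonstration well-defined C, since the standard does not promise any particular ordering of real locals on the stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed model of a protected stack frame: the local buffer sits at
 * offset 0 and the cookie immediately after it, as a /GS-style prologue
 * would arrange things. sizeof(struct frame) == 16, no padding. */
struct frame {
    char buf[8];
    uint64_t cookie;
};

/* The process-wide ("global") cookie the epilogue compares against. */
static uint64_t global_cookie;

/* Assumption: a weak, illustrative seed (clock xor a stack address) run
 * through a splitmix64 step. A real runtime uses proper OS entropy. The
 * point is only that the value differs from run to run. */
void init_cookie(void)
{
    uint64_t z = (uint64_t)time(NULL) ^ (uint64_t)(uintptr_t)&z;
    z += 0x9E3779B97F4A7C15ULL;
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    global_cookie = z ^ (z >> 31);
}

/* Models a function with an unchecked copy into its 8-byte buffer.
 * Returns 1 if the cookie is intact at "exit", 0 if an overrun was detected.
 * The copy is clamped to the frame object so the model stays well-defined;
 * bytes 8..15 of the input land on the cookie, which is exactly the
 * corruption the check is designed to catch. */
int copy_with_guard(const char *src, size_t len)
{
    struct frame f;
    unsigned char *frame_bytes = (unsigned char *)&f;

    f.cookie = global_cookie;               /* prologue: stash the cookie */
    if (len > sizeof f)
        len = sizeof f;
    for (size_t i = 0; i < len; i++)        /* "buffer overrun" past buf[] */
        frame_bytes[i] = (unsigned char)src[i];

    return f.cookie == global_cookie;       /* epilogue: compare and report */
}

/* The corrected function: length is validated against the buffer, so the
 * cookie can never be reached. Returns -1 for rejected input, 1 when the
 * cookie is intact, 0 if it were ever corrupted. */
int copy_bounded(const char *src, size_t len)
{
    struct frame f;

    f.cookie = global_cookie;
    if (len > sizeof f.buf)
        return -1;                          /* refuse input that cannot fit */
    memcpy(f.buf, src, len);

    return f.cookie == global_cookie;
}

int main(void)
{
    init_cookie();
    printf("cookie for this run: 0x%016llx\n", (unsigned long long)global_cookie);
    printf("5-byte input, unchecked copy:  cookie intact = %d\n",
           copy_with_guard("hello", 5));
    printf("16-byte input, unchecked copy: cookie intact = %d  (overrun detected)\n",
           copy_with_guard("0123456789ABCDEF", 16));
    printf("16-byte input, bounded copy:   result = %d  (rejected, cookie untouched)\n",
           copy_bounded("0123456789ABCDEF", 16));
    return 0;
}
```

Running it twice prints a different cookie each time, which is the point made above about choosing a fresh value per run: an overrun that happens to leave the right value behind once will be caught as soon as the value changes.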
