드림핵에서 받아온 소스코드다.
//Name: canary.c
#include <unistd.h>
/*
 * Minimal stack-overflow demo used to compare builds with and without
 * a stack canary (see the two disassembly dumps below).
 * Returns 0; the only effect is the read() into buf.
 */
int main() {
char buf[8];      /* 8-byte stack buffer (at [rbp-0x8] without canary, [rbp-0x10] with canary, per the dumps below) */
read(0, buf, 32); /* reads up to 32 bytes from fd 0 into an 8-byte buffer: anything past byte 8 overwrites what lies above buf on the stack — this overflow is deliberate, it is what the canary build detects */
return 0;
}
컴파일을 하고 GDB로 분석을 시작해보자.
Canary 적용이 되지 않은 Main
gef➤ disassemble main
Dump of assembler code for function main:
0x0000000000001149 <+0>: endbr64
0x000000000000114d <+4>: push rbp
0x000000000000114e <+5>: mov rbp,rsp
0x0000000000001151 <+8>: sub rsp,0x10
0x0000000000001155 <+12>: lea rax,[rbp-0x8]
0x0000000000001159 <+16>: mov edx,0x20
0x000000000000115e <+21>: mov rsi,rax
0x0000000000001161 <+24>: mov edi,0x0
0x0000000000001166 <+29>: call 0x1050 <read@plt>
0x000000000000116b <+34>: mov eax,0x0
0x0000000000001170 <+39>: leave
0x0000000000001171 <+40>: ret
End of assembler dump.
Canary 적용이 된 Main
gef➤ disassemble main
Dump of assembler code for function main:
0x0000000000001169 <+0>: endbr64
0x000000000000116d <+4>: push rbp
0x000000000000116e <+5>: mov rbp,rsp
0x0000000000001171 <+8>: sub rsp,0x10
0x0000000000001175 <+12>: mov rax,QWORD PTR fs:0x28
0x000000000000117e <+21>: mov QWORD PTR [rbp-0x8],rax
0x0000000000001182 <+25>: xor eax,eax
0x0000000000001184 <+27>: lea rax,[rbp-0x10]
0x0000000000001188 <+31>: mov edx,0x20
0x000000000000118d <+36>: mov rsi,rax
0x0000000000001190 <+39>: mov edi,0x0
0x0000000000001195 <+44>: call 0x1070 <read@plt>
0x000000000000119a <+49>: mov eax,0x0
0x000000000000119f <+54>: mov rcx,QWORD PTR [rbp-0x8]
0x00000000000011a3 <+58>: xor rcx,QWORD PTR fs:0x28
0x00000000000011ac <+67>: je 0x11b3 <main+74>
0x00000000000011ae <+69>: call 0x1060 <__stack_chk_fail@plt>
0x00000000000011b3 <+74>: leave
0x00000000000011b4 <+75>: ret
End of assembler dump.
캐너리가 적용된 버전에서는 함수 진입 직후 fs:0x28의 값을 [rbp-0x8]에 저장해 두고, 반환 직전에 [rbp-0x8]의 값을 fs:0x28과 다시 비교(xor)한다. 값이 같으면 leave/ret로 정상 반환하고, 다르면 __stack_chk_fail@plt를 호출하므로 이 함수를 통해 스택을 보호하는 것으로 보인다. 또한 buf는 [rbp-0x10], 캐너리는 [rbp-0x8]에 있어 buf를 넘치게 쓰면 저장된 rbp나 반환 주소보다 캐너리가 먼저 덮인다.