cybersecurity · intermediate · ~15 min · safe pentest lab

Detect a glibc-style stack canary pattern

Aligned byte-stride scanning with a composite predicate.

Challenge

Your job

Implement:

#include <stdint.h>
#include <stddef.h>
int has_canary_pattern(const uint8_t *frame, size_t n);

A glibc stack canary on x86_64 has its low byte = 0x00 and the upper 7 bytes random. We treat the frame as 8-byte aligned slots and look for one whose:

byte 0 (the low byte) is 0x00, AND
at least one of bytes 1..7 is non-zero.

Return:

1 if any slot matches.
0 if none does.
-1 if frame == NULL or n % 8 != 0.

Hints

(concept) Walk 8 bytes at a time: for (i = 0; i < n; i += 8).
(common bug) Treating an all-zero slot as a canary. Require byte 0 == 0 AND (byte 1 | byte 2 | … | byte 7) != 0.

Why this matters

Recognising the canary's shape is foundational defensive knowledge — it explains why naive overflows fail and why mitigations matter.

Input format

A const byte buffer + its length (multiple of 8).

Output format

0, 1, or -1.

Constraints

Stride 8. Predicate: low byte zero, upper 7 bytes have at least one non-zero.

Starter code

#include <stdint.h>
#include <stddef.h>
int has_canary_pattern(const uint8_t *frame, size_t n) {
    /* TODO */
    (void)frame; (void)n;
    return -1;
}

Common mistakes

Treating all-zero slot as canary. Ignoring the n % 8 != 0 invariant. Walking unaligned.

Edge cases to handle

Empty frame. Single slot. Canary at the very last slot.

Complexity

O(n).

Background lessons

Detect a stack canary pattern in a memory snapshot

Up next

A libFuzzer-shape target that never crashes

Solve this exercise in the browser editor — compile and run against the test harness, no setup required.