Safe Penetration Testing Labs · intermediate · ~15 min

Detect a stack canary pattern in a memory snapshot

Scan a frame snapshot for the glibc-style canary pattern.

Overview

Walk the frame 8 bytes at a time; flag slots where byte 0 is 0 and at least one of bytes 1..7 is non-zero.

Why it matters

Recognising the canary's shape is step one in understanding why naive overflows fail and why mitigations matter.

Lesson

Why this matters

Linux toolchains protect functions with stack canaries: a random machine word inserted between local variables and the return address, checked before the function returns. On glibc x86_64 the canary's low byte is always 0x00 — a deliberate null byte so naive string-write overflows cannot make it through without detection.

We're not writing a stack-smasher. We're writing a detector that recognises the canary's shape: a word whose low byte is zero, in a specific frame slot.

Your job

Implement int has_canary_pattern(const uint8_t *frame, size_t n). Return:

  • 1 if any 8-byte aligned slot has its low byte (the first byte of the slot) equal to 0x00 AND the upper 7 bytes contain at least one non-zero byte. That's the glibc canary's signature: low byte zero, rest random.
  • 0 if no such slot exists.
  • -1 if frame == NULL or n isn't a multiple of 8.

Common mistakes

  • Treating an all-zero word as a canary. The whole point is the upper 7 bytes are random; a NULL slot is not a canary.
  • Walking unaligned. Stack canaries sit at a word boundary.
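A reference implementation of the detector described under "Your job", written for this lesson (added example, not part of the lab's own starter code). The three sample frames are constructed by hand, not captured from a real process; the third one places a zero byte at offset 1 to show why an aligned stride is required.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return 1 if any 8-byte aligned slot in frame[0..n) has its low byte
 * (slot[0]) equal to 0x00 and at least one non-zero byte among slot[1..7];
 * 0 if no such slot exists; -1 if frame is NULL or n is not a multiple of 8. */
int has_canary_pattern(const uint8_t *frame, size_t n)
{
    if (frame == NULL || n % 8 != 0)
        return -1;
    for (size_t off = 0; off < n; off += 8) {   /* aligned 8-byte stride */
        const uint8_t *slot = frame + off;
        if (slot[0] != 0x00)
            continue;                            /* low byte must be zero */
        for (size_t i = 1; i < 8; i++) {
            if (slot[i] != 0x00)
                return 1;                        /* zero low byte, random rest */
        }
        /* All-zero word: a NULL slot, not a canary; keep scanning. */
    }
    return 0;
}

/* Constructed sample frames (hypothetical bytes, not a real stack dump). */
static const uint8_t frame_with_canary[24] = {
    0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,   /* local buffer contents */
    0x00,0x3a,0x7f,0xc2,0x19,0xe4,0x5b,0x88,   /* canary-shaped word    */
    0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,   /* saved frame pointer   */
};
static const uint8_t frame_all_zero[16] = {0};  /* NULL slots only */
static const uint8_t frame_unaligned_zero[16] = {
    0x41,0x00,0x3a,0x7f,0xc2,0x19,0xe4,0x5b,   /* zero at offset 1, not a slot start */
    0x88,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
};

int main(void)
{
    printf("canary frame:    %d\n", has_canary_pattern(frame_with_canary, sizeof frame_with_canary));
    printf("all-zero frame:  %d\n", has_canary_pattern(frame_all_zero, sizeof frame_all_zero));
    printf("unaligned zero:  %d\n", has_canary_pattern(frame_unaligned_zero, sizeof frame_unaligned_zero));
    printf("bad length:      %d\n", has_canary_pattern(frame_with_canary, 7));
    return 0;
}
```

A byte-wise scan would report the third frame as a hit; the aligned walk correctly returns 0 for it.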

What this is NOT

  • A bypass. We detect; we don't tamper.
  • A definitive identifier. False positives happen — this is a heuristic.

Summary

Aligned 8-byte stride, low-byte-zero + any-nonzero-elsewhere predicate.
