I ran into a particular scenario where checksec can provide a false sense of security. Let me try to explain.
- Custom code is written and compiled with -fstack-protector
- Said custom code is linked with a static library that is NOT compiled with -fstack-protector
- checksec is run against the resulting binary and reports canaries are present
Unfortunately, the static library contains tons of functions that would benefit from stack canaries, but they simply are not present.
Perhaps it would make more sense to report some percentage of functions that contain canaries. However, some functions would not even get them based on compiler heuristics. So perhaps the best signal-to-noise is % of functions that should have them and do have them.
Looking forward to your thoughts...
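One way to measure the per-function metric proposed above, as an added example that is not part of the issue or of checksec itself: parse `objdump -d` output and count which functions reference `__stack_chk_fail`. The embedded disassembly is constructed (two protected functions from a `-fstack-protector` object beside two unprotected ones from a static library); the function names are hypothetical. Because compiler heuristics skip canaries in functions without stack buffers, the script reports the unprotected functions for review rather than asserting that every one of them should have a canary.

```python
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample of `objdump -d` output, not taken from a real binary.
# main/parse_input came from a -fstack-protector object; lib_* from a library built without it.
SAMPLE_DISASSEMBLY = """
0000000000001030 <__stack_chk_fail@plt>:
    1030:   ff 25 e2 2f 00 00       jmp    *0x2fe2(%rip)

0000000000001149 <main>:
    1149:   55                      push   %rbp
    1155:   64 48 8b 04 25 28 00    mov    %fs:0x28,%rax
    1168:   e8 c3 fe ff ff          call   1030 <__stack_chk_fail@plt>
    116d:   c9                      leave

0000000000001170 <parse_input>:
    1170:   55                      push   %rbp
    1180:   e8 ab fe ff ff          call   1030 <__stack_chk_fail@plt>
    1185:   c3                      ret

0000000000001190 <lib_copy_name>:
    1190:   55                      push   %rbp
    1195:   e8 96 fe ff ff          call   1040 <strcpy@plt>
    11a0:   c3                      ret

00000000000011b0 <lib_parse_record>:
    11b0:   48 83 ec 48             sub    $0x48,%rsp
    11c0:   e8 7b fe ff ff          call   1050 <memcpy@plt>
    11c5:   c3                      ret
"""

# A function header in objdump output looks like "0000000000001149 <main>:".
FUNC_HEADER = re.compile(r"^[0-9a-fA-F]+ <([^>]+)>:$")


def canary_coverage(disassembly: str) -> Dict[str, bool]:
    """Map each function to whether its body references __stack_chk_fail (PLT stubs skipped)."""
    coverage: Dict[str, bool] = {}
    current = None
    for line in disassembly.splitlines():
        m = FUNC_HEADER.match(line.strip())
        if m:
            name = m.group(1)
            current = None if name.endswith("@plt") else name  # ignore PLT trampolines
            if current:
                coverage[current] = False
        elif current and "__stack_chk_fail" in line:
            coverage[current] = True
    return coverage


def coverage_ratio(disassembly: str) -> Tuple[int, int, List[str]]:
    """Return (functions with a canary check, total functions, names lacking one)."""
    cov = canary_coverage(disassembly)
    return sum(cov.values()), len(cov), [n for n, ok in cov.items() if not ok]


def disassemble(path: str) -> str:
    """Run objdump on a real binary so the same metric can be computed for it."""
    return subprocess.run(["objdump", "-d", path], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = disassemble(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DISASSEMBLY
    protected, total, missing = coverage_ratio(text)
    print(f"{protected}/{total} functions call __stack_chk_fail; unprotected: {missing}")
```

On the constructed sample this reports 2/4, which is the gap that a binary-wide "canary found" verdict hides.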