Per-Thread Stack Canary Management
Provides stack smashing detection via per-thread random canary values. Each thread receives a unique 64-bit canary generated from an xorshift64 PRNG seeded by architecture-specific entropy. The canary is written to a known guard location on the thread's stack and verified periodically or on context switch; any change to the stored value means that location was overwritten.
§Design
- CANARY_TABLE: RwLock<BTreeMap<u64, u64>> mapping thread ID to its canary value. Protected by RwLock so that verification can take concurrent read access while registration takes exclusive write access.
- Canary generation: uses an xorshift64 PRNG seeded from hardware entropy (RDRAND/TSC on x86_64, CNTPCT on AArch64, cycle on RISC-V).
- Detection: on canary mismatch, the kernel panics with "stack smashing detected" to prevent exploitation.
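The following is an added, user-space model of the design above, not the crate's own code: a table behind an RwLock, an xorshift64 generator, and a verification path that panics on mismatch. Function names follow the documented API, but the implementation details are assumptions. In particular the PRNG is seeded from a fixed, constructed constant rather than RDRAND/TSC/CNTPCT so runs are deterministic, the checks take the observed guard value as a parameter instead of reading the thread's stack, and MockStack / overflow_write are hypothetical helpers that stand in for a real frame layout.

```rust
use std::collections::BTreeMap;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::RwLock;

/// Thread ID -> expected canary. Readers (verification) run concurrently;
/// registration and removal take the exclusive write lock.
static CANARY_TABLE: RwLock<BTreeMap<u64, u64>> = RwLock::new(BTreeMap::new());

/// xorshift64 state. The kernel seeds this from hardware entropy; this example
/// uses a fixed, constructed seed (assumption). The seed must be non-zero:
/// xorshift64 maps 0 to 0 forever.
const EXAMPLE_SEED: u64 = 0x9E37_79B9_7F4A_7C15;
static PRNG_STATE: AtomicU64 = AtomicU64::new(EXAMPLE_SEED);

/// One xorshift64 step with Marsaglia's (13, 7, 17) shift triple.
fn xorshift64(mut x: u64) -> u64 {
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    x
}

/// Advance the shared PRNG atomically and return a fresh 64-bit canary.
pub fn generate_canary() -> u64 {
    loop {
        let prev = PRNG_STATE.load(Ordering::Relaxed);
        let next = xorshift64(prev);
        if PRNG_STATE
            .compare_exchange(prev, next, Ordering::Relaxed, Ordering::Relaxed)
            .is_ok()
        {
            return next;
        }
        // Another thread advanced the state first; retry from the new state.
    }
}

pub fn set_thread_canary(tid: u64, canary: u64) {
    CANARY_TABLE.write().unwrap().insert(tid, canary);
}

pub fn get_thread_canary(tid: u64) -> Option<u64> {
    CANARY_TABLE.read().unwrap().get(&tid).copied()
}

pub fn remove_thread_canary(tid: u64) -> Option<u64> {
    CANARY_TABLE.write().unwrap().remove(&tid)
}

pub fn registered_count() -> usize {
    CANARY_TABLE.read().unwrap().len()
}

/// Compare the value read back from the stack guard slot with the table entry.
/// An unregistered thread is treated as a mismatch rather than silently passing.
pub fn verify_stack(tid: u64, observed: u64) -> bool {
    matches!(get_thread_canary(tid), Some(expected) if expected == observed)
}

/// Kernel-style check. The read guard is already dropped inside verify_stack,
/// so panicking here does not poison the RwLock for other threads.
pub fn check_canary(tid: u64, observed: u64) {
    if !verify_stack(tid, observed) {
        panic!("stack smashing detected in thread {tid}");
    }
}

/// Hypothetical stand-in for a thread's stack frame: the guard slot sits
/// between a fixed-size buffer and the saved return address.
pub struct MockStack {
    pub buffer: [u8; 16],
    pub guard: u64,
    pub return_address: u64,
}

/// Model an unchecked write of `data` into `buffer`: bytes beyond the buffer
/// land in the guard slot, which is why a later check_canary catches them.
pub fn overflow_write(stack: &mut MockStack, data: &[u8]) {
    let (into_buf, rest) = data.split_at(data.len().min(stack.buffer.len()));
    stack.buffer[..into_buf.len()].copy_from_slice(into_buf);
    if !rest.is_empty() {
        let mut guard_bytes = stack.guard.to_ne_bytes();
        let n = rest.len().min(8);
        guard_bytes[..n].copy_from_slice(&rest[..n]);
        stack.guard = u64::from_ne_bytes(guard_bytes);
    }
}

fn main() {
    let tid = 7;
    let canary = generate_canary();
    set_thread_canary(tid, canary);
    let mut stack = MockStack { buffer: [0; 16], guard: canary, return_address: 0x1000 };
    overflow_write(&mut stack, b"fits");
    check_canary(tid, stack.guard); // passes: guard untouched
    overflow_write(&mut stack, &[0x41; 24]);
    println!("guard intact after overrun: {}", verify_stack(tid, stack.guard));
    remove_thread_canary(tid);
}
```

The compare_exchange loop matters in a kernel setting: two threads created concurrently must not both read the same PRNG state and receive identical canaries, since a canary leaked from one thread would then be valid for the other.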
§Usage
// During thread creation:
let canary = stack_canary::generate_canary();
stack_canary::set_thread_canary(tid, canary);
// Write canary to thread's stack guard location...

// During context switch or verification:
stack_canary::check_canary(tid); // panics on mismatch

§Functions
- check_canary - Check a thread's stack canary.
- generate_canary - Generate a new random canary value.
- get_stats - Get diagnostic statistics.
- get_thread_canary - Get the expected canary value for a thread.
- init - Initialize the stack canary subsystem.
- is_active - Check if the canary subsystem is initialized.
- registered_count - Get the number of threads with registered canaries.
- remove_thread_canary - Remove a thread's canary from the table.
- set_thread_canary - Register a canary value for a thread.
- verify_stack - Verify a stack canary value against the expected value.