Abstract
We propose a binary rewriting system called Kimchi that modifies binary programs to protect them from format string attacks at runtime. Kimchi replaces the machine code that calls the conventional printf with code that calls a safer version, safe_printf, which prevents the format string from accessing arguments beyond the stack frame of the calling function. With the proposed static analysis and binary rewriting method, it can protect binary programs even if they do not use the frame pointer register or link the printf code statically. In addition, it reduces the performance overhead of the patched program by leaving unmodified those calls to printf whose format string argument is located in a read-only memory segment, since such calls are not vulnerable to format string attacks.
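The following is an added illustration, not Kimchi's code, of the check a safe_printf-style wrapper performs: it parses the format string, counts how many variadic arguments the conversions would consume, and refuses to print when that count exceeds a bound. In Kimchi that bound is derived from the parent's stack frame; here the caller passes it explicitly as `max_args`, and the function names (`format_arg_count`, `safe_snprintf_bounded`) are hypothetical. Rejecting the `%n` write conversion outright is an assumption of this example, not something the abstract states; the read-only-segment optimisation is not modelled.

```c
/* Added example: simplified argument-count check in the spirit of safe_printf.
 * Not the Kimchi implementation; names and policy choices are hypothetical. */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the arguments a printf format string would consume.
 * Handles flags, '*' width/precision (each consumes an argument), length
 * modifiers and "%%". Returns -1 for a malformed format, an unknown
 * conversion, or "%n" (rejected by policy in this example). Positional
 * "%1$d" forms are not supported and are reported as malformed. */
int format_arg_count(const char *fmt) {
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                  /* literal '%', no argument */
        while (*p && strchr("-+ #0", *p)) p++;    /* flags */
        if (*p == '*') { count++; p++; }          /* width from an argument */
        else while (isdigit((unsigned char)*p)) p++;
        if (*p == '.') {                          /* precision */
            p++;
            if (*p == '*') { count++; p++; }
            else while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;  /* length modifiers */
        if (*p == '\0') return -1;                /* dangling '%' */
        if (*p == 'n') return -1;                 /* write conversion refused */
        if (!strchr("diouxXeEfFgGaAcsp", *p)) return -1;
        count++;
    }
    return count;
}

/* Hypothetical bounded formatter: max_args is the number of variadic
 * arguments the caller actually supplied (Kimchi derives this limit from the
 * parent's stack frame). Returns the vsnprintf result, or -1 if the format
 * would read past that bound or is otherwise rejected. */
int safe_snprintf_bounded(char *buf, size_t size, int max_args,
                          const char *fmt, ...) {
    int needed = format_arg_count(fmt);
    if (needed < 0 || needed > max_args) return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

int main(void) {
    char buf[64];
    /* Legitimate call: two conversions, two arguments supplied. */
    int n = safe_snprintf_bounded(buf, sizeof buf, 2, "pid=%d user=%s", 42, "alice");
    printf("accepted (%d chars): %s\n", n, buf);
    /* Constructed untrusted format: would read past the supplied arguments. */
    const char *untrusted = "%x %x %x %x";
    n = safe_snprintf_bounded(buf, sizeof buf, 0, untrusted);
    printf("untrusted format %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

The parser walks each conversion specification in the order printf itself would, so the count matches what the C library would pull off the argument area; comparing it against the caller-known bound is what turns an over-reading format string into a refused call rather than a memory disclosure.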
© 2006 Springer-Verlag Berlin Heidelberg
You, J.H., Seo, S.C., Kim, Y.D., Choi, J.Y., Lee, S.J., Kim, B.K. (2006). Kimchi: A Binary Rewriting Defense Against Format String Attacks. In: Song, JS., Kwon, T., Yung, M. (eds) Information Security Applications. WISA 2005. Lecture Notes in Computer Science, vol 3786. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11604938_14
DOI: https://doi.org/10.1007/11604938_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-31012-9
Online ISBN: 978-3-540-33153-7