Abstract
Although Format String Attacks (FSAs) have been known for many years, a number of applications have still been found to be vulnerable to such attacks in recent years. According to the CVE database, the number of FSA vulnerabilities has been stable over the last 5 years, even though FSA vulnerabilities are supposedly easy to detect. Thus we can assume that this type of bug will still be present in the future. Current compiler-based or system-based protection mechanisms help to restrict the exploitation of this kind of vulnerability, but are insufficient to prevent an attack in all cases.
Currently, FSAs are mainly used to leak information such as pointer addresses in order to circumvent protection mechanisms like Address Space Layout Randomization (ASLR), so current attacks also rely on the output of the format string. In this paper we present a novel method for attacking format string vulnerabilities in a blind manner: our method does not require any memory leak or any output reaching the attacker. In addition, we show a way to exploit format string vulnerabilities on the heap, where we cannot benefit from direct destination control, i.e. we cannot place arbitrary addresses onto the stack as is possible in stack-based format string attacks.
Notes
1. e.g. printf("id: %d, size:%d, name: %s", id, size, name) consumes three arguments.
2. An input to a buffer like "\x78\x4f\x9e\xbf", "%5u", "%10$hhn" will, for example, write the value 0x9 to the least significant byte at the address 0xbf9e4f78, because in this example the tenth value on the stack contains our user input.
3. δ = false positive count * 4 (number of verification tests).
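As an added illustration of notes 1 and 2 (my own code, not from the paper), the following Python model walks a format string the way printf does and reports how many argument slots it consumes and what any %n-family directive would store; a defender can run it over strings that reach printf as the format argument to spot argument mismatches and write directives. It assumes a 32-bit target, treats a field width as the exact output length (it is only a minimum), and does not support `*` widths.

```python
import re

# Simplified printf directive: %[argpos$][flags][width][.prec][length]conv  (no '*')
DIRECTIVE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?[-+ #0]*(?P<width>\d*)(?:\.\d*)?"
    r"(?P<length>hh|h|ll|l|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)
# Bytes an %n-family write touches per length modifier (32-bit target assumed).
N_MASK = {"hh": 0xFF, "h": 0xFFFF, "": 0xFFFFFFFF, "l": 0xFFFFFFFF}

def analyze_format(fmt):
    """Walk a format string as printf would and report args (highest argument
    slot referenced, cf. note 1), writes ((slot, modifier, value) per %n-family
    directive, cf. note 2) and exact (False when some output length was unknown)."""
    out_len = 0       # characters printf has emitted so far
    next_slot = 0     # last sequential (non-positional) argument slot used
    max_slot, writes, exact, i = 0, [], True, 0
    while i < len(fmt):
        if fmt[i] != "%":
            out_len += 1  # literal character, including raw address bytes
            i += 1
            continue
        m = DIRECTIVE.match(fmt, i)
        if m is None:
            raise ValueError("unsupported or malformed directive at offset %d" % i)
        i, conv = m.end(), m.group("conv")
        if conv == "%":
            out_len += 1
            continue
        if m.group("pos"):  # explicit %N$ selects slot N directly
            slot = int(m.group("pos"))
        else:
            next_slot += 1
            slot = next_slot
        max_slot = max(max_slot, slot)
        if conv == "n":     # write: stores the count of characters emitted so far
            mod = m.group("length") or ""
            writes.append((slot, mod, out_len & N_MASK.get(mod, 0xFFFFFFFF)))
            continue
        width = int(m.group("width") or 0)
        out_len += width    # a width is only a minimum; real output may be longer
        exact = exact and width > 0
    return {"args": max_slot, "writes": writes, "exact": exact}

def args_missing(fmt, supplied):
    """Argument slots the format reads beyond those the call actually passes."""
    return max(0, analyze_format(fmt)["args"] - supplied)
```

For the input of note 2, the four address characters plus the five-character padded %5u give nine emitted characters, which is the 0x9 that the %10$hhn directive stores into slot 10.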
© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Kilic, F., Kittel, T., Eckert, C. (2015). Blind Format String Attacks. In: Tian, J., Jing, J., Srivatsa, M. (eds) International Conference on Security and Privacy in Communication Networks. SecureComm 2014. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 153. Springer, Cham. https://doi.org/10.1007/978-3-319-23802-9_23
DOI: https://doi.org/10.1007/978-3-319-23802-9_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23801-2
Online ISBN: 978-3-319-23802-9