
FormatShield: A Binary Rewriting Defense against Format String Attacks

  • Conference paper
Information Security and Privacy (ACISP 2008)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5107)


Abstract

Format string attacks allow an attacker to read or write anywhere in the memory of a process. Previous solutions designed to detect format string attacks either require source code and recompilation of the program, or aim to defend only against write attempts to security critical control information. They do not protect against arbitrary memory read attempts and non-control data attacks. This paper presents FormatShield, a comprehensive defense against format string attacks. FormatShield identifies potentially vulnerable call sites in a running process and dumps the corresponding context information in the program binary. Attacks are detected when malicious input is found at vulnerable call sites with an exploitable context. It does not require source code or recompilation of the program and can defend against arbitrary memory read and write attempts, including non-control data attacks. Also, our experiments show that FormatShield incurs minimal performance overheads and is better than existing solutions.
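As an added illustration (not the paper's own code), a simplified form of the call-site check the abstract describes: the context recorded for a protected call site is assumed here to be the number of variadic arguments the caller really passes, and user input at that site is flagged when the format string would read past those arguments (arbitrary read) or carries a `%n` write conversion (arbitrary write). `callsite_ctx`, `fmt_args_needed` and `check_callsite` are hypothetical names.

```c
#include <string.h>

/* Added example (not the paper's code): a simplified form of the call-site
 * check FormatShield describes. A protected site records its context, here
 * the number of variadic arguments the caller really passed; input is flagged
 * if it would read past them (arbitrary read) or contains %n (arbitrary write). */
struct callsite_ctx { const char *site; int nargs; };      /* hypothetical */
enum verdict { FMT_OK, FMT_READS_PAST_ARGS, FMT_WRITE_CONVERSION };

/* Arguments a format string consumes, or -1 if it contains a %n conversion.
 * Understands %%, flags, '*' width/precision, length modifiers and %k$. */
int fmt_args_needed(const char *fmt)
{
    int needed = 0, maxpos = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                         /* literal percent */
        int k = 0, positional = 0;
        const char *q = p;
        while (*q >= '0' && *q <= '9') k = k * 10 + (*q++ - '0');
        if (*q == '$') { positional = 1; if (k > maxpos) maxpos = k; p = q + 1; }
        while (*p && strchr("-+ #0'", *p)) p++;           /* flags */
        if (*p == '*') { needed++; p++; }                 /* width from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                                   /* precision */
            p++;
            if (*p == '*') { needed++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;          /* length modifiers */
        if (*p == '\0') { needed++; break; }               /* truncated spec: count it */
        if (*p == 'n') return -1;
        if (!positional) needed++;
    }
    return needed > maxpos ? needed : maxpos;
}

/* Runtime decision at a call site: what the format string demands versus
 * what the recorded context can legitimately supply. */
enum verdict check_callsite(const struct callsite_ctx *ctx, const char *fmt)
{
    int needed = fmt_args_needed(fmt);
    if (needed < 0) return FMT_WRITE_CONVERSION;
    if (needed > ctx->nargs) return FMT_READS_PAST_ARGS;
    return FMT_OK;
}
```

A site that passes one argument accepts `"User %s logged in"`, rejects `"%x.%x.%x.%x.%x"` as reading past its arguments, and rejects `"%7$n"` as a write conversion.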




Editor information

Yi Mu, Willy Susilo, Jennifer Seberry


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kohli, P., Bruhadeshwar, B. (2008). FormatShield: A Binary Rewriting Defense against Format String Attacks. In: Mu, Y., Susilo, W., Seberry, J. (eds) Information Security and Privacy. ACISP 2008. Lecture Notes in Computer Science, vol 5107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70500-0_28


  • DOI: https://doi.org/10.1007/978-3-540-70500-0_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69971-2

  • Online ISBN: 978-3-540-70500-0

  • eBook Packages: Computer Science (R0)
