Abstract
Format string attacks let an attacker read from or write to arbitrary locations in a process's memory. Previous defenses against them either require the program's source code and recompilation, or only guard against writes to security-critical control data; they do not protect against arbitrary memory reads or against non-control-data attacks. This paper presents FormatShield, a comprehensive defense against format string attacks. FormatShield identifies potentially vulnerable call sites in a running process and records the corresponding context information in the program binary. An attack is detected when malicious input reaches a vulnerable call site whose context is exploitable. FormatShield needs neither source code nor recompilation, and defends against arbitrary memory reads and writes, including non-control-data attacks. Our experiments also show that FormatShield incurs minimal performance overhead and outperforms existing solutions.
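The bug the abstract targets, and the kind of call-site-aware check a binary-rewriting defense can wrap around it, as an added example in C. This is not code from the paper: FormatShield's own context encoding and detection rule are not reproduced here. The scanner (scan_format, format_is_exploitable) is hypothetical and models a call site's context as the number of variadic arguments the call actually passes, which is the piece of information a pure format-string filter lacks.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical call-site-aware format string checker (added example, not
 * FormatShield's code). The "context" of a call site is modelled as nargs,
 * the number of variadic arguments the call actually passes. A format is
 * judged exploitable when it consumes more arguments than the call supplied
 * (each extra conversion reads stack memory) or contains an %n-family
 * conversion (a write through a pointer the attacker may control). */

typedef struct {
    int conversions;   /* argument-consuming conversions, incl. '*' width/precision */
    int writes;        /* %n, %hn, %hhn, %ln ... */
    bool malformed;    /* unknown or unterminated conversion */
} fmt_stats;

fmt_stats scan_format(const char *fmt)
{
    fmt_stats s = {0, 0, false};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                       /* "%%" prints a literal percent */
            continue;
        while (*p && strchr("-+ #0'", *p))   /* flags */
            p++;
        if (*p == '*') {                     /* width taken from an argument */
            s.conversions++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                     /* precision */
            p++;
            if (*p == '*') {
                s.conversions++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p))  /* length modifiers */
            p++;
        switch (*p) {
        case 'd': case 'i': case 'o': case 'u': case 'x': case 'X':
        case 'c': case 's': case 'p': case 'e': case 'E': case 'f':
        case 'F': case 'g': case 'G': case 'a': case 'A':
            s.conversions++;
            break;
        case 'n':
            s.conversions++;
            s.writes++;
            break;
        default:
            s.malformed = true;
            if (*p == '\0')                  /* trailing '%': stop before overrunning */
                return s;
        }
    }
    return s;
}

/* Verdict for one call site whose recorded context says nargs variadic
 * arguments were passed. A wrapper installed by binary rewriting would run
 * this before letting the original printf proceed. */
bool format_is_exploitable(const char *fmt, int nargs)
{
    fmt_stats s = scan_format(fmt);
    return s.malformed || s.writes > 0 || s.conversions > nargs;
}

/* Vulnerable pattern: the user string *is* the format (the bug the paper targets). */
void log_vulnerable(const char *user)
{
    printf(user);                            /* deliberately vulnerable */
}

/* Hardened pattern: constant format, user string passed as data. */
void log_safe(const char *user)
{
    printf("%s", user);
}

/* Guarded pattern: the vulnerable call is kept, but checked against its
 * context (zero variadic arguments) before it is allowed to run. */
bool log_guarded(const char *user)
{
    if (format_is_exploitable(user, 0))
        return false;                        /* attack blocked, call skipped */
    printf(user);                            /* only formats with no conversions reach here */
    return true;
}
```

Two points a practitioner should take from this. First, without the call-site context a filter can only block %n; a format such as "%08x.%08x.%08x" carries no write but still leaks stack contents, and it is only the knowledge that this site passed zero arguments that makes it detectable. Second, the scanner is deliberately conservative: positional parameters ("%1$x") hit the default branch and are flagged as malformed, which is the right failure mode for a guard but would break legitimate localized format strings, so a real deployment has to decide how to treat them.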
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Kohli, P., Bruhadeshwar, B. (2008). FormatShield: A Binary Rewriting Defense against Format String Attacks. In: Mu, Y., Susilo, W., Seberry, J. (eds) Information Security and Privacy. ACISP 2008. Lecture Notes in Computer Science, vol 5107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70500-0_28
DOI: https://doi.org/10.1007/978-3-540-70500-0_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69971-2
Online ISBN: 978-3-540-70500-0