Abstract
Format-string attacks are one of the few truly serious threats to software security. Many previous methods for addressing this problem rely on program source code analysis or special recompilation, and hence exhibit limitations when applied to protect software whose source code is unavailable. In this paper, we present a transparent run-time approach to defending against format-string attacks via dynamic tainting and flexible validation. By leveraging library interposition and ELF binary analysis, we taint all untrusted user-supplied data as well as its propagation during program execution, and add a security validation layer to the printf-family functions of the C Standard Library in order to enforce a flexible policy that detects a format-string attack on the basis of whether the format string has been tainted and contains dangerous format specifiers. Compared with other existing methods, our approach offers several benefits. It requires neither knowledge of the application nor any modification to the program source code, and can therefore also be used with legacy applications. Moreover, as shown in our experiments, it is highly effective against most types of format-string attacks and incurs low performance overhead.
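The validation policy the abstract describes, as an added example in C that is not the paper's code: a small taint registry stands in for the library-interposition layer that would mark buffers filled by read()/recv(), and a printf-family interposer would call format_string_attack() before forwarding the call. The names taint_mark, is_tainted, count_dangerous_specifiers, format_string_attack and demo are hypothetical, and the input in demo() is constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed taint registry (not the paper's code): a wrapped read()/recv()
 * would call taint_mark() on every buffer it fills from an untrusted source. */
#define MAX_TAINT 16
static struct { uintptr_t start, end; } taint_tab[MAX_TAINT];
static int taint_count;
void taint_mark(const void *p, size_t len) {
    if (taint_count < MAX_TAINT) {
        taint_tab[taint_count].start = (uintptr_t)p;
        taint_tab[taint_count].end = (uintptr_t)p + len;
        taint_count++;
    }
}
bool is_tainted(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < taint_count; i++)
        if (a >= taint_tab[i].start && a < taint_tab[i].end) return true;
    return false;
}
/* Count conversions that write memory (%n) or select arguments by position
 * (%N$), skipping "%%" and the flag/width/precision/length characters. */
int count_dangerous_specifiers(const char *fmt) {
    int bad = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }            /* literal percent */
        const char *q = p + 1;
        while (*q && (isdigit((unsigned char)*q) || strchr("-+ #.*$hlLqjzt", *q)))
            bad += (*q++ == '$');                      /* positional access */
        bad += (*q == 'n');                            /* write to pointer arg */
        if (*q) p = q;                                 /* resume past conversion */
    }
    return bad;
}
/* Policy enforced before the real printf runs: only a format string that is
 * tainted AND carries a dangerous conversion is reported as an attack. */
bool format_string_attack(const char *fmt) {
    return is_tainted(fmt) && count_dangerous_specifiers(fmt) > 0;
}
/* Constructed check: tainted "%x%n" is flagged, the same untainted literal is not. */
bool demo(void) {
    static char net_buf[16];
    strcpy(net_buf, "%x%n");                           /* constructed input */
    taint_mark(net_buf, sizeof net_buf);
    return format_string_attack(net_buf) && !format_string_attack("%x%n");
}
```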
© 2006 Springer-Verlag Berlin Heidelberg
Lin, Z., Xia, N., Li, G., Mao, B., Xie, L. (2006). Transparent Run-Time Prevention of Format-String Attacks Via Dynamic Taint and Flexible Validation. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds) Information Security. ISC 2006. Lecture Notes in Computer Science, vol 4176. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11836810_2
DOI: https://doi.org/10.1007/11836810_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-38341-3
Online ISBN: 978-3-540-38343-7