ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Preventing format-string attacks via automatic and efficient dynamic checking
Full text PdfPdf (166 KB)
Source Conference on Computer and Communications Security archive
Proceedings of the 12th ACM conference on Computer and communications security table of contents
Alexandria, VA, USA
SESSION: Automated analysis table of contents
Pages: 354 - 363  
Year of Publication: 2005
ISBN:1-59593-226-7
Authors
Michael F. Ringenburg  University of Washington, Seattle, WA
Dan Grossman  University of Washington, Seattle, WA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 5,   Downloads (12 Months): 56,   Citation Count: 2
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1102120.1102166
What is a DOI?

ABSTRACT

We propose preventing format-string attacks with a combination of static dataflow analysis and dynamic white-lists of safe address ranges. The dynamic nature of our white-lists provides the flexibility necessary to encode a very precise security policy---namely, that %n -specifiers in printf-style functions should modify a memory location x only if the programmer explicitly passes a pointer to x. Our static dataflow analysis and source transformations let us automatically maintain and check the white-list without any programmer effort---they merely need to change the Makefile. Our analysis also detects pointers passed to vprintf-style functions through (possibly multiple layers of) wrapper functions. Our results establish that our approach provides better protection than previous work and incurs little performance overhead.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Todd M. Austin , Scott E. Breach , Gurindar S. Sohi, Efficient detection of all pointer and array access errors, Proceedings of the ACM SIGPLAN 1994 conference on Programming language design and implementation, p.290-301, June 20-24, 1994, Orlando, Florida, United States
 
2
William R. Bush , Jonathan D. Pincus , David J. Sielaff, A static analyzer for finding dynamic programming errors, Software—Practice & Experience, v.30 n.7, p.775-802, June 2000  [doi>10.1002/(SICI)1097-024X(200006)30:7<775::AID-SPE309>3.0.CO;2-H]
 
3
Hao Chen, Drew Dean, and David Wagner. Model checking one million lines of C code. In Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, 2004.
 
4
CIL - Infrastructure for C Program Analysis and Transformation, version 1.3.2. Available at http://manju.cs.berkeley.edu/cil/.
5
Jeremy Condit , Matthew Harren , Scott McPeak , George C. Necula , Westley Weimer, CCured in the real world, Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation, June 09-11, 2003, San Diego, California, USA
 
6
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, Washington, D.C., Aug. 2001.
 
7
Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In 7th USENIX Security Symposium, pages 63--78, San Antonio, TX, January 1998.
 
8
Cyclone, version 0.8. Available at http://www.research.att.com/projects/cyclone.
 
9
Alan DeKok. Pscan: A limited problem scanner for C source files, July 2000. Available at www.striker.ottawa.on.ca/~aland/pscan/.
 
10
Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In 4th USENIX Symposium on Operating System Design and Implementation, pages 1--16, San Diego, CA, October 2000.
 
11
Free Software Foundation. The GNU compiler collection. Available at http://gnu.gcc.org/.
 
12
S. Z. Guyer, E. D. Berger, and C. Lin. Detecting errors with configurable whole-program dataflow analysis. Technical Report UTCS TR-02-04, UT-Austin, 2002.
 
13
Reed Hastings and Bob Joyce. Purify: Fast detection of memory leaks and access errors. In Winter USENIX Conference, pages 125--138, San Francisco, CA, January 1992.
 
14
Trevor Jim , J. Greg Morrisett , Dan Grossman , Michael W. Hicks , James Cheney , Yanling Wang, Cyclone: A Safe Dialect of C, Proceedings of the General Track: 2002 USENIX Annual Technical Conference, p.275-288, June 10-15, 2002
 
15
Stephen Johnson. Lint, a C program checker. Computer Science Technical Report~65, Bell Laboratories, December 1977.
 
16
Richard Jones and Paul Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In AADEBUG'97. Third International Workshop on Automatic Debugging, volume 2(9) of Linköping Electronic Articles in Computer and Information Science, 1997.
 
17
Michel Kaempf. Multiple vulnerabilities in splitvt, January 2001. At www.securityfocus.com/ archive/1/156251.
 
18
Vladimir Kiriansky , Derek Bruening , Saman P. Amarasinghe, Secure Execution via Program Shepherding, Proceedings of the 11th USENIX Security Symposium, p.191-206, August 05-09, 2002
 
19
Gabriel A. Maggiotti. Unreal ircd format string vuln, February 2002. At www.securityfocus.com/ archive/82/258190.
 
20
George C. Necula , Scott McPeak , Shree Prakash Rahul , Westley Weimer, CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs, Proceedings of the 11th International Conference on Compiler Construction, p.213-228, April 08-12, 2002
21
George C. Necula , Scott McPeak , Westley Weimer, CCured: type-safe retrofitting of legacy code, Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.128-139, January 16-18, 2002, Portland, Oregon
 
22
T. Newsham. Format string attacks. White Paper, Sept. 2000. At www.securityfocus.com/guest/ 3342.
 
23
Bruce Perens. Electric fence. At www.gnu.org/directory/All_Packages_in_Directory/Electric-Fence.html.
 
24
NGSSoftware Insight Security Research. Pfinger 0.7.8 format string vulnerability, December 2002. http://www.securityfocus.com/archive/1/303555.
 
25
NGSSoftware Insight Security Research. zkfingerd 0.9.1 format string vulnerability, December 2002. http://www.securityfocus.com/archive/1/303557.
 
26
Michael F. Ringenburg and Dan Grossman. www.cs.washington.edu/homes/miker/formatstring/.
 
27
Tim Robbins. libformat, November 2001. At www.wiretapped.net/~fyre/software/libformat.html.
 
28
Rwhoisd remote format string vulnerability, October 2001. At www.securityfocus.com/archive/1/ 222756.
 
29
Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, September 1975.
 
30
VOID.AT Security. isc dhcpd 3.0 format string exploit, January 2003. At www.securityfocus.com/ archive/1/306327.
 
31
U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In 10th USENIX Security Symposium, pages 201--220, 2001.
 
32
Christopher Small , Margo I. Seltzer, MiSFIT: Constructing Safe Extensible Systems, IEEE Concurrency, v.6 n.3, p.34-41, July 1998  [doi>10.1109/4434.708254]
 
33
Splint manual, version 3.0.6, 2002. http://www.splint.org/manual/.
 
34
@stake, Inc. tcpflow 0.2.0 format string vulnerability, August 2003. At www.securityfocus.com/advi-sories/5686.
 
35
tf8@zolo.freelsd.net. Wu-ftpd remote format string stack overwrite vulnerability, June 2000. At www.securityfocus.com/bid/1387.
 
36
T. Tsai and N. Singh. Libsafe: Protecting critical elements of stacks. Technical Report ALR-2001-019, Avaya Labs, Aug. 2001.
37
Robert Wahbe , Steven Lucco , Thomas E. Anderson , Susan L. Graham, Efficient software-based fault isolation, ACM SIGOPS Operating Systems Review, v.27 n.5, p.203-216, Dec. 1993
 
38
J. Wilander and M. Kamkar. A comparison of publicly available tools for static intrusion prevention. In Proceedings of the 7th Nordic Workshop on Secure IT Systems, pages 68--84, Nov. 2002.
 
39
zillion. nn format string exploit, July 2002. http://www.securityfocus.com/archive/82/280687.

CITED BY  2
Karl Chen , David Wagner, Large-scale analysis of format string vulnerabilities in Debian Linux, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA
Zhiqiang Lin , Xuxian Jiang , Dongyan Xu , Bing Mao , Li Xie, AutoPaG: towards automated software patch generation with source code root cause identification and repair, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Invasive software (e.g., viruses, worms, Trojan horses)

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.0 General
          Subjects: Protection mechanisms
      D.2.4 Software/Program Verification
          Subjects: Reliability


General Terms:
Security


Keywords:
dynamic checking, format-string attacks, static analysis, white-lists

Collaborative Colleagues:
Michael F. Ringenburg: colleagues
Dan Grossman: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player