| Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G., Frantzen, M., and Lokier, J. Formatguard: Automatic Protection from Printf Format String Vulnerabilities. USENIX Security Symposium, pp. 191--199, Washington, DC, August 2001. |
....the run time stack. When the function returns, the added code checks if this canary value is still in place. If the canary value is no longer present, then a buffer overflow must have occurred that overwrote the value. When this happens, the application terminates with a notification. FormatGuard [10] is used to detect format string vulnerabilities. It provides protection by using a proxy API composed of C macros that intercept predetermined vulnerable functions. These macros count the number of operands in the format string and the number of arguments passed to the function via the variable ....
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, August 2001.
....itself is stored on the stack we can view and write on arbitrary memory addresses. 2.5 Format String Vulnerabilities While the scanf() family is involved in numerous buffer overflow exploits [1], the format string attacks published concern the printf() family of format string functions [25, 7]. For that reason our test only concerns the latter subset of the ANSI C format functions. So we add another eight function calls to our testbed (sprintf() and vsprintf() are used differently here than in the buffer overflow case): 16. printf() 20. vprintf() 17. fprintf() 21. vfprintf() ....
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 001 USENIX Security Symposium, Washington DC, USA, August 2001.
....pointer arithmetic with no bounds checking, variadic arguments, dangling pointers, weak types, unions. All provide venues for overwriting other than the intended objects. Currently, the most exploited classes of program bugs involve buffer overflow [46, 13, 8], integer overflow [5] and format string [45, 12] vulnerabilities. These vulnerability classes are reported in respectively 22, 3, and 2 of the CERT advisories [9] for 2002 together with 4 advisories for other program bugs. Buffer overflow vulnerabilities are present when a buffer with weak or no bounds checking is populated with user supplied ....
.... this->prev->next = this->next; will modify an arbitrary location (controlled by prev) with an arbitrary value (next). Format string vulnerabilities also allow attackers to modify arbitrary memory locations with arbitrary values and often outrank buffer overflows in recent security bulletins [12, 45]. A format string vulnerability occurs if the format string to a function from the printf family (f,f,s,sngprintf, syslog) is provided or constructed from data from an outside source. The most common case is when printf(str) is used instead of printf("%s", str). As another example, a ....
Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities, 2001.
....[32] 2. Inserting run time checks. C's assert statements, the Safe C system [1] and debugging versions of libraries, like Electric Fence, cause programs to perform sanity checks as they run. This technique has been used to combat buffer overflows [9, 4, 19] and printf format string attacks [8]. 3. Combining static analysis and run time checks. Systems like CCured [31] perform static analyses to check source code for safety, and automatically insert run time checks where safety cannot be guaranteed statically. These are good techniques Cyclone itself uses the third strategy. ....
Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In 10th USENIX Security Symposium, Washington, D.C., August 2001.
.... external (10 ) AppShield [124] Entercept [46] Janus [54] Psionic PortSentry [116] Tripwire [76] AAFID [137] HP IDS 9000 [61] StormWatch [101] Host based internal (8 ) CylantSecure [154] LIDS [68] OpenWall Kernel patch for Linux [105] pH [135] FormatGuard [31] ternal internal) classifications of data collection mechanisms. We discuss the advantages and disadvantages of each one of them. The term monitored component is used in this chapter and in the rest of this dissertation as follows: WORKING DEFINITION 2.1: MONITORED COMPONENT A host or a ....
....[105] projects have developed kernel patches for Linux [10] that prevent certain operations defined as dangerous. These patches add checks that constitute internal sensors, but are specifically tuned for preventing those operations. Another example of the use of internal sensors is FormatGuard [31]. This is a specialized tool for detecting and preventing format string based buffer overflows [98, 127] By recompiling the affected programs, code is inserted for checking when a format string attack is attempted against any of the functions instrumented. These pieces of code constitute internal ....
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 2001.
....free, the list update operation this->prev->next = this->next; will modify an arbitrary location with an arbitrary value. Format string vulnerabilities also allow attackers to modify arbitrary memory locations with arbitrary values and often outrank buffer overflows in recent security bulletins [6, 19]. A format string vulnerability occurs if the format string to a function from the printf family (f,f,s,sngprintf, syslog) is provided or constructed from data from an outside source. The most common case is when printf(str) is used instead of printf("%s", str). The first problem is that attackers ....
....execution, it has to be unprotected on each call, and that can be prohibitively expensive (mprotect on Linux on IA-32 is 60-70 times more expensive than an empty function call). Techniques for write protection of stack pages [7] have also shown significant performance penalties. FormatGuard [6] is a library patch for eliminating format string vulnerabilities. It provides wrappers for the printf functions that count the number of arguments and match them to the specifiers. It is applicable only to functions that use the standard library functions directly, and it requires recompilation. ....
Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities, 2001.
....free, the list update operation this->prev->next = this->next will modify an arbitrary location with an arbitrary value. Format string vulnerabilities also allow attackers to modify arbitrary memory locations with arbitrary values and often outrank buffer overflows in recent security bulletins [6, 19]. A format string vulnerability occurs if the format string to a function from the printf family (f,f,s,sngprintf, syslog) is provided or constructed from data from an outside source. The most common case is when printf(str) is used instead of printf("%s", str). The first problem is that attackers ....
....execution, it has to be unprotected on each call and that can be prohibitively expensive (mprotect on Linux on x86 is 60-70 times more expensive than an empty function call). Techniques for write protection of stack pages [7] have also shown significant performance penalties. FormatGuard [6] is a library patch for eliminating format string vulnerabilities. It provides wrappers for the printf functions that count the number of arguments and match them to the specifiers. It is applicable only to functions that use the standard library functions directly, and it requires recompilation. ....
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities,
....cqual [26] 2. Inserting runtime checks. C's assert statements, the Safe C system [2] and debugging versions of libraries, like Electric Fence, cause programs to perform sanity checks as they run. This technique has been used to combat buffer overflows [8, 5, 17] and printf format string attacks [7]. 3. Combining static analysis and runtime checks. Systems like CCured [25] perform static analyses to check source code for safety, and automatically insert runtime checks where safety cannot be guaranteed statically. These are good techniques Cyclone itself uses the third strategy. However, ....
Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In 10th USENIX Security Symposium, Washington, D.C., August 2001.
....mechanism must be kept in perfect synchronization with the libc implementation of all printf-like functions. FormatGuard, a compiler modification, injects code to dynamically check and reject all printf-like function calls where the number of arguments does not match the number of specifiers [13]. Of course, only applications that are recompiled using FormatGuard will benefit from its protection. Also, one technical shortcoming of FormatGuard is that it does not protect user-defined wrapper functions (see, e.g., Figure 1). Moreover, a common limitation of both libformat and FormatGuard ....
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. "FormatGuard: Automatic Protection From printf Format String Vulnerabilities." This volume.
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In USENIX Security Symposium, Washington, DC, August 2001.
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In USENIX Security Symposium, Washington, DC, August 2001.
....straw man, we felt it necessary to get repeatable experiments. We view the above concessions as largely immaterial to the validity of RaceGuard defense, because they only make the programs more vulnerable. However, it is interesting to note that while exploits for buffer overflow [10], format bug [6], and CGI [8] vulnerabilities are readily available, exploits for race vulnerabilities are extremely rare. We conjecture that the relative scarcity of race exploits is related to the relative difficulty in successfully deploying race attacks: script kiddies aren't interested in attacks that are ....
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. Submitted for review, February 2001.
.... StackGuard: A C compiler enhancement [8] that emits programs resistant to buffer overflow attacks [16, 9] This technology was developed under DARPA contracts F30602 96 1 0331 (Immunix) F30602 96 10302 (Heterodyne) and F30602 01 C 0172 (Sardonix) FormatGuard: A similar C compilation technique [4] that emits programs resistant to printf format string vulnerabilities [18, 2, 15] This technology was developed under DARPA contract N66001 00 C 8032 (Autonomix) RaceGuard: A kernel enhancement [6] to detect and stop temporary file race attacks [1] This technology was developed under DARPA ....
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In USENIX Security Symposium, Washington, DC, August 2001.
Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G., Frantzen, M., and Lokier, J. Formatguard: Automatic Protection from Printf Format String Vulnerabilities. USENIX Security Symposium, pp. 191--199, Washington, DC, August 2001.
C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. Formatguard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, Aug. 2001.
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In USENIX Security Symposium, 2001.
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 2001.
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 2001.
C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proc. of the 10th Usenix Security Symposium, Aug 2001.
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities. In 2001.
Cowan C, Barringer M, Beattie S, Kroah-Hartman G, Frantzen M, Lokier J. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. Proceedings of the 10th USENIX Security Symposium USENIX: Washington, D.C., August 2001;
Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G., Frantzen, M., Lokier, J.: FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In: proceedings of the 2001 USENIX Security Symposium, Washington D.C. (2001)
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In USENIX Security Symposium, 2001.
Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In USENIX Security Symposium, 2001.
C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proc. of the 10th Usenix Security Symposium, Aug 2001.
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, pages 191--200, Washington, District of Columbia, U.S.A., August 2001. USENIX Association. (Cited on pages 55 and 64.)
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In USENIX Security Symposium, 2001.
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, Aug. 2001.
Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G.: FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In: Proceedings of the 10th USENIX Security Symposium. (2001) 191-199
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, pages 191--199, August 2001.
Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G., Frantzen, M., Lokier, J.: FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In: proceedings of the 2001 USENIX Security Symposium, Washington D.C. (2001)
C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: Automatic protection from printf format-string vulnerabilities. In 10 USENIX Security Symposium, August 2001.
Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman. FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In Proceedings of the 10th Usenix Security Symposium, Washington, D.C., August 2001.
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, Aug. 2001.
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, Aug. 2001.
Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman. Formatguard: Automatic protection from printf format string vulnerabilities. In 10th USENIX Security Symposium, Washington, D.C., August 2001.
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. Formatguard: Automatic protection from printf format string vulnerabilities. [USE01].
C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. Format guard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 2001.
C. Cowan et al., "FormatGuard: Automatic Protection from printf Format String Vulnerabilities," Usenix Security Symp., Usenix Assoc., 2001, pp. 191--199.