Transparent run-time prevention of format-string attacks via dynamic taint and flexible validation

Authors:
Zhiqiang Lin;Nai Xia;Guole Li;Bing Mao;Li Xie
Affiliations:
State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China;State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China;State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China;State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China;State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China
Venue:
ISC'06 Proceedings of the 9th international conference on Information Security
Year:
2006

Citing 11
Cited 1

A theory of type qualifiers

Proceedings of the ACM SIGPLAN 1999 conference on Programming language design and implementation
Introduction to Algorithms

Introduction to Algorithms
Improving Security Using Extensible Lightweight Static Analysis

IEEE Software
Using CQUAL for Static Analysis of Authorization Hook Placement

Proceedings of the 11th USENIX Security Symposium
Buffer overflow and format string overflow vulnerabilities

Software—Practice & Experience - Special issue: Security software
Secure program execution via dynamic information flow tracking

ASPLOS XI Proceedings of the 11th international conference on Architectural support for programming languages and operating systems
Defeating Memory Corruption Attacks via Pointer Taintedness Detection

DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Preventing format-string attacks via automatic and efficient dynamic checking

Proceedings of the 12th ACM conference on Computer and communications security
FormatGuard: automatic protection from printf format string vulnerabilities

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Detecting format string vulnerabilities with type qualifiers

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
TIED, LibsafePlus: tools for runtime buffer overflow protection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13

FormatShield: A Binary Rewriting Defense against Format String Attacks

ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Format-string attack is one of the few truly threats to software security. Many previous methods for addressing this problem rely on program source code analysis or special recompilation, and hence exhibit limitations when applied to protect the source code unavailable software. In this paper, we present a transparent run-time approach to the defense against format-string attacks via dynamic taint and flexible validation. By leveraging library interposition and ELF binary analysis, we taint all the untrusted user-supplied data as well as their propagations during program execution, and add a security validation layer to the printf-family functions in C Standard Library in order to enforce a flexible policy to detect the format string attack on the basis of whether the format string has been tainted and contains dangerous format specifiers. Compared with other existing methods, our approach offers several benefits. It does not require the knowledge of the application or any modification to the program source code, and can therefore also be used with legacy applications. Moreover, as shown in our experiment, it is highly effective against the most types of format-string attacks and incurs low performance overhead.