Proceedings of ISP RAS


Search Method for Format String Vulnerabilities

I.A. Vakhrushev (ISP RAS, Moscow), V.V. Kaushan (ISP RAS, Moscow), V.A. Padaryan (ISP RAS, Moscow; MSU, Moscow), A.N. Fedotov (ISP RAS, Moscow)

Abstract

In this paper search method for format string vulnerabilities is presented. Format string vulnerabilities can cause serious security problems providing ability to write an arbitrary value to an arbitrary location. Using this opportunity an attacker may hijack the control flow of a program and execute a malicious code. Besides, it is possible to bypass some protection mechanisms such as the stack canary due to exact overwriting of function return address. The method is based on dynamic analysis and symbolic execution. It is applied to program binaries without requiring debug information. We use dynamic analysis to find possible unsafe usage of format string function. If user controls data in a format string parameter, we consider that it is an unsafe usage of format string. Then a path predicate is build. The starting point of path predicate is a place where input data was received, the ending point is an unsafe format string function call. After building the path predicate we need to generate a special format string that provides a control flow hijack and a payload execution. By asserting such constraints on the format string parameter we are able to determine whether unsafe function usage is vulnerable or not. If the generated constraints are solvable, the method produces an exploit. We present a tool implementing this method. We used this tool to detect known vulnerabilities in Linux programs.

Keywords

format string vulnerability; binary code; vulnerability exploitation; dynamic analysis; symbolic execution

Edition

Proceedings of the Institute for System Programming, vol. 27, issue 4, 2015, pp. 23-38.

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2015-27(4)-2

Full text of the paper in pdf (in Russian) Back to the contents of the volume