Proceedings of ISP RAS

Search Method for Format String Vulnerabilities

I.A. Vakhrushev (ISP RAS, Moscow), V.V. Kaushan (ISP RAS, Moscow), V.A. Padaryan (ISP RAS, Moscow; MSU, Moscow), A.N. Fedotov (ISP RAS, Moscow)


This paper presents a search method for format string vulnerabilities. Format string vulnerabilities can cause serious security problems because they provide the ability to write an arbitrary value to an arbitrary location. Using this capability, an attacker may hijack the control flow of a program and execute malicious code. In addition, it is possible to bypass some protection mechanisms, such as the stack canary, because the function return address can be overwritten exactly. The method is based on dynamic analysis and symbolic execution. It is applied to program binaries and does not require debug information. We use dynamic analysis to find possibly unsafe uses of format string functions. If the user controls data in a format string parameter, we consider the call an unsafe usage of a format string. Then a path predicate is built. The starting point of the path predicate is the place where input data was received; the ending point is the unsafe format string function call. After building the path predicate, we need to generate a special format string that provides a control flow hijack and payload execution. By asserting such constraints on the format string parameter, we are able to determine whether the unsafe function usage is vulnerable or not. If the generated constraints are solvable, the method produces an exploit. We present a tool implementing this method. We used this tool to detect known vulnerabilities in Linux programs.
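An added example, not code from the paper or its tool: the check from the first stage described above, marking a format function call as unsafe when bytes of its format argument come from user input. It assumes source-level instrumentation in place of the paper's dynamic analysis of binaries; the tracker and the names `taint_mark`, `taint_strcpy` and `unsafe_format_use` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical byte-range taint tracker (names are not from the paper). */
#define MAX_RANGES 16
struct range { uintptr_t start; size_t len; };
static struct range tainted[MAX_RANGES];
static size_t n_tainted;

/* Call where input is received: every byte of buf is user-controlled. */
void taint_mark(const char *buf, size_t len) {
    if (n_tainted < MAX_RANGES)
        tainted[n_tainted++] = (struct range){ (uintptr_t)buf, len };
}

static int is_tainted(const char *p) {
    for (size_t i = 0; i < n_tainted; i++)
        if ((uintptr_t)p - tainted[i].start < tainted[i].len)
            return 1;
    return 0;
}

/* Number of bytes in the format string that carry user input. */
size_t tainted_format_bytes(const char *fmt) {
    size_t n = 0;
    for (const char *p = fmt; *p; p++)
        n += (size_t)is_tainted(p);
    return n;
}

/* Copy that propagates taint when the source holds user input. */
char *taint_strcpy(char *dst, const char *src) {
    size_t len = strlen(src);
    int dirty = tainted_format_bytes(src) > 0;
    memcpy(dst, src, len + 1);
    if (dirty) taint_mark(dst, len + 1);
    return dst;
}

/* Call-site check for the format argument of a printf-family function. */
int unsafe_format_use(const char *fmt) { return tainted_format_bytes(fmt) > 0; }

int main(void) {
    char input[32] = "constructed user input";  /* constructed sample */
    char msg[32];
    taint_mark(input, strlen(input) + 1);
    taint_strcpy(msg, input);
    printf("printf(msg):       %s\n", unsafe_format_use(msg) ? "UNSAFE" : "ok");
    printf("printf(\"%%s\", msg): %s\n", unsafe_format_use("%s") ? "UNSAFE" : "ok");
}
```

The literal `"%s"` is reported as safe because none of its bytes derive from input, which is also the corrected call form for the flagged site.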


format string vulnerability; binary code; vulnerability exploitation; dynamic analysis; symbolic execution


Proceedings of the Institute for System Programming, vol. 27, issue 4, 2015, pp. 23-38.

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2015-27(4)-2

For citation

I.A. Vakhrushev, V.V. Kaushan, V.A. Padaryan, A.N. Fedotov. Search Method for Format String Vulnerabilities. Proceedings of the Institute for System Programming, vol. 27, issue 4, 2015, pp. 23-38. DOI: 10.15514/ISPRAS-2015-27(4)-2.

Full text of the paper in pdf (in Russian)