DOI: 10.1145/1255329.1255344

Large-scale analysis of format string vulnerabilities in Debian Linux

Published: 14 June 2007

Abstract

Format-string bugs are a relatively common security vulnerability, and can lead to arbitrary code execution. In collaboration with others, we designed and implemented a system to eliminate format string vulnerabilities from an entire Linux distribution, using type-qualifier inference, a static analysis technique that can find taint violations.
We successfully analyze 66% of C/C++ source packages in the Debian 3.1 Linux distribution. Our system finds 1,533 format string taint warnings. We estimate that 85% of these are true positives, i.e., real bugs; ignoring duplicates from libraries, about 75% are real bugs.
We suggest that the technology exists to render format string vulnerabilities extinct in the near future.
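To make the abstract's claim concrete, here is a toy flow-insensitive taint-qualifier inference written for this page; it is an added illustration, not the paper's system, and the statement forms, source and sink function names, and sample program are all constructed. Variables carry a qualifier from the two-point lattice untainted <= tainted; assignments produce subtyping constraints, calls to designated sources force tainted, and a format-string sink is flagged when its format argument's least solution is tainted.

```python
# Toy taint-qualifier inference over a tiny constructed intermediate form.
# Added example for illustration; it is not the paper's tool or its input format.
from collections import defaultdict, deque

# Constructed names: functions whose result is attacker-controlled (sources)
# and functions whose format argument must be untainted (sinks -> arg index).
TAINT_SOURCES = {"getenv", "read_line", "recv"}
FORMAT_SINKS = {"printf": 0, "syslog": 1, "fprintf": 1}


def infer_taint(stmts):
    """Solve the qualifier constraints for a statement list.

    Statement forms (constructed for this example):
      ("lit", var)              var = "literal"           -> untainted
      ("call", var, fn, args)   var = fn(args...)         -> tainted if fn is a source,
                                                            else joins taint of args
      ("assign", dst, src)      dst = src / strcpy(dst, src) -> constraint src <= dst
      ("sink", fn, args)        fn(args...)               -> format arg must be untainted
    Returns (tainted_vars, warnings); each warning carries the flow path.
    """
    flows = defaultdict(set)   # src var -> vars that must be at least as tainted
    seeds = set()              # vars forced to 'tainted' by a source call
    origin = {}                # seed var -> the source function that tainted it
    sinks = []                 # (sink fn, format-argument variable)
    for st in stmts:
        kind = st[0]
        if kind == "lit":
            continue                        # string literals are untainted
        elif kind == "call":
            _, dst, fn, args = st
            if fn in TAINT_SOURCES:
                seeds.add(dst)
                origin[dst] = fn
            else:
                for a in args:              # unknown callee: result >= each argument
                    flows[a].add(dst)
        elif kind == "assign":
            _, dst, src = st
            flows[src].add(dst)
        elif kind == "sink":
            _, fn, args = st
            if fn in FORMAT_SINKS:
                sinks.append((fn, args[FORMAT_SINKS[fn]]))

    # Least solution of the constraints: push 'tainted' forward to a fixpoint.
    tainted = set(seeds)
    parent = {}                # var -> predecessor on the path that tainted it
    work = deque(seeds)
    while work:
        v = work.popleft()
        for w in flows[v]:
            if w not in tainted:
                tainted.add(w)
                parent[w] = v
                work.append(w)

    warnings = []
    for fn, fmt in sinks:
        if fmt in tainted:
            path = [fmt]
            while path[-1] in parent:
                path.append(parent[path[-1]])
            path.reverse()                  # source variable first
            warnings.append((fn, fmt, origin[path[0]], path))
    return tainted, warnings


# Constructed sample: a tainted value reaches printf's format argument through
# two copies; the literal-format calls (including the "%s" fix) pass the check.
SAMPLE = [
    ("lit", "greeting"),                        # char *greeting = "hello %s\n";
    ("call", "user", "getenv", ["HOME"]),       # user = getenv("HOME");
    ("assign", "buf", "user"),                  # strcpy(buf, user);
    ("assign", "msg", "buf"),                   # msg = buf;
    ("sink", "printf", ["msg"]),                # printf(msg);             <- warning
    ("sink", "printf", ["greeting", "user"]),   # printf(greeting, user);  OK
    ("lit", "pct_s"),                           # "%s"
    ("sink", "printf", ["pct_s", "msg"]),       # printf("%s", msg);       OK
]

if __name__ == "__main__":
    tainted_vars, found = infer_taint(SAMPLE)
    print("tainted:", sorted(tainted_vars))
    for fn, fmt, src, path in found:
        print(f"{fn}: format argument '{fmt}' tainted by {src} via {' -> '.join(path)}")
```

The reported path is what makes such a warning reviewable: a practitioner confirms the source really is attacker-controlled and the sink really is a format argument before counting it as a true positive, which is the triage the abstract's 85% estimate implies.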



Published In

PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for security
June 2007
122 pages
ISBN: 9781595937117
DOI: 10.1145/1255329
General Chair: Michael Hicks

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. format string vulnerability
2. large-scale analysis
3. type-qualifier inference
