Article

Detecting format string vulnerabilities with type qualifiers

Authors:

Jeffrey S. Foster,

David WagnerAuthors Info & Claims

SSYM'01: Proceedings of the 10th conference on USENIX Security Symposium - Volume 10

Article No.: 16

Published: 13 August 2001 Publication History

Abstract

We present a new system for automatically detecting format string security vulnerabilities in C programs using a constraint-based type-inference engine. We describe new techniques for presenting the results of such an analysis to the user in a form that makes bugs easier to find and to fix. The system has been implemented and tested on several real-world software packages. Our tests show that the system is very effective, detecting several bugs previously unknown to the authors and exhibiting a low rate of false positives in almost all cases. Many of our techniques are applicable to additional classes of security vulnerabilities, as well as other type- and constraint-based systems.

References

[1]

{1} Martín Abadi and Luca Cardelli. A Theory of Objects. Springer, 1996.

Digital Library

[2]

{2} Lamagra Argamal. "ftpd: the advisory version." bugtraq mailing list, 23 June 2000. http://www.securityfocus.com/archive/ 1/66544.

[3]

{3} Todd M. Austin, Scott E. Breach, and Gurindar S. Sohi. "Efficient Detection of All Pointer and Array Access Errors." In Proceedings of the ACM SIGPLAN'94 Conference on Programming Language Design and Implementation , June 1994.

Digital Library

[4]

{4} Christophe Bailleux. "Asynchro," bugtraq mailing list, 8 December 2000. http://www.securityfocus.com/archive/ 1/149977.

[5]

{5} D.J. Bernstein, "Re: Logging question." qmail mailing list, 13 September 1996. http://www.ornl.gov/ its/archives/mailing-lists/qmail/ 1996/12/msg00314.html.

[6]

{6} K. J. Biba. "Integrity considerations for secure computer systems." Technical Report ESD-TR-76-372, MTR-3153, The MITRE Corporation, USAF Electronic Systems Division, Bedford, MA, April 1977.

[7]

{7} M. Bishop and M. Dilger. "Checking for Race Conditions in File Accesses." Computing Systems, 9(2):131-152, Spring 1996.

[8]

{8} CERT Advisory CA-2000-13. "Two Input Validation Problems in FTPD." 7 July 2000.

[9]

{9} CERT Advisory CA-2000-17, "Input Validation Problem in rpc.statd." 18 August 2000.

[10]

{10} CERT Incident Note IN-2000-10, "Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities." 15 September 2000.

[11]

{11} CERT Advisory CA-2000-22. "Input Validation Problems in LPRng." 12 December 2000.

[12]

{12} Satish Chandra and Thomas W. Reps. "Physical Type Checking for C." In Proceedings of the ACM SIGPLAN/ SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, Toulouse, France, September 1999., pages 66-75.

Digital Library

[13]

{13} Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. "FormatGuard: Automatic Protection From printf Format String Vulnerabilities." This volume.

[14]

{14} B. A. Davey and H. A. Priestley. Introduction to Lattices and Order. Cambridge University Press, 1990.

[15]

{15} Alan DeKok. "PScan: A limited problem scanner for C source files." Available at http://www.striker.ottawa.on.ca/ ~aland/pscan.

[16]

{16} Martin Elsman, Jeffrey S. Foster, and Alexander Aiken. "Carillon--a System to Find Y2K Problems in C Programs." Available at http://www.cs.berkeley.edu/Research/ Aiken/carillon/doc.ps.gz.

[17]

{17} Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem. "Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions." In Proceedings of the Fourth Symposium on Operating Systems Design and Implementation, San Diego, CA, October 2000.

Digital Library

[18]

{18} David Evans. "Static Detection of Dynamic Memory Errors." Proceedings of the 1996 ACM SIGPLAN Conference on Programming Language Design and Implementation , Philadelphia, Pennsylvania, May 1996, pages 44-53.

Digital Library

[19]

{19} Jeffrey S. Foster, Manuel Fähndrich, and Alexander Aiken. "A Theory of Type Qualifiers." In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'99), Atlanta, Georgia, May 1999.

Digital Library

[20]

{20} Christopher Harrelson. "Program Analysis Mode." http://www.cs.berkeley.edu/~chrishtr/ pam.

[21]

{21} Fritz Henglein and Jakob Rehof. "The Complexity of Subtype Entailment for Simple Types." In Proceedings, Twelfth Annual IEEE Symposium on Logic in Computer Science, Warsaw, Poland, July 1997, pages 352-361.

Digital Library

[22]

{22} Maxime Henrion. "muh IRC bouncer remote vulnerability." FreeBSD Security Advisory FreeBSD-SA-00:57. http://www.securityfocus.com/ advisories/2741.

[23]

{23} Maxime Henrion. "format string bug in muh." bugtraq mailing list, 09 September 2000. http://www.securityfocus.com/archive/ 1/81367.

[24]

{24} Jarno Huuskonen. "Some possible format string errors." Linux Security Audit Project mailing list, 25 September 2000. http://www2.merton.ox.ac.uk/ ~security/security-audit-200009/ 0118.html.

[25]

{25} Jarno Huuskonen. "syslog(prio, buf) in mars_nwe." Linux Security Audit Project mailing list, 27 September 2000. http://www2.merton.ox.ac.uk/ ~security/security-audit-200009/ 0136.html.

[26]

{26} K. Rustan M. Leino and Greg Nelson. "An Extended Static Checker for Modula-3." In Kai Koskimies, editor, Compiler Construction: 7th International Conference, CC'98, volume 1383 of Lecture Notes in Computer Science, pages 302-305. Springer, April 1998.

Digital Library

[27]

{27} Robert Lemos. "Internet worm squirms into Linux servers." Special to CNET News.com, 17 January 2001. http://news.cnet.com/news/0-1003-200-4508359.html.

[28]

{28} John C. Mitchell. Type inference with simple subtypes. Journal of Functional Programming, 1(3):245-285, July 1991.

[29]

{29} Andrew C. Myers and Barbara Liskov. "Protecting Privacy using the Decentralized Label Model." ACM Transactions on Software Engineering and Methodology, 9(4), April 2001.

Digital Library

[30]

{30} Tim Newsham. "Format String Attacks." Guardent, Inc. September 2000. http://www.guardent.com/ docs/FormatString.PDF.

[31]

{31} Robert O'Callahan and Daniel Jackson. "Lackwit: Practical Program Understanding With Type Inference." In Proceedings of the 19th International Conference on Software Engineering, pp. 338-348, Boston, Massachusetts, May 1997.

Digital Library

[32]

{32} Perl Security. http://www.perl.com/pub/doc/ manual/html/pod/perlsec.html.

[33]

{33} Jakob Rehof and Manuel Fähndrich. "Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability." In Proceedings of the 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, London, United Kingdom, January 2001.

Digital Library

[34]

{34} Tim J. Robbins. libformat. Available at http://box3n.gumbynet.org/~fyre/ software.

[35]

{35} Pekka Savola. "Very probable remote root vulnerability in cfengine." bugtraq mailing list, 1 October 2000. http://www.securityfocus.com/ archive/1/136751.

[36]

{36} Michael Siff, Satish Chandra, Thomas Ball, Thomas Reps, and Krishna Kunchithapadam. "Coping With Type Casts in C." In ACM Conference on Foundations of Software Engineering (FSE), September 1999.

Digital Library

[37]

{37} Bjarne Steensgaard. "Points-to Analysis in Almost Linear Time." In Proceedings of the 23rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, St. Petersburg Beach, Florida, January 1996, pages 32-41.

Digital Library

[38]

{38} John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary Mc-Graw. "ITS4: A Static Vulnerability Scanner for C and C++ Code." In 16th Annual Computer Security Applications Conference (ACSAC 2000), December 2000.

Digital Library

[39]

{39} D. Volpano, G. Smith, and C. Irvine. "A sound type system for secure flow analysis." Journal of Computer Security , 4(3):1-21, 1996.

Digital Library

[40]

{40} D. Volpano and G. Smith. "A type-based approach to program security." Proceedings of TAPSOFT'97, Colloqium on Formal Approaches in Software Engineering.

Digital Library

[41]

{41} David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken. "A First Step Toward Automated Detection of Buffer Overrun Vulnerabilities." In Proceedings of the Network and Distributed System Security Symposium , San Diego, California, February 2000.

[42]

{42} LarryWall, Tom Christiansen and Jon Orwant. Programming Perl, 3rd Edition. July 2000. O'Reilly & Associates.

[43]

{43} "WuFTPD: Providing remote root since at least 1994," bugtraq mailing list, June 23, 2000, http://www.securityfocus.com/archive/ 1/66367.

Cited By

Ma LXu JSun JZhou YXie XShen WChang RRen KGunawi HMa X(2021)Revisiting challenges for selective data protection of real applicationsProceedings of the 12th ACM SIGOPS Asia-Pacific Workshop on Systems10.1145/3476886.3477504(138-145)Online publication date: 24-Aug-2021
https://dl.acm.org/doi/10.1145/3476886.3477504
Huang YAngstadt KLeach KWeimer W(2020)Selective Symbolic Type-Guided Checkpointing and Restoration for Autonomous Vehicle RepairProceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops10.1145/3387940.3392201(3-10)Online publication date: 27-Jun-2020
https://dl.acm.org/doi/10.1145/3387940.3392201
Brahmakshatriya AKedia PMcKee DGarg DLal ARastogi ANemati HPanda ABhatu P(2019)ConfLLVMProceedings of the Fourteenth EuroSys Conference 201910.1145/3302424.3303952(1-15)Online publication date: 25-Mar-2019
https://dl.acm.org/doi/10.1145/3302424.3303952
Show More Cited By

Index Terms

Detecting format string vulnerabilities with type qualifiers
1. Security and privacy
  1. Software and application security
    1. Software security engineering
2. Software and its engineering

Recommendations

A theory of type qualifiers

We describe a framework for adding type qualifiers to a language. Type qualifiers encode a simple but highly useful form of subtyping. Our framework extends standard type rules to model the flow of qualifiers through a program, where each qualifier or ...
Detecting format string vulnerabilities with type qualifiers
SSYM'01: Proceedings of the 10th conference on USENIX Security Symposium - Volume 10

We present a new system for automatically detecting format string security vulnerabilities in C programs using a constraint-based type-inference engine. We describe new techniques for presenting the results of such an analysis to the user in a form that ...
Semantic type qualifiers
PLDI '05: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation

We present a new approach for supporting user-defined type refinements, which augment existing types to specify and check additional invariants of interest to programmers. We provide an expressive language in which users define new refinements and ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

SSYM'01: Proceedings of the 10th conference on USENIX Security Symposium - Volume 10

August 2001

350 pages

Publisher

USENIX Association

United States

Publication History

Published: 13 August 2001

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

127
Total Citations
View Citations
21
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 06 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Ma LXu JSun JZhou YXie XShen WChang RRen KGunawi HMa X(2021)Revisiting challenges for selective data protection of real applicationsProceedings of the 12th ACM SIGOPS Asia-Pacific Workshop on Systems10.1145/3476886.3477504(138-145)Online publication date: 24-Aug-2021
https://dl.acm.org/doi/10.1145/3476886.3477504
Huang YAngstadt KLeach KWeimer W(2020)Selective Symbolic Type-Guided Checkpointing and Restoration for Autonomous Vehicle RepairProceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops10.1145/3387940.3392201(3-10)Online publication date: 27-Jun-2020
https://dl.acm.org/doi/10.1145/3387940.3392201
Brahmakshatriya AKedia PMcKee DGarg DLal ARastogi ANemati HPanda ABhatu P(2019)ConfLLVMProceedings of the Fourteenth EuroSys Conference 201910.1145/3302424.3303952(1-15)Online publication date: 25-Mar-2019
https://dl.acm.org/doi/10.1145/3302424.3303952
Du XChen BLi YGuo JZhou YLiu YJiang YAtlee JBultan TWhittle J(2019)LeopardProceedings of the 41st International Conference on Software Engineering10.1109/ICSE.2019.00024(60-71)Online publication date: 25-May-2019
https://dl.acm.org/doi/10.1109/ICSE.2019.00024
Yan HSui YChen SXue J(2017)Machine-Learning-Guided Typestate Analysis for Static Use-After-Free DetectionProceedings of the 33rd Annual Computer Security Applications Conference10.1145/3134600.3134620(42-54)Online publication date: 4-Dec-2017
https://dl.acm.org/doi/10.1145/3134600.3134620
Laguna ISchulz MWest J(2016)Pinpointing scale-dependent integer overflow bugs in large-scale parallel applicationsProceedings of the International Conference for High Performance Computing, Networking, Storage and Analysis10.5555/3014904.3014930(1-12)Online publication date: 13-Nov-2016
https://dl.acm.org/doi/10.5555/3014904.3014930
Anand KElwazeer KKotha ASmithson MBarua RKeromytis A(2016)A Stack Memory Abstraction and Symbolic Analysis Framework for ExecutablesACM Transactions on Software Engineering and Methodology10.1145/289751125:2(1-38)Online publication date: 27-Apr-2016
https://dl.acm.org/doi/10.1145/2897511
Vakilian MPhaosawasdi AErnst MJohnson RBertolino ACanfora GElbaum S(2015)CascadeProceedings of the 37th International Conference on Software Engineering - Volume 110.5555/2818754.2818785(234-245)Online publication date: 16-May-2015
https://dl.acm.org/doi/10.5555/2818754.2818785
Chen QQian ZJia YShao YMao ZRay ILi NKruegel C(2015)Static Detection of Packet Injection VulnerabilitiesProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security10.1145/2810103.2813643(388-400)Online publication date: 12-Oct-2015
https://dl.acm.org/doi/10.1145/2810103.2813643
Huang WDong YMilanova ADolby JYoung MXie T(2015)Scalable and precise taint analysis for AndroidProceedings of the 2015 International Symposium on Software Testing and Analysis10.1145/2771783.2771803(106-117)Online publication date: 13-Jul-2015
https://dl.acm.org/doi/10.1145/2771783.2771803
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents