Transparent Run-Time Prevention of Format-String Attacks Via Dynamic Taint and Flexible Validation

  • Zhiqiang Lin
  • Nai Xia
  • Guole Li
  • Bing Mao
  • Li Xie
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4176)


Format-string attack is one of the few truly threats to software security. Many previous methods for addressing this problem rely on program source code analysis or special recompilation, and hence exhibit limitations when applied to protect the source code unavailable software. In this paper, we present a transparent run-time approach to the defense against format-string attacks via dynamic taint and flexible validation. By leveraging library interposition and ELF binary analysis, we taint all the untrusted user-supplied data as well as their propagations during program execution, and add a security validation layer to the printf-family functions in C Standard Library in order to enforce a flexible policy to detect the format string attack on the basis of whether the format string has been tainted and contains dangerous format specifiers. Compared with other existing methods, our approach offers several benefits. It does not require the knowledge of the application or any modification to the program source code, and can therefore also be used with legacy applications. Moreover, as shown in our experiment, it is highly effective against the most types of format-string attacks and incurs low performance overhead.


Return Address Performance Overhead Format String Default Policy Dangerous Format 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    tf8. Wu-Ftpd Remote Format String Stack Overwrite Vulnerability (2000), At:
  2. 2.
    NIST National Vunerability Database (2006), At:
  3. 3.
    Scut, team teso: Exploiting Format String Vulnerabilities (2001), At:
  4. 4.
    Riq and Gera: Advances in format string exploitation. Phrack Magazine 59(7) (2002), At:
  5. 5.
    Lhee, K., Chapin, S.: Buffer overflow and format string overflow vulnerabilities. Software-Practice & Experience 33(5), 423–460 (2003)CrossRefGoogle Scholar
  6. 6.
    Anley, C.: Advanced SQL Injection In SQL Server Applications. Technical Report, NGSSoftware Insight Security Research (2002)Google Scholar
  7. 7.
    Jacobowitz, D.: Multiple Linux Vendor rpc.statd Remote Format String Vulnerability (2000), At:
  8. 8.
    Kaempf, M.: Splitvt Format String Vulnerability (2001), At:
  9. 9.
    NSI Rwhoisd Remote Format String Vulnerability (2001), At:
  10. 10.
    Pelat, G.: PFinger Format String Vulnerability (2001), At:
  11. 11.
    Goldsmith, D.: TCPflow Format String Vulnerability (2003), At:
  12. 12.
    Xiao, Z.: An Automated Approach to Software Reliability and Security. Department of Computer Science, University of California at Berkeley (2003) (invited Talk)Google Scholar
  13. 13.
  14. 14.
    Tsai, T., Singh, N.: Libsafe 2.0: Detection of Format String Vulnerability Exploits (2001), At:
  15. 15.
    Ringenburg, M., Grossman, D.: Preventing Format-String Attacks via Automatic and Efficient Dynamic Checking. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005), Alexandria, Virginia (2005)Google Scholar
  16. 16.
    Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G.: FormatGuard: Automatic protection from printf format string vulnerabilities. In: Proceedings of the 10th USENIX Security Symposium (Security 2001), Washington DC (2001)Google Scholar
  17. 17.
    Shankar, U., Talwar, K., Foster, J.S., Wagner, D.: Detecting format string vulnerabilities with type qualifiers. In: Proceedings of the 10th USENIX Security Symposium (Security 2001), Washington DC (2001)Google Scholar
  18. 18.
    TIS. Executable and Linkable Format Version 1.1, At:
  19. 19.
    Cormen, T., Stein, C., Rivest, R., Leiserson, C.: Introduction to Algorithms, 2nd edn. MIT Press, Cambridge (2002)Google Scholar
  20. 20.
    Smirnov, A., Chiueh, T.: DIRA: Automatic Detection, Identification and Repair of Control-Hijacking Attacks. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 2005), San Jose, CA (2005)Google Scholar
  21. 21.
    Avijit, K., Gupta, P., Gupta, D.: TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection. In: Proceedings of the 13th USENIX Security Symposium (Security 2004) (2004)Google Scholar
  22. 22.
    DeKok, A.: PScan: A limited problem scanner for C source files (2000), At:
  23. 23.
    The GNU Compiler Collection. Free Software Foundation, At:
  24. 24.
    Perl security manual page, At:
  25. 25.
    Zhang, X., Edwards, A., Jaeger, T.: Using CQual for static analysis of authorization hook placement. In: Proceedings of the 11th USENIX Security Symposium (Security 2002) (2002)Google Scholar
  26. 26.
    Foster, J., Fahndrich, M., Aiken, A.: A theory of type qualifiers. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 1999) (1999)Google Scholar
  27. 27.
    Evans, D., Larochelle, D.: Improving Security Using Extensible Lightweight Static Analysis. In: IEEE Software (January/February 2002)Google Scholar
  28. 28.
    Tuong, A.N., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically hardening web applications using precise tainting. In: Proceedings of the 20th IFIP International Information Security Conference (SEC 2005) (2005)Google Scholar
  29. 29.
    Suh, G., Lee, J., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2004), Boston, MA (2004)Google Scholar
  30. 30.
    Chen, S., Xu, J., Nakka, N., Kalbarczyk, Z., Iyer, R.K.: Defeating memory corruption attacks via pointer taintedness detection. In: Proceedings of IEEE International Conference on Dependable Systems and Networks (DSN 2005) (2005)Google Scholar
  31. 31.
    Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 2005), San Jose, CA (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Zhiqiang Lin
    • 1
  • Nai Xia
    • 1
  • Guole Li
    • 1
  • Bing Mao
    • 1
  • Li Xie
    • 1
  1. 1.State Key Laboratory for Novel Software TechnologyNanjing UniversityNanjingChina

Personalised recommendations