C Secure Coding: Format String Vulnerability
Igor Sobinov 2019
28.03.2019
Agenda
•Vulnerability definition
•Types of format vulnerability
•Vulnerability Examples
•Mitigations
Format String Vulnerability: Overview
The format string vulnerability class became publicly known around 2000.
Format string vulnerabilities take advantage of an easily avoidable programmer error. If the
programmer passes an attacker-controlled buffer as the format argument of a printf-family
function, the attacker can read from and write to arbitrary memory addresses.
Format String Vulnerability: Overview
• Denial of service: a format string with many "%s" specifiers makes printf dereference
successive stack entries as pointers until it reads from an unmapped address and the program
crashes.
• Reading attacks: "%x" and "%p" dump stack entries as integers or pointers, and "%s" with a
controlled pointer reads memory at an arbitrary address, exposing data the attacker should not
have access to.
• Writing attacks: "%n" stores the number of characters written so far into the integer pointed
to by the next argument. Width fields such as "%100x" control that count, so the attacker can
write a chosen value to a chosen address, typically a return address, GOT entry or function
pointer, and redirect execution to attacker-supplied code.
Format String Vulnerability: Statistics
(Chart slides: statistics on reported format string vulnerabilities.)
Format String Vulnerability: Definition
A format string tells a printf-family function, at run time, how to format numbers and other
values when it prints them or stores them into a buffer. It is an ASCII string that specifies and
controls the representation of the variables that follow it.
In the C programming language a number of functions accept a format string as an argument:
fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf, vsnprintf. OS-specific examples:
syslog, setproctitle, etc.
Format String Vulnerability: Definition
These are variadic functions: they accept a variable number of arguments. The function has no
way of knowing how many arguments were actually passed; it trusts the format string and fetches
one argument per conversion. On 32-bit x86 (cdecl) all arguments are on the stack; on x86-64 the
first six integer/pointer arguments are passed in registers and the rest on the stack.
Function prototype:
int printf(const char *format, ...);
printf("The area code is: %d", 505);
Format String Vulnerability: Format specifiers
Format conversion specifiers:
%d      The int argument is converted to signed decimal notation
%s      The const char * argument is expected to be a pointer to an array of character type
        (printf reads memory from that address until the first NUL byte)
%x      The unsigned int argument is converted to unsigned hexadecimal (x and X)
%p      The void * pointer argument is printed in hexadecimal (as if by %#x or %#lx)
%100x   Minimum field width: the value is padded with spaces to 100 characters of output
%n      The number of characters written so far is stored into the integer pointed to by the
        corresponding argument (the only conversion that writes to memory)
%2$x    Direct parameter access: prints the second argument regardless of the conversion's
        position in the format string
C++ Secure Coding: Program Stack
A format string vulnerability is closely related to a buffer overflow.
• The argument area on the stack can be viewed as a kind of buffer
• The size of that buffer is determined by the number and size of the arguments actually passed
to the function
• A format string with more conversions than arguments makes printf read past that "buffer"
into the caller's frame (and, with %n, write through whatever pointer it finds there)
C++ Secure Coding: sprintf
sprintf is particularly interesting from a security standpoint because it "prints" formatted
data to a buffer. Aside from the possibility of a format string vulnerability, this function can
lead to buffer overflows and should usually be replaced with its length-checking cousin snprintf
(and its return value checked: a result >= the buffer size means the output was truncated).
Format String Vulnerability: Examples
Format conversion features an attacker can use:
• printf("%1000x", l);                     // pads the value to 1000 characters: 999 spaces, then "0" for l == 0
• printf("%2$x", 1, 2, 3);                 // direct parameter access, prints "2". Under _FORTIFY_SOURCE=2 glibc
                                           // aborts with "invalid %N$ use detected" because position 1 is skipped
• printf("%200$x");                        // reads the 200th "argument", i.e. a stack slot far above the frame
• printf("%n", &some_variable);            // writes four bytes (an int): the count of characters written so far, here 0
• printf("%hn", &some_variable);           // writes two bytes (a short)
• printf("%100x%2$hn", 0, &some_variable); // prints 100 characters, then stores 100 into the low two bytes of
                                           // some_variable
Format String Vulnerability: Examples
• printf("%s"): treats the next stack entry as a char * and prints the bytes it points to
  (garbage, or a crash if the value is not a valid pointer)
• printf("%d %d %d %d"): prints a series of stack entries as integers
  -735270568 0 4195808 1871788256
• printf("%08x %08x %08x %08x"): same, but as nicely formatted hex
  27e37e68 00000000 004005e0 dadd58e0
• printf("100% dave"): the space is a legal flag character, so "% d" is parsed as a %d conversion
  and prints the next stack entry as an integer
  100-1973053272ave
• printf("100% no way!"): likewise "% n" is parsed as %n and writes the number 3 (characters
  printed so far) to the address held in the next stack entry
  100o way!
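The parsing rules behind these examples (a space is a flag, "%N$" selects an argument, "%n" writes) are exactly what a validator has to understand when a program cannot avoid taking a format template from outside, for instance from a configuration file. The following function is an added example, not part of the original slides: it counts how many arguments a format consumes and rejects %n, positional access and malformed conversions, following the C99 printf conversion grammar. The name fmt_arg_count and the sample strings in main are this example's own; the samples are constructed from the slides above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * fmt_arg_count: count the variadic arguments a printf-style format consumes.
 *
 * Returns the number of arguments required, or -1 if the format must be
 * rejected because it contains %n (a memory write), positional "%N$" access
 * (skipped positions cannot be type-checked), or a malformed/unknown
 * conversion. Grammar: %[flags][width][.precision][length]conversion
 */
int fmt_arg_count(const char *fmt)
{
    int nargs = 0;
    const char *p = fmt;

    while (*p != '\0') {
        if (*p++ != '%')
            continue;
        if (*p == '%') {            /* "%%" is a literal percent sign */
            p++;
            continue;
        }

        /* flags: ' ' is a legal flag, which is why "100% dave" contains a conversion */
        while (*p == '-' || *p == '+' || *p == ' ' || *p == '#' || *p == '0')
            p++;

        /* width: digits, or '*' which consumes an extra int argument */
        if (*p == '*') {
            nargs++;
            p++;
        } else {
            while (isdigit((unsigned char)*p))
                p++;
        }
        if (*p == '$')              /* "%N$": direct parameter access, reject */
            return -1;

        /* precision: same rules as width */
        if (*p == '.') {
            p++;
            if (*p == '*') {
                nargs++;
                p++;
            } else {
                while (isdigit((unsigned char)*p))
                    p++;
            }
        }

        /* length modifiers: hh h l ll j z t L */
        while (*p != '\0' && strchr("hljztL", *p) != NULL)
            p++;

        /* conversion specifier: each of these consumes exactly one argument */
        switch (*p) {
        case 'd': case 'i': case 'u': case 'o': case 'x': case 'X':
        case 'c': case 's': case 'p':
        case 'a': case 'A': case 'e': case 'E': case 'f': case 'F': case 'g': case 'G':
            nargs++;
            p++;
            break;
        case 'n':                   /* the only conversion that writes memory */
        default:                    /* unknown or truncated conversion ('%' at end of string) */
            return -1;
        }
    }
    return nargs;
}

int main(void)
{
    /* constructed samples taken from the slides above */
    const char *samples[] = {
        "The area code is: %d", "%08x %08x %08x %08x %08x\n", "100% dave",
        "100% no way!", "%2$x", "%100x%2$hn", "%.*s", "100%% done",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %d\n", samples[i], fmt_arg_count(samples[i]));
    return 0;
}
```

The intended use is to check a template once, when it is loaded, and refuse it unless the count equals the number of arguments the program will actually pass. The check is deliberately conservative (glibc extensions such as %m or the ' flag are rejected) and is no substitute for using string literals wherever the format can be fixed at compile time.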
Format String Vulnerability: Attacks
• Crashing the program: printf("%s%s%s%s%s%s%s%s%s%s%s%s");
• Viewing the stack: printf("%08x %08x %08x %08x %08x\n");
• Viewing memory at any location: the format string itself lies on the stack, so the attacker
  places the target address in it and reaches that slot with "%s"
• Writing an integer to nearly any location in the process memory: the same trick with "%n"
Format String Vulnerability: Program Stack
Regions of a process's memory:
Text: where the program's code is (read-only, executable).
Initialized data: where global variables that have been declared and given a value are stored.
Uninitialized data/BSS: where global variables that have been declared but not given a value are
stored (zero-filled at load time).
Stack: keeps track of the program's execution (return addresses) and stores local variables.
Heap: where dynamic memory allocation takes place. A programmer uses the heap for data whose
lifetime is not tied to a single function call and frees it when it is no longer needed.
Format String Vulnerability: Program Stack
The stack keeps track of which function is being executed and of the local variables defined
within that function.
When a function is called, a data structure called a stack frame is created.
Each function has its own stack frame, which contains
• local variables for that function,
• parameters passed to the function when it was called (on 32-bit x86; x86-64 passes the first
  six in registers),
• the return address, which specifies what instruction the program should execute next once
  the function is done.
On x86 the ESP register holds the current stack pointer (RSP on x86-64) and EBP the frame base.
Format String Vulnerability: Program Stack (x86)
(Diagram: the stack grows toward lower memory addresses; each call pushes a new frame below
the previous one.)
C++ Secure Coding: Program Stack
The following slides use this 32-bit x86 (cdecl) function, whose fmt parameter is controlled by
the caller:

#include <stdio.h>

void test(void *addr, char *fmt)
{
    int local = 0;
    printf(fmt);    /* attacker-controlled format string, no fixed format, no arguments */
}

Stack layout as seen from inside printf(), higher addresses first:

    fmt              2nd argument of test()       -> printf's 5th "argument" (%5$)
    addr             1st argument of test()       -> printf's 4th "argument" (%4$)
    return address   back into test()'s caller    -> printf's 3rd "argument" (%3$)
    saved ebp                                     -> printf's 2nd "argument" (%2$)
    local            test()'s local variable      -> printf's 1st "argument" (%1$)
    fmt_string       pointer to fmt: printf's only real argument
    return address   back into test()

printf() cannot know how many arguments were passed; each conversion consumes the next stack
slot above fmt_string. Positional "%N$" indices count from the first variadic argument, so
%1$p is local and %4$p is addr.

C++ Secure Coding: The exploit
With addr = 0x41414141:
• fmt = "%p %p %p %p %p" dumps five stack slots:
  "0x0 0xfffca010 0x8040a10 0x41414141 0xfffeafa0"
  (local, saved ebp, return address, addr, fmt)
• fmt = "%4$p" selects a single slot with direct parameter access:
  "0x41414141"
• fmt = "%0100x%4$p" shows that the width field controls how many characters are written before
  the next conversion:
  "<100 zero-padded characters>0x41414141"
• fmt = "%0100x%4$n" turns that count into a write: %n stores the number of characters written
  so far (100) into the int at the address held in the 4th argument, i.e. it writes 100 to
  0x41414141. In a real exploit the attacker supplies the target address (for example as bytes
  inside the format string itself) and uses width fields with %hn or %hhn to assemble an arbitrary
  value in two- or one-byte pieces; 0x41414141 is not mapped here and the write would simply crash.
Format String Vulnerability: sudo format string vulnerability
January 2012: the sudo format string vulnerability CVE-2012-0809 (sudo 1.8.0 through 1.8.3p1)
let any local user obtain a root shell. Most Linux distributions shipped affected versions:
Fedora, Ubuntu, Debian, etc.
The vulnerable call passes a format string built at run time to vfprintf(), exactly the pattern
GCC's -Wformat-nonliteral is meant to flag; the warning was evidently not enabled or was ignored.
Other well-known projects that have had format string vulnerabilities: Axiom mail server, the
Pidgin instant messenger, CUPS (Common Unix Printing System).
Format String Vulnerability: sudo format string vulnerability
void sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Bracket fmt with program name and a newline to make it a single write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);   /* argv[0] is spliced INTO the format */
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);                          /* ... and then interpreted as one */
    va_end(ap);
    efree(fmt2);
}
Here getprogname() returns the program name taken from argv[0], which the user controls (for
example by exec'ing sudo with an arbitrary argv[0]). So argv[0] goes into fmt2, which is then
vfprintf()-ed to stderr, and any %-sequences in the program name are interpreted. The result is a
format string vulnerability; a public exploit was released.
Format String Vulnerability: Demo "Dead beef"
#include <stdio.h>

int num1 = 0xdead;                  /* global target, lives in the data segment */

int main(int argc, char **argv)
{
    int num2 = 0xbeef;              /* local target, lives on the stack */
    int *ptr = &num1;               /* puts the address of num1 on the stack, reachable by %n */
    (void)ptr;

    if (argc < 2)
        return 1;
    printf(argv[1]);                /* the vulnerability: user input used as the format string */

    if (0xabc == num1)
        printf("Global done");
    if (0xdef == num2)
        printf("Local done");
    printf("\n num1: 0x%x [%p] num2: 0x%x [%p]\n", num1, (void *)&num1, num2, (void *)&num2);
    return 0;
}
The goal of the demo is to craft argv[1] so that %n overwrites num1 with 0xabc and num2 with 0xdef.
Format String Vulnerability: Mitigations
The good thing about format string vulnerabilities is that they are relatively easy to find in a
source code audit: look for every *printf/syslog-style call whose format is not a string literal.
• Always specify the format string as part of the program, never take it from input. Most format
string vulnerabilities are fixed by using "%s" as the format and passing the data string as an
argument.
• The number of arguments must match the number of conversions in the format string.
• -fstack-protector (canaries for functions using alloca or buffers > 8 bytes) and
-fstack-protector-all. Note that a canary only detects a contiguous overwrite of the frame; a
targeted %n write to a GOT entry or function pointer bypasses it.
• FormatGuard: Automatic Protection From printf Format String Vulnerabilities (Cowan et al.,
USENIX Security 2001)
Format String Vulnerability: Mitigations
Address space layout randomization (ASLR): just like the countermeasure used against buffer
overflow attacks, address randomization makes it difficult for the attacker to know which address
to read or write (although a format string read is itself a common way to leak addresses and
defeat it).
# cat /proc/sys/kernel/randomize_va_space
2
# sysctl -a --pattern randomize
kernel.randomize_va_space = 2
0 = Disabled
1 = Conservative randomization (stack, mmap regions, VDSO, shared libraries)
2 = Full randomization (additionally the heap/brk area)
For the executable itself to be randomized it must be built as a Position Independent Executable
(PIE): compile with -fPIE and link with -pie.
Format String Vulnerability: _FORTIFY_SOURCE
• _FORTIFY_SOURCE is a glibc feature test macro (man 7 feature_test_macros). It only takes effect
with optimization enabled (-O1 or higher) and with the relevant headers included (e.g. <stdio.h>,
<string.h>), because it works by redirecting calls to checked variants such as __printf_chk
• gcc -D_FORTIFY_SOURCE=1 adds checks that cannot change the behaviour of conforming programs:
compile-time checks where buffer sizes are known, plus lightweight run-time checks
• gcc -D_FORTIFY_SOURCE=2 adds stricter run-time checks, including the %n and %N$ format checks
shown on the next slide; a detected buffer overflow terminates the program
Format String Vulnerability: _FORTIFY_SOURCE
*** %n in writable segment detected ***
Aborted
With _FORTIFY_SOURCE=2, glibc allows "%n" only in format strings that live in read-only memory
(string literals), not in stack- or heap-allocated strings, which is where attacker-controlled
formats live.
*** invalid %N$ use detected ***
Aborted (core dumped)
Format string positional arguments are being skipped, which means their type (and size on the
stack) cannot be checked. This could cause unexpected results including stack content leaks,
especially when using %n. For example, printf("%2$s\n", 0, "Test") is invalid because position 1
is skipped.
Format String Vulnerability: Mitigations
• VC: use the SAL annotation _Printf_format_string_ to tell the compiler (and /analyze) to
validate the format string and its arguments:
#define FORMAT_STRING(p) _Printf_format_string_ p
extern void log_error(FORMAT_STRING(const char* format), ...);
• GCC/Clang: __attribute__((format(archetype, string-index, first-to-check))) marks a
printf-like wrapper so that -Wformat checks calls to it as well:
extern int
my_printf(void *my_object, const char *my_format, ...)
    __attribute__ ((format (printf, 2, 3)));
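The following wrapper shows how the attribute above combines with the fix for the sudo_debug() mistake from the earlier slide. It is an added example, not sudo's code and not from the original slides; the function debug_log_to, its parameters and the hostile program name in main are this example's own. Only the programmer-supplied literal fmt is ever parsed as a format; the caller-controlled program name is emitted through "%s".

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * debug_log_to: hardened variant of the sudo_debug() pattern.
 *
 * sudo_debug() spliced getprogname() into a format string and then ran
 * vfprintf() on the result. Here the program name never reaches a format
 * parser: the trusted literal fmt is expanded on its own with vsnprintf(),
 * and the program name and the expanded message are both emitted as "%s"
 * data. The format attribute makes GCC/Clang check every call site's
 * arguments against fmt (-Wformat) and warn if fmt is not a literal
 * (-Wformat-nonliteral).
 *
 * Returns the length of the full message as snprintf() would, so a value
 * >= outsz means out was truncated; -1 on a formatting error.
 */
int debug_log_to(char *out, size_t outsz, const char *progname,
                 const char *fmt, ...)
    __attribute__((format(printf, 4, 5)));

int debug_log_to(char *out, size_t outsz, const char *progname,
                 const char *fmt, ...)
{
    char msg[256];
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(msg, sizeof msg, fmt, ap);   /* only the trusted literal is a format */
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= sizeof msg)               /* message did not fit: mark the truncation */
        memcpy(msg + sizeof msg - 4, "...", 4);

    /* progname comes from argv[0]: it is printed as data, never as a format */
    return snprintf(out, outsz, "%s: %s\n", progname, msg);
}

int main(void)
{
    char line[512];
    /* constructed hostile program name, standing in for an attacker-chosen argv[0] */
    const char *evil_progname = "%n%n%n%s";

    debug_log_to(line, sizeof line, evil_progname, "pid %d level %d", 4242, 3);
    fputs(line, stderr);   /* prints: %n%n%n%s: pid 4242 level 3 */
    return 0;
}
```

Compile with -Wall -Wformat=2 -Werror=format-security: a call such as debug_log_to(buf, n, name, user_string) then fails the build, which is the behaviour you want, since the wrapper's whole point is that user_string must travel through "%s".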
Format String Vulnerability: Format security
-Wformat: check calls to printf, scanf, etc., to make sure that the arguments supplied have types
appropriate to the format string specified, and that the conversions specified in the format
string make sense. Enabled by -Wall.
-Wformat-security: if -Wformat is specified, also warn about calls to printf and scanf functions
where the format string is not a string literal and there are no format arguments, as in
printf(foo). -Werror=format-security turns the warning into a build failure.
-Wformat-nonliteral: if -Wformat is specified, also warn if the format string is not a string
literal and so cannot be checked (this flags calls like the sudo vfprintf(stderr, fmt2, ap)).
Format String Vulnerability: Format security
These options enable compile-time warnings about misuse of format strings, some of which have
security implications.
Failure example:
warning: format '%s' expects type 'char *', but argument 3 has type 'int'
For packages that are not already building with -Wall, format characters will now be checked
against argument types. Verify that the correct variables are passed for a given format string.
Format String Vulnerability: Format security
warning: format not a string literal and no format arguments
This is caused by code that forgot to use "%s" with a *printf function. For example:
fprintf(stderr, buf);
should be:
fprintf(stderr, "%s", buf);
Disabled with -Wno-format-security or -Wformat=0 in CPPFLAGS (do not do this; fix the call instead).
Format String Vulnerability: Automated code scanning
• RATS, the Rough Auditing Tool for Security: a free source code scanner
• Flawfinder: open source scanner that examines C/C++ source code and reports possible security
weaknesses, including non-literal format strings
• Veracode: commercial code scanner
References
Hacking: The Art of Exploitation (Jon Erickson)
More Related Content

What's hot

Cs8792 cns - unit v
Cs8792   cns - unit vCs8792   cns - unit v
Cs8792 cns - unit vArthyR3
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explainedTeja Babu
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Secret key cryptography
Secret key cryptographySecret key cryptography
Secret key cryptographyPrabhat Goel
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentialityCAS
 
6 buffer overflows
6   buffer overflows6   buffer overflows
6 buffer overflowsdrewz lin
 
What is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itWhat is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itlavakumar Thatisetti
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and SecurityBlueinfy Solutions
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management ProcessBill Ross
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
Topic1 substitution transposition-techniques
Topic1 substitution transposition-techniquesTopic1 substitution transposition-techniques
Topic1 substitution transposition-techniquesMdFazleRabbi18
 

What's hot (20)

Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
Cs8792 cns - unit v
Cs8792   cns - unit vCs8792   cns - unit v
Cs8792 cns - unit v
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalation
 
IP Security
IP SecurityIP Security
IP Security
 
Session hijacking
Session hijackingSession hijacking
Session hijacking
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explained
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
Secret key cryptography
Secret key cryptographySecret key cryptography
Secret key cryptography
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentiality
 
6 buffer overflows
6   buffer overflows6   buffer overflows
6 buffer overflows
 
What is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itWhat is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in it
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Topic1 substitution transposition-techniques
Topic1 substitution transposition-techniquesTopic1 substitution transposition-techniques
Topic1 substitution transposition-techniques
 

Similar to C format string vulnerability

2.Format Strings
2.Format Strings2.Format Strings
2.Format Stringsphanleson
 
Format string
Format stringFormat string
Format stringVu Review
 
Fundamental of C Programming Language and Basic Input/Output Function
  Fundamental of C Programming Language and Basic Input/Output Function  Fundamental of C Programming Language and Basic Input/Output Function
Fundamental of C Programming Language and Basic Input/Output Functionimtiazalijoono
 
Error correction-and-type-of-error-in-c
Error correction-and-type-of-error-in-cError correction-and-type-of-error-in-c
Error correction-and-type-of-error-in-cMd Nazmul Hossain Mir
 
C programming language tutorial
C programming language tutorial C programming language tutorial
C programming language tutorial javaTpoint s
 
Format string vunerability
Format string vunerabilityFormat string vunerability
Format string vunerabilitynuc13us
 
C data type format specifier
C data type format specifierC data type format specifier
C data type format specifierSandip Sitäulä
 
Managing input and output operations in c
Managing input and output operations in cManaging input and output operations in c
Managing input and output operations in cniyamathShariff
 
miniLesson on the printf() function
miniLesson on the printf() functionminiLesson on the printf() function
miniLesson on the printf() functionChristine Wolfe
 
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdf
MANAGING INPUT AND OUTPUT OPERATIONS IN C    MRS.SOWMYA JYOTHI.pdfMANAGING INPUT AND OUTPUT OPERATIONS IN C    MRS.SOWMYA JYOTHI.pdf
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdfSowmyaJyothi3
 
Introduction to c
Introduction to cIntroduction to c
Introduction to camol_chavan
 
Mesics lecture 5 input – output in ‘c’
Mesics lecture 5   input – output in ‘c’Mesics lecture 5   input – output in ‘c’
Mesics lecture 5 input – output in ‘c’eShikshak
 
Mesics lecture 5 input – output in ‘c’
Mesics lecture 5   input – output in ‘c’Mesics lecture 5   input – output in ‘c’
Mesics lecture 5 input – output in ‘c’eShikshak
 

Similar to C format string vulnerability (20)

2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
 
Format string
Format stringFormat string
Format string
 
Fundamental of C Programming Language and Basic Input/Output Function
  Fundamental of C Programming Language and Basic Input/Output Function  Fundamental of C Programming Language and Basic Input/Output Function
Fundamental of C Programming Language and Basic Input/Output Function
 
Error correction-and-type-of-error-in-c
Error correction-and-type-of-error-in-cError correction-and-type-of-error-in-c
Error correction-and-type-of-error-in-c
 
C programming language tutorial
C programming language tutorial C programming language tutorial
C programming language tutorial
 
Format string vunerability
Format string vunerabilityFormat string vunerability
Format string vunerability
 
Introduction to Input/Output Functions in C
Introduction to Input/Output Functions in CIntroduction to Input/Output Functions in C
Introduction to Input/Output Functions in C
 
C data type format specifier
C data type format specifierC data type format specifier
C data type format specifier
 
Unit1 C
Unit1 CUnit1 C
Unit1 C
 
Unit1 C
Unit1 CUnit1 C
Unit1 C
 
Managing input and output operations in c
Managing input and output operations in cManaging input and output operations in c
Managing input and output operations in c
 
miniLesson on the printf() function
miniLesson on the printf() functionminiLesson on the printf() function
miniLesson on the printf() function
 
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdf
MANAGING INPUT AND OUTPUT OPERATIONS IN C    MRS.SOWMYA JYOTHI.pdfMANAGING INPUT AND OUTPUT OPERATIONS IN C    MRS.SOWMYA JYOTHI.pdf
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdf
 
CPU INPUT OUTPUT
CPU INPUT OUTPUT CPU INPUT OUTPUT
CPU INPUT OUTPUT
 
Introduction to c
Introduction to cIntroduction to c
Introduction to c
 
SPL 4 | printf in C
SPL 4 | printf in CSPL 4 | printf in C
SPL 4 | printf in C
 
Input And Output
 Input And Output Input And Output
Input And Output
 
Mesics lecture 5 input – output in ‘c’
Mesics lecture 5   input – output in ‘c’Mesics lecture 5   input – output in ‘c’
Mesics lecture 5 input – output in ‘c’
 
Mesics lecture 5 input – output in ‘c’
Mesics lecture 5   input – output in ‘c’Mesics lecture 5   input – output in ‘c’
Mesics lecture 5 input – output in ‘c’
 
CInputOutput.ppt
CInputOutput.pptCInputOutput.ppt
CInputOutput.ppt
 

Recently uploaded

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...kumargunjan9515
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 

Recently uploaded (20)

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 

C format string vulnerability

8
Format String Vulnerability: Definition
They are called variadic functions: they accept a variable number of arguments. Arguments are expected to be placed on the stack.
Function prototype:
    int printf(const char *format, ...);
    printf("The area code is: %d", 505);
9
Format String Vulnerability: Format specifiers
Format conversion specifiers:
%d     The int argument is converted to signed decimal notation
%s     The const char * argument is expected to be a pointer to an array of character type
%x     The unsigned int argument is converted to unsigned hexadecimal (x and X)
%p     The void * pointer argument is printed in hexadecimal (as if by %#x or %#lx)
%100x  Pads the value with spaces to a minimum field width of 100 characters
%n     The number of characters written so far is stored into the integer pointed to by the corresponding argument
%2$x   Ignores the first parameter and prints the second parameter from the argument list
10
C++ Secure Coding: Program Stack
The format string vulnerability is very close to the buffer overflow vulnerability.
• The stack itself can be viewed as a kind of buffer
• The size of that buffer is determined by the number and size of the arguments passed to a function
• Providing an incorrect format string thus induces the program to overflow that "buffer"
11
C++ Secure Coding: sprintf
sprintf is particularly interesting from a security standpoint because it "prints" formatted data to a buffer. Aside from the possibility of a format-string vulnerability, using this particular function can lead to buffer overflow vulnerabilities, and it should usually be replaced with its length-checking cousin snprintf.
12
Format String Vulnerability: Examples
Format conversion features:
• printf("%1000x", l);                       // pads l to 1000 characters with spaces; prints 0
• printf("%2$x", 1, 2, 3);                   // direct parameter access; with _FORTIFY_SOURCE glibc aborts with "invalid %N$ use detected"; prints 2
• printf("%200$x");                          // direct access to the 200th argument position
• printf("%n", &some_variable);              // writes four bytes
• printf("%hn", &some_variable);             // writes two bytes
• printf("%100x%2$hn", 0, &some_variable);   // prints 100 characters, then writes 100 into the 2-byte short at some_variable; prints 0
13
Format String Vulnerability: Examples
• printf("%s"): prints the bytes pointed to by whatever is in that stack entry (garbage output)
• printf("%d %d %d %d"): prints a series of stack entries as integers: -735270568 0 4195808 1871788256
• printf("%08x %08x %08x %08x"): the same, nicely formatted as hex: 27e37e68 00000000 004005e0 dadd58e0
• printf("100% dave"): prints the stack entry 4 bytes above the saved %eip, because the format parser accepts the space between "%" and "d" (space is a flag character): 100-1973053272ave
• printf("100% no way!"): writes the number 3 (the characters printed so far) to the address held in the stack entry; %n likewise accepts spaces between "%" and "n": 100o way!
14
Format String Vulnerability: Attacks
• Crashing the program: printf("%s%s%s%s%s%s%s%s%s%s%s%s");
• Viewing the stack: printf("%08x %08x %08x %08x %08x\n");
• Viewing memory at any location
• Writing an integer to nearly any location in the process memory
15
Format String Vulnerability: Program Stack
Types of program memory:
• Text: this is where the code of the program is.
• Initialized data: this is where global variables that have been declared and given a value are stored.
• Uninitialized data/BSS: this is where global variables that have been declared but not given a value are stored.
• Stack: the stack keeps track of the program execution and stores local variables. We'll talk about the stack more soon.
• Heap: the heap is where dynamic memory allocation takes place. A programmer can use the heap to store variables that are only needed for a short period of time, so they can be removed from memory later to optimize the program.
16
Format String Vulnerability: Program Stack
The stack keeps track of which function is being executed and the local variables that are defined within that function. When a function is called, a data structure called a stack frame is created. Each function has its own stack frame, which contains:
• local variables for that function,
• parameters passed to the function when it was called,
• the return address, which specifies what instruction the program should execute next once the function is done.
The ESP register stores the current stack pointer.
17
Format String Vulnerability: Program Stack (x86)
[diagram: direction of stack growth versus memory addresses]
18
Format String Vulnerability: Program Stack Layout
[diagram: stack layout; stack grows]
19
Format String Vulnerability: Program Stack Layout
[diagram: stack layout; stack grows]
20
C++ Secure Coding: Program Stack
[diagram: stack from higher to lower addresses: fmt, addr, return address, saved ebp, local_var, fmt_string, return address]
    void test (void* addr, char* fmt) {
        int local_var = 0;
        printf(fmt);
    }
21
C++ Secure Coding: The exploit
[diagram: printf's view of the stack: arg6, arg5, arg4, arg3, arg2, fmt_string, return address]
    addr = 0x41414141;
    fmt = "%p %p %p %p %p";
    void test (void* addr, char* fmt) {
        int local = 0;
        printf(fmt);
    }
22
C++ Secure Coding: Program Stack
[diagram: fmt, addr, return address, saved ebp, local, fmt_string, return address]
    addr = 0x41414141;
    fmt = "%p %p %p %p %p";
    void test (void* addr, char* fmt) {
        int local = 0;
        printf(fmt);
    }
Output: "0x0, 0xfffca010 0x8040a10 0x41414141 0xfffeafa0"
23
C++ Secure Coding: Program Stack
[diagram: fmt, addr, return address, saved ebp, local, fmt_string, return address]
    addr = 0x41414141;
    fmt = "%4$p";
    void test (void* addr, char* fmt) {
        int local = 0;
        printf(fmt);
    }
Output: "0x41414141"
24
C++ Secure Coding: Program Stack
[diagram: fmt, addr, return address, saved ebp, local, fmt_string, return address]
    addr = 0x41414141;
    fmt = "%0100x%4$p";
    void test (void* addr, char* fmt) {
        int local = 0;
        printf(fmt);
    }
Output: "<…100 zeros…>0x41414141"
25
C++ Secure Coding: Program Stack
[diagram: fmt, addr, return address, saved ebp, local, fmt_string, return address]
    addr = 0x41414141;
    fmt = "%0100x%4$n";
    void test (void* addr, char* fmt) {
        int local = 0;
        printf(fmt);
    }
Output: "<…100 zeros…>", then %n writes 100 to addr: written 100 to 0x41414141
26
Format String Vulnerability: sudo format string vulnerability
Feb 2012: "sudo format string vulnerability", CVE-2012-0809, allows any logged-in user to get a root shell. Most Linux distributions were affected: Fedora, Ubuntu, Debian, etc. It looks like the sudo developers did not use, or ignored, GCC's format-related compilation flags and warnings.
Top-level projects that have been affected by format string vulnerabilities: Axiom mail server, Pigeon instant messenger, CUPS (Common Unix Printing System).
27
Format String Vulnerability: sudo format string vulnerability
    void sudo_debug(int level, const char *fmt, ...)
    {
        va_list ap;
        char *fmt2;

        if (level > debug_level)
            return;

        /* Bracket fmt with program name and a newline to make it a single write */
        easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
        va_start(ap, fmt);
        vfprintf(stderr, fmt2, ap);
        va_end(ap);
        efree(fmt2);
    }
Here getprogname() returns argv[0], which is user controlled. So argv[0] ends up in fmt2, which is then passed to vfprintf() as the format string. The result is a format string vulnerability.
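A hardened rewrite of the helper above, added here as an example (it is not sudo's code): the program name from argv[0] is bound to a %s instead of being spliced into the format, the developer's fmt is rendered with vsnprintf first, and the line still leaves in a single write. getprogname() is replaced by a caller-supplied progname parameter so the example is self-contained; DEBUG_MAX and the function names are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_MAX 256

/* Core: render the developer's fmt/ap into msg, then bind progname and msg
 * to a fixed literal format. Neither string is ever parsed as a format. */
static int vdebug_line(char *out, size_t outsz, const char *progname,
                       const char *fmt, va_list ap)
{
    char msg[DEBUG_MAX];
    if (vsnprintf(msg, sizeof msg, fmt, ap) < 0)
        return -1;
    return snprintf(out, outsz, "%s: %s\n", progname, msg);
}

/* Buffer-producing variant, so the rendered line can be inspected.
 * The format attribute makes GCC type-check callers' fmt/argument pairs. */
__attribute__((format(printf, 4, 5)))
int debug_line(char *out, size_t outsz, const char *progname,
               const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vdebug_line(out, outsz, progname, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened counterpart of sudo_debug(): same level check, one write to
 * stderr, and argv[0] (progname) can no longer reach a format string. */
__attribute__((format(printf, 4, 5)))
int sudo_debug_hardened(int level, int debug_level, const char *progname,
                        const char *fmt, ...)
{
    char line[DEBUG_MAX + 64];
    va_list ap;
    int n;
    if (level > debug_level)
        return 0;
    va_start(ap, fmt);
    n = vdebug_line(line, sizeof line, progname, fmt, ap);
    va_end(ap);
    if (n > 0)
        fputs(line, stderr);   /* single write, as the original intended */
    return n;
}
```

A progname such as "%s%n" now appears literally in the output instead of being interpreted.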
28
Format String Vulnerability: Demo "Dead beef"
    #include <stdio.h>

    int num1 = 0xdead;

    int main(int argc, char **argv)
    {
        int num2 = 0xbeef;
        int *ptr = &num1;

        printf(argv[1]);                 /* deliberately vulnerable: user input used as the format */
        if (0xabc == num1)
            printf("Global done");
        if (0xdef == num2)
            printf("Local done");
        printf("\n num1: 0x%x [%p] num2: 0x%x [%p]\n", num1, &num1, num2, &num2);
        return 0;
    }
29
Format String Vulnerability: Mitigations
The good thing about format-string vulnerabilities is that they are relatively easy to find in a source-code audit.
• Always specify the format string as part of the program, never as input. Most format string vulnerabilities are fixed by passing "%s" as the format string and the data string as an argument, rather than using the data string as the format string.
• The number of arguments should be the same as the number of format specifiers.
• -fstack-protector (protects functions with alloca and buffers > 8 bytes)
• -fstack-protector-all
• FormatGuard: Automatic Protection From printf Format String Vulnerabilities
30
Format String Vulnerability: Mitigations
Address randomization: just like the countermeasures used to protect against buffer-overflow attacks, address randomization makes it difficult for attackers to find out which address they want to read or write.
    # cat /proc/sys/kernel/randomize_va_space
    2
    # sysctl -a --pattern randomize
    kernel.randomize_va_space = 2
0 = Disabled
1 = Conservative randomization
2 = Full randomization
To benefit from ASLR an application should be built as a "Position Independent Executable" (PIE); the GCC "-fPIE" option is used for it.
31
Format String Vulnerability: _FORTIFY_SOURCE
• _FORTIFY_SOURCE is a kind of GCC feature test macro (man 7 feature_test_macros)
• gcc -D_FORTIFY_SOURCE=1 adds checks at compile time only (the checks live in headers such as <string.h>, which must be included)
• gcc -D_FORTIFY_SOURCE=2 also adds additional checks at run time (a detected buffer overflow terminates the program)
• Both levels need optimization enabled (-O1 or higher); without it the macro has no effect
32
Format String Vulnerability: _FORTIFY_SOURCE
    *** %n in writable segment detected ***
    Aborted
On x86, use of "%n" in a format string is limited to read-only memory (not stack- or heap-allocated strings).
    *** invalid %N$ use detected ***
    Aborted (core dumped)
Format string positional values are being skipped, which means their type (and size on the stack) cannot be checked. This could cause unexpected results, including stack content leaks, especially when using %n. This is invalid, for example:
    printf("%2$s\n", 0, "Test");
because position 1 is skipped.
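Where a format genuinely has to come from data (a message catalogue, a configuration file), the slides' advice is to keep the argument count equal to the number of specifiers and to let _FORTIFY_SOURCE refuse %n and skipped %N$ positions. The validator below, an added example and not glibc's or the slide author's code, applies those same three checks before a data-supplied format is ever handed to snprintf; count_conversions and checked_format_2 are this example's own names.

```c
#include <stdio.h>
#include <string.h>

/* Count the arguments a format string consumes, rejecting the two constructs
 * glibc's fortified printf aborts on: "%n" and positional "%N$" access.
 * Returns the argument count, or -1 if the format is unsafe or malformed. */
int count_conversions(const char *fmt)
{
    int count = 0;
    const char *p;

    for (p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                    /* "%%" is a literal percent sign */
            continue;
        /* flags, width, precision; a '*' width consumes an extra int */
        for (; *p && strchr("-+ #0123456789.*", *p); p++)
            if (*p == '*')
                count++;
        if (*p == '$')                    /* "%2$x": refuse positional access */
            return -1;
        while (*p && strchr("hlLqjzt", *p))   /* length modifiers */
            p++;
        if (*p == '\0' || *p == 'n' || !strchr("diouxXeEfFgGaAcsp", *p))
            return -1;                    /* dangling '%', "%n", or unknown */
        count++;
    }
    return count;
}

/* Gate a data-supplied format behind the count check: it is used only when
 * it consumes exactly the two arguments we pass; otherwise it is printed
 * literally via "%s", so its specifiers can never be interpreted. */
int checked_format_2(char *out, size_t outsz, const char *fmt,
                     int a, const char *b)
{
    if (count_conversions(fmt) != 2)
        return snprintf(out, outsz, "%s", fmt);
    return snprintf(out, outsz, fmt, a, b);
}
```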
33
Format String Vulnerability: Mitigations
• VC: it is possible to use the VC SAL annotation "_Printf_format_string_" to tell the compiler to validate the format string:
    #define FORMAT_STRING(p) _Printf_format_string_ p
    extern void log_error(FORMAT_STRING(const char* format), ...);
• GCC: __attribute__((format(archetype, string-index, first-to-check)))
    extern int my_printf (void *my_object, const char *my_format, ...)
        __attribute__ ((format (printf, 2, 3)));
34
Format String Vulnerability: Format security
-Wformat: check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified, and that the conversions specified in the format string make sense.
-Wformat-security: if -Wformat is specified, warn about calls to printf and scanf functions where the format string is not a string literal and there are no format arguments, as in printf(foo).
-Wformat-nonliteral: if -Wformat is specified, also warn if the format string is not a string literal and so cannot be checked.
35
Format String Vulnerability: Format security
Enables compile-time warnings about misuse of format strings, some of which can have security implications.
Failure example:
    warning: format ‘%s’ expects type ‘char *’, but argument 3 has type ‘int’
For packages that aren't already building with -Wall, the format characters will now be checked against the argument types. Verify the correct variables for a given format string.
36
Format String Vulnerability: Format security
    warning: format not a string literal and no format arguments
This is caused by code that forgot to use "%s" for a *printf function. For example:
    fprintf(stderr, buf);
should be:
    fprintf(stderr, "%s", buf);
Disabled with -Wno-format-security or -Wformat=0 in CPPFLAGS.
37
Format String Vulnerability: Automation code scan
• RATS, the Rough Auditing Tool for Security, is a free source-code scanner
• Flawfinder: open source scanner that examines C/C++ source code and reports possible security weaknesses
• Veracode: commercial code scanner