I. A. Vakhrushev, V. V. Kaushan, V. A. Padaryan, A. N. Fedotov, “Search method for format string vulnerabilities”, Proceedings of ISP RAS, 27:4 (2015), 23

Proceedings of the Institute for System Programming of the RAS

RUS ENG

JOURNALS PEOPLE ORGANISATIONS CONFERENCES SEMINARS VIDEO LIBRARY PACKAGE AMSBIB

JavaScript is disabled in your browser. Please switch it on to enable full functionality of the website

	General information
	Latest issue
	Archive

	Search papers
	Search references

	RSS
	Latest issue
	Current issues
	Archive issues
	What is RSS

Proceedings of ISP RAS:
Year:
Volume:
Issue:
Page:
	Find

Personal entry:
Login:
Password:
	Save password
	Enter
	Forgotten password?
	Register

Proceedings of the Institute for System Programming of the RAS, 2015, Volume 27, Issue 4, Pages 23–38
DOI: https://doi.org/10.15514/ISPRAS-2015-27(4)-2 (Mi tisp162)

This article is cited in 3 scientific papers (total in 3 papers)

Search method for format string vulnerabilities

I. A. Vakhrushev^a, V. V. Kaushan^a, V. A. Padaryan^ab, A. N. Fedotov^a

^a Institute for System Programming of the Russian Academy of Sciences
^b Lomonosov Moscow State University

Full-text PDF (278 kB) Citations (3)

References:

PDF

HTML

DOI: https://doi.org/10.15514/ISPRAS-2015-27(4)-2

Abstract: In this paper search method for format string vulnerabilities is presented. Format string vulnerabilities can cause serious security problems providing ability to write an arbitrary value to an arbitrary location. Using this opportunity an attacker may hijack the control flow of a program and execute a malicious code. Besides, it is possible to bypass some protection mechanisms such as the stack canary due to exact overwriting of function return address. The method is based on dynamic analysis and symbolic execution. It is applied to program binaries without requiring debug information. We use dynamic analysis to find possible unsafe usage of format string function. If user controls data in a format string parameter, we consider that it is an unsafe usage of format string. Then a path predicate is build. The starting point of path predicate is a place where input data was received, the ending point is an unsafe format string function call. After building the path predicate we need to generate a special format string that provides a control flow hijack and a payload execution. By asserting such constraints on the format string parameter we are able to determine whether unsafe function usage is vulnerable or not. If the generated constraints are solvable, the method produces an exploit. We present a tool implementing this method. We used this tool to detect known vulnerabilities in Linux programs.

Keywords: format string vulnerability, binary code, vulnerability exploitation, dynamic analysis, symbolic execution.

Bibliographic databases:

Document Type: Article

Language: Russian

Citation: I. A. Vakhrushev, V. V. Kaushan, V. A. Padaryan, A. N. Fedotov, “Search method for format string vulnerabilities”, Proceedings of ISP RAS, 27:4 (2015), 23–38

Citation in format AMSBIB

\Bibitem{VakKauPad15}

\by I.~A.~Vakhrushev, V.~V.~Kaushan, V.~A.~Padaryan, A.~N.~Fedotov

\paper Search method for format string vulnerabilities

\jour Proceedings of ISP RAS

\yr 2015

\vol 27

\issue 4

\pages 23--38

\mathnet{http://mi.mathnet.ru/tisp162}

\crossref{https://doi.org/10.15514/ISPRAS-2015-27(4)-2}

\elib{https://elibrary.ru/item.asp?id=24928721}

Linking options:

https://www.mathnet.ru/eng/tisp162

https://www.mathnet.ru/eng/tisp/v27/i4/p23

This publication is cited in the following 3 articles:

Citing articles in Google Scholar: Russian citations, English citations
Related articles in Google Scholar: Russian articles, English articles

Proceedings of the Institute for System Programming of the RAS

Что такое QR-код?

Registration to the website

Logotypes