
Finite state machine based approach to prevent format string attacks

Published: 30 September 2011

Abstract

Many types of input validation attacks occur in computing, and "Format String Overflow Attacks" are among the most important. Format String Overflow Attacks remain the leading cause of software vulnerabilities or exploits. Format string bugs result in errors such as wrong result types, memory access errors, crashes, and security breaches. In this paper, we propose a finite state machine (FSM) that prevents Format String Overflow Attacks in a secure way with the help of several FSM states. Proper checking against format string overflow bugs can avoid the consequences of their exploitation. Our proposed finite state machine improves security and protects memory from access by any unauthorized user.



    Information

    Published In

    ACM SIGSOFT Software Engineering Notes  Volume 36, Issue 5
    September 2011
    160 pages
    ISSN:0163-5948
    DOI:10.1145/2020976

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 30 September 2011
    Published in SIGSOFT Volume 36, Issue 5

    Author Tags

    1. attacks
    2. format function
    3. format string
    4. format string attacks and software security

    Qualifiers

    • Research-article
