Abstract
In the computer field there are many types of input validation attacks, of which "Format String Overflow Attacks" are among the most important. Format String Overflow Attacks remain the leading cause of software vulnerabilities or exploits. Format string bugs result in errors such as wrong result types, memory access errors, crashes and security breaches. In this paper, we propose a finite state machine (FSM) that prevents Format String Overflow Attacks in a secure way with the help of several FSM states. Proper checking against format string overflow bugs can avoid the consequences of exploiting those bugs. The result of our proposed finite state machine is improved security and protection of memory access from any unauthorized user.
Index Terms
- Finite state machine based approach to prevent format string attacks