Home page logo

bugtraq logo Bugtraq mailing list archives

From: Crispin Cowan <crispin () wirex com>
Date: Sun, 27 May 2001 02:50:43 -0700

WireX is pleased to announce the broad release of FormatGuard 1.0, the
latest member of the Immunix security tool suite.  Similar to StackGuard
http://immunix.org/stackguard.html , FormatGuard provides run-time
protection against printf format string vulnerabilities

FormatGuard's basic mechanism is to transform printf (and friends) into
a CPP macro.  The macro uses CPP tricks to count the actual number of
arguments presented to printf, and then calls a wrapped printf that
parses the format string, and compares the number of % directives to the
argument count.  If there are more % directives than actual arguments,
then a printf format string is deemed to be in progress, a syslog entry
to that effect is generated (including the name of the function with the
bogus printf call) and the program aborts.  This method was originally
proposed by Mike Frantzen http://www.securityfocus.com/archive/1/72118
refined by Jamie Lokier http://gcc.gnu.org/ml/gcc/2000-09/msg00604.html
and implemented by WireX.

A brief description of FormatGuard can be found here
FormatGuard is described at length in a paper that will be presented at
USENIX Security 2001, August, Washington DC
http://www.usenix.org/events/sec01/  Preprints of the paper are
available here  http://immunix.org/formatguard.pdf

FormatGuard is implemented as an enhancement to glibc, providing the
printf-family of macros in stdio.h and the wrapped functions as part of
glibc.  As such, FormatGuard is distributed under glibc's LGPL.  Source
can be downloaded here

Despite being packaged as a library, programs only get FormatGuard
protection if they are re-compiled with FormatGuard.  The resulting
binaries only run when statically or dynamically linked to the
FormatGuard version of glibc.  WireX's Immunix OS 7.0 Linux
distribution  http://immunix.org/immunix70.html has been completely
built with FormatGuard (as well as StackGuard) and is available for
purchase here  http://www.wirex.com//Products/Immunix/purchase.html

We have extensively measured and tested FormatGuard, running it on our
servers and workstations for the last several months.  The performance
impact of FormatGuard is negligible, always below 2%.  We have tested
the security effectiveness of FormatGuard against real vulnerabilities
and live exploits, and found it to be effective.  The primary limitation
is programs that either make direct calls to vsprintf with
hand-constructed varargs argument stacks, or call printf-like functions
in non-glibc libraries such as GLib (part of GTK).  Details are provided
in the USENIX Security paper http://immunix.org/formatguard.pdf


Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://www.wirex.com//Products/Immunix/purchase.html

  By Date           By Thread  

Current thread:
  • FormatGuard Crispin Cowan (May 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]