Large-scale analysis of format string vulnerabilities in Debian Linux

Format-string bugs are a relatively common security vulnerability, and can lead to arbitrary code execution. In collaboration with others, we designed and implemented a system to eliminate format string vulnerabilities from an entire Linux distribution, using type-qualifier inference, a static analysis technique that can find taint violations. We successfully analyze 66% of C/C++ source packages in the Debian 3.1 Linux distribution. Our system finds 1,533 format string taint warnings. We estimate that 85% of these are true positives, i.e., real bugs; ignoring duplicates from libraries, about 75% are real bugs. We suggest that the technology exists to render format string vulnerabilities extinct in the near future.
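The abstract names type-qualifier inference as the analysis behind these results. The following is an added illustration, not the paper's own tool or code: a toy flow-insensitive taint inference over a tiny C-like intermediate form. Program variables get a qualifier in the two-point lattice `untainted < tainted`; assignments and call arguments generate subtyping constraints `q(src) <= q(dst)`; calls such as `getenv` are assumed taint sources; the format parameter of `printf`-family calls is a sink that must be `untainted`. The least solution is computed by propagating `tainted` along the constraint graph, and each violation is reported with the flow path that explains it, which is the kind of warning a human then triages as a true or false positive. The source and sink tables, the IR shape and the sample program are all constructed here.

```python
"""Toy type-qualifier (taint) inference for format-string sinks.
Constructed example: a simplified, flow-insensitive sketch of the
tainted/untainted qualifier analysis the abstract describes, not the
analysis tool used in the paper."""
from collections import deque

# Assumed taint sources: their return value is attacker-controlled.
TAINT_SOURCES = {"getenv", "fgets", "recv", "argv"}
# Assumed sinks: index of the format-string parameter, which must be untainted.
FORMAT_SINKS = {"printf": 0, "fprintf": 1, "syslog": 1, "snprintf": 2, "sprintf": 1}
# Assumed calls whose output buffer (argument 0) receives data from later arguments.
WRITES_ARG0 = {"snprintf", "sprintf", "strcpy", "strcat"}


def build_constraints(program):
    """Return (edges, sinks): edges[a] holds every b with constraint q(a) <= q(b);
    sinks lists (statement index, variable) pairs whose qualifier must be untainted."""
    edges, sinks = {}, []

    def flow(src, dst):
        edges.setdefault(src, set()).add(dst)

    for idx, stmt in enumerate(program):
        if stmt[0] == "assign":                      # ("assign", dst, src)
            _, dst, src = stmt
            flow(src, dst)
        elif stmt[0] == "call":                      # ("call", dst_or_None, fn, args)
            _, dst, fn, args = stmt
            variables = [a for a in args if not a.startswith('"')]  # literals are quoted
            if fn in TAINT_SOURCES:
                flow("$tainted", dst)                # result is at least tainted
            if fn in FORMAT_SINKS:
                fmt = args[FORMAT_SINKS[fn]]
                if not fmt.startswith('"'):          # a string literal is untainted by construction
                    sinks.append((idx, fmt))
            if fn in WRITES_ARG0:
                for v in variables[1:]:
                    flow(v, args[0])                 # data copied into the output buffer
            if dst is not None:
                for v in variables:
                    flow(v, dst)                     # conservatively: result depends on all arguments
    return edges, sinks


def solve(edges):
    """Least solution of the constraints: every qualifier variable reachable from
    $tainted must be tainted. Returns a parent map usable to explain each flow."""
    parent = {"$tainted": None}
    queue = deque(["$tainted"])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return parent


def explain(parent, var):
    """Reconstruct the source-to-sink path for a tainted variable."""
    path = []
    while var is not None:
        path.append(var)
        var = parent[var]
    return path[::-1]


def check_format_strings(program):
    """Report every format-string sink whose argument is inferred tainted."""
    edges, sinks = build_constraints(program)
    parent = solve(edges)
    return [{"stmt": idx, "format_arg": fmt, "flow": explain(parent, fmt)}
            for idx, fmt in sinks if fmt in parent]


# Constructed toy program, mirroring this C:
#   char *env  = getenv("MSG");              /* 0: tainted source          */
#   char *copy = env;                        /* 1: flow env -> copy        */
#   snprintf(buf, n, "%s", copy);            /* 2: flow copy -> buf        */
#   printf(buf);                             /* 3: tainted format: warning */
#   printf("%s", buf);                       /* 4: literal format: safe    */
TOY_PROGRAM = [
    ("call", "env", "getenv", ['"MSG"']),
    ("assign", "copy", "env"),
    ("call", None, "snprintf", ["buf", "n", '"%s"', "copy"]),
    ("call", None, "printf", ["buf"]),
    ("call", None, "printf", ['"%s"', "buf"]),
]
# The same program with statement 3 rewritten to the safe form only.
FIXED_PROGRAM = TOY_PROGRAM[:3] + [TOY_PROGRAM[4]]

if __name__ == "__main__":
    for w in check_format_strings(TOY_PROGRAM):
        print(f"stmt {w['stmt']}: tainted format argument {w['format_arg']}, "
              f"flow {' -> '.join(w['flow'])}")
    print("fixed program warnings:", check_format_strings(FIXED_PROGRAM))
```

Running it reports one warning for statement 3 with the flow `$tainted -> env -> copy -> buf`, and none for the fixed program, where `buf` is passed as a data argument behind a literal `"%s"` format. Because the sketch is flow-insensitive and treats every call result as depending on all of its arguments, it over-approximates in the same direction as the analysis the abstract describes, which is why a fraction of such warnings turn out to be false positives and need manual review.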
