Presentation is loading. Please wait.

Presentation is loading. Please wait.

Format String.

Published byYuliani Setiawan Modified over 5 years ago

Similar presentations

Presentation on theme: "Format String."— Presentation transcript:

1 Format String

2 printf ("The magic number is: %d\n", 1911);
Output: 1911

3 The function retrieves the parameters requested by the format string from the stack

4 the format string asks for 3 arguments, but the program actually provides only two (i.e. a and b).
Can this program pass the compiler? The function printf() is defined as function with variable length of arguments. To find the miss-match, compiler needs to understand how printf() works and what the meaning of the format string is. Sometimes, the format string is generated during the execution of the program. Can printf() detect the miss-match? Unless the stack is marked with a boundary, printf()does not know that it runs out of the arguments that are provided to it. In a miss-match case, printf() will fetch some data that do not belong to this function call.

5 Attacks on Format String Vulnerability
Crashing the program -> printf ("%s%s%s%s%s%s%s%s%s%s%s%s"); the number fetched by printf() might not be an address, the memory pointed by this number might not exist (i.e. no physical memory has been assigned to such an address), and the program will crash. It is also possible that the number happens to be a good address, but the address space is protected (e.g. it is reserved for kernel memory). In this case, the program will also crash. Viewing the Stack printf ("%08x %08x %08x %08x %08x\n"); A possible output may look like: c4 bffff7a c04 Viewing memory at any location We have to supply an address of the memory. However, we cannot change the code; we can only supply the format string If we use printf(%s) without specifying a memory address, the target address will be obtained from the stack anyway by the printf() function. The function maintains an initial stack pointer, so it knows the location of the parameters in the stack. Observation: the format string is usually located on the stack. If we can encode the target address in the format string, the target address will be in the stack.

6 the format string is stored in a buffer, which is located on the stack
If we can force the printf to obtain the address from the format string (also on the stack), we can control the address. printf ("\x10\x01\x48\x08 %x %x %x %x %s"); \x10\x01\x48\x08 are the four bytes of the target address. In C language, \x10 in a string tells the compiler to put a hexadecimal value 0x10 in the current position. The value will take up just one byte. Without using \x, if we directly put "10" in a string, the ASCII values of the characters ’1’ and ’0’ will be stored. Their ASCII values are 49 and 48, respectively.

7 %x causes the stack pointer to move towards the format string
%x causes the stack pointer to move towards the format string. Here is how the attack works if user input[] contains the following format string: "\x10\x01\x48\x08 %x %x %x %x %s". The key challenge in this attack is to figure out the distance between the user input[] and the address passed to the printf() function. This distance decides how many %x you need to insert into the format string, before giving %s.

8 Writing Integer Writing an integer to nearly any location in the process memory %n: The number of characters written so far is stored into the integer indicated by the corresponding argument. Just replace the %s in the above example with %n, and the contents at the address 0x will be overwritten Using this attack, attackers can do the following: Overwrite important program flags that control access privileges Overwrite return addresses on the stack, function pointers, etc.

9 Writing Integer Is it really possible to write arbitrary integer values? Use dummy output characters. To write a value of 1000, a simple padding of 1000 dummy characters would do. To avoid long format strings, we can use a width specification of the format indicators. Countermeasures. Address randomization: just like the countermeasures used to protect against buffer-overflow attacks, address randomization makes it difficult for the attackers to find out what address they want to read/write.

Download ppt "Format String."

Similar presentations

Introduction to C Programming

Introduction to C Programming
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
POINTER Prepared by MMD, Edited by MSY1.  Basic concept of pointers  Pointer declaration  Pointer operator (& and *)  Parameter passing by reference.

POINTER Prepared by MMD, Edited by MSY1.  Basic concept of pointers  Pointer declaration  Pointer operator (& and *)  Parameter passing by reference.
Lecture 2 Introduction to C Programming

Lecture 2 Introduction to C Programming
Introduction to C Programming

Introduction to C Programming
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Inline Assembly Section 1: Recitation 7. In the early days of computing, most programs were written in assembly code. –Unmanageable because No type checking,

Inline Assembly Section 1: Recitation 7. In the early days of computing, most programs were written in assembly code. –Unmanageable because No type checking,
1 Lecture 2  Input-Process-Output  The Hello-world program  A Feet-to-inches program  Variables, expressions, assignments & initialization  printf()

1 Lecture 2  Input-Process-Output  The Hello-world program  A Feet-to-inches program  Variables, expressions, assignments & initialization  printf()
CSCE 121, Sec 200, 507, 508 Fall 2010 Prof. Jennifer L. Welch.

CSCE 121, Sec 200, 507, 508 Fall 2010 Prof. Jennifer L. Welch.
Chapter 18 I/O in C. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 18-2 Standard C Library I/O commands.

Chapter 18 I/O in C. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Standard C Library I/O commands.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Fortran- Subprograms Chapters 6, 7 in your Fortran book.

Fortran- Subprograms Chapters 6, 7 in your Fortran book.
1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.

1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.
11 Chapter 3 DECISION STRUCTURES CONT’D. 22 FORMATTING FLOATING-POINT VALUES WITH THE DecimalFormat CLASS We can use the DecimalFormat class to control.

11 Chapter 3 DECISION STRUCTURES CONT’D. 22 FORMATTING FLOATING-POINT VALUES WITH THE DecimalFormat CLASS We can use the DecimalFormat class to control.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CMPE13 Cyrus Bazeghi Chapter 18 I/O in C. CMPE13 18-2 Standard C Library I/O commands are not included as part of the C language. Instead, they are part.

CMPE13 Cyrus Bazeghi Chapter 18 I/O in C. CMPE Standard C Library I/O commands are not included as part of the C language. Instead, they are part.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
A First Book of C++: From Here To There, Third Edition2 Objectives You should be able to describe: Function and Parameter Declarations Returning a Single.

A First Book of C++: From Here To There, Third Edition2 Objectives You should be able to describe: Function and Parameter Declarations Returning a Single.
CP104 Introduction to Programming File I/O Lecture 33 __ 1 File Input/Output Text file and binary files File Input/output File input / output functions.

CP104 Introduction to Programming File I/O Lecture 33 __ 1 File Input/Output Text file and binary files File Input/output File input / output functions.
Mastering Char to ASCII AND DOING MORE RELATED STRING MANIPULATION Why VB.Net ?  The Language resembles Pseudocode - good for teaching and learning fundamentals.

Mastering Char to ASCII AND DOING MORE RELATED STRING MANIPULATION Why VB.Net ?  The Language resembles Pseudocode - good for teaching and learning fundamentals.

Similar presentations

Ads by Google