From:	 Crispin Cowan <crispin@wirex.com>
To:	 lwn@lwn.net
Subject: FormatGuard
Date:	 Sun, 27 May 2001 13:09:38 -0700

WireX is pleased to announce the broad release of FormatGuard 1.0, the
latest member of the Immunix security tool suite.  Similar to StackGuard
http://immunix.org/stackguard.html , FormatGuard provides run-time
protection against printf format string vulnerabilities
http://www.securityfocus.com/archive/1/81565

FormatGuard's basic mechanism is to transform printf (and friends) into
a CPP macro.  The macro uses CPP tricks to count the actual number of
arguments presented to printf, and then calls a wrapped printf that
parses the format string, and compares the number of % directives to the
argument count.  If there are more % directives than actual arguments,
then a printf format string attack is deemed to be in progress, a syslog entry
to that effect is generated (including the name of the function with the
bogus printf call) and the program aborts.  This method was originally
proposed by Mike Frantzen http://www.securityfocus.com/archive/1/72118
refined by Jamie Lokier http://gcc.gnu.org/ml/gcc/2000-09/msg00604.html
and implemented by WireX.

A brief description of FormatGuard can be found here
http://immunix.org/formatguard.html
FormatGuard is described at length in a paper that will be presented at
USENIX Security 2001, August, Washington DC
http://www.usenix.org/events/sec01/  Preprints of the paper are
available here  http://immunix.org/formatguard.pdf

FormatGuard is implemented as an enhancement to glibc, providing the
printf-family of macros in stdio.h and the wrapped functions as part of
glibc.  As such, FormatGuard is distributed under glibc's LGPL.  Source
can be downloaded here
http://download.immunix.org/ImmunixOS/7.0/i386/SRPMS/glibc-2.2-12_imnx_7.src.rpm

Despite being packaged as a library, programs only get FormatGuard
protection if they are re-compiled with FormatGuard.  The resulting
binaries only run when statically or dynamically linked to the
FormatGuard version of glibc.  WireX's Immunix OS 7.0 Linux
distribution  http://immunix.org/immunix70.html has been completely
built with FormatGuard (as well as StackGuard) and is available for
purchase here  http://www.wirex.com//Products/Immunix/purchase.html

We have extensively measured and tested FormatGuard, running it on our
servers and workstations for the last several months.  The performance
impact of FormatGuard is negligible, always below 2%.  We have tested
the security effectiveness of FormatGuard against real vulnerabilities
and live exploits, and found it to be effective.  The primary limitation
is programs that either make direct calls to vsprintf with
hand-constructed varargs argument stacks, or call printf-like functions
in non-glibc libraries such as GLib (part of GTK).  Details are provided
in the USENIX Security paper http://immunix.org/formatguard.pdf

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase:
http://www.wirex.com//Products/Immunix/purchase.html
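
The mechanism described in the announcement (count the arguments in the preprocessor, then have a wrapped printf compare that count with the % directives in the format string), as an added sketch that is not WireX's glibc code. The names FG_PICK, FG_NARGS, fg_needed, fg_printf_impl and fg_printf are hypothetical, and the wrapper returns -1 where FormatGuard logs to syslog and aborts.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Preprocessor argument count (1..9): the arguments shift the descending
   list right, so the number that lands in slot N is the count. */
#define FG_PICK(_1,_2,_3,_4,_5,_6,_7,_8,_9,N,...) N
#define FG_NARGS(...) FG_PICK(__VA_ARGS__,9,8,7,6,5,4,3,2,1,0)

/* Arguments a format consumes: one per conversion plus one per '*'.
   "%%" and glibc's "%m" take none; positional "%1$s" is not handled. */
int fg_needed(const char *fmt)
{
    int need = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        for (p++; *p && strchr("-+ #0123456789.*hlLqjzt'", *p); p++)
            need += (*p == '*');    /* width/precision passed as an argument */
        if (*p == '\0') break;      /* dangling '%' at end of string */
        need += (*p != '%' && *p != 'm');
    }
    return need;
}

/* Wrapped printf. FormatGuard logs to syslog and aborts; this sketch
   reports on stderr and returns -1 so the check can be exercised. */
int fg_printf_impl(const char *func, int nargs, const char *fmt, ...)
{
    int need = fg_needed(fmt);
    if (need > nargs) {
        fprintf(stderr, "%s: format needs %d args, got %d\n", func, need, nargs);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

/* The count includes the format string itself, hence "- 1". */
#define fg_printf(...) fg_printf_impl(__func__, FG_NARGS(__VA_ARGS__) - 1, __VA_ARGS__)

int main(void)
{
    const char *input = "%x %x %x";   /* constructed hostile input */
    fg_printf("user=%s id=%d\n", "alice", 7);   /* 2 needed, 2 passed */
    return fg_printf(input) == -1 ? 0 : 1;      /* 3 needed, 0 passed */
}
```

Because the count is taken where the macro expands, a caller that reaches the underlying function with a pre-built va_list bypasses the check, which matches the vsprintf limitation the announcement lists.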