Format String Vulnerabilities: Explanation, Impact, and Prevention, Slides of Software Engineering

An overview of format string vulnerabilities, their impact on security, and methods for exploiting and preventing them. It covers the concept of string formatting, common causes of format string problems, and their effects on access control, confidentiality, and integrity. Examples of incorrect and correct usage are also provided, along with detection and mitigation strategies.

Typology: Slides

2012/2013

Uploaded on 04/26/2013

sharad_984

Format String Problems

Overview

  • String Formatting Explained
  • Exploiting string format errors
  • Examples
  • Spotting and correcting the problem

How it affects security

Access Control: Redirect execution to malicious code

Confidentiality: Can expose information about a program that can lead to further exploitation

Integrity: Values can be overwritten in memory

Exploiting string format problems

    #include <stdio.h>

    int main(int argc, char* argv[])
    {
        if (argc > 1)
            printf(argv[1]);  /* user input is used as the format string */
        return 0;
    }

Sample input: "%x %x"
Sample output: 12ffc0 4011e

Source: (Howard, LeBlanc, and Viega 19)

Detecting and spotting the problems

  • Luckily, the problem is easy to detect and mitigate

  • Lexical source code scanners can detect the errors, and Crispin Cowan offers FormatGuard, a built-in compilation tool

  • Right: printf("%s", user_input); printf("%d", user_input);

  • Wrong: printf(user_input); syslog(LOG_FILE, userText);
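A sketch of the kind of lexical check mentioned above, added here as an example (it is not from the slides and is not FormatGuard): it flags calls whose format argument is not a string literal. The function table and the names nth_arg and flags_nonliteral_format are assumptions for illustration; it works one line at a time and does not skip comments or string contents.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Function name and zero-based position of its format argument. */
struct fmt_func { const char *name; int fmt_index; };
static const struct fmt_func FUNCS[] = {
    {"printf", 0}, {"fprintf", 1}, {"sprintf", 1}, {"snprintf", 2}, {"syslog", 1},
};

/* Start of argument `index` in the text after '(', or NULL if the call ends
   first. Commas inside nested parentheses and string literals are skipped. */
static const char *nth_arg(const char *p, int index) {
    int depth = 0;
    for (; *p && index > 0; p++) {
        if (*p == '"') {
            for (p++; *p && *p != '"'; p++)
                if (*p == '\\' && p[1]) p++;
            if (!*p) return NULL;
        } else if (*p == '(') {
            depth++;
        } else if (*p == ')') {
            if (depth-- == 0) return NULL;
        } else if (*p == ',' && depth == 0) {
            index--;
        }
    }
    while (isspace((unsigned char)*p)) p++;
    return *p ? p : NULL;
}

/* 1 if `line` calls a listed function with a format that is not a literal. */
int flags_nonliteral_format(const char *line) {
    for (size_t i = 0; i < sizeof FUNCS / sizeof FUNCS[0]; i++) {
        size_t n = strlen(FUNCS[i].name);
        for (const char *hit = line; (hit = strstr(hit, FUNCS[i].name)); hit += n) {
            if (hit > line && (isalnum((unsigned char)hit[-1]) || hit[-1] == '_'))
                continue;                      /* part of a longer identifier */
            if (hit[n] != '(') continue;
            const char *arg = nth_arg(hit + n + 1, FUNCS[i].fmt_index);
            if (arg && *arg != '"') return 1;
        }
    }
    return 0;
}

int main(void) {
    /* Constructed input: the Right/Wrong calls from the slide. */
    const char *lines[] = { "printf(\"%s\", user_input);", "printf(user_input);",
                            "syslog(LOG_FILE, userText);" };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s %s\n", lines[i], flags_nonliteral_format(lines[i]) ? "FLAG" : "ok");
    return 0;
}
```

Compilers offer the same check with full parsing: GCC and Clang warn on non-literal formats with -Wformat-security.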

Summary

  • Do use fixed format strings
  • Do NOT pass user input directly as the format string to formatting functions.
  • Do avoid using the printf(), scanf() family of functions if you can.