SEED Labs – Format String Vulnerability Lab 1
Format String Vulnerability Lab
Copyright © 2006 - 2014 Wenliang Du, Syracuse University.
The development of this document is/was funded by three grants from the US National Science Foundation:
Awards No. 0231122 and 0618680 from TUES/CCLI and Award No. 1017771 from Trustworthy Computing.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.2 or any later version published by the Free Software Foundation. A copy
of the license can be found at http://www.gnu.org/licenses/fdl.html.
1 Lab Overview
The learning objective of this lab is for students to gain first-hand experience with the format-string vulnerability
by putting what they have learned about it in class into action. The format-string vulnerability
is caused by code like printf(user_input), where the contents of the variable user_input
are provided by users. When this program is running with privileges (e.g., a Set-UID program), this printf
statement becomes dangerous, because it can lead to one of the following consequences: (1) crash the
program, (2) read from an arbitrary memory location, and (3) modify the value at an arbitrary memory
location. The last consequence is very dangerous because it can allow users to modify internal variables of a
privileged program, and thus change the behavior of the program.
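To make the printf(user_input) pattern concrete, the following added example (written for this text, not part of the SEED lab handout) places the vulnerable call beside its hardened form and adds two small checks a defender would want: a counter for format directives in an untrusted buffer, and a helper that confirms the hardened path reproduces the input verbatim. The function names and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the user-controlled buffer *is* the format string, so
   printf() interprets every '%' directive it contains (the behavior the lab
   text describes). Compilers flag this with -Wformat-security. Kept here
   only for comparison; nothing below calls it. */
void vulnerable_echo(const char *user_input) {
    printf(user_input);
}

/* Hardened form: the format string is a literal and the input is passed
   purely as data, so '%' characters in it are printed, not interpreted. */
void safe_echo(const char *user_input) {
    printf("%s", user_input);
}

/* Defensive check: count format directives in an untrusted buffer.
   "%%" is a literal percent sign and is not counted. A non-zero result in
   data that should be plain text is a useful thing to log. */
int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Render untrusted text into a caller-supplied buffer with a fixed format.
   Returns the number of bytes written, or -1 on truncation or error. */
int safe_render(char *out, size_t outsz, const char *user_input) {
    int n = snprintf(out, outsz, "%s", user_input);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Returns 1 if the hardened path reproduces the input byte-for-byte,
   i.e. directives in the input were treated as data. */
int echo_verbatim(const char *in) {
    char out[128];
    int n = safe_render(out, sizeof out, in);
    return n == (int)strlen(in) && strcmp(out, in) == 0;
}

int main(void) {
    /* Constructed sample inputs for the demo. */
    const char *plain = "100%% done";
    const char *suspicious = "hello %x %x %n";
    printf("directives in \"%s\": %d\n", plain, count_directives(plain));
    printf("directives in \"%s\": %d\n", suspicious, count_directives(suspicious));
    safe_echo(suspicious);           /* prints the text literally */
    putchar('\n');
    return 0;
}
```

The fix is not to scan and reject input but to never let untrusted bytes reach the format argument; count_directives is an auxiliary detection aid, since a legitimate text field containing "%n" is rare enough to be worth noticing in logs.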
In this lab, students will be given a program with a format-string vulnerability; their task is to develop
a scheme to exploit the vulnerability. In addition to the attacks, students will be guided to walk through
a protection scheme that can be used to defeat this type of attack. Students need to evaluate whether the
scheme works or not and explain why.