Title: Run-Time Detection of Format String Attacks (動態格式化字串攻擊偵測方法之研究)
Authors: Hui-Lan Hung (洪慧蘭); Shih-Kun Huang (黃世昆)
Institute of Computer Science and Engineering (資訊科學與工程研究所)
Keywords: variadic functions; format string vulnerabilities; software security; exploits
Issue Date: 2006
Abstract: To prevent the problems caused by format string vulnerabilities, the way string-formatting functions access their arguments must be regulated: they should not read arguments beyond the argument list. Variadic functions rely on the format string argument to determine how many arguments to read, so an attacker who controls the format string can exploit the vulnerability by supplying more conversion specifiers than there are arguments and mount several kinds of attack. In this thesis we propose a method for detecting attacks on the printf and vprintf families of functions and develop a tool, FormatDefense, that checks whether a variadic function accesses arguments outside its argument list. FormatDefense protects format string functions completely by defining a defense line (an access bound) in memory and treating any argument access beyond that line as an attack. The bound is obtained by offline analysis of debugging information and runtime tracking of stack changes. The method is implemented as a shared library in the UNIX environment; a program only needs to link the library at run time for its format string functions to be protected. To evaluate the effectiveness of the detection method we consider six scenarios based on where the format string is stored. The results show that FormatDefense detects the invalid accesses in all six scenarios and surpasses several existing detection tools, demonstrating higher precision. Furthermore, applied to several programs with known format string vulnerabilities, FormatDefense successfully detects the corresponding exploits. Finally, we evaluate the performance overhead with microbenchmarks and macrobenchmarks; the overhead is negligible, so FormatDefense can be applied practically to real programs to prevent format string attacks.
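As an added illustration of the attack surface the abstract describes (example code added here; it is not FormatDefense and not from the thesis), the following C program scans a printf-style format string to count how many variadic arguments its conversions would consume, and refuses a call whose format would read past the arguments actually supplied or write memory through %n. Unlike FormatDefense, which derives the access bound from debugging information and stack tracking, this example assumes the caller states how many variadic arguments it passed (the `nargs` parameter); the function names `scan_format`, `format_within_bound` and `checked_printf` and the attacker-controlled string in `main` are constructed for the example.

```c
/* Added example: a simplified argument-bound check for printf-like calls.
 * It is not FormatDefense; FormatDefense derives the bound from debugging
 * information and stack tracking, whereas here the caller states how many
 * variadic arguments it actually passed (an assumption of this example). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning a format string. */
struct fmt_scan {
    int args_consumed;  /* variadic arguments the conversions would read */
    int has_n;          /* 1 if a %n conversion (memory write) is present */
    int malformed;      /* 1 if a '%' is not followed by a valid conversion */
};

/* Count how many variadic arguments a printf-style format string consumes.
 * Handles %%, flags, '*' width/precision (each consumes an int), length
 * modifiers and the standard conversion characters. Positional arguments
 * (%1$d) are not supported and are reported as malformed. */
struct fmt_scan scan_format(const char *fmt)
{
    struct fmt_scan r = {0, 0, 0};
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }            /* literal percent */
        while (*p && strchr("-+ #0", *p)) p++;       /* flags */
        if (*p == '*') { r.args_consumed++; p++; }   /* width from argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                             /* precision */
            p++;
            if (*p == '*') { r.args_consumed++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;     /* length modifiers */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) {
            if (*p == 'n') r.has_n = 1;
            r.args_consumed++;
            p++;
        } else {
            r.malformed = 1;                         /* e.g. trailing '%' */
            if (*p) p++;
        }
    }
    return r;
}

/* Returns 1 if printf(fmt, ...) with nargs variadic arguments would stay
 * within the argument list and not write memory, 0 otherwise. */
int format_within_bound(const char *fmt, int nargs)
{
    struct fmt_scan r = scan_format(fmt);
    return !r.malformed && !r.has_n && r.args_consumed <= nargs;
}

/* Guarded printf: the caller passes the number of variadic arguments it
 * supplies; the call is refused when the format would read beyond them. */
int checked_printf(int nargs, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (!format_within_bound(fmt, nargs)) {
        fprintf(stderr, "format string rejected: %s\n", fmt);
        return -1;
    }
    va_start(ap, fmt);
    n = vprintf(fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    /* Constructed attacker input: four reads past the argument list plus a
     * %n write, the classic shape of a format string exploit. */
    const char *untrusted = "%x %x %x %x %n";

    /* Vulnerable pattern would be printf(untrusted); the guarded call
     * rejects it because zero variadic arguments were supplied. */
    checked_printf(0, untrusted);

    /* Correct use: the untrusted string travels as data, not as the format. */
    checked_printf(1, "%s\n", untrusted);
    return 0;
}
```

The check is deliberately conservative: any `%n`, any malformed specifier and any positional argument is refused outright, since a wrapper that cannot establish the bound should fail closed rather than guess.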
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079655582
http://hdl.handle.net/11536/43387
Appears in collections: Theses


Files in this item:

  1. 558201.pdf
