6548343 2001-05-27 02:50 -0700  /58 lines/ Crispin Cowan <crispin@wirex.com>
Sent by: sectools-return-7-9599=lyskom.lysator.liu.se@securityfocus.com
Imported: 2001-05-27  19:07  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM <BUGTRAQ@SECURITYFOCUS.COM>
External recipient: sectools@securityfocus.com
External recipient: Immunix Users <immunix-users@wirex.com>
External recipient: Immunix-announce@wirex.com
External recipient: Security Audit <security-audit@ferret.lmh.ox.ac.uk>
External recipient: linux-security@lists.securityportal.com
External recipient: secprog@securityfocus.com
External recipient: firewall-wizards@nfr.net <firewall-wizards@nfr.net>
Recipient: SECTOOLS (import) <18>
Recipient: Bugtraq (import) <17160>
    Sent:     2001-05-27 22:49
Marked by 1 person.
Subject: FormatGuard
------------------------------------------------------------
WireX is pleased to announce the broad release of FormatGuard 1.0,
the latest member of the Immunix security tool suite.  Similar to
StackGuard http://immunix.org/stackguard.html , FormatGuard provides
run-time protection against printf format string vulnerabilities
http://www.securityfocus.com/archive/1/81565

FormatGuard's basic mechanism is to transform printf (and friends)
into a CPP macro.  The macro uses CPP tricks to count the actual
number of arguments presented to printf, and then calls a wrapped
printf that parses the format string, and compares the number of %
directives to the argument count.  If there are more % directives
than actual arguments, then a printf format string is deemed to be in
progress, a syslog entry to that effect is generated (including the
name of the function with the bogus printf call) and the program
aborts.  This method was originally proposed by Mike Frantzen
http://www.securityfocus.com/archive/1/72118 refined by Jamie Lokier
http://gcc.gnu.org/ml/gcc/2000-09/msg00604.html and implemented by
WireX.

A brief description of FormatGuard can be found here
http://immunix.org/formatguard.html FormatGuard is described at
length in a paper that will be presented at USENIX Security 2001,
August, Washington DC http://www.usenix.org/events/sec01/  Preprints
of the paper are available here  http://immunix.org/formatguard.pdf

FormatGuard is implemented as an enhancement to glibc, providing the
printf-family of macros in stdio.h and the wrapped functions as part
of glibc.  As such, FormatGuard is distributed under glibc's LGPL.
Source can be downloaded here
http://download.immunix.org/ImmunixOS/7.0/i386/SRPMS/glibc-2.2-12_imnx_7.src.rpm

Despite being packaged as a library, programs only get FormatGuard
protection if they are re-compiled with FormatGuard.  The resulting
binaries only run when statically or dynamically linked to the
FormatGuard version of glibc.  WireX's Immunix OS 7.0 Linux
distribution  http://immunix.org/immunix70.html has been completely
built with FormatGuard (as well as StackGuard) and is available for
purchase here  http://www.wirex.com//Products/Immunix/purchase.html

We have extensively measured and tested FormatGuard, running it on
our servers and workstations for the last several months.  The
performance impact of FormatGuard is negligible, always below 2%.  We
have tested the security effectiveness of FormatGuard against real
vulnerabilities and live exploits, and found it to be effective.  The
primary limitation is programs that either make direct calls to
vsprintf with hand-constructed varargs argument stacks, or call
printf-like functions in non-glibc libraries such as GLib (part of
GTK).  Details are provided in the USENIX Security paper
http://immunix.org/formatguard.pdf

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://www.wirex.com//Products/Immunix/purchase.html
(6548343) /Crispin Cowan <crispin@wirex.com>/(Rewrapped)
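
The mechanism the announcement describes (a CPP macro counts the actual arguments, then a wrapped printf counts the % directives and compares), as an added example; it is not WireX's glibc code and not part of the original message. The names FG_PICK, FG_NARGS, fg_count_directives, fg_check, fg_printf and guarded_printf are hypothetical, and the counting macro assumes C99 variadic macros and at most 7 arguments after the format string.

```c
/* Added illustration of the FormatGuard idea; all FG_ and fg_ names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* CPP trick: count the macro's arguments (1..8), format string included. */
#define FG_PICK(_1, _2, _3, _4, _5, _6, _7, _8, N, ...) N
#define FG_NARGS(...) FG_PICK(__VA_ARGS__, 8, 7, 6, 5, 4, 3, 2, 1, 0)

/* Number of arguments the format string will consume. */
int fg_count_directives(const char *fmt)
{
    int need = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;        /* "%%" is a literal percent sign */
        need++;                           /* the conversion itself */
        for (; *p && strchr("-+ #0123456789.*hlLjzt", *p); p++)
            if (*p == '*') need++;        /* '*' width/precision takes an int */
        if (!*p) break;                   /* truncated directive at end of string */
    }
    return need;
}

/* 1 if the call supplies enough arguments, 0 if the format asks for more. */
int fg_check(const char *fmt, int nargs) { return fg_count_directives(fmt) <= nargs; }

/* Wrapped printf: log the offending caller and abort on a mismatch. */
int fg_printf(const char *caller, int nargs, const char *fmt, ...)
{
    if (!fg_check(fmt, nargs)) {
        syslog(LOG_ALERT, "format wants more than %d args in %s()", nargs, caller);
        abort();
    }
    va_list ap;
    va_start(ap, fmt);
    int n = vprintf(fmt, ap);
    va_end(ap);
    return n;
}
#define guarded_printf(...) fg_printf(__func__, FG_NARGS(__VA_ARGS__) - 1, __VA_ARGS__)

int main(void)
{
    const char *input = "%x.%x.%x";       /* constructed untrusted input */
    guarded_printf("user=%s id=%d\n", "alice", 7);   /* 2 needed, 2 given */
    printf("printf(input) refused: %d\n", !fg_check(input, FG_NARGS(input) - 1));
    return 0;
}
```

The count happens at the call site during preprocessing, which is why the announcement notes that programs must be recompiled to be protected and that hand-built varargs calls to vsprintf escape the check.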