Next: 7 Conclusions
Up: 6 Related Work
Previous: Static Bug Detection.
Another defense against format string vulnerabilities is to dynamically prevent exploits through appropriate modifications to the C run-time [3], compiler, or libraries. libformat, a library designed to halt execution of any program that might be susceptible to a format string bug, follows this approach: it intercepts calls to printf-like functions and aborts the application if the format string contains a %n directive and the format string lies in a writable portion of the address space [34]. However, this approach is fragile, since the libformat mechanism must be kept in perfect synchronization with the libc implementation of all printf-like functions. FormatGuard, a compiler modification, injects code to dynamically check and reject all printf-like function calls where the number of arguments does not match the number of "%" specifiers [13]. Of course, only applications that are re-compiled with FormatGuard benefit from its protection. Also, one technical shortcoming of FormatGuard is that it does not protect user-defined wrapper functions (see, e.g., Figure 1). Moreover, a common limitation of both libformat and FormatGuard is that programs with format string vulnerabilities remain vulnerable to denial of service attacks, since both defenses respond to a detected attack by halting the program. Nonetheless, an important advantage of these run-time techniques is that they are cheap and require almost no human intervention. Thus, we feel that run-time and static measures are both useful and complement each other well.
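The two run-time checks described above, combined in one small wrapper, as an added illustration that is not code from the paper, from libformat, or from FormatGuard. It makes two simplifying assumptions: the argument count is recovered at the call site with a preprocessor counting macro (supporting up to eight arguments), which is the only information a plain C variadic function cannot obtain for itself; and libformat's "is the format string writable?" test, which has no portable C equivalent, is replaced by rejecting any %n directive unconditionally. Positional directives of the form %1$d are treated as unparseable and rejected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Outcome of checking a format string against the argument count the
   caller actually supplied. */
enum fmt_status {
    FMT_OK = 0,
    FMT_ARG_MISMATCH,   /* FormatGuard-style rejection: directives != arguments */
    FMT_WRITES_MEMORY,  /* libformat-style rejection: format contains %n */
    FMT_UNPARSEABLE     /* dangling '%', unknown conversion, or positional %1$d */
};

/* Walk the format once, counting the arguments its directives consume
   ('*' width and precision each consume one) and noting any %n.
   Returns 0 on success, -1 if the format cannot be parsed. */
static int scan_format(const char *fmt, int *consumed, int *writes)
{
    *consumed = 0;
    *writes = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                          /* "%%" is a literal percent */
            continue;
        while (*p && strchr("-+ #0", *p))       /* flags */
            p++;
        if (*p == '*') { (*consumed)++; p++; }  /* width taken from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '$')                          /* positional argument: unsupported here */
            return -1;
        if (*p == '.') {                        /* precision */
            p++;
            if (*p == '*') { (*consumed)++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hljztL", *p))      /* length modifiers */
            p++;
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;                          /* dangling '%' or unknown conversion */
        if (*p == 'n')
            *writes = 1;
        (*consumed)++;
    }
    return 0;
}

enum fmt_status check_format(const char *fmt, int nargs)
{
    int consumed, writes;
    if (scan_format(fmt, &consumed, &writes) != 0)
        return FMT_UNPARSEABLE;
    if (writes)
        return FMT_WRITES_MEMORY;
    if (consumed != nargs)
        return FMT_ARG_MISMATCH;
    return FMT_OK;
}

/* Call-site argument counting: NARGS(fmt, a, b) expands to 2.  The
   macro sees the arguments, so it can pass their count to the checker. */
#define NARGS_SEQ(_1, _2, _3, _4, _5, _6, _7, _8, _9, N, ...) N
#define NARGS(...) NARGS_SEQ(__VA_ARGS__, 8, 7, 6, 5, 4, 3, 2, 1, 0, 0)
#define checked_printf(...) checked_printf_n(NARGS(__VA_ARGS__), __VA_ARGS__)

/* Refuses to print, returning -1, unless the format passes both checks. */
int checked_printf_n(int nargs, const char *fmt, ...)
{
    if (check_format(fmt, nargs) != FMT_OK) {
        fputs("checked_printf: rejected format string\n", stderr);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int written = vprintf(fmt, ap);
    va_end(ap);
    return written;
}

int main(void)
{
    const char *untrusted = "%n";                  /* constructed hostile input */
    checked_printf("user %s has %d items\n", "alice", 3);  /* accepted */
    checked_printf(untrusted);                     /* rejected: %n */
    checked_printf("%s %s\n", "only-one");         /* rejected: count mismatch */
    return 0;
}
```

Two properties of this wrapper mirror the limitations discussed above. A user-defined wrapper such as `void log_msg(const char *fmt, ...)` that forwards its `va_list` to `vprintf` defeats the count, because the number of arguments is known only at the outermost call site; every such wrapper would need its own macro. And rejection is itself a failure: the call returns an error (or, in libformat and FormatGuard, the process is halted), so a vulnerable program is still open to denial of service.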
Umesh Shankar
2001-05-16