FormatGuard's basic mechanism is to transform printf (and friends) into a CPP macro. The macro uses CPP tricks to count the actual number of arguments presented to printf, and then calls a wrapped printf that parses the format string and compares the number of % directives to the argument count. If there are more % directives than actual arguments, then a printf format string attack is deemed to be in progress, a syslog entry to that effect is generated (including the name of the function with the bogus printf call), and the program aborts. This method was originally proposed by Mike Frantzen, refined by Jamie Lokier (https://gcc.gnu.org/legacy-ml/gcc/2000-09/msg00604.html), and implemented by WireX.
A brief description of FormatGuard can be found here. FormatGuard is described at length in a paper that will be presented at USENIX Security 2001, August, Washington DC (https://www.usenix.org/legacy/events/sec01/). Preprints of the paper are available here.
FormatGuard is implemented as an enhancement to glibc, providing the printf family of macros in stdio.h and the wrapped functions as part of glibc. As such, FormatGuard is distributed under glibc's LGPL. Source can be downloaded here.
Despite being packaged as a library, programs only get FormatGuard protection if they are re-compiled with FormatGuard. The resulting binaries only run when statically or dynamically linked to the FormatGuard version of glibc. WireX's Immunix OS 7.0 Linux distribution has been completely built with FormatGuard (as well as StackGuard) and is available for purchase here.
We have extensively measured and tested FormatGuard, running it on our servers and workstations for the last several months. The performance impact of FormatGuard is negligible, always below 2%. We have tested the security effectiveness of FormatGuard against real vulnerabilities and live exploits, and found it to be effective. The primary limitation is programs that either make direct calls to vsprintf with hand-constructed varargs argument stacks, or call printf-like functions in non-glibc libraries such as GLib (part of GTK). Details are provided in the USENIX Security paper.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/
Security Hardened Linux Distribution: https://immunix.org/
Available for purchase:
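
The check described in the first paragraph (count the call's arguments in the preprocessor, count the directives in the format string, compare the two), written out as an added C example; it is not FormatGuard's source and not part of the original message. The names `fg_printf`, `fg_checked_printf`, `fg_count_directives`, `FG_NARGS` and `FG_PICK` are hypothetical, the counter handles at most 8 arguments, and the wrapper returns -1 where FormatGuard would log to syslog and abort.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the arguments that follow the format string (0..8), in plain C99.
   The format string itself occupies the first slot of FG_PICK. */
#define FG_PICK(a0,a1,a2,a3,a4,a5,a6,a7,a8,N,...) N
#define FG_NARGS(...) FG_PICK(__VA_ARGS__,8,7,6,5,4,3,2,1,0,0)

/* Hypothetical stand-in for the macro that replaces printf. */
#define fg_printf(...) fg_checked_printf(FG_NARGS(__VA_ARGS__), __VA_ARGS__)

/* Number of arguments the format string will consume. */
int fg_count_directives(const char *fmt)
{
    int need = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;          /* "%%" is a literal percent sign */
        while (*p && strchr("-+ #0123456789.*hlLjztq", *p)) {
            if (*p == '*') need++;        /* '*' width/precision takes an int */
            p++;
        }
        if (*p == '\0') break;            /* directive cut off at end of string */
        if (*p != 'm') need++;            /* glibc's %m consumes no argument */
    }
    return need;
}

/* Wrapped printf: refuse the call when the format wants more than was passed. */
int fg_checked_printf(int nargs, const char *fmt, ...)
{
    int need = fg_count_directives(fmt);
    if (need > nargs) {
        fprintf(stderr, "fg: format needs %d args, call passed %d\n", need, nargs);
        return -1;                        /* FormatGuard: syslog entry, then abort */
    }
    va_list ap;
    va_start(ap, fmt);
    int n = vprintf(fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    const char *untrusted = "%x.%x.%x";   /* constructed attacker-controlled input */
    fg_printf("%s=%d\n", "uid", 7);       /* needs 2, passed 2: printed */
    fg_printf(untrusted);                 /* needs 3, passed 0: rejected */
    return 0;
}
```

Because the argument count is taken at the call site by the preprocessor, a caller that reaches `vprintf` directly with its own `va_list` never passes through the count, which is the limitation the message notes for direct `vsprintf` calls.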