With the advent of general access computer networks, such as the Internet, people may now easily exchange application data between computer systems. Unfortunately, some people have taken advantage of such easy data exchange by developing various threats, such as malware. One particular type of computing framework that is vulnerable to such malicious acts include run-time libraries and associated routines. Such run-time libraries typically include a program or library of basic code that is used by a particular computer language to manage a program written in such language while it is running.
For example, the C/C++ run-time library provides routines like printf, scanf, etc. which accept a variable number of arguments. When one of these routines is called by a client application, data to be used in association with the routine is pushed onto a stack sequentially, one-by-one, by the client application. Thereafter, control is transferred to the specific C/C++ run-time routine.
When such control is transferred to the run-time routine, the routine reads as much data as is requested to be read from the stack. This happens with no way of knowing how many bytes of data were actually pushed on to the stack by the client application. This means that a hacker may craft the input appropriately such that these routines may be manipulated to access more data than the client application actually requested the routine to read.
Unfortunately, such additional data may be malicious in nature. While there are systems that identify any code and, particularly, malicious code, on the stack to prevent the execution thereof; the instant vulnerability still remains, since this technique requires that such code be identifiable (e.g. utilizing signatures or other identification techniques, etc.).
One specific example will now be set forth illustrating an exploitation of such vulnerability that persists in the prior art. Specifically, in the context of the routine printf( ), a format string is typically accepted which identifies a number of parameters. Unfortunately, compilers are unable to check if the number of parameters mentioned in the format string is less or more than the actual parameters specified.
To this end, a hacker may use this weakness to craft a format string to tell printf( ) to read more parameters than are actually supplied. This, in turn, may result in the printf( ) routine reading more data from the stack than was actually supplied. Thus, using this vulnerability, such hacker may use the printf( ) routine to dump the return address location of the stack. Further, by knowing where such return address location is stored, the hacker may change the return address to execute unwanted code.
There is thus a need for overcoming these and/or other problems associated with the prior art.