next up previous
Next: 5.1 Metrics Up: Detecting Format String Vulnerabilities Previous: 4.4 const Allows Deep

5 Real-World Tests

We tested the effectiveness of cqual on several popular C programs that are potentially vulnerable to format string attacks. Some of them had known vulnerabilities; others did not. In all cases, attackers from across the network have control over some string input to the program. If this input is used as a format string, a carefully chosen input can crash the program or give the attacker root access.


Umesh Shankar 2001-05-16