A type system for format strings

Published: 21 July 2014

Abstract

Most programming languages support format strings, but their use is error-prone. Using the wrong format string syntax, or passing the wrong number or type of arguments, leads to unintelligible text output, program crashes, or security vulnerabilities.
This paper presents a type system that guarantees that calls to format string APIs will never fail. In Java, this means that the API will not throw exceptions. In C, this means that the API will not return negative values, corrupt memory, etc.
We instantiated this type system for Java’s Formatter API, and evaluated it on 6 large and well-maintained open-source projects. Format string bugs are common in practice (our type system found 104 bugs), and the annotation burden on the user of our type system is low (on average, for every bug found, only 1.0 annotations need to be written).
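As an added example (not code from the paper or its implementation), the Python model below performs the per-call check the abstract describes for Java's Formatter: it derives from the format string which argument category each argument position must satisfy, compares that against the declared Java types of the arguments, and reports the exception a mismatch would raise at run time. Java types are represented by their names as strings, and only argument-count and conversion mismatches are modelled (flag/conversion mismatches, `<` relative indexing and code-point range checks are left out).

```python
import re
# Java Formatter conversions grouped by the argument category each accepts (from the
# java.util.Formatter docs); a static check over this per-slot information is the kind of
# guarantee the abstract's type system provides.
CONVERSION_CATEGORY = {
    **dict.fromkeys("bBhHsS", "GENERAL"), **dict.fromkeys("cC", "CHAR"),
    **dict.fromkeys("doxX", "INT"), **dict.fromkeys("eEfgGaA", "FLOAT"),
    "t": "DATE_TIME", "n": None, "%": None,  # %n and %% consume no argument
}
# Java argument types each category accepts (None = any type). %c also takes integer
# types, but only valid code points, a runtime check this model leaves out.
ACCEPTS = {
    "GENERAL": None,
    "CHAR": {"char", "Character", "byte", "Byte", "short", "Short", "int", "Integer"},
    "INT": {"byte", "Byte", "short", "Short", "int", "Integer", "long", "Long", "BigInteger"},
    "FLOAT": {"float", "Float", "double", "Double", "BigDecimal"},
    "DATE_TIME": {"long", "Long", "Calendar", "Date", "TemporalAccessor"},
}
# %[argument_index$][flags][width][.precision][t]conversion  ('<' relative indexing omitted)
SPEC = re.compile(r"%(?:(\d+)\$)?[-#+ 0,(]*\d*(?:\.\d+)?([tT]?)(.)", re.DOTALL)

def format_slots(fmt):
    """Map each 0-based argument index to the categories it must satisfy (ValueError = unknown conversion)."""
    slots, ordinary = {}, 0
    for index, t, conv in SPEC.findall(fmt):
        key = "t" if t else conv
        if key not in CONVERSION_CATEGORY or (not t and conv in "tT"):  # bare %t has no suffix
            raise ValueError(f"UnknownFormatConversionException: {conv!r}")
        if CONVERSION_CATEGORY[key] is None:
            continue
        pos = int(index) - 1 if index else ordinary  # explicit %n$ index or next ordinary slot
        ordinary += not index
        slots.setdefault(pos, set()).add(CONVERSION_CATEGORY[key])
    return slots

def check_call(fmt, arg_types):
    """None if String.format(fmt, args...) cannot fail for these Java arg types, else the Formatter exception."""
    try:
        slots = format_slots(fmt)
    except ValueError as e:
        return str(e)
    for pos in sorted(slots):  # surplus arguments are ignored by Java, so they are not an error
        if pos >= len(arg_types):
            return f"MissingFormatArgumentException: slot {pos + 1}"
        for category in slots[pos]:
            allowed = ACCEPTS[category]
            if allowed is not None and arg_types[pos] not in allowed:
                return f"IllegalFormatConversionException: {arg_types[pos]} for {category}"
    return None
```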


Published In

ISSTA 2014: Proceedings of the 2014 International Symposium on Software Testing and Analysis
July 2014
460 pages
ISBN:9781450326452
DOI:10.1145/2610384
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Format string
  2. printf
  3. static analysis
  4. type system

Qualifiers

  • Research-article

Conference

ISSTA '14
Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Cited By

  • (2024) Typing Requirement Model as Coroutines. IEEE Access, 12 (8449-8460). DOI: 10.1109/ACCESS.2024.3352115. Online publication date: 2024
  • (2020) Log++ logging for a cloud-native world. ACM SIGPLAN Notices, 53:8 (25-36). DOI: 10.1145/3393673.3276952. Online publication date: 6-Apr-2020
  • (2020) The impact of generic data structures. Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering (103-114). DOI: 10.1145/3324884.3416635. Online publication date: 21-Dec-2020
  • (2018) Log++ logging for a cloud-native world. Proceedings of the 14th ACM SIGPLAN International Symposium on Dynamic Languages (25-36). DOI: 10.1145/3276945.3276952. Online publication date: 24-Oct-2018
  • (2017) Type checking for reliable APIs. Proceedings of the 1st International Workshop on API Usage and Evolution (15-18). DOI: 10.5555/3106028.3106036. Online publication date: 20-May-2017
  • (2017) Type Checking for Reliable APIs. 2017 IEEE/ACM 1st International Workshop on API Usage and Evolution (WAPI) (15-18). DOI: 10.1109/WAPI.2017.5. Online publication date: May-2017
  • (2017) To type or not to type. Proceedings of the 39th International Conference on Software Engineering (758-769). DOI: 10.1109/ICSE.2017.75. Online publication date: 20-May-2017
  • (2015) Cascade. Proceedings of the 37th International Conference on Software Engineering - Volume 1 (234-245). DOI: 10.5555/2818754.2818785. Online publication date: 16-May-2015
  • (2015) Cascade: A Universal Programmer-Assisted Type Qualifier Inference Tool. 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering (234-245). DOI: 10.1109/ICSE.2015.44. Online publication date: May-2015
  • (2014) A format string checker for Java. Proceedings of the 2014 International Symposium on Software Testing and Analysis (441-444). DOI: 10.1145/2610384.2628056. Online publication date: 21-Jul-2014
