FormatShield: A Binary Rewriting Defense against Format String Attacks


FormatShield works by intercepting calls to the vulnerable libc functions (the printf family) and identifying the vulnerable call sites of those functions in a running process. Using binary rewriting, the list of all such call sites is written into the program's binary, so that it is available at runtime. An attack is detected when format specifiers are found in the format string passed at one of these call sites.

FormatShield defends against all types of format string attacks, i.e. arbitrary memory read and arbitrary memory write attempts, including non-control-data attacks. Although FormatShield also detects crash attempts, it cannot defend against them, because the program is terminated when an attack is detected; denial-of-service (DoS) attacks therefore remain possible. Before it can detect attacks, FormatShield requires the program to be protected to be trained, either by running it in deployment or "synthetically", so that the vulnerable call sites in the program can be identified.

FormatShield is implemented as a shared library that is preloaded using the LD_PRELOAD environment variable (or /etc/ld.so.preload).
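The interception, training and detection steps described above, as an added illustration in C that is not FormatShield's own code. It keeps the table of flagged call sites in memory instead of rewriting it into the binary, keys a call site by the caller's return address as an LD_PRELOAD interposer for printf would, and uses a training heuristic of its own (a site is flagged when it presents two different format strings, which a site with a constant format never does); the paper's criterion for flagging a site may differ. The toy program, its training inputs and the attack string are constructed for the example, and a detected attack makes the wrapper return -1 instead of terminating the process so the check can be exercised from a test.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SITES  64    /* call sites tracked (illustration only) */
#define FMT_SAMPLE 128   /* bytes of the first format string kept per site */

enum shield_mode { SHIELD_TRAINING, SHIELD_DETECTING };

struct site_record {
    const void *site;            /* caller identity: return address of the call */
    char first_fmt[FMT_SAMPLE];  /* format string seen on the first call at this site */
    bool vulnerable;             /* set when a different format string shows up later */
};

static struct site_record sites[MAX_SITES];
static int n_sites;
static enum shield_mode mode = SHIELD_TRAINING;

void shield_set_mode(enum shield_mode m) { mode = m; }
void shield_reset(void) { n_sites = 0; mode = SHIELD_TRAINING; }

/* True if fmt contains at least one conversion specifier. "%%" is an escaped
 * percent sign, not a specifier, so it is skipped. A lone trailing '%' is
 * undefined for printf and is treated as a specifier (conservative). */
bool has_format_specifier(const char *fmt) {
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return true;
    }
    return false;
}

static struct site_record *find_site(const void *site) {
    for (int i = 0; i < n_sites; i++)
        if (sites[i].site == site) return &sites[i];
    return NULL;
}

/* Training heuristic (this example's own): a site whose format string is a
 * compile-time constant passes the same bytes on every call, so a site that
 * passes two different format strings takes its format from data. */
void train_site(const void *site, const char *fmt) {
    struct site_record *r = find_site(site);
    if (!r) {
        if (n_sites == MAX_SITES) return;   /* table full: site stays untracked */
        r = &sites[n_sites++];
        r->site = site;
        strncpy(r->first_fmt, fmt, FMT_SAMPLE - 1);
        r->first_fmt[FMT_SAMPLE - 1] = '\0';
        r->vulnerable = false;
        return;
    }
    if (!r->vulnerable && strncmp(r->first_fmt, fmt, FMT_SAMPLE - 1) != 0)
        r->vulnerable = true;
}

bool site_is_vulnerable(const void *site) {
    const struct site_record *r = find_site(site);
    return r && r->vulnerable;
}

/* Shared core: train in training mode; in detection mode refuse a format
 * string carrying specifiers at a flagged site and return -1 without printing. */
int shielded_vprintf(const void *site, const char *fmt, va_list ap) {
    if (mode == SHIELD_TRAINING) {
        train_site(site, fmt);
    } else if (site_is_vulnerable(site) && has_format_specifier(fmt)) {
        fprintf(stderr, "format string attack detected at site %p\n", site);
        return -1;
    }
    return vprintf(fmt, ap);
}

/* Entry point with an explicit site identifier (used by the test). */
int shielded_printf_at(const void *site, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = shielded_vprintf(site, fmt, ap);
    va_end(ap);
    return n;
}

/* Drop-in replacement for printf: the site is the caller's return address,
 * which is how an LD_PRELOAD interposer would key its table. noinline keeps
 * the return address pointing at the real call site. */
__attribute__((noinline)) int shielded_printf(const char *fmt, ...) {
    const void *site = __builtin_return_address(0);
    va_list ap;
    va_start(ap, fmt);
    int n = shielded_vprintf(site, fmt, ap);
    va_end(ap);
    return n;
}

/* Toy program (constructed): echo() has the classic bug printf(buf) instead of
 * printf("%s", buf); greet() uses a constant format. noinline so each helper
 * has exactly one call site for shielded_printf. */
__attribute__((noinline)) static void echo(const char *input) { shielded_printf(input); }
__attribute__((noinline)) static void greet(const char *name) { shielded_printf("hello %s\n", name); }

int main(void) {
    shield_set_mode(SHIELD_TRAINING);          /* training run on benign input */
    greet("alice"); greet("bob");
    echo("first login\n"); echo("second login\n");
    shield_set_mode(SHIELD_DETECTING);
    greet("carol");                            /* constant-format site: allowed */
    echo("%x.%x.%x.%n\n");                     /* flagged site + specifiers: blocked */
    return 0;
}
```

Build with gcc or clang; the return-address keying relies on the GCC/Clang builtin. The example keeps FormatShield's limitation: a crash-only payload at a flagged site is refused just like any other, so the program still loses that request, which is the DoS case the text leaves open.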


Related Publication
P. Kohli, B. Bruhadeshwar: "FormatShield: A Binary Rewriting Defense Against Format String Attacks", ACISP 2008. [PDF]