June 25th, 2002 10:47 PM
buffer overflows vs. format string
Hi! I am a new member and I hope my first question is not too stupid. I have read quite a few tutorials about buffer overflows (stack smashing) and format string attacks, and most of them say that it is very easy to detect format string attacks, while on the other hand it may be really tricky to detect a buffer overflow. Also, they say that there are a few dozen format string attacks as opposed to a few thousand buffer overflows. Huh... confusing.
I'd appreciate it if somebody could explain to me how to distinguish whether I'm dealing with a buffer overflow or a format string attack by looking at program behavior (other than counting the number of arguments passed to printf), and why it is so much easier to detect format string attacks.