Abstract
OS kernels enforce a large number of security checks to validate system states. We observe that security checks are in fact very informative in inferring critical semantics in OS kernels. Specifically, security checks can reveal (1) whether an operation or a variable is critical but can be erroneous, (2) what particular errors may occur, and (3) constraints that should be enforced for the uses of a variable or a function. Such information is particularly valuable for detecting kernel semantic bugs because the detection typically requires understanding critical semantics. However, identifying security checks is challenging due to not only the lack of clear criteria but also the diversity of security checks.
In this paper, we first systematically study security checks and propose a mostly-automated approach to identify security checks in OS kernels. Based on the information offered by the identified security checks, we then develop multiple analyzers that detect three classes of common yet critical semantic bugs in OS kernels: NULL-pointer dereferencing, missing error handling, and double fetching. We implemented both the identification and the analyzers as LLVM passes and evaluated them on the Linux kernel and the FreeBSD kernel. Evaluation results show that our security-check identification has very low false-negative and false-positive rates. We have also found 164 new semantic bugs in both kernels, 88 of which have been fixed with our patches. The evaluation results confirm that our system can accurately identify security checks, which helps effectively identify numerous critical semantic bugs in complex OS kernels.
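The abstract's core observation, that a security check on a value reveals the value can be erroneous and therefore implies a constraint on its other uses, can be illustrated with a toy consistency analysis. The following is an added example, not the paper's LLVM passes or algorithm; it works over a constructed, hand-simplified list of call sites (the caller names are invented, and the majority-vote threshold is this example's own heuristic) rather than over kernel IR.

```python
"""Toy illustration of inferring security-checked values from call sites.

A callee whose return value is checked at most call sites is treated as
error-prone (the checks reveal that); any call site that skips the check is
reported as a missing-error-handling candidate. Heuristic and data are
constructed for this example and are not the paper's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallSite:
    caller: str    # function containing the call (constructed names)
    callee: str    # function whose return value is, or is not, checked
    checked: bool  # True if the return value is tested before it is used


# Constructed sample: kmalloc() is checked at 2 of 3 sites, ioremap() at 1 of 2,
# printk() never (its return value carries no error to handle).
SITES = [
    CallSite("probe_a", "kmalloc", True),
    CallSite("probe_b", "kmalloc", True),
    CallSite("probe_c", "kmalloc", False),  # candidate missing check
    CallSite("init_x", "ioremap", True),
    CallSite("init_y", "ioremap", False),   # 1 of 2 checked: below threshold
    CallSite("log_a", "printk", False),
    CallSite("log_b", "printk", False),
]


def infer_checked_callees(sites, threshold=0.6):
    """Return {callee: checked_ratio} for callees whose return value is checked
    at least `threshold` of the time. The presence of the check is what tells
    us the value is critical and can be erroneous."""
    counts = defaultdict(lambda: [0, 0])  # callee -> [checked, total]
    for s in sites:
        counts[s.callee][1] += 1
        counts[s.callee][0] += int(s.checked)
    return {c: chk / tot for c, (chk, tot) in counts.items() if chk / tot >= threshold}


def find_missing_checks(sites, threshold=0.6):
    """Report (caller, callee) pairs where a usually-enforced check is absent."""
    checked = infer_checked_callees(sites, threshold)
    return sorted((s.caller, s.callee) for s in sites
                  if s.callee in checked and not s.checked)


if __name__ == "__main__":
    for caller, callee in find_missing_checks(SITES):
        print(f"{caller}: return value of {callee}() used without a check")
```

Raising or lowering the threshold trades false negatives for false positives in the same way the abstract describes for check identification; with the sample above only the kmalloc() site in probe_c is reported.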
Acknowledgment
We would like to thank the anonymous reviewers for their helpful suggestions and comments. This research was supported in part by the NSF award CNS-1815621. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of NSF.
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Lu, K., Pakki, A., Wu, Q. (2019). Automatically Identifying Security Checks for Detecting Kernel Semantic Bugs. In: Sako, K., Schneider, S., Ryan, P. (eds.) Computer Security – ESORICS 2019. Lecture Notes in Computer Science, vol. 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_1
DOI: https://doi.org/10.1007/978-3-030-29962-0_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0