Third-Eye: Practical and Context-Aware Inference of Causal Relationship Violations in Commodity Kernels

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12756)

Abstract

A causal relationship implies that one function call should follow another function call. In practice, however, causal relationships are often implicit, so developers miss and violate them, causing many serious risks such as memory leaks and crashes. Although several works have been proposed to mitigate the issue, they fall short on two main challenges: the contradiction between bugs in specific paths and intra-function path explosion, and the missing contextual constraints of causal relationships. These shortcomings lead to high performance cost or to failure to detect context-related bugs.

This paper proposes Third-Eye, a practical static analysis tool that infers causal relationship violations for commodity kernels like Linux. Third-Eye leverages an intersection-based call sequence building algorithm to cope with intra-function path explosion, reducing the number of paths while collecting as much callee information as possible. In addition, Third-Eye detects causal relationship violations context-sensitively, based on a statistical method. Our experiments show that Third-Eye is effective and efficient: it identified 60 bugs in Linux 5.3, of which 41 have been confirmed and fixed by Linux developers (the accepted patches are at https://ipads.se.sjtu.edu.cn:1312/opensource/third-eye).


Acknowledgment

We thank the anonymous reviewers for their insightful comments. This work is supported by the National Natural Science Foundation of China (No. 61925206).

Author information

Corresponding author

Correspondence to Haibo Chen.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Yuan, C., Du, D., Chen, H. (2021). Third-Eye: Practical and Context-Aware Inference of Causal Relationship Violations in Commodity Kernels. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science, vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_10

  • DOI: https://doi.org/10.1007/978-3-030-80825-9_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-80824-2

  • Online ISBN: 978-3-030-80825-9

  • eBook Packages: Computer Science (R0)
