Abstract
A causal relationship implies that one function call should follow another. In practice, however, causal relationships are often implicit and are therefore missed and violated by developers, causing serious risks such as memory leaks and crashes. Although several works have been proposed to mitigate the issue, they fall short on two main challenges: the contradiction between bugs that occur only on specific paths and intra-function path explosion, and the missing contextual constraints of causal relationships; these lead either to high performance cost or to failing to detect context-related bugs.
This paper proposes Third-Eye, a practical static analysis tool that infers causal relationship violations in commodity kernels such as Linux. Third-Eye uses an intersection-based call sequence building algorithm to cope with intra-function path explosion, reducing the number of paths while collecting as much callee information as possible. In addition, Third-Eye detects causal relationship violations context-sensitively using a statistical method. Our experiments show that Third-Eye is effective and efficient: it identified 60 bugs in Linux 5.3, of which 41 have been confirmed and fixed by Linux developers (the accepted patches are listed at https://ipads.se.sjtu.edu.cn:1312/opensource/third-eye).
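To make the abstract's two ideas concrete, the following added example (written for this page, not the paper's or Third-Eye's own code) mines "call b should follow call a" rules from a constructed set of intra-function call sequences using a majority-rule statistic, once with and once without a context label on each path, and then reports the paths that deviate from the inferred rules. The function names, the `error`/`success` context labels, the support and confidence thresholds and the sample paths are all hypothetical placeholders; the only claim is that keying the statistic on context is what lets the missing-release path surface.

```python
from collections import defaultdict

# Constructed sample: each tuple is (enclosing function, context, call sequence on one path).
# `context` stands in for a contextual constraint such as "this path returns an error".
# All names are hypothetical placeholders modelled on alloc/release pairs, not data from the paper.
SAMPLE_PATHS = [
    ("drv_probe_a", "error",   ["kzalloc", "setup_hw",    "kfree"]),
    ("drv_probe_b", "error",   ["kzalloc", "request_irq", "kfree"]),
    ("drv_probe_c", "error",   ["kzalloc", "init_clock",  "kfree"]),
    ("drv_probe_d", "error",   ["kzalloc", "setup_hw"]),              # release missing: leak
    ("drv_probe_a", "success", ["kzalloc", "setup_hw",    "register"]),
    ("drv_probe_b", "success", ["kzalloc", "request_irq", "register"]),
    ("drv_probe_c", "success", ["kzalloc", "init_clock",  "register"]),
    ("drv_probe_d", "success", ["kzalloc", "setup_hw",    "register"]),
]


def follows(calls, a, b):
    """True if some call to `b` appears after the first call to `a` on this path."""
    if a not in calls:
        return False
    return b in calls[calls.index(a) + 1:]


def infer_rules(paths, min_support=3, min_confidence=0.75, context_sensitive=True):
    """Mine rules of the form (context, a, b): 'b should follow a' with their confidence.

    support    = number of paths (in that context) where b follows a
    confidence = support / number of paths (in that context) that call a at all
    With context_sensitive=False every path is pooled under the wildcard context "*".
    """
    occurs = defaultdict(int)   # (ctx, a)    -> paths calling a
    pairs = defaultdict(int)    # (ctx, a, b) -> paths where b follows a
    for _, ctx, calls in paths:
        key_ctx = ctx if context_sensitive else "*"
        for a in set(calls):
            occurs[(key_ctx, a)] += 1
            for b in set(calls):
                if b != a and follows(calls, a, b):
                    pairs[(key_ctx, a, b)] += 1
    rules = {}
    for (ctx, a, b), support in pairs.items():
        confidence = support / occurs[(ctx, a)]
        if support >= min_support and confidence >= min_confidence:
            rules[(ctx, a, b)] = confidence
    return rules


def find_violations(paths, rules, context_sensitive=True):
    """Report (function, context, a, b, confidence) for paths that call a but never b afterwards."""
    violations = []
    for fn, ctx, calls in paths:
        key_ctx = ctx if context_sensitive else "*"
        for (rctx, a, b), confidence in rules.items():
            if rctx == key_ctx and a in calls and not follows(calls, a, b):
                violations.append((fn, ctx, a, b, confidence))
    return violations


if __name__ == "__main__":
    ctx_rules = infer_rules(SAMPLE_PATHS)
    print("context-sensitive rules:", ctx_rules)
    for v in find_violations(SAMPLE_PATHS, ctx_rules):
        print("violation: %s [%s] calls %s without a later %s (confidence %.2f)" % v)
    # Pooling all contexts dilutes kzalloc->kfree to 3/8 and kzalloc->register to 4/8,
    # so neither rule survives and the leaking path is never reported.
    print("context-insensitive rules:", infer_rules(SAMPLE_PATHS, context_sensitive=False))
```

The point of the two runs is the second challenge named in the abstract: on the error paths `kfree` follows `kzalloc` 3 times out of 4, which is a strong majority, but pooled with the success paths (where the buffer is retained and registered) the same pair drops to 3 out of 8, so a context-insensitive miner either learns nothing or, with a lower threshold, flags every success path as a false positive.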
Acknowledgment
We thank the anonymous reviewers for their insightful comments. This work is supported by the National Natural Science Foundation of China (No. 61925206).
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Yuan, C., Du, D., Chen, H. (2021). Third-Eye: Practical and Context-Aware Inference of Causal Relationship Violations in Commodity Kernels. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science(), vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_10
DOI: https://doi.org/10.1007/978-3-030-80825-9_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-80824-2
Online ISBN: 978-3-030-80825-9
eBook Packages: Computer Science, Computer Science (R0)