
AMCheX: Accurate Analysis of Missing-Check Bugs for Linux Kernel

  • Regular Paper
Journal of Computer Science and Technology

Abstract

The Linux kernel adopts a large number of security checks to prevent security-sensitive operations from being executed under unsafe conditions. If a security-sensitive operation is unchecked, a missing-check issue arises. Missing checks are a class of severe bugs in software programs, especially in operating system kernels, and may cause a variety of security issues, such as out-of-bound accesses, permission bypasses, and privilege escalations. Because security specifications are lacking, automatically identifying security-sensitive operations and their required security checks in the Linux kernel is a challenge for missing-check analysis. In this paper, we present an accurate missing-check analysis method for the Linux kernel, which can automatically infer possible security-sensitive operations. In particular, we first automatically identify all possible security check functions of Linux. Then, according to their callsites, a two-direction analysis method is leveraged to identify possible security-sensitive operations. A missing-check bug is reported when a security-sensitive operation is not protected by its corresponding security check. We have implemented our method as a tool, named AMCheX, on top of the LLVM (Low Level Virtual Machine) framework and evaluated it on the Linux kernel. AMCheX reported 12 new missing-check bugs which can cause security issues. Five of them have been confirmed by Linux maintainers.
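As an added illustration (not code from the paper or from AMCheX), the following user-space C sketch shows the bug class the abstract describes: one security-sensitive operation reached from two entry points, only one of which calls the security check. All names (`caller_capable`, `slot_write`, the entry points) are hypothetical and the state is constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define NSLOTS 4
static int slots[NSLOTS];            /* constructed "privileged" state */

struct caller { bool is_admin; };    /* hypothetical stand-in for a credential */

/* Security check function: true only for privileged callers. */
static bool caller_capable(const struct caller *c) { return c && c->is_admin; }

/* Security-sensitive operation: modifies privileged state. */
static void slot_write(size_t idx, int val) { slots[idx] = val; }

/* Entry point A: the check precedes the sensitive operation on every path. */
int ioctl_set_slot(const struct caller *c, size_t idx, int val)
{
    if (!caller_capable(c))
        return -EPERM;
    if (idx >= NSLOTS)
        return -EINVAL;
    slot_write(idx, val);
    return 0;
}

/* Entry point B (buggy): same operation, permission check missing. */
int attr_store_slot_buggy(const struct caller *c, size_t idx, int val)
{
    (void)c;                         /* the caller is never consulted */
    if (idx >= NSLOTS)
        return -EINVAL;
    slot_write(idx, val);
    return 0;
}

/* Entry point B (fixed): the check that guards entry point A is restored. */
int attr_store_slot_fixed(const struct caller *c, size_t idx, int val)
{
    if (!caller_capable(c))
        return -EPERM;
    if (idx >= NSLOTS)
        return -EINVAL;
    slot_write(idx, val);
    return 0;
}

/* Read-back helper so the effect of each entry point can be observed. */
int slot_read(size_t idx) { return idx < NSLOTS ? slots[idx] : -1; }
```

The pairing of `caller_capable` with `slot_write` at entry point A is what makes the unguarded call in `attr_store_slot_buggy` stand out as a missing check rather than an intentionally open path.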




Corresponding author

Correspondence to Wei Dong.


Cite this article

Wang, YJ., Yin, LZ. & Dong, W. AMCheX: Accurate Analysis of Missing-Check Bugs for Linux Kernel. J. Comput. Sci. Technol. 36, 1325–1341 (2021). https://doi.org/10.1007/s11390-021-1666-4


  • DOI: https://doi.org/10.1007/s11390-021-1666-4
