Abstract
The Linux kernel performs a large number of security checks to prevent security-sensitive operations from being executed under unsafe conditions. When a security-sensitive operation is left unchecked, a missing-check bug arises. Missing-check bugs are a severe class of bugs in software, and especially in operating system kernels, where they can lead to a variety of security issues such as out-of-bounds accesses, permission bypasses, and privilege escalation. Because the kernel has no formal security specification, automatically identifying security-sensitive operations and the security checks they require is the central challenge for missing-check analysis. In this paper, we present an accurate missing-check analysis method for the Linux kernel that automatically infers candidate security-sensitive operations. We first automatically identify all possible security check functions in Linux. Then, starting from their callsites, a two-direction analysis identifies candidate security-sensitive operations. A missing-check bug is reported when a security-sensitive operation is not protected by its corresponding security check. We have implemented the method as a tool, named AMCheX, on top of the LLVM framework and evaluated it on the Linux kernel. AMCheX reported 12 new missing-check bugs that can cause security issues; five of them have been confirmed by Linux maintainers.
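To make the bug class and the inference idea concrete, the following C program is an added illustration, not code from the paper or from AMCheX, and it does not reproduce AMCheX's two-direction analysis. It models a handful of hypothetical kernel functions (all names prefixed `hyp_` are constructed) as the ordered checks and operations they perform, infers that an operation is security-sensitive when most of its callsites are guarded by the same check function, and reports the callsites that reach the operation without that check.

```c
#include <stdio.h>
#include <string.h>

/* Toy missing-check inference (added illustration; not AMCheX's algorithm).
 * Every function, check and operation name below is constructed. */
#define MAX_EV 8
#define MAX_OPS 16
#define MAX_REPORTS 16

typedef enum { EV_CHECK, EV_OP } ev_kind;
typedef struct { ev_kind kind; const char *name; } event;
typedef struct { const char *fn; int n; event ev[MAX_EV]; } function_model;
typedef struct {
    const char *fn;     /* function that performs the unguarded operation */
    const char *op;     /* inferred security-sensitive operation */
    const char *check;  /* check that guards the same operation elsewhere */
} report;

/* Constructed model: three callers guard hyp_reset_device() with
 * hyp_check_admin(); a debug path does not. hyp_read_counter() is never
 * guarded, so it must not be inferred as security-sensitive. */
static const function_model model[] = {
    { "hyp_ioctl_reset",   2, { {EV_CHECK, "hyp_check_admin"}, {EV_OP, "hyp_reset_device"} } },
    { "hyp_sysfs_reset",   2, { {EV_CHECK, "hyp_check_admin"}, {EV_OP, "hyp_reset_device"} } },
    { "hyp_netlink_reset", 2, { {EV_CHECK, "hyp_check_admin"}, {EV_OP, "hyp_reset_device"} } },
    { "hyp_dbg_reset",     1, { {EV_OP, "hyp_reset_device"} } },   /* missing check */
    { "hyp_ioctl_stats",   1, { {EV_OP, "hyp_read_counter"} } },
    { "hyp_sysfs_stats",   1, { {EV_OP, "hyp_read_counter"} } },
};
#define NMODEL ((int)(sizeof(model) / sizeof(model[0])))

/* Per-operation statistics gathered across all callsites. */
typedef struct { const char *op; const char *check; int guarded, total; } op_stat;

/* The check that guards event i in f: here simply the last EV_CHECK that
 * precedes it in program order (a real analysis would use dominance). */
static const char *guarding_check(const function_model *f, int i)
{
    const char *last = NULL;
    for (int j = 0; j < i; j++)
        if (f->ev[j].kind == EV_CHECK)
            last = f->ev[j].name;
    return last;
}

static op_stat *stat_for(op_stat *st, int *nst, const char *op)
{
    for (int i = 0; i < *nst; i++)
        if (strcmp(st[i].op, op) == 0)
            return &st[i];
    st[*nst] = (op_stat){ op, NULL, 0, 0 };
    return &st[(*nst)++];
}

/* Pass 1: learn which operations are usually guarded (-> security-sensitive).
 * Pass 2: report every callsite of such an operation reached without the
 * check. Returns the number of reports written to out. */
int find_missing_checks(report *out, int max_out)
{
    op_stat st[MAX_OPS];
    int nst = 0, nrep = 0;

    for (int f = 0; f < NMODEL; f++)
        for (int i = 0; i < model[f].n; i++) {
            if (model[f].ev[i].kind != EV_OP) continue;
            op_stat *s = stat_for(st, &nst, model[f].ev[i].name);
            const char *c = guarding_check(&model[f], i);
            s->total++;
            if (c) { s->guarded++; s->check = c; }
        }

    for (int f = 0; f < NMODEL; f++)
        for (int i = 0; i < model[f].n; i++) {
            if (model[f].ev[i].kind != EV_OP) continue;
            op_stat *s = stat_for(st, &nst, model[f].ev[i].name);
            /* heuristic: at least two guarded sites and a majority guarded */
            int sensitive = s->guarded >= 2 && 2 * s->guarded > s->total;
            if (sensitive && !guarding_check(&model[f], i) && nrep < max_out)
                out[nrep++] = (report){ model[f].fn, s->op, s->check };
        }
    return nrep;
}

int main(void)
{
    report r[MAX_REPORTS];
    int n = find_missing_checks(r, MAX_REPORTS);
    for (int i = 0; i < n; i++)
        printf("missing check: %s() calls %s() without %s()\n",
               r[i].fn, r[i].op, r[i].check);
    return 0;
}
```

On the constructed model the program reports a single site, `hyp_dbg_reset()`, because `hyp_reset_device()` is guarded by `hyp_check_admin()` at three of its four callsites, while `hyp_read_counter()` is never guarded and is therefore not treated as security-sensitive. The majority threshold is what keeps unguarded-by-design operations out of the report; the paper's own analysis decides sensitivity from the check functions' callsites rather than from this simple frequency rule.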
Cite this article
Wang, YJ., Yin, LZ. & Dong, W. AMCheX: Accurate Analysis of Missing-Check Bugs for Linux Kernel. J. Comput. Sci. Technol. 36, 1325–1341 (2021). https://doi.org/10.1007/s11390-021-1666-4