Sabotaging the system boundary: A study of the inter-boundary vulnerability

https://doi.org/10.1016/j.jisa.2020.102496

Abstract

The hierarchy theory is the foundation of modern computer system design. However, the interaction between different system layers is usually the weak point of the system and tends to have security flaws. When communicating across a system boundary, failure to enforce the required synchronization on the shared memory can cause data inconsistency between the communication partners. Especially when there is a privilege gap between the two sides of the boundary, such data inconsistency can lead to security vulnerabilities and sabotage the trust boundary. In this paper, we propose the concept of the inter-boundary vulnerability and give the first in-depth study of it. We investigate three typical boundaries in the system where inter-boundary vulnerabilities are prone to occur: the kernel-user boundary, the hardware-OS boundary, and the VMM-guest OS boundary. Then, based on an investigation of 115 real-world vulnerability cases, we extract four vulnerability types and analyze each type to illustrate its principle. Finally, we discuss the state-of-the-art techniques relevant to the detection, prevention, and exploitation of such vulnerabilities, aiming to guide future research on this topic.

Introduction

The hierarchical structure is the foundation of the computer system and facilitates system design and implementation. However, owing to complex functionality such as data exchange, privilege isolation, and error handling, the interaction between different system layers is usually the weak point of the system. Besides, modern optimization schemes, such as concurrent processing and asynchronous communication, further enlarge the security risks. Thus, communication between different system layers tends to have security flaws.

Shared memory is a fundamental and widespread communication scheme for the inter-domain communication of modern computer systems. The main reason for its popularity is the performance advantage over message-based communication mechanisms. However, the shared memory scheme is also vulnerable when used for cross-layer communication. Communication based on shared memory usually requires additional synchronization, such as locks and mutexes; otherwise, concurrent access to shared data can cause memory corruption errors. These synchronization methods require all communication partners to participate; otherwise, the synchronization cannot be enforced. This is usually not a problem when all communication participants operate at the same privilege level, such as communication between normal processes or between threads. However, when one side of the communication is less privileged, the shared memory interface becomes a trust boundary, and the situation becomes complicated [1]. Since high-level synchronization methods are not enforced in shared memory interfaces, they can simply be ignored by one side, causing data inconsistency. Such data inconsistency can sabotage the trust boundary and cause security vulnerabilities, which can lead to severe consequences such as memory corruption errors and sensitive information disclosure. We call this the “inter-boundary vulnerability”.

The inter-boundary vulnerability exists in the communication between different system layers (or domains). Different from concurrency bugs, the inter-boundary vulnerability usually occurs where there is a privilege gap, known as the trust boundary. Consequently, the misuse of synchronization primitives by one communication partner (usually the privileged one) gives the less privileged (malicious) partner a chance to cause harmful results to the privileged one. Although there is a large amount of research on the safe use of shared resources, such as race conditions [2], [3], [4], [5], [6], [7], [8] and concurrency bugs [9], [10], [11], [12], [13], [14], [15], this work usually focuses on the insecure behavior caused by the misuse of synchronization primitives. It does not take the existence of a malicious communication partner into account and is thus hardly applicable to the detection of security vulnerabilities at the trust boundary. Therefore, the inter-boundary vulnerability is a new research point that supplements this research.

Previous research has raised awareness of the double-fetch vulnerability [16], [17], [18], [19], [20]. The double-fetch vulnerability is a subclass of the inter-boundary vulnerability, caused by the violation of the read-after-read data dependency between the kernel address space and the user address space. However, as mentioned above, such vulnerabilities are theoretically limited neither to the kernel-user boundary nor to the read-after-read data dependency. Thus, in this paper, we propose the concept of the inter-boundary vulnerability and give the first in-depth study of it. We broaden the scope of this topic by studying more system boundary types and analyzing more data dependency types, aiming to guide future research on this topic. In summary, we make the following contributions.

  • We extract three system boundaries where inter-boundary vulnerabilities are prone to occur: the kernel-user boundary, the hardware-OS boundary, and the VMM-guest OS boundary.

  • We investigate 115 real-world inter-boundary vulnerability cases and categorize four inter-boundary vulnerability types based on the analysis of these cases. We have made the collected vulnerabilities available online to the security community for further research.

  • We review the state-of-the-art techniques that are relevant to the detection, exploitation, and prevention of the inter-boundary vulnerability, and point out challenges for future work.
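The double-fetch case described above, where a check and a later use each read the same field of memory shared across the kernel-user boundary, as an added C model that is not from the paper: the message layout, the DATA_MAX/KBUF_SIZE constants, the handlers and the hook are all constructed assumptions, with the hook standing in for the less privileged partner acting inside the race window.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a message in memory shared with a less-privileged partner.
 * The partner's action inside the race window, concurrent in a real kernel, is
 * modelled here by a hook called between the privileged side's two reads. */
#define DATA_MAX  64   /* physical size of the shared payload area */
#define KBUF_SIZE 16   /* what the privileged side's private buffer may hold */

typedef struct { uint32_t len; uint8_t data[DATA_MAX]; } shared_msg_t;
typedef void (*window_hook_t)(shared_msg_t *shared);   /* hypothetical, model only */

/* Vulnerable pattern: the bound check uses one fetch of len, the copy another.
 * Nothing synchronises the partner, so the two values need not agree.
 * Returns the byte count the copy used, or -1 if the message was rejected. */
int copy_double_fetch(shared_msg_t *shared, window_hook_t hook, uint8_t *kbuf)
{
    if (shared->len > KBUF_SIZE) return -1;   /* fetch 1: check */
    if (hook) hook(shared);                   /* race window */
    uint32_t n = shared->len;                 /* fetch 2: use, unchecked */
    if (n > DATA_MAX) n = DATA_MAX;           /* model only: keeps the demo memory-safe */
    memcpy(kbuf, shared->data, n);
    return (int)n;                            /* > KBUF_SIZE means the check was bypassed */
}

/* Hardened pattern: fetch the header once into a private copy, then check and
 * use only that copy. The partner may still rewrite shared memory, but the
 * privileged side no longer depends on shared memory agreeing with itself. */
int copy_single_fetch(shared_msg_t *shared, window_hook_t hook, uint8_t *kbuf)
{
    uint32_t len = shared->len;               /* the only fetch of len */
    if (len > KBUF_SIZE) return -1;
    if (hook) hook(shared);                   /* same window, now harmless for bounds */
    memcpy(kbuf, shared->data, len);          /* bounded by the snapshot */
    return (int)len;
}

/* Constructed partner behaviour: enlarge len after the check has passed. */
void grow_len_in_window(shared_msg_t *shared) { shared->len = DATA_MAX; }

/* Runs one handler on a message whose header starts at initial_len. */
int scenario(int hardened, uint32_t initial_len, int partner_interferes)
{
    shared_msg_t m = {0};
    uint8_t kbuf[DATA_MAX];                   /* DATA_MAX only so the model never overflows */
    m.len = initial_len;
    window_hook_t hook = partner_interferes ? grow_len_in_window : NULL;
    return hardened ? copy_single_fetch(&m, hook, kbuf) : copy_double_fetch(&m, hook, kbuf);
}
```

With the partner interfering, the double-fetch handler reports a 64-byte copy into a buffer it had only validated for 16, while the single-fetch handler copies the 8 bytes it checked; in a real kernel the first case is the memory corruption the paper describes.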

The rest of the paper is organized as follows: Section 2 reviews the background knowledge of this topic and introduces the vulnerability-prone boundaries in the system. Section 3 classifies the inter-boundary vulnerabilities and analyzes related works on detection, exploitation, and prevention. Section 4 gives an in-depth analysis of this topic. Section 5 discusses the perspectives and challenges for the future work, followed by conclusions.


The shared memory scheme

Shared memory is a fundamental and widespread communication scheme for the inter-domain communication of modern computer systems. The main reason for its popularity is the performance advantage compared to the other message-based communication mechanisms, such as pipes or message queues, which are implemented on top of system calls [1].

When the data is transferred between two processes, a message-oriented approach requires at least two additional copies into the kernel as the pipe and message

Introduction to the inter-boundary vulnerability

The inter-boundary vulnerability occurs when different system layers (or domains) communicate via the shared memory scheme. Communication partners that access the shared data without proper use of the required synchronization can violate data consistency and cause memory corruption errors. The privilege gap between the communication partners can turn such memory errors into security vulnerabilities that breach the trust boundary. As Fig. 4 shows, an inter-boundary vulnerability consists of the

Statistics

We investigated 115 known inter-boundary vulnerabilities collected from academic works [1], [17], [28], [36] and the CVE (Common Vulnerabilities and Exposures) database. For some of the vulnerabilities, we also tried to obtain the buggy source code and corresponding patches from the relevant repositories and archives, which include the Linux repository on GitHub, the Linux Kernel Mailing List Archive, and the Kernel Bugzilla. We have made the vulnerabilities we collected available for the

Perspective

In this paper, we choose the kernel-user boundary, the hardware-OS boundary, and the VMM-guest OS boundary as representatives to illustrate the inter-boundary vulnerability. However, in addition to these three boundary types, other boundaries in the system can also give rise to inter-boundary vulnerabilities. For instance, wrapped interfaces, such as the syscall wrapper functions, handle parameters from the user application and introduce a new boundary between the syscall and the user application

Conclusions

The inter-boundary vulnerability is a new research point that is worth dedicated study. In this paper, we gave the first in-depth study of it. We investigated three commonly seen boundaries in the system where inter-boundary vulnerabilities are prone to occur. We extracted four inter-boundary vulnerability types based on the investigation of 115 real-world cases and illustrated the principle of each type. We also discussed the state-of-the-art techniques that are relevant to the detection,

CRediT authorship contribution statement

Pengfei Wang: Conceptualization, Methodology, Investigation, Writing - review & editing. Xu Zhou: Supervision, Project administration. Kai Lu: Funding acquisition.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgement

The authors would like to sincerely thank all the reviewers for their time and expertise on this paper. Their insightful comments helped us improve this work. This work is partially supported by the National High-level Personnel for Defense Technology Program (2017-JCJQ-ZQ-013), the Tianhe Supercomputer Project 2018YFB0204301, the Natural Science Foundation of Hunan Province (2017RS3045, 2019JJ50729), and the National Natural Science Foundation of China (61472437, 61902412, 61902416).

Pengfei Wang received his B.S., M.S. degrees, and Ph.D. in 2011, 2013, and 2018, respectively, from the College of Computer, National University of Defense Technology, Changsha. He is now an assistant professor in the College of Computer, National University of Defense Technology. His research interests include operating systems and software testing.

References (46)

  • F. Wilhelm. Tracing privileged memory accesses to discover software vulnerabilities (2015).
  • J.W. Voung et al. Relay: static race detection on millions of lines of code. Proceedings of the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering (2007).
  • P. Pratikakis et al. Locksmith: practical static race detection for C. ACM Trans Programm Lang Syst (TOPLAS) (2011).
  • J. Chen et al. Towards a better collaboration of static and dynamic analyses for testing concurrent programs. Proceedings of the 6th workshop on Parallel and distributed systems: testing, analysis, and debugging (2008).
  • D. Engler et al. RacerX: effective, static detection of race conditions and deadlocks. ACM SIGOPS operating systems review (2003).
  • K. Sen. Race directed random testing of concurrent programs. ACM SIGPLAN Notices (2008).
  • B. Kasikci et al. RaceMob: crowdsourced data race detection. Proceedings of the twenty-fourth ACM symposium on operating systems principles (2013).
  • K. Lu et al. RaceChecker: efficient identification of harmful data races. 2015 23rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (2015).
  • S. Lu et al. Finding atomicity-violation bugs through unserializable interleaving testing. IEEE Trans Softw Eng (2012).
  • S. Lu et al. AVIO: detecting atomicity violations via access interleaving invariants. Architectural support for programming languages and operating systems (2006).
  • M. Xu et al. A serializability violation detector for shared-memory server programs. Programming language design and implementation (2005).
  • C. Flanagan et al. Atomizer: a dynamic atomicity checker for multithreaded programs. Symposium on principles of programming languages (2004).
  • J. Yu et al. Maple: a coverage-driven testing tool for multithreaded programs. Object oriented programming systems languages and applications (2012).
  • J. Huang et al. Persuasive prediction of concurrency access anomalies. Proceedings of the 2011 international symposium on software testing and analysis (2011).
  • P. Wang et al. AVPredictor: comprehensive prediction and detection of atomicity violations. Concurren Comput: Pract Exper (2019).
  • P. Wang et al. How double-fetch situations turn into double-fetch vulnerabilities: A study of double fetches in the Linux kernel. 26th USENIX security symposium (USENIX Security 17) (2017).
  • P. Wang et al. A survey of the double-fetch vulnerabilities. Concurren Comput: Pract Exper (2018).
  • P. Wang et al. DFTracker: detecting double-fetch bugs by multi-taint parallel tracking. Frontier Comput Sci (2019).
  • M. Xu et al. Precise and scalable detection of double-fetch bugs in OS kernels. 2018 IEEE symposium on security and privacy (SP) (2018).
  • M. Schwarz et al. Automated detection, exploitation, and elimination of double-fetch bugs using modern CPU features. arXiv preprint arXiv:171101254 (2017).
  • W.R. Stevens et al. Unix network programming, volume 2. Addison-Wesley Professional (2004).
  • F.J. Serna. MS08-061: the case of the kernel mode double-fetch. [Online.]...
  • M. Jurczyk et al. Identifying and exploiting Windows kernel race conditions via memory access patterns. Tech. Rep. (2013).
Xu Zhou received his B.S., M.S. degrees, and Ph.D. in 2007, 2009, and 2014, respectively, from the College of Computer, National University of Defense Technology, Changsha. He is now an assistant professor in the College of Computer, National University of Defense Technology. His research interests include operating systems and parallel computing.

Kai Lu received his B.S. degree and Ph.D. in 1995 and 1999, respectively, from the College of Computer, National University of Defense Technology, Changsha. He is now a professor in the College of Computer, National University of Defense Technology. His research interests include operating systems, parallel computing, and security.

1 wpengfei.github.io
