Xiong Xin,Tan Xin,Zhang Yuan

DOI: https://doi.org/10.7544/issn1000-1239.202220768

2023-01-01

Journal of Computer Research and Development

Abstract:Reference counting （refcount） bugs in the kernel could cause critical security problems including memory leak and use-after-free vulnerabilities. To detect such defects， this paper proposes a refcount bug detection system based on consistency analysis of error path behavior. Compared with the existing works， our method introduces semantic information of the error paths to infer the appropriate refcount behavior on these paths， thus detecting refcount defects that cannot be covered by the existing works. First， the system identifies all the error paths in the target function based on the function return value and fault handling code. Second， it performs path-sensitive analysis to collect the specific refcount behavior on each error path within the target function， which is aggregated to infer the dominant tendency of refcount behavior of the error paths in the target function. Finally， based on the idea of consistency checking， the error paths whose reference counting behavior is inconsistent with the dominant tendency are identified as potential refcount bugs. In the evaluation， the proposed system found 21 and 9 bugs on Linux kernel version 5.6-rc2 and version 5.17， respectively， most of which have been confirmed by the kernel developers. In addition， on kernel version 5.6-rc2， the system detected 9 new refcount bugs that could not be identified by existing works.

Xin Tan,Yuan Zhang,Xiyu Yang,Kangjie Lu,Min Yang

2021-01-01

Abstract:In the Linux kernel, reference counting (refcount) has become a default mechanism that manages resource objects. A refcount of a tracked object is incremented when a new reference is assigned and decremented when a reference becomes invalid. Since the kernel manages a large number of shared resources, refcount is prevalent. Due to the inherent complexity of the kernel and resource sharing, developers often fail to properly update refcounts, leading to refcount bugs. Researchers have shown that refcount bugs can cause critical security impacts like privilege escalation; however, the detection of refcount bugs remains an open problem. In this paper, we propose CID, a new mechanism that employs two-dimensional consistency checking to automatically detect refcount bugs. By checking if callers consistently use a refcount function, CID detects deviating cases as potential bugs, and by checking how a caller uses a refcount function, CID infers the condition-aware rules for the function to correspondingly operate the refcount, and thus a violating case is a potential bug. More importantly, CID’s consistency checking does not require complicated semantic understanding, interprocedural data-flow tracing, or refcount-operation reasoning. CID also features an automated mechanism that systematically identifies refcount fields and functions in the whole kernel. We implement CID and apply it to the Linux kernel. The tool found 44 new refcount bugs that may cause severe security issues, most of which have been confirmed by the maintainers.

Dongxiao Jiang,Chenggang Li,Lixin Ma,Xiaoyu Ji,Yanjiao Chen,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00015

2020-01-01

Abstract:With the development of network, more and more unkown protocols appear. Network protocols define the rules between network entities and firewall uses network protocol for deep packet detection to prevent intrusions. For detecting these unkown protocols, firewall can’t analyze these protocols, which makes many systems vulnerable. To solve this problem, protocol reverse engineering is getting more and more attention. Protocol reverse engineering is a process that reverses the syntax and grammar of a protocol from its traces of execution codes. It focuses on three protocol features: field boundaries, protocol grammar and state machine. Field boundaries inference is the basis of the protocol reverse engineering, the precision of this process has a big influence on reversing the grammar and state machine. In this paper, we propose a method called ABinfer, which leverage the Field Adjacent information to identify the field boundaries. We evaluate the method on three protocols and the results show that it has a good ability to identify field boundaries of protocols.

Liang He,Purui Su,Chao Zhang,Yan Cai,Jinxin Ma

DOI: https://doi.org/10.1145/3600006.3613162

2023-01-01

Abstract:Reference counting (refcounting) is widely used in Linux kernel. However, it requires manual operations on the related APIs. In practice, missing or improperly invoking these APIs has introduced too many bugs, known as refcounting bugs. To evaluate the severity of these bugs in history and in future, this paper presents a comprehensive study on them. In detail, we study 1,033 refcounting bugs in Linux kernels and present a set of characters and find that most of the bugs can finally cause severe security impacts. Besides, we analyze the root causes at implementation and developer's sides (i.e., human factors), which shows that the careless usages of find-like refcounting-embedded APIs can usually introduce hundreds of bugs. Finally, we propose a set of anti-patterns to summarize and to expose them. On the latest kernel releases, we totally found 351 new bugs and 240 of them have been confirmed. We believe this study can motivate more proactive researches on refcounting problems and improve the quality of Linux kernel.

Mengchen Cao,Xiantong Hou,Tao Wang,Hunter Qu,Yajin Zhou,Xiaolong Bai,Fuwei Wang

DOI: https://doi.org/10.1145/3319535.3345654

2019-01-01

Abstract:The use of uninitialized variables is a common issue. It could cause kernel information leak, which defeats the widely deployed security defense, i.e., kernel address space layout randomization (KASLR). Though a recent system called Bochspwn Reloaded reported multiple memory leaks in Windows kernels, how to effectively detect this issue is still largely behind.

Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Muhui Jiang,Jinan Jiang,Tao Wu,Zuchao Ma,Xiapu Luo,Yajin Zhou

DOI: https://doi.org/10.1145/3672452

IF: 3.685

2024-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:The Linux kernel is popular and well-maintained. Over the past decade, around 860 thousand commits were merged with hundreds of vulnerabilities (i.e., 223 on average) disclosed every year, taking the total lines of code to 35.1 million in 2022. Many algorithms have been proposed to detect the vulnerabilities, but few studied how they were induced. To fill this gap, we conduct the first empirical study on the Kernel Vulnerability Inducing Commits (KVIC), the commits that induced vulnerabilities in the Linux kernel. We utilized 6 different methods on identifying the Kernel Vulnerability Fixing Commits (KVFCs), the commits that fix vulnerabilities in the Linux kernel, and proposed the other 4 different methods for identifying KVICs by using the identified KVFCs as a bridge. In total, we constructed the first dataset of KVICs with 1,240 KVICs for 1,335 CVEs. We conducted a thorough analysis on the characteristics, purposes, and involved human factors of the KVICs and obtained many interesting findings and insights. For example, KVICs usually have limited reviewers and can still be induced by experienced authors or maintainers. Based on these insights, we proposed several suggestions to the Linux community to help mitigate the induction of KVICs.

Junjie Mao,Yu Chen,Qixue Xiao,Yuanchun Shi

DOI: https://doi.org/10.1145/2980024.2872389

2016-01-01

Abstract:Reference counts are widely used in OS kernels for resource management. However, reference counts are not trivial to be used correctly in large scale programs because it is left to developers to make sure that an increment to a reference count is always paired with a decrement. This paper proposes inconsistent path pair checking, a novel technique that can statically discover bugs related to reference counts without knowing how reference counts should be changed in a function. A prototype called RID is implemented and evaluations show that RID can discover more than 80 bugs which were confirmed by the developers in the latest Linux kernel. The results also show that RID tends to reveal bugs caused by developersu0027 misunderstanding on API specifications or error conditions that are not handled properly.

Elena Reshetova,Hans Liljestrand,Andrew Paverd,N. Asokan,N.Asokan

DOI: https://doi.org/10.48550/arXiv.1710.06175

2017-10-17

Cryptography and Security

Abstract:The security of billions of devices worldwide depends on the security and robustness of the mainline Linux kernel. However, the increasing number of kernel-specific vulnerabilities, especially memory safety vulnerabilities, shows that the kernel is a popular and practically exploitable target. Two major causes of memory safety vulnerabilities are reference counter overflows (temporal memory errors) and lack of pointer bounds checking (spatial memory errors). To succeed in practice, security mechanisms for critical systems like the Linux kernel must also consider performance and deployability as critical design objectives. We present and systematically analyze two such mechanisms for improving memory safety in the Linux kernel: (a) an overflow-resistant reference counter data structure designed to accommodate typical reference counter usage in kernel source code, and (b) runtime pointer bounds checking using Intel MPX in the kernel.

Liang He,Hong Hu,Purui Su,Yan Cai,Zhenkai Liang

2022-01-01

Abstract:Memory-safety issues in operating systems and popular applications are still top security threats. As one widely exploited vulnerability, Use After Free (UAF) resulted in hundreds of new incidents every year. Existing bug diagnosis techniques report the locations that allocate or deallocate the vulnerable object, but cannot provide sufficient information for developers to reason about a bug or synthesize a correct patch. In this work, we identified incorrect reference counting as one common root cause of UAF bugs: if the developer forgets to increase the counter for a newly created reference, the program may prematurely free the actively used object, rendering other references dangling pointers. We call this problem reference miscounting. By proposing an omission-aware counting model, we developed an automatic method, FREEWILL, to diagnose UAF bugs. FREEWILL first reproduces a UAF bug and collects related execution trace. Then, it identifies the UAF object and related references. Finally, FREEWILL compares reference operations with our model to detect reference miscounting. We evaluated FREEWILL on 76 real-world UAF bugs and it successfully confirmed reference miscounting as root causes for 48 bugs and dangling usage for 18 bugs. FREEWILL also identified five null-pointer dereference bugs and failed to analyze five bugs. FREEWILL can complete its analysis within 15 minutes on average, showing its practicality for diagnosing UAF bugs.

Jia-Ju Bai,Julia Lawall,Wende Tan,Shi-Min Hu

DOI: https://doi.org/10.1145/3297858.3304065

2019-01-01

Abstract:For waiting, the Linux kernel offers both sleep-able and non-sleep operations. However, only non-sleep operations can be used in atomic context. Detecting the possibility of execution in atomic context requires a complete inter-procedural flow analysis, often involving function pointers. Developers may thus conservatively use non-sleep operations even outside of atomic context, which may damage system performance, as such operations unproductively monopolize the CPU. Until now, no systematic approach has been proposed to detect such conservative non-sleep (CNS) defects. In this paper, we propose a practical static approach, named DCNS, to automatically detect conservative non-sleep defects in the Linux kernel. DCNS uses a summary-based analysis to effectively identify the code in atomic context and a novel file-connection-based alias analysis to correctly identify the set of functions referenced by a function pointer. We evaluate DCNS on Linux 4.16, and in total find 1629 defects. We manually check 943 defects whose call paths are not so difficult to follow, and find that 890 are real. We have randomly selected 300 of the real defects and sent them to kernel developers, and 251 have been confirmed.

Nick Roessler,Yi Chien,Lucas Atayde,Peiru Yang,Imani Palmer,Lily Gray,Nathan Dautenhahn

DOI: https://doi.org/10.1145/3456727.3463767

2021-06-14

Abstract:The lack of visibility into Linux's behavior makes it hard to refactor and maintain. To peer inside the box, we present Memorizer, a self-contained, low-level tracing framework that tracks (most) object allocations, data accesses, and function calls within the kernel. The core insight is a low-level object-centric representation that records detailed lifetime information while linking each operation (call/read/write) with its intended target. We evaluate Memorizer using extensive input programs and demonstrate its value by showing how Memorizer can (1) aid in refactoring, (2) extend code coverage with object coverage to improve testing and analysis, and (3) identify leaky abstractions. We also release a large data set, visualization tools, and Memorizer's source. This generic, object-centric approach is the first to provide loss-less instruction-to-object tracing, adding an essential software engineering capability to the overly complex Linux kernel.

Yutian Yang,Songbo Zhu,Wenbo Shen,Yajin Zhou,Jiadong Sun,Kui Ren

DOI: https://doi.org/10.48550/arXiv.1912.10666

2020-10-12

Abstract:Code reuse attacks are still big threats to software and system security. Control flow integrity is a promising technique to defend against such attacks. However, its effectiveness has been weakened due to the inaccurate control flow graph and practical strategy to trade security for performance. In recent years, CPU vendors have integrated hardware features as countermeasures. For instance, ARM Pointer Authentication (PA in short) was introduced in ARMV8-A architecture. It can efficiently generate an authentication code for an address, which is encoded in the unused bits of the address. When the address is de-referenced, the authentication code is checked to ensure its integrity. Though there exist systems that adopt PA to harden user programs, how to effectively use PA to protect OS kernels is still an open research question. In this paper, we shed lights on how to leverage PA to protect control flows, including function pointers and return addresses, of Linux kernel. Specifically, to protect function pointers, we embed authentication code into them, track their propagation and verify their values when loading from memory or branching to targets. To further defend against the pointer substitution attack, we use the function pointer address as its context, and take a clean design to propagate the address by piggybacking it into the pointer value. We have implemented a prototype system with LLVM to identify function pointers, add authentication code and verify function pointers by emitting new machine instructions. We applied this system to Linux kernel, and solved numerous practical issues, e.g., function pointer comparison and arithmetic operations. The security analysis shows that our system can protect all function pointers and return addresses in Linux kernel.

Cryptography and Security,Operating Systems

Yunyun Jiang,Yi Yang,Tian Xiao,Tianwei Sheng,Wenguang Chen

DOI: https://doi.org/10.1007/s11227-016-1691-1

IF: 3.3

2016-01-01

The Journal of Supercomputing

Abstract:Data races in parallel programs are notoriously difficult to detect and resolve. Existing research has mostly focused on data race detection at the user level and significant progress has been made in this regard. However, a very few efforts have attempted to address OS kernel level races. In contrast to user-level applications, the code in kernels uses vastly more complicated synchronization mechanisms, including different kinds of locks, hardware and software interrupts, widely used signal/wait primitives, and various types of low-level shared resources. It is therefore difficult to apply detection methods designed for user-level applications to identify OS kernel level races. In this paper, we present a new detection tool that is able to effectively detect race conditions in the Linux kernel environment. We use a dynamic detection approach, employing hardware debug registers available on commodity processors, to catch races on the fly during runtime. Preliminary experimental results show that our tool can effectively identify real data race instances.

Jia-Ju Bai,Julia Lawall,Shi-Min Hu

DOI: https://doi.org/10.1145/3381990

2018-01-01

ACM Transactions on Computer Systems

Abstract:Atomic context is an execution state of the Linux kernel in which kernel code monopolizes a CPU core. In this state, the Linux kernel may only perform operations that cannot sleep, as otherwise a system hang or crash may occur. We refer to this kind of concurrency bug as a sleep-in-atomic-context (SAC) bug. In practice, SAC bugs are hard to find, as they do not cause problems in all executions. In this article, we propose a practical static approach named DSAC to effectively detect SAC bugs in the Linux kernel. DSAC uses three key techniques: (1) a summary-based analysis to identify the code that may be executed in atomic context, (2) a connection-based alias analysis to identify the set of functions referenced by a function pointer, and (3) a path-check method to filter out repeated reports and false bugs. We evaluate DSAC on Linux 4.17 and find 1,159 SAC bugs. We manually check all the bugs and find that 1,068 bugs are real. We have randomly selected 300 of the real bugs and sent them to kernel developers. 220 of these bugs have been confirmed, and 51 of our patches fixing 115 bugs have been applied.

Brian Belleville,Wenbo Shen,Stijn Volckaert,Ahmed M. Azab,Michael Franz

DOI: https://doi.org/10.1109/tdsc.2019.2915829

2019-01-01

Abstract:Modern operating system kernels deploy Kernel Address Space Layout Randomization (KASLR) to mitigate control-flow hijacking attacks. KASLR randomizes the base addresses of the kernel's code and data segments. However, it randomizes both with a single offset and does not randomize the internal layout of either of these segments, so relative addresses remain known to adversaries. If the kernel discloses a single code or global data pointer, an adversary can therefore infer the entire layout of the kernel's code segment and bypass KASLR. In this paper, we present Kernel Address Leak Detector (KALD), a tool that finds direct disclosure vulnerabilities by statically analyzing the kernel source code. KALD can analyze the source code of modern operating system kernels and find previously unreported leaks. KALD compiles a list of functions that can leak information to user-space accessible locations, and it uses the results of a points-to analysis to determine whether individual invocations of such functions can disclose kernel pointers. We show that KALD successfully detects several direct disclosure vulnerabilities in the Linux kernel and that it is flexible enough to be useful in practice.

Ping Chen,Hao Han,Yi Wang,Xiaobin Shen,Xinchun Yin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-11145-7_26

2009-01-01

Abstract:Recently, Integer bugs have been increasing sharply and become the notorious source of bugs for various serious attacks. In this paper, we propose a tool, IntFinder, which can automatically detect Integer bugs in a x86 binary program. We implement IntFinder based on a combination of static and dynamic analysis. First, IntFinder decompiles a x86 binary code, and creates the suspect instruction set. Second, IntFinder dynamically inspects the instructions in the suspect set and confirms which instructions are actual Integer bugs with the error-prone input. Compared with other approaches, IntFinder provides more accurate and sufficient type information and reduces the instructions which will be inspected by static analysis. Experimental results are quite encouraging: IntFinder has detected the integer bugs in several practical programs as well as one new bug in slocate-2.7, and it achieves a low false positives and negatives.

Jiang YY,Yang Y,Xiao T,Sheng TW,Chen WG

DOI: https://doi.org/10.1109/CoolChips.2014.6842953

2014-01-01

Abstract:Data races in parallel programs are notoriously difficult to detect and resolve. Existing research has mostly focused on data race detection at the user level and significant progress has been made in this regard. It is difficult to apply detection methods designed for user-level applications to identify OS kernel level races. In this paper, we present a new detection tool that is able to effectively detect race conditions in the Linux kernel environment. We use a dynamic detection approach, employing hardware debug registers available on commodity processors, to catch races on the fly during runtime. Preliminary experimental results show that our tool can effectively identify real data race instances.

Daniel Anderson,Guy E. Blelloch,Yuanhao Wei

DOI: https://doi.org/10.48550/arXiv.2204.05985

2022-04-12

Distributed, Parallel, and Cluster Computing

Abstract:Safe memory reclamation (SMR) schemes are an essential tool for lock-free data structures and concurrent programming. However, manual SMR schemes are notoriously difficult to apply correctly, and automatic schemes, such as reference counting, have been argued for over a decade to be too slow for practical purposes. A recent wave of work has disproved this long-held notion and shown that reference counting can be as scalable as hazard pointers, one of the most common manual techniques. Despite these tremendous improvements, there remains a gap of up to 2x or more in performance between these schemes and faster manual techniques such as epoch-based reclamation (EBR). In this work, we first advance these ideas and show that in many cases, automatic reference counting can in fact be as fast as the fastest manual SMR techniques. We generalize our previous Concurrent Deferred Reference Counting (CDRC) algorithm to obtain a method for converting any standard manual SMR technique into an automatic reference counting technique with a similar performance profile. Our second contribution is extending this framework to support weak pointers, which are reference-counted pointers that automatically break pointer cycles by not contributing to the reference count, thus addressing a common weakness in reference-counted garbage collection. Our experiments with a C++-library implementation show that our automatic techniques perform in line with their manual counterparts, and that our weak pointer implementation outperforms the best known atomic weak pointer library by up to an order of magnitude on high thread counts. All together, we show that the ease of use of automatic memory management can be achieved without significant cost to practical performance or general applicability.

René Helmke,Johannes vom Dorp

DOI: https://doi.org/10.48550/arXiv.2209.05217

2022-09-12

Abstract:In vulnerability assessments, software component-based CVE attribution is a common method to identify possibly vulnerable systems at scale. However, such version-centric approaches yield high false-positive rates for binary distributed Linux kernels in firmware images. Not filtering included vulnerable components is a reason for unreliable matching, as heterogeneous hardware properties, modularity, and numerous development streams result in a plethora of vendor-customized builds. To make a step towards increased result reliability while retaining scalability of the analysis method, we enrich version-based CVE matching with kernel-specific build data from binary images using automated static firmware analysis. We open source an attribution pipeline that gathers kernel configuration and target architecture to dry build the present kernel version and filter CVEs based on affected file references in record descriptions. In a case study with 127 router firmware images, we show that in comparison to naive version matching, our approach identifies 68% of all version CVE matches as false-positives and reliably removes them from the result set. For 12% of all matches it provides additional evidence of issue applicability. For 19.4%, our approach does not improve reliability because required file references in CVEs are missing.

Cryptography and Security