Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Xin Xia,David Lo,Emad Shihab,Xinyu Wang,Bo Zhou

DOI: https://doi.org/10.1007/s10515-014-0162-2

IF: 1.677

2014-01-01

Automated Software Engineering

Abstract:Bug fixing is one of the most time-consuming and costly activities of the software development life cycle. In general, bugs are reported in a bug tracking system, validated by a triage team, assigned for someone to fix, and finally verified and closed. However, in some cases bugs have to be reopened. Reopened bugs increase software maintenance cost, cause rework for already busy developers and in some cases even delay the future delivery of a software release. Therefore, a few recent studies focused on studying reopened bugs. However, these prior studies did not achieve high performance (in terms of precision and recall), required manual intervention, and used very simplistic techniques when dealing with this textual data, which leads us to believe that further improvements are possible. In this paper, we propose ReopenPredictor, which is an automatic, high accuracy predictor of reopened bugs. ReopenPredictor uses a number of features, including textual features, to achieve high accuracy prediction of reopened bugs. As part of ReopenPredictor, we propose two algorithms that are used to automatically estimate various thresholds to maximize the prediction performance. To examine the benefits of ReopenPredictor, we perform experiments on three large open source projects-namely Eclipse, Apache HTTP and OpenOffice. Our results show that ReopenPredictor outperforms prior work, achieving a reopened F-measure of 0.744, 0.770, and 0.860 for Eclipse, Apache HTTP and OpenOffice, respectively. These results correspond to an improvement in the reopened F-measure of the method proposed in the prior work by Shihab et al. by 33.33, 12.57 and 3.12% for Eclipse, Apache HTTP and OpenOffice, respectively.

Dinghao Liu,Qiushi Wu,Shouling Ji,Kangjie Lu,Zhenguang Liu,Jianhai Chen,Qinming He

DOI: https://doi.org/10.1145/3460120.3485373

2021-01-01

Abstract:Missing a security operation such as a bound check has been a major cause of security-critical bugs. Automatically checking whether the code misses a security operation in large programs is challenging since it has to understand whether the security operation is indeed necessary in the context. Recent methods typically employ cross-checking to identify deviations as security bugs, which collects functionally similar program slices and infers missed security operations through majority-voting. An inherent limitation of such approaches is that they heavily rely on a substantial number of similar code pieces to enable cross-checking. In practice, many code pieces are unique, and thus we may be unable to find adequate similar code snippets to utilize cross-checking. In this paper, we present IPPO (Inconsistent Path Pairs as a bug Oracle), a static analysis framework for detecting security bugs based on differential checking. IPPO defines several novel rules to identify code paths that share similar semantics with respect to an object, and collects them as similar-path pairs. It then investigates the path pairs for identifying inconsistent security operations with respect to the object. If one path in a path pair enforces a security operation while the other does not, IPPO reports it as a potential security bug. By utilizing on object-based path-similarity analysis, IPPO achieves a higher precision, compared to conventional code-similarity analysis methods. Through differential checking of a similar-path pair, IPPO eliminates the requirement of constructing a large number of similar code pieces, addressing the limitation of traditional cross-checking approaches. We implemented IPPO and extensively evaluated it on four widely used open-source programs: Linux kernel, OpenSSL library, FreeBSD kernel, and PHP. IPPO found 154, 5, 1, and 1 new security bugs in the above systems, respectively. We have submitted patches for all these bugs, and 136 of them have been accepted by corresponding maintainers. The results confirm the effectiveness and usefulness of IPPO in practice.

Jinmeng Zhou,Tong Zhang,Wenbo Shen,Dongyoon Lee,Changhee Jung,Ahmed Azab,Ruowen Wang,Peng Ning,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2022.3165368

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Permission checks play an essential role in operating system security by providing access control to privileged functionalities. However, it is challenging for kernel developers to scalably verify the soundness of existing checks due to the large codebase and complexity of the kernel. In fact, Linux kernel contains millions of lines of code with hundreds of permission checks, and even worse its complexity is fast-growing. This paper presents PeX, a static permission check error detector for Linux, which takes as input a kernel source code and reports any missing, inconsistent, and redundant permission checks. PeX uses KIRIN (Kernel InteRface based Indirect call aNalysis), a novel, precise, and scalable indirect call analysis technique. Over the interprocedural control flow graph built by KIRIN, PeX automatically identifies permission checks and infers the mappings between permission checks and privileged functions. For each privileged function, PeX examines all possible paths to the function to check if necessary permission checks are correctly enforced. We evaluated PeX on the latest stable Linux kernel v4.18.5 for three types of permission checks: Discretionary Access Controls (DAC), Capabilities, and Linux Security Modules (LSM). PeX reported 45 new permission check errors, 17 of which have been confirmed by the kernel developers.

Haoran Liu,Zhouyang Jia,Shanshan Li,Yan Lei,Yue Yu,Yu Jiang,Xiaoguang Mao,Xiangke Liao

DOI: https://doi.org/10.1145/3660787

2024-01-01

Abstract:Error-handling bugs are prevalent in software systems and can result in severe consequences. Existing works on error-handling bug detection can be categorized into template-based and learning-based approaches. The former requires much human effort and is difficult to accommodate the software evolution. The latter usually focuses on errors of API and assumes that error handling should be right after the handled error. Such an assumption, however, may affect both learning and detecting phases. The existing learning-based approaches can be regarded as API-oriented, which starts from an API and learns if the API requires error handling. In this paper, we propose EH-Digger, an ERROR-oriented approach, which starts from an error handling. Our approach can learn why the error occurs and when the error has to be handled. We conduct a comprehensive study on 2,322 error-handling code snippets from 22 widely used software systems across 8 software domains to reveal the limitation of existing approaches and guide the design of EH-Digger. We evaluated EH-Digger on the Linux Kernel and 11 open-source applications. It detected 53 new bugs confirmed by the developers and 71 historical bugs fixed in the latest versions. We also compared EH-Digger with three state-of-the-art approaches, 30.1% of bugs detected by EH-Digger cannot be detected by the existing approaches.

Yeqi Fu,Yongzhi Liu,Qian Zhang,Zhou Yang,Xiarun Chen,Chenglin Xie,Weiping Wen

DOI: https://doi.org/10.1007/978-981-99-7356-9_41

2023-01-01

Abstract:The detection of missing security operations is a complex task in software engineering, mainly due to the semantic and contextual understanding required. Prior research efforts have employed similar path differential analysis to detect missing security operations, but these approaches have been limited in their ability to simultaneously compare the similarity of intra- and inter-procedural paths. To address this limitation, this paper proposes a novel approach called SSD that can detect multiple missing security operation bugs both intra- and inter-procedurally. Our approach collects slices with similar semantics and contexts based on four program slicing criteria, providing more versatile construction of similar slices and more comprehensive detection than previous works. In our experiments, we have identified 65 real bugs in the Linux kernel, of which we have verified 27 as fixed bugs and submitted the remaining 38 for patching. The Linux maintainers have accepted 19 of these patches, confirming the effectiveness and availability of SSD.

Xiong Xin,Tan Xin,Zhang Yuan

DOI: https://doi.org/10.7544/issn1000-1239.202220768

2023-01-01

Journal of Computer Research and Development

Abstract:Reference counting （refcount） bugs in the kernel could cause critical security problems including memory leak and use-after-free vulnerabilities. To detect such defects， this paper proposes a refcount bug detection system based on consistency analysis of error path behavior. Compared with the existing works， our method introduces semantic information of the error paths to infer the appropriate refcount behavior on these paths， thus detecting refcount defects that cannot be covered by the existing works. First， the system identifies all the error paths in the target function based on the function return value and fault handling code. Second， it performs path-sensitive analysis to collect the specific refcount behavior on each error path within the target function， which is aggregated to infer the dominant tendency of refcount behavior of the error paths in the target function. Finally， based on the idea of consistency checking， the error paths whose reference counting behavior is inconsistent with the dominant tendency are identified as potential refcount bugs. In the evaluation， the proposed system found 21 and 9 bugs on Linux kernel version 5.6-rc2 and version 5.17， respectively， most of which have been confirmed by the kernel developers. In addition， on kernel version 5.6-rc2， the system detected 9 new refcount bugs that could not be identified by existing works.

Xin Tan,Yuan Zhang,Xiyu Yang,Kangjie Lu,Min Yang

2021-01-01

Abstract:In the Linux kernel, reference counting (refcount) has become a default mechanism that manages resource objects. A refcount of a tracked object is incremented when a new reference is assigned and decremented when a reference becomes invalid. Since the kernel manages a large number of shared resources, refcount is prevalent. Due to the inherent complexity of the kernel and resource sharing, developers often fail to properly update refcounts, leading to refcount bugs. Researchers have shown that refcount bugs can cause critical security impacts like privilege escalation; however, the detection of refcount bugs remains an open problem. In this paper, we propose CID, a new mechanism that employs two-dimensional consistency checking to automatically detect refcount bugs. By checking if callers consistently use a refcount function, CID detects deviating cases as potential bugs, and by checking how a caller uses a refcount function, CID infers the condition-aware rules for the function to correspondingly operate the refcount, and thus a violating case is a potential bug. More importantly, CID’s consistency checking does not require complicated semantic understanding, interprocedural data-flow tracing, or refcount-operation reasoning. CID also features an automated mechanism that systematically identifies refcount fields and functions in the whole kernel. We implement CID and apply it to the Linux kernel. The tool found 44 new refcount bugs that may cause severe security issues, most of which have been confirmed by the maintainers.

Ling-Yun Situ,Lin-Zhang Wang,Yang Liu,Bing Mao,Xuan-Dong Li

DOI: https://doi.org/10.1007/s11390-019-1955-3

IF: 1.871

2019-01-01

Journal of Computer Science and Technology

Abstract:Missing checks for untrusted inputs used in security-sensitive operations is one of the major causes of various vulnerabilities. Efficiently detecting and repairing missing checks are essential for prognosticating potential vulnerabilities and improving code reliability. We propose a systematic static analysis approach to detect missing checks for manipulable data used in security-sensitive operations of C/C++ programs and recommend repair references. First, customized securitysensitive operations are located by lightweight static analysis. Then, the assailability of sensitive data used in securitysensitive operations is determined via taint analysis. And, the existence and the risk degree of missing checks are assessed. Finally, the repair references for high-risk missing checks are recommended. We implemented the approach into an automated and cross-platform tool named Vanguard based on Clang/LLVM 3.6.0. Large-scale experimental evaluation on open-source projects has shown its effectiveness and efficiency. Furthermore, Vanguard has helped us uncover five known vulnerabilities and 12 new bugs.

Zhouyang Jia,Shanshan Li,Tingting Yu,Xiangke Liao,Ji Wang,Xiaodong Liu,Yunhuai Liu

DOI: https://doi.org/10.1109/ASE.2019.00029

2019-01-01

Abstract:Most software systems frequently encounter errors when interacting with their environments. When errors occur, error-handling code must execute flawlessly to facilitate system recovery. Implementing correct error handling is repetitive but non-trivial, and developers often inadvertently introduce bugs into error-handling code. Existing tools require correct error specifications to detect error-handling bugs. Manually generating error specifications is error-prone and tedious, while automatically mining error specifications is hard to achieve a satisfying accuracy. In this paper, we propose EH-Miner, a novel and practical tool that can automatically detect error-handling bugs without the need for error specifications. Given a function, EH-Miner mines its error-handling rules when the function is frequently checked by an equivalent condition, and handled by the same action. We applied EH-Miner to 117 applications across 15 software domains. EH-Miner mined error-handling rules with the precision of 91.1% and the recall of 46.9%. We reported 142 bugs to developers, and 106 bugs had been confirmed and fixed at the time of writing. We further applied EH-Miner to Linux kernel, and reported 68 bugs for kernel-4.17, of which 42 had been confirmed or fixed.

Lingyun Situ,Liang Zou,Linzhang Wang,Yang Liu,Bing Mao,Xuandong Li

DOI: https://doi.org/10.1145/3183440.3194949

2018-01-01

Abstract:Missing check for untrusted input used in security-sensitive operations is one of the major causes of various serious vulnerabilities. Thus, efficiently detecting missing checks for realistic software is essential for identify insufficient attack protections. We propose a systematic static approach to detect missing checks in C/C++ programs. An automated and cross-platform tool named Vanguard was implemented on top of Clang/LLVM 3.6.0. And experimental results have shown its effectiveness and efficiency.

Tuo Li,Jia-Ju Bai,Yulei Sui,Shi-Min Hu

DOI: https://doi.org/10.1145/3503222.3507770

2024-01-01

ACM Transactions on Computer Systems

Abstract:Operating system (OS) is the cornerstone for modern computer systems. It manages devices and provides fundamental service for user-level applications. Thus, detecting bugs in OSes is important to improve reliability and security of computer systems. Static typestate analysis is a common technique for detecting different types of bugs, but it is often inaccurate or unscalable for large-size OS code, due to imprecision of identifying alias relationships as well as high costs of typestate tracking and path-feasibility validation. In this paper, we present PATA, a novel path-sensitive and alias-aware typestate analysis framework to detect OS bugs. To improve the precision of identifying alias relationships in OS code, PATA performs a path-based alias analysis based on control-flow paths and access paths. With these alias relationships, PATA reduces the costs of typestate tracking and path-feasibility validation, to boost the efficiency of path-sensitive typestate analysis for bug detection. We have evaluated PATA on the Linux kernel and three popular IoT OSes (Zephyr, RIOT and TencentOS-tiny) to detect three common types of bugs (null-pointer dereferences, uninitialized-variable accesses and memory leaks). PATA finds 574 real bugs with a false positive rate of 28%. 206 of these bugs have been confirmed by the developers of the four OSes. We also compare PATA to seven state-of-the-art static approaches (Cppcheck, Coccinelle, Smatch, CSA, Infer, Saber and SVF). PATA finds many real bugs missed by them, with a lower false positive rate.

Liang He,Purui Su,Chao Zhang,Yan Cai,Jinxin Ma

DOI: https://doi.org/10.1145/3600006.3613162

2023-01-01

Abstract:Reference counting (refcounting) is widely used in Linux kernel. However, it requires manual operations on the related APIs. In practice, missing or improperly invoking these APIs has introduced too many bugs, known as refcounting bugs. To evaluate the severity of these bugs in history and in future, this paper presents a comprehensive study on them. In detail, we study 1,033 refcounting bugs in Linux kernels and present a set of characters and find that most of the bugs can finally cause severe security impacts. Besides, we analyze the root causes at implementation and developer's sides (i.e., human factors), which shows that the careless usages of find-like refcounting-embedded APIs can usually introduce hundreds of bugs. Finally, we propose a set of anti-patterns to summarize and to expose them. On the latest kernel releases, we totally found 351 new bugs and 240 of them have been confirmed. We believe this study can motivate more proactive researches on refcounting problems and improve the quality of Linux kernel.

Zuxing Gu,Jiecheng Wu,Chi Li,Min Zhou,Yu Jiang,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/icse-companion.2019.00046

2019-01-01

Abstract:Libraries offer reusable functionality through application programming interfaces (APIs) with usage constraints such as call conditions and orders. Constraint violations, i.e., API misuses, commonly lead to bugs and even security issues. In this paper, we introduce IMChecker, a constraint-directed static analysis toolkit to vet API usages in C programs powered by a domain-specific language (DSL) to specify the API usages. First, we propose a DSL, which covers most API usage constraint types and enables straightforward but precise specification by studying real-world API-misuse bug patches. Then, we design and implement a static analysis engine to automatically parse specifications into checking targets, identify potential API misuses and prune the false positives with rich semantics. We have instantiated IMChecker for C programs with user-friendly graphic interfaces and evaluated the widely used benchmarks and real-world projects. The results show that IMChecker outperforms 4.78-36.25% in precision and 40.25-55.21% w.r.t. state-of-the-arts toolkits. We also found 75 previously unknown bugs in Linux kernel, OpenSSL and applications of Ubuntu, 61 of which have been confirmed by the corresponding development communities. Video: https://youtu.be/YGDxeyOEVIM.

Hao Sun,Yiru Xu,Jianzhong Liu,Yuheng Shen,Nan Guan,Yu Jiang

DOI: https://doi.org/10.1145/3627703.3629562

2024-01-01

Abstract:eBPF is an inspiring technique in Linux that allows user space processes to extend the kernel by dynamically injecting programs. However, it poses security issues, since the untrusted user code is now executed in the kernel space. eBPF utilizes a verifier to validate the safety of the provided programs, thus its correctness is of paramount importance as attackers may exploit vulnerabilities within it to inject malicious programs. Bug-finding tools like kernel fuzzers currently can detect memory bugs in eBPF system calls, but they experience difficulties in finding correctness bugs in the verifier, e.g., incorrect validations that allow the loading of unsafe programs. Because, unlike detecting memory bugs, where sanitizers can capture such errors once observed, automatically uncovering correctness bugs is very difficult, without an effective test oracle that determines if the verifier behaves correctly for given programs.

Tong Zhang,Wenbo Shen,Dongyoon Lee,Changhee Jung,Ahmed M. Azab,Ruowen Wang

2019-01-01

Abstract:Permission checks play an essential role in operating system security by providing access control to privileged functionalities. However, it is particularly challenging for kernel developers to correctly apply new permission checks and to scalably verify the soundness of existing checks due to the large code base and complexity of the kernel. In fact, Linux kernel contains millions of lines of code with hundreds of permission checks, and even worse its complexity is fast-growing. This paper presents PeX, a static Permission check error detector for LinuX, which takes as input a kernel source code and reports any missing, inconsistent, and redundant permission checks. PeX uses KIRIN (Kernel InteRface based Indirect call aNalysis), a novel, precise, and scalable indirect call analysis technique, leveraging the common programming paradigm used in kernel abstraction interfaces. Over the interprocedural control flow graph built by KIRIN, PeX automatically identifies all permission checks and infers the mappings between permission checks and privileged functions. For each privileged function, PeX examines all possible paths to the function to check if necessary permission checks are correctly enforced before it is called. We evaluated PeX on the latest stable Linux kernel v4.18.5 for three types of permission checks: Discretionary Access Controls (DAC), Capabilities, and Linux Security Modules (LSM). PeX reported 36 new permission check errors, 14 of which have been confirmed by the kernel developers.

Jia-Ju Bai,Yu-Ping Wang,Julia Lawall,Shi-Min Hu

2018-01-01

Abstract:In a modern OS, kernel modules often use spinlocks and interrupt handlers to monopolize a CPU core to execute concurrent code in atomic context. In this situation, if the kernel module performs an operation that can sleep at runtime, a system hang may occur. We refer to this kind of concurrency bug as a sleep-in-atomic-context (SAC) bug. In practice, SAC bugs have received insufficient attention and are hard to find, as they do not always cause problems in real executions.In this paper, we propose a practical static approach named DSAC, to effectively detect SAC bugs and automatically recommend patches to help fix them. DSAC uses four key techniques: (1) a hybrid of flow-sensitive and -insensitive analysis to perform accurate and efficient code analysis; (2) a heuristics-based method to accurately extract kernel interfaces that can sleep at runtime; (3) a path-check method to effectively filter out repeated reports and false bugs; (4) a pattern-based method to automatically generate recommended patches to help fix the bugs.We evaluate DSAC on kernel modules (drivers, file systems, and network modules) of the Linux kernel, and on the FreeBSD and NetBSD kernels, and in total find 401 new real bugs. 272 of these bugs have been confirmed by the relevant kernel maintainers, and 43 patches generated by DSAC have been applied by kernel maintainers.

Junjie Mao,Yu Chen,Qixue Xiao,Yuanchun Shi

DOI: https://doi.org/10.1145/2980024.2872389

2016-01-01

Abstract:Reference counts are widely used in OS kernels for resource management. However, reference counts are not trivial to be used correctly in large scale programs because it is left to developers to make sure that an increment to a reference count is always paired with a decrement. This paper proposes inconsistent path pair checking, a novel technique that can statically discover bugs related to reference counts without knowing how reference counts should be changed in a function. A prototype called RID is implemented and evaluations show that RID can discover more than 80 bugs which were confirmed by the developers in the latest Linux kernel. The results also show that RID tends to reveal bugs caused by developersu0027 misunderstanding on API specifications or error conditions that are not handled properly.

Hao Zhang,Ji Luo,Mengze Hu,Jun Yan,Jian Zhang,Zongyan Qiu

DOI: https://doi.org/10.1109/icse48619.2023.00098

2023-01-01

Abstract:Exception handling is a mechanism in modern programming languages. Studies have shown that the exception handling code is error-prone. However, there is still limited research on detecting exception handling bugs, especially for C++ programs. To tackle the issue, we try to precisely represent the exception control flow in C++ programs and propose an analysis method that makes use of the control flow to detect such bugs. More specifically, we first extend control flow graph by introducing the concepts of five different kinds of basic blocks, and then modify the classic symbolic execution framework by extending the program state to a quadruple and properly processing try, throw and catch statements. Based on the above techniques, we develop a static analysis tool on the top of Clang Static Analyzer to detect exception handling bugs. We run our tool on projects with high stars from GitHub and find 36 exception handling bugs in 8 projects, with a precision of 84%. We compare our tool with four state-of-the-art static analysis tools (Cppcheck, Clang Static Analyzer, Facebook Infer and IKOS) on projects from GitHub and handmade benchmarks. On the GitHub projects, other tools are not able to detect any exception handling bugs found by our tool. On the handmade benchmarks, our tool has a significant higher recall.

Zheng-yi LU,Yong DING,Xian-miao QU,Yun-hai SHANG

2017-01-01

Abstract:Single event upsetswill cause transient faults of system,the error detection technique based on control flow judges whether errors exit through signature verify by hardware or software in basic blocks at runtime.Signatures will cause expansion of size of code and reduction of performance,and there are also some blind spots of detections.The technique of error-correction after error-detection is not mature.This paper proposes an error-tolerant technique bases on hybrid of hardware and software to cover most of the detection blind spots.To decrease the size of code and improve performance,the paper introduces granularity verify mode.Aim to correcterrors,the paper propose an error-correction technique based on hardware.We use CK-CPU as the platform experiment,experiment shows that the hybrid method will increase the coverage of error detection at lower system cost,and can correct the errors for full verify mode.