Ming Yuan,Bodong Zhao,Penghui Li,Jiashuo Liang,Xinhui Han,Xiapu Luo,Chao Zhang

2023-01-01

Abstract:Concurrency use-after-free (UAF) vulnerabilities account for a large portion of UAF vulnerabilities in Linux drivers. Many solutions have been proposed to find either concurrency bugs or UAF vulnerabilities, but few of them can be directly applied to efficiently find concurrency UAF vulnerabilities. In this paper, we propose the first concurrency directed greybox fuzzing solution DDRace to discover concurrency UAF vulnerabilities efficiently in Linux drivers. First, we identify candidate use-after-free locations as target sites and extract the relevant concurrency elements to reduce the exploration space of directed fuzzing. Second, we design a novel vulnerability-related distance metric and an interleaving priority scheme to guide the fuzzer to better explore UAF vulnerabilities and thread interleavings. Lastly, to make test cases reproducible, we design an adaptive kernel state migration scheme to assist continuous fuzzing. We have implemented a prototype of DDRace, and evaluated it on upstream Linux drivers. Results show that DDRace is effective at discovering concurrency use-after-free vulnerabilities. It finds 4 unknown vulnerabilities and 8 known ones, which is more effective than other state-of-the-art solutions.

Jia-Ju Bai,Yu-Ping Wang,Julia Lawall,Shi-Min Hu

2018-01-01

Abstract:In a modern OS, kernel modules often use spinlocks and interrupt handlers to monopolize a CPU core to execute concurrent code in atomic context. In this situation, if the kernel module performs an operation that can sleep at runtime, a system hang may occur. We refer to this kind of concurrency bug as a sleep-in-atomic-context (SAC) bug. In practice, SAC bugs have received insufficient attention and are hard to find, as they do not always cause problems in real executions.In this paper, we propose a practical static approach named DSAC, to effectively detect SAC bugs and automatically recommend patches to help fix them. DSAC uses four key techniques: (1) a hybrid of flow-sensitive and -insensitive analysis to perform accurate and efficient code analysis; (2) a heuristics-based method to accurately extract kernel interfaces that can sleep at runtime; (3) a path-check method to effectively filter out repeated reports and false bugs; (4) a pattern-based method to automatically generate recommended patches to help fix the bugs.We evaluate DSAC on kernel modules (drivers, file systems, and network modules) of the Linux kernel, and on the FreeBSD and NetBSD kernels, and in total find 401 new real bugs. 272 of these bugs have been confirmed by the relevant kernel maintainers, and 43 patches generated by DSAC have been applied by kernel maintainers.

Bo Zhou,Iulian Neamtiu,Rajiv Gupta

DOI: https://doi.org/10.1145/2745802.2745807

2015-01-01

Abstract:Concurrency bugs are difficult to find and fix. To help with finding and fixing concurrency bugs, prior research has mostly focused on static or dynamic analyses for finding specific classes of bugs. We present an approach whose focus is understanding the differences between concurrency and non-concurrency bugs, the differences among various concurrency bug classes, and predicting bug quantity, type, and location, from patches, bug reports and bug-fix metrics. First, we show that bug characteristics and bug-fixing processes vary significantly among different kinds of concurrency bugs and compared to non-concurrency bugs. Next, we build a quantitative predictor model to estimate concurrency bugs appearance in future releases. Then, we build a qualitative predictor that can predict the type of concurrency bug for a newly-filed bug report. Finally, we build a bug location predictor to indicate the likely source code location for newly-reported bugs. We validate the effectiveness of our approach on three popular projects, Mozilla, KDE, and Apache.

Shixiong Zhao,Rui Gu,Haoran Qiu,Tsz On Li,Yuexuan Wang,Heming Cui,Junfeng Yang

DOI: https://doi.org/10.1109/DSN.2018.00033

2018-01-01

Abstract:Just like bugs in single-threaded programs can lead to vulnerabilities, bugs in multithreaded programs can also lead to concurrency attacks. We studied 31 real-world concurrency attacks, including privilege escalations, hijacking code executions, and bypassing security checks. We found that compared to concurrency bugs' traditional consequences (e.g., program crashes), concurrency attacks' consequences are often implicit, extremely hard to be observed and diagnosed by program developers. Moreover, in addition to bug-inducing inputs, extra subtle inputs are often needed to trigger the attacks. These subtle features make existing tools ineffective to detect concurrency attacks. To tackle this problem, we present OWL, the first practical tool that models general concurrency attacks' implicit consequences and automatically detects them. We implemented OWL in Linux and successfully detected five new concurrency attacks, including three confirmed and fixed by developers, and two exploited from previously known and well-studied concurrency bugs. OWL has also detected seven known concurrency attacks. Our evaluation shows that OWL eliminates 94.1% of the reports generated by existing concurrency bug detectors as false positive, greatly reducing developers' efforts on diagnosis. All OWL source code, concurrency attack exploit scripts, and results are available on github.com/hku-systems/owl.

Huamao Wu,Yuan Chen,Yajin Zhou,Yifei Wang,Lubo Zhang

DOI: https://doi.org/10.1109/dac56929.2023.10247974

2023-01-01

Abstract:Driver-originated vulnerabilities are well-known threats to modern monolithic kernels. However, existing driver isolation solutions either rely on Intel-only or newly-introduced CPU features (e.g., Intel VMFUNC, ARM MTE), or suffer from performance issues, making them unsuitable for existing ARM-based devices. In this work, we leverage a common hardware feature, named hardware watchpoint, to achieve lightweight driver isolation for off-the-shelf ARM devices. Specifically, we utilize watchpoints to prevent the possibly compromised driver from corrupting the rest kernel’s state arbitrarily. We implement a prototype for ARM64 Linux. The security analysis and performance evaluation show the efficiency and practicality of our solution.

Lin Ma,Duoming Zhou,Hanjie Wu,Yajin Zhou,Rui Chang,Hao Xiong,Lei Wu,Kui Ren

DOI: https://doi.org/10.1109/sp46215.2023.10179356

2023-01-01

Abstract:When a device is detached from the system, Use-After-Cleanup (UAC) bugs can occur because a running kernel thread may be unaware of the device detachment and attempt to use an object that has been released by the cleanup thread. Our investigation suggests that an attacker can exploit the UAC bugs to obtain the capability of arbitrary code execution and privilege escalation, which receives little attention from the community. While existing tools mainly focus on well-known concurrency bugs like data race, few target UAC bugs. In this paper, we propose a tool named UACatcher to systematically detect UAC bugs. UACatcher consists of three main phases. It first scans the entire kernel to find target layers. Next, it adopts the context- and flow-sensitive inter-procedural analysis and the points-to analysis to locate possible free (deallocation) sites in the bottom-up cleanup thread and use (dereference) sites in the top-down kernel thread that can cause UAC bugs. Then, UACatcher uses the routine switch point algorithm which counts on the synchronizations and path constraints to detect UAC bugs among these sites and estimate exploitable ones. For exploitable bugs, we leverage the pseudoterminal-based device emulation technique to develop practical exploits. We have implemented a prototype of UACatcher and evaluated it on 5.11 Linux kernel. As a result, our tool successfully detected 346 UAC bugs, which were reported to the community (277 have been confirmed and fixed and 15 CVEs have been assigned). Additionally, 13 bugs are exploitable, which can be used to develop working exploits that gain the arbitrary code execution primitive in kernel space and achieve the privilege escalation. Finally, we discuss UACatcher's limitations and propose possible solutions to fix and prevent UAC bugs.

Jia-Ju Bai,Julia Lawall,Shi-Min Hu

DOI: https://doi.org/10.1145/3381990

2018-01-01

ACM Transactions on Computer Systems

Abstract:Atomic context is an execution state of the Linux kernel in which kernel code monopolizes a CPU core. In this state, the Linux kernel may only perform operations that cannot sleep, as otherwise a system hang or crash may occur. We refer to this kind of concurrency bug as a sleep-in-atomic-context (SAC) bug. In practice, SAC bugs are hard to find, as they do not cause problems in all executions. In this article, we propose a practical static approach named DSAC to effectively detect SAC bugs in the Linux kernel. DSAC uses three key techniques: (1) a summary-based analysis to identify the code that may be executed in atomic context, (2) a connection-based alias analysis to identify the set of functions referenced by a function pointer, and (3) a path-check method to filter out repeated reports and false bugs. We evaluate DSAC on Linux 4.17 and find 1,159 SAC bugs. We manually check all the bugs and find that 1,068 bugs are real. We have randomly selected 300 of the real bugs and sent them to kernel developers. 220 of these bugs have been confirmed, and 51 of our patches fixing 115 bugs have been applied.

Jia-Ju Bai,Qiu-Liang Chen,Zu-Ming Jiang,Julia Lawall,Shi-Min Hu

DOI: https://doi.org/10.1109/tse.2021.3138735

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:Data races are often hard to detect in device drivers. According to our study of Linux driver patches that fix data races, about 39% of patches involve a pattern that we call inconsistent locking discipline. Specifically, if a variable is accessed within two concurrently executed functions, the sets of locks held around each access are disjoint, at least one of the locksets is non-empty, and at least one of the involved accesses is a write, then a data race may occur. In this paper, we present a hybrid static-dynamic analysis approach, named SDILP, to detect data races caused by inconsistent locking discipline in device drivers. SDILP has a dynamic lockset analysis to detect data races at runtime, and a static lockset analysis to detect more data races based on the dynamic-analysis results. It also performs a static taint analysis to reduce the number of variable accesses monitored by the dynamic analysis. Compared to our previous dynamic approach DILP (Chen et al., 2019), introducing static analysis allows SDILP to achieve better performance and find more data races. We evaluate SDILP on 12 drivers in Linux 5.4, and find 117 real data races, 50 of which have been confirmed by driver developers.

engineering, electrical & electronic,computer science, software engineering

Manna Wu,Bo Zhou,Wei Shi

DOI: https://doi.org/10.1145/1643823.1643911

2009-01-01

Abstract:In this paper, we describe a new test framework for concurrent programs. Testing on concurrent programs remains difficult due to the non-deterministic nature of concurrent programs. Approaches are proposed to surmount this difficulty. However, few of them are really effective. A new self-adaptive test framework is proposed to alleviate this problem, since it is impossible to solve it completely. This framework which is based on the study of concurrent test points tests each concurrent program like a circuit, while concurrent test points like components of the circuit. The original reason of concurrent bugs stems from the resource sharing among multiple processes or threads. Therefore, a controller is introduced in the framework to increasingly intensify resource competition via test data controlling, aiming to trigger concurrent bugs' emerging sooner once they exist.

Zunchen Huang,Shengjian Guo,Meng Wu,Chao Wang

DOI: https://doi.org/10.48550/arXiv.2212.05438

2022-12-11

Abstract:While there is a large body of work on analyzing concurrency related software bugs and developing techniques for detecting and patching them, little attention has been given to concurrency related security vulnerabilities. The two are different in that not all bugs are vulnerabilities: for a bug to be exploitable, there needs be a way for attackers to trigger its execution and cause damage, e.g., by revealing sensitive data or running malicious code. To fill the gap, we conduct the first empirical study of concurrency vulnerabilities reported in the Linux operating system in the past ten years. We focus on analyzing the confirmed vulnerabilities archived in the Common Vulnerabilities and Exposures (CVE) database, which are then categorized into different groups based on bug types, exploit patterns, and patch strategies adopted by developers. We use code snippets to illustrate individual vulnerability types and patch strategies. We also use statistics to illustrate the entire landscape, including the percentage of each vulnerability type. We hope to shed some light on the problem, e.g., concurrency vulnerabilities continue to pose a serious threat to system security, and it is difficult even for kernel developers to analyze and patch them. Therefore, more efforts are needed to develop tools and techniques for analyzing and patching these vulnerabilities.

Cryptography and Security,Software Engineering

Qiu-Liang Chen,Jia-Ju Bai,Zu-Ming Jiang,Julia Lawall,Shi-Min Hu

DOI: https://doi.org/10.1109/saner.2019.8668017

2019-01-01

Abstract:Data races are often hard to detect in device drivers, due to the non-determinism of concurrent execution. According to our study of Linux driver patches that fix data races, more than 38% of patches involve a pattern that we call inconsistent lock protection. Specifically, if a variable is accessed within two concurrently executed functions, the sets of locks held around each access are disjoint, at least one of the locksets is non-empty, and at least one of the involved accesses is a write, then a data race may occur.In this paper, we present a runtime analysis approach, named DILP, to detect data races caused by inconsistent lock protection in device drivers. By monitoring driver execution, DILP collects the information about runtime variable accesses and executed functions. Then after driver execution, DILP analyzes the collected information to detect and report data races caused by inconsistent lock protection. We evaluate DILP on 12 device drivers in Linux 4.16.9, and find 25 real data races.

Jia-Ju Bai,Yu-Ping Wang,Shi-Min Hu

DOI: https://doi.org/10.1145/3168809

2018-01-01

Abstract:Original device drivers are often passive in common operating systems, and they should correctly handle synchronization when concurrently invoked by multiple external threads. However, many concurrency bugs have occurred in drivers due to incautious synchronization. To solve concurrency problems, active driver is proposed to replace original passive driver. An active driver has its own thread and does not need to handle synchronization, thus the occurrence probability of many concurrency bugs can be effectively reduced. But previous approaches of active driver have some limitations. The biggest limitation is that original passive driver code needs to be manually rewritten. In this paper, we propose a practical approach, AutoPA, to automatically generate efficient active driver from original passive driver code. AutoPA uses function analysis and code instrumentation to perform automated driver generation, and it uses an improved active driver architecture to reduce performance degradation. We have evaluated AutoPA on 20 Linux drivers. The results show that AutoPA can automatically and successfully generate usable active drivers from original driver code. And generated active drivers can work normally with or without the synchronization primitives in original driver code. To check the effect of AutoPA on driver reliability, we perform fault injection testing on the generated active drivers, and find that all injected concurrency faults are well tolerated and the drivers can work normally. And the performance of generated active drivers is not obviously degraded compared to original passive drivers.

Jia-Ju Bai,Tuo Li,Shi-Min Hu

2022-01-01

Abstract:Deadlocks in OS kernels can cause critical problems like performance degradation and system hangs. However, detecting deadlocks in OS kernels is quite challenging, due to high complexity of concurrent execution and large code bases of OS kernels. In this paper, we design a practical static analysis approach named DLOS, to effectively detect deadlocks in OS kernels. DLOS consists of three key techniques: (1) a summary-based lock-usage analysis to efficiently extract the code paths containing distinct locking constraints from kernel code; (2) a reachability-based comparison method to efficiently detect locking cycles from locking constraints; (3) a two-dimensional filtering strategy to effectively drop false positives by validating code-path feasibility and concurrency. We have evaluated DLOS on Linux 5.10, and find 54 real deadlocks, with a false positive rate of 17%. We have reported these deadlocks to Linux kernel developers, and 31 of them have been confirmed.

Liang He,Hong Hu,Purui Su,Yan Cai,Zhenkai Liang

2022-01-01

Abstract:Memory-safety issues in operating systems and popular applications are still top security threats. As one widely exploited vulnerability, Use After Free (UAF) resulted in hundreds of new incidents every year. Existing bug diagnosis techniques report the locations that allocate or deallocate the vulnerable object, but cannot provide sufficient information for developers to reason about a bug or synthesize a correct patch. In this work, we identified incorrect reference counting as one common root cause of UAF bugs: if the developer forgets to increase the counter for a newly created reference, the program may prematurely free the actively used object, rendering other references dangling pointers. We call this problem reference miscounting. By proposing an omission-aware counting model, we developed an automatic method, FREEWILL, to diagnose UAF bugs. FREEWILL first reproduces a UAF bug and collects related execution trace. Then, it identifies the UAF object and related references. Finally, FREEWILL compares reference operations with our model to detect reference miscounting. We evaluated FREEWILL on 76 real-world UAF bugs and it successfully confirmed reference miscounting as root causes for 48 bugs and dangling usage for 18 bugs. FREEWILL also identified five null-pointer dereference bugs and failed to analyze five bugs. FREEWILL can complete its analysis within 15 minutes on average, showing its practicality for diagnosing UAF bugs.

Jia-Ju Bai,Hu-Qiu Liu,Yu-Ping Wang,Shi-Min Hu

DOI: https://doi.org/10.1109/apsec.2014.66

2014-01-01

Abstract:Device drivers usually invoke functions to allocate resources for managing hardware devices and communicating with the kernel, and these resources should be released by functions when the work is finished. Thus allocating functions and releasing functions must be invoked in pairs. However, many developers ignore this vital rule, and some allocated resources are not released in time, which may cause resource related problems like deadlocks and memory leak. For improving the resource management of device drivers, we propose an approach named Pair Dyn to check these paired functions during runtime. When the driver runs, Pair Dyn records the runtime information of allocating functions such as key parameters and return value, and dynamically detects whether the relevant releasing functions are invoked to free allocated resources during runtime. Before the driver exits, Pair Dyn automatically attempts to invoke the related releasing functions which are lacked in runtime, in order to free the allocated resources of the operation system. We have implemented Pair Dyn with the LLVM compiler infrastructure, and make the evaluation with four real device drivers in Linux version 3.10.1. The experimental result shows that with the low extra overhead, Pair Dyn can provide effective runtime checking for allocate-release paired functions. Moreover, 9 potential bugs are found in the four drivers, which are all fixed automatically before exiting. Finally, no manual modification of the source code is needed with Pair Dyn.

Jia-Ju Bai,Yu-Ping Wang,Shi-Min Hu

DOI: https://doi.org/10.1016/j.jss.2017.06.004

IF: 3.5

2017-01-01

Journal of Systems and Software

Abstract:In a modern operating system, device drivers acquire system resources to work. The acquired resources should be explicitly released by the drivers, because the operating system never reclaims them. Moreover, improper resource release can cause system crashes or hangs. Thus resource release is very important to driver reliability. However, according to our study on Linux driver mailing lists, many applied patches involve the modifications of resource release. Thus current resource management in drivers is not reliable enough. In this paper, we propose a novel approach named AutoRR, which can automatically and reliably release resources based on dynamic analysis. To identify resource handling operations, we use the dynamic specification-mining technique to mine resource acquiring and releasing functions. During execution, we maintain a resource-state list by intercepting the mined functions. If the driver fails to release acquired resources, AutoRR will report bugs and call corresponding releasing functions to safely release the resources. Dynamic analyses of resource dependency, allocation hierarchy, error handling form and releasing time are performed to avoid introducing new bugs when releasing resources. The evaluation on 12 Linux drivers shows that 40 detected bugs are all successfully and safely tolerated, and the overhead is only 7.84%. (C) 2017 Published by Elsevier Inc.

Jia-Ju Bai,Julia Lawall,Wende Tan,Shi-Min Hu

DOI: https://doi.org/10.1145/3297858.3304065

2019-01-01

Abstract:For waiting, the Linux kernel offers both sleep-able and non-sleep operations. However, only non-sleep operations can be used in atomic context. Detecting the possibility of execution in atomic context requires a complete inter-procedural flow analysis, often involving function pointers. Developers may thus conservatively use non-sleep operations even outside of atomic context, which may damage system performance, as such operations unproductively monopolize the CPU. Until now, no systematic approach has been proposed to detect such conservative non-sleep (CNS) defects. In this paper, we propose a practical static approach, named DCNS, to automatically detect conservative non-sleep defects in the Linux kernel. DCNS uses a summary-based analysis to effectively identify the code in atomic context and a novel file-connection-based alias analysis to correctly identify the set of functions referenced by a function pointer. We evaluate DCNS on Linux 4.16, and in total find 1629 defects. We manually check 943 defects whose call paths are not so difficult to follow, and find that 890 are real. We have randomly selected 300 of the real defects and sent them to kernel developers, and 251 have been confirmed.

Jia-Ju Bai,Tuo Li,Kangjie Lu,Shi-Min Hu

2021-01-01

Abstract:Direct Memory Access (DMA) is a popular mechanism for improving hardware I/O performance, and it has been widely used by many existing device drivers. However, DMA accesses can be unsafe, from two aspects. First, without proper synchronization of DMA buffers with hardware registers and CPU cache, the buffer data stored in CPU cache and hardware registers can be inconsistent, which can cause unexpected hardware behaviors. Second, a malfunctioning or untrusted hardware device can write bad data into system memory, which can trigger security bugs (such as buffer overflow and invalid-pointer access), if the driver uses the data without correct validation. To detect unsafe DMA accesses, some key challenges need to be solved. For example, because each DMA access is implemented as a regular variable access in the driver code, identifying DMA accesses is difficult. In this paper, we propose a static-analysis approach named SADA, to automatically and accurately detect unsafe DMA accesses in device drivers. SADA consists of three basic steps. First, SADA uses a field-based alias analysis to identify DMA accesses, according to the information of DMA-buffer creation. Second, SADA uses a flow-sensitive and patternbased analysis to check the safety of each DMA access, to detect possible unsafe DMA accesses. Finally, SADA uses an SMT solver to validate the code-path condition of each possible unsafe DMA access, to drop false positives. We have evaluated SADA on the driver code of Linux 5.6, and found 284 real unsafe DMA accesses. Among them, we highlight that 121 can trigger buffer-overflow bugs and 36 can trigger invalid-pointer accesses causing arbitrary read or write. We have reported these unsafe DMA accesses to Linux driver developers, and 105 of them have been confirmed.

Jia-Ju Bai,Yu-Ping Wang,Hu-Qiu Liu,Shi-Min Hu

DOI: https://doi.org/10.1016/j.infsof.2016.01.018

IF: 3.9

2016-01-01

Information and Software Technology

Abstract:Context: Device drivers often call specific kernel interface functions in pairs to allocate and release resources, and these functions can be called as paired functions. But due to poor documentation and carelessness, developers sometimes misuse paired functions in drivers, which causes resource-usage violations.Objective: Many dynamic approaches have been proposed to mine API rules and check resource usage for user-mode applications, but they are rarely applied to kernel-mode device drivers due to their designs. Meanwhile, most existing dynamic approaches lack systematic mechanisms to cover error handling code, which limits their availability and scalability. Our goal is to improve dynamic analysis to solve these problems.Method: In this paper, we propose PairCheck, a novel approach for mining and checking paired functions in device drivers, using three techniques. Firstly, we design a characteristic fault injection framework to generate test cases, which simulates occasional errors and covers most error handling code with little effort. Secondly, complete runtime information is recorded through call interception during test-case execution. Thirdly, we mine and check paired functions based on collected runtime information, name patterns and statistical analysis.Result: To validate the availability of PairCheck, we evaluate it on 11 Linux Ethernet card drivers. PairCheck mines 37 and 43 real paired functions in Linux 3.1.1 and 3.17.2, respectively. With these mined paired functions, it finds 10 violations in Linux 3.1.1 which have been fixed in 3.17.2, and 35 new violations in 3.17.2. The replies from developers indicate the false positive rate is low. Compared to normal execution, code coverage increases by 8.3% on average.Conclusion: Our work shows that it is possible to precisely mine API rules of resource usage by using characteristic fault injection. The mined rules are useful for improving the reliability of device drivers. (C) 2016 Elsevier B.V. All rights reserved.

Zhuo-Fang DAI,Wei-Hua ZHANG

DOI: https://doi.org/10.3969/j.issn.1003-3254.2014.10.001

2014-01-01

Abstract:The popularity of multiple-core devices has made parallel programming a necessity to harness the abundant hardware resources. However, due to the non-determinism of parallel software, writing robust parallel software is notoriously hard. Therefore, how to debug concurrency bugs efficiently has become an issue that needs to be urgently deal with. In this paper, we have surveyed the parallel debugging technologies systematically. Further, based on the survey, we have made classifications and comparisons. At last, we have presented the prospects of the possible development direction of concurrency bug debugging approaches.