Untrusted Hardware Causes Double-fetch Problems in the I/O Memory
Kai Lu1,2,3, Member, CCF, Peng-Fei Wang1,*, Member, CCF, Gen Li1, Xu Zhou1, Member, CCF
1 College of Computer, National University of Defense Technology, Changsha 410073, China;
2 Science and Technology on Parallel and Distributed Processing Laboratory, National University of Defense Technology, Changsha 410073, China;
3 Collaborative Innovation Center of High-Performance Computing, National University of Defense Technology, Changsha 410073, China
Abstract The double-fetch problem occurs when data is maliciously changed between two kernel reads of supposedly the same data, which can cause serious security problems in the kernel. Previous research focused on double fetches between the kernel and user applications. In this paper, we present the first dedicated study of the double-fetch problem between the kernel and peripheral devices (the hardware double fetch). Operating systems communicate with peripheral devices by reading from and writing to device-mapped I/O (input and output) memory, and because the attached hardware is not effectively validated, compromised hardware can change the data between two reads of the same I/O memory address, causing a double-fetch problem: a value that the kernel checked on the first read is no longer the value it uses on the second. We propose a static pattern-matching approach to identify hardware double fetches in the Linux kernel. Our approach can analyze the entire kernel without relying on the corresponding hardware. The results were categorized, and each category was analyzed using case studies to discuss the possibility of causing bugs. We also found four double-fetch vulnerabilities, which have been confirmed and fixed by the maintainers as a result of our report.
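The following is an added illustration of the check-then-use pattern the abstract describes; it is not code from the paper or from the Linux kernel. A constructed user-space struct stands in for a device's memory-mapped register block (a real driver would use ioread32()/readl() on an ioremap()'d region, and memcpy_fromio() for the bulk copy), and a flag models a compromised device that answers the second read of the length register with a different value than the first. The register layout, the MAX_LEN bound and the 0x40000000 "oversized" value are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a device register block exposed through I/O memory
 * (assumed layout: one length register followed by data words).
 */
#define REG_LEN     0x00u             /* byte offset of the length register */
#define REG_DATA    0x04u             /* byte offset of the first data word */
#define DATA_WORDS  4u
#define MAX_LEN     (DATA_WORDS * 4u) /* the driver's declared upper bound */

struct fake_device {
    uint32_t regs[1 + DATA_WORDS];  /* regs[0] = length, regs[1..] = data */
    int      malicious;             /* 1: REG_LEN changes between reads */
    unsigned len_reads;             /* how many times REG_LEN was fetched */
};

/* Emulates a 32-bit MMIO read. A compromised device decides what every
 * read returns, so two reads of the same address need not agree. */
static uint32_t mmio_read32(struct fake_device *dev, unsigned off)
{
    if (off == REG_LEN) {
        dev->len_reads++;
        if (dev->malicious && dev->len_reads >= 2)
            return 0x40000000u;     /* oversized length on the 2nd fetch */
    }
    return dev->regs[off / 4u];
}

/* Emulates memcpy_fromio() word by word (len is a multiple of 4 here). */
static void copy_words(struct fake_device *dev, uint8_t *dst, uint32_t len)
{
    for (uint32_t i = 0; i < len / 4u; i++) {
        uint32_t w = mmio_read32(dev, REG_DATA + 4u * i);
        memcpy(dst + 4u * i, &w, 4u);
    }
}

/*
 * Vulnerable pattern: the length is fetched from I/O memory once for the
 * bounds check and again for the copy, so the value actually used was
 * never validated. Returns bytes copied, -1 if the check rejects, or -2
 * at the point where a real driver would overrun dst.
 */
static int copy_double_fetch(struct fake_device *dev, uint8_t *dst, size_t dst_sz)
{
    if (mmio_read32(dev, REG_LEN) > MAX_LEN)   /* fetch #1: check */
        return -1;
    uint32_t len = mmio_read32(dev, REG_LEN);  /* fetch #2: use */
    if (len > dst_sz)
        return -2;                              /* overflow would occur here */
    copy_words(dev, dst, len);
    return (int)len;
}

/*
 * Hardened pattern: fetch once into a local copy, validate the copy and
 * use only the copy. The device can still lie, but it cannot make the
 * used value differ from the checked one.
 */
static int copy_single_fetch(struct fake_device *dev, uint8_t *dst, size_t dst_sz)
{
    uint32_t len = mmio_read32(dev, REG_LEN);  /* the only fetch */
    if (len > MAX_LEN || len > dst_sz)
        return -1;
    copy_words(dev, dst, len);
    return (int)len;
}

/* Constructed device state: registers claim 8 bytes of data follow. */
static void init_device(struct fake_device *dev, int malicious)
{
    memset(dev, 0, sizeof(*dev));
    dev->regs[0] = 8u;
    dev->regs[1] = 0x11111111u;
    dev->regs[2] = 0x22222222u;
    dev->malicious = malicious;
}

/* Runs one driver path against a fresh device and returns its result. */
int run_scenario(int malicious, int hardened)
{
    struct fake_device dev;
    uint8_t buf[MAX_LEN];
    init_device(&dev, malicious);
    return hardened ? copy_single_fetch(&dev, buf, sizeof buf)
                    : copy_double_fetch(&dev, buf, sizeof buf);
}

int main(void)
{
    printf("benign device:    double-fetch=%d single-fetch=%d\n",
           run_scenario(0, 0), run_scenario(0, 1));
    printf("malicious device: double-fetch=%d single-fetch=%d\n",
           run_scenario(1, 0), run_scenario(1, 1));
    return 0;
}
```

With a well-behaved device both paths copy 8 bytes. With the malicious device the double-fetch path passes its check on the first read, then reads 0x40000000 and would copy far past the 16-byte buffer; the single-fetch path copies the same 8 bytes it validated. The static pattern the paper looks for corresponds to the two mmio_read32(dev, REG_LEN) calls inside copy_double_fetch: two reads of the same I/O address in one function where the first guards the second.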
The work is supported by the National Key Research and Development Program of China under Grant No. 2016YFB0200401.
Corresponding Author: Peng-Fei Wang
About author: Kai Lu received his B.S. degree and Ph.D. degree in 1995 and 1999, respectively, both in computer science and technology, from the College of Computer, National University of Defense Technology, Changsha. He is now a professor in the College of Computer, National University of Defense Technology, Changsha. His research interests include operating systems, parallel computing, and security.
Cite this article:
Kai Lu, Peng-Fei Wang, Gen Li, Xu Zhou. Untrusted Hardware Causes Double-fetch Problems in the I/O Memory [J]. Journal of Computer Science and Technology, 2018, 33(3): 587-602
Copyright 2010 by Journal of Computer Science and Technology