Journal of Computer Science and Technology, 2021, Vol. 36, Issue (6): 1248-1268. doi: 10.1007/s11390-021-1593-4

Special Issue: Software Systems

• Special Section on Software Systems 2021-Theme: Dependable Software Engineering

MEBS: Uncovering Memory Life-Cycle Bugs in Operating System Kernels

Gen Zhang, Peng-Fei Wang, Tai Yue, Xu Zhou, and Kai Lu, Member, CCF        

  1. College of Computer, National University of Defense Technology, Changsha 410073, China
  • Received: 2021-05-18; Revised: 2021-08-25; Online: 2021-11-30; Published: 2021-12-01
  • Supported by:
    This work is supported by the National High-Level Personnel for Defense Technology Program of China under Grant No. 2017-JCJQ-ZQ-013, the National Natural Science Foundation of China under Grant Nos. 61902405 and 61902412, the Natural Science Foundation of Hunan Province of China under Grant No. 2021JJ40692, the Parallel and Distributed Processing Research Foundation under Grant No. 6142110190404, and the Research Project of National University of Defense Technology under Grant Nos. ZK20-09 and ZK20-17.

Allocation, dereferencing, and freeing of memory data in kernels are coherently linked. There are many real cases in which the correctness of kernel memory is compromised, and this incorrectness brings about significant security issues, e.g., information leaks. Although memory allocation, dereferencing, and freeing are closely related, previous work failed to recognize this relationship. In this paper, we study the life-cycle of kernel memory, which consists of allocation, dereferencing, and freeing. Errors in these stages are called memory life-cycle (MLC) bugs. We present an in-depth study of MLC bugs and implement a memory life-cycle bug sanitizer (MEBS) for MLC bug detection. Utilizing an interprocedural global call graph and novel identification approaches, MEBS can reveal memory allocation, dereferencing, and freeing sites in kernels. By constructing a modified define-use chain and examining the errors in the life-cycle, MEBS can identify MLC bugs. Moreover, the experimental results on the latest kernels demonstrate that MEBS can effectively detect MLC bugs and can be scaled to different kernels. More than 100 new bugs are exposed in Linux and FreeBSD, and 12 common vulnerabilities and exposures (CVE) are assigned.

Key words: software security; operating system; memory life-cycle; static analysis; vulnerability detection


ISSN 1000-9000 (Print), 1860-4749 (Online)
CN 11-2296/TP
