Journal of Computer Science and Technology, 2021, Vol. 36, Issue 6: 1325-1341. DOI: 10.1007/s11390-021-1666-4

Special Issue: Software Systems

Special Section on Software Systems 2021. Theme: Dependable Software Engineering

AMCheX: Accurate Analysis of Missing-Check Bugs for Linux Kernel

Ying-Jie Wang, Liang-Ze Yin, Member, CCF, and Wei Dong*, Member, CCF

  1. Key Laboratory of Software Engineering for Complex Systems, College of Computer Science, National University of Defense Technology, Changsha 410073, China
  • Received: 2021-06-01; Revised: 2021-09-30; Online: 2021-11-30; Published: 2021-12-01
  • Contact: Wei Dong, E-mail: wdong@nudt.edu.cn
  • Supported by:
    This work was supported by the National Natural Science Foundation of China under Grant Nos. 61802415, 62032019 and 62032024.

The Linux kernel adopts a large number of security checks to prevent security-sensitive operations from being executed under unsafe conditions. If a security-sensitive operation is left unchecked, a missing-check bug arises. Missing-check bugs are a severe class of bugs in software, and especially in operating system kernels, where they can lead to out-of-bounds accesses, permission bypasses and privilege escalations. Because the kernel has no explicit security specifications, automatically identifying security-sensitive operations and the security checks they require is the central challenge of missing-check analysis. In this paper, we present an accurate missing-check analysis method for the Linux kernel that infers possible security-sensitive operations automatically. We first identify all possible security check functions in Linux. Then, starting from their callsites, a two-direction analysis identifies possible security-sensitive operations. A missing-check bug is reported when a security-sensitive operation is not protected by its corresponding security check. We have implemented our method as a tool named AMCheX on top of the LLVM framework and evaluated it on the Linux kernel. AMCheX reported 12 new missing-check bugs that can cause security issues; five of them have been confirmed by Linux maintainers.

Key words: security check function; security-sensitive operation; program analysis; missing-check
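The three steps described in the abstract (identify security check functions, find the security-sensitive operations those checks guard, then flag unguarded uses) worked through in C as an added example. This is not AMCheX's code or the authors' implementation: it runs over a constructed toy IR of straight-line statements rather than LLVM IR, uses the common heuristic that a check function is one whose return value feeds an error-returning branch, and stays intraprocedural. The handler names ioctl_set_slot, ioctl_hash_slot and ioctl_reset_slot and the callees slot_in_range, write_slot, hash_index and log_slot are invented for the sample. The forward pass pairs write_slot with slot_in_range because the check guards it in ioctl_set_slot; the backward pass then reports ioctl_reset_slot, which calls write_slot on idx with no check at all, while hash_index is correctly not mistaken for a check because its result is never tested.

```c
#include <stdio.h>
#include <string.h>

/* Toy straight-line IR constructed for this example (not AMCheX's representation).
   ST_CALL: var = callee(arg)   ST_ERRBRANCH: if (var) return -E...;   ST_OP: callee(arg) */
typedef enum { ST_CALL, ST_ERRBRANCH, ST_OP } StmtKind;
typedef struct { StmtKind kind; const char *callee, *arg, *var; } Stmt;
typedef struct { const char *name; const Stmt *stmts; int n; } Func;
#define MAX 16
static const char *check_fns[MAX];               /* step 1: security check functions */
static const char *sens_op[MAX], *sens_chk[MAX]; /* step 2: (sensitive op, required check) */
static int n_check, n_sens;
static int in_set(const char **set, int n, const char *s) {
    for (int i = 0; i < n; i++) if (!strcmp(set[i], s)) return 1;
    return 0;
}
/* Step 1: a callee is treated as a security check function when its return value
   is later tested by a branch that bails out with an error (the usual heuristic). */
static void find_check_fns(const Func *fs, int nf) {
    for (int f = 0; f < nf; f++)
        for (int i = 0; i < fs[f].n; i++) {
            const Stmt *c = &fs[f].stmts[i];
            if (c->kind != ST_CALL) continue;
            for (int j = i + 1; j < fs[f].n; j++)
                if (fs[f].stmts[j].kind == ST_ERRBRANCH && !strcmp(fs[f].stmts[j].var, c->var)
                    && !in_set(check_fns, n_check, c->callee) && n_check < MAX)
                    check_fns[n_check++] = c->callee;
        }
}
/* Step 2 (forward direction): from each check callsite, an operation that runs after the
   error branch and consumes the checked argument is security-sensitive and is paired with
   that check (one check per operation name, to keep the example short). */
static void find_sensitive_ops(const Func *fs, int nf) {
    for (int f = 0; f < nf; f++)
        for (int i = 0; i < fs[f].n; i++) {
            const Stmt *c = &fs[f].stmts[i];
            if (c->kind != ST_CALL || !in_set(check_fns, n_check, c->callee)) continue;
            int guarded = 0;
            for (int j = i + 1; j < fs[f].n; j++) {
                const Stmt *s = &fs[f].stmts[j];
                if (s->kind == ST_ERRBRANCH && !strcmp(s->var, c->var)) guarded = 1;
                else if (guarded && s->kind == ST_OP && !strcmp(s->arg, c->arg)
                         && !in_set(sens_op, n_sens, s->callee) && n_sens < MAX) {
                    sens_op[n_sens] = s->callee; sens_chk[n_sens++] = c->callee;
                }
            }
        }
}
/* Step 3 (backward direction): is the operation at op_idx preceded by a call to chk
   on the same argument whose result is tested before the operation executes? */
static int guarded_before(const Func *f, int op_idx, const char *chk) {
    const Stmt *op = &f->stmts[op_idx];
    for (int i = op_idx - 1; i >= 0; i--) {
        const Stmt *c = &f->stmts[i];
        if (c->kind != ST_CALL || strcmp(c->callee, chk) || strcmp(c->arg, op->arg)) continue;
        for (int j = i + 1; j < op_idx; j++)
            if (f->stmts[j].kind == ST_ERRBRANCH && !strcmp(f->stmts[j].var, c->var)) return 1;
    }
    return 0;
}
/* Report every sensitive operation not protected by its check; returns the bug count
   and stores the names of the offending functions in out (up to max entries). */
static int report_missing_checks(const Func *fs, int nf, const char **out, int max) {
    int nbugs = 0;
    for (int f = 0; f < nf; f++)
        for (int i = 0; i < fs[f].n; i++) {
            const Stmt *s = &fs[f].stmts[i];
            if (s->kind != ST_OP) continue;
            for (int k = 0; k < n_sens; k++)
                if (!strcmp(s->callee, sens_op[k]) && !guarded_before(&fs[f], i, sens_chk[k])) {
                    printf("missing check: %s(%s) in %s() lacks %s()\n", s->callee, s->arg, fs[f].name, sens_chk[k]);
                    if (nbugs < max) out[nbugs] = fs[f].name;
                    nbugs++;
                }
        }
    return nbugs;
}
/* Constructed sample: three hypothetical ioctl handlers encoded in the toy IR. */
static const Stmt set_slot[] = {   /* err = slot_in_range(idx); if (err) return -EINVAL; write_slot(idx); */
    { ST_CALL, "slot_in_range", "idx", "err" }, { ST_ERRBRANCH, NULL, NULL, "err" }, { ST_OP, "write_slot", "idx", NULL } };
static const Stmt hash_slot[] = {  /* h = hash_index(idx); log_slot(h);  h is never tested, so not a check */
    { ST_CALL, "hash_index", "idx", "h" }, { ST_OP, "log_slot", "h", NULL } };
static const Stmt reset_slot[] = { /* write_slot(idx); with no range check at all */
    { ST_OP, "write_slot", "idx", NULL } };
static const Func sample[] = { { "ioctl_set_slot", set_slot, 3 },
                               { "ioctl_hash_slot", hash_slot, 2 }, { "ioctl_reset_slot", reset_slot, 1 } };
/* Run the three steps over the sample; returns the number of reported bugs. */
int analyze_sample(const char **out, int max) {
    n_check = n_sens = 0;
    find_check_fns(sample, 3);
    find_sensitive_ops(sample, 3);
    return report_missing_checks(sample, 3, out, max);
}
int main(void) {
    const char *bugs[MAX];
    printf("%d missing-check bug(s) found\n", analyze_sample(bugs, MAX));
    return 0;
}
```

Compile with `cc -std=c99 toy_amchex.c` and run; the sample prints a single report for ioctl_reset_slot. Real kernel code needs a control-flow graph and dominance instead of statement order, plus interprocedural propagation of both checks and operations, which is the setting in which the paper applies its method to LLVM IR.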

ISSN 1000-9000 (Print), 1860-4749 (Online)
CN 11-2296/TP

Journal of Computer Science and Technology
Institute of Computing Technology, Chinese Academy of Sciences
P.O. Box 2704, Beijing 100190 P.R. China
Tel.:86-10-62610746
E-mail: jcst@ict.ac.cn