UBITect: a precise and scalable method to detect use-before-initialization bugs in Linux kernel

Use-before-Initialization (UBI) bugs in the Linux kernel have serious security impacts, such as information leakage and privilege escalation. Developers are adopting forced initialization to cope with UBI bugs, but this approach can still lead to undefined behaviors (e.g., NULL pointer dereference). As it is hard to infer correct initialization values, we believe that the best way to mitigate UBI bugs is detection and manual patching. Precise detection of UBI bugs requires path-sensitive analysis: the detector needs to track a variable's initialization status along all possible execution paths from its declaration to each of its uses. However, such exhaustive analysis prevents the detection from scaling to the whole Linux kernel. This paper presents UBITect, a UBI bug finding tool that combines flow-sensitive type qualifier analysis and symbolic execution to perform precise and scalable UBI bug detection. The scalable qualifier analysis guides symbolic execution to the variables that are likely to cause UBI bugs. UBITect also requires no manual annotation effort, so it can be applied directly to the kernel without any change to the source code or intermediate representation (IR). On Linux kernel version 4.14, UBITect reported 190 bugs, of which we deemed 78 true positives and 52 were confirmed by Linux maintainers.
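The flow-sensitive qualifier stage the abstract describes, as an added Python sketch that is not UBITect's own code: each local variable carries an initialization qualifier ("init", "uninit", or their join "maybe"), the qualifier is merged at control-flow joins rather than tracked per path, and every use not proven "init" is reported as a candidate for the path-sensitive symbolic-execution stage to confirm or discard. The CFG encoding, the statement forms and the `get_value(&v)` pattern are constructed for illustration.

```python
# Per-variable initialization qualifier: "init", "uninit", or their join "maybe"
# (initialized on some incoming paths but not all).
def join(a, b):
    return a if a == b else "maybe"

def transfer(state, stmts, reports=None, block=""):
    """Apply ("def", var) / ("use", var) statements in order; when `reports` is
    given, record every use whose variable is not proven initialized."""
    state = dict(state)
    for op, var in stmts:
        if op == "def":
            state[var] = "init"
        elif reports is not None and state[var] != "init":
            reports.append((block, var, state[var]))
    return state

def analyze(cfg, entry, variables):
    """Forward, flow-sensitive, path-insensitive may-uninitialized analysis over
    cfg = {block: (statements, successors)}, iterated to a fixpoint. Returns
    (block, var, status) for each use the analysis cannot prove safe."""
    inn = {entry: {v: "uninit" for v in variables}}   # state at block entry
    worklist = [entry]
    while worklist:
        b = worklist.pop(0)
        out = transfer(inn[b], cfg[b][0])
        for s in cfg[b][1]:
            new = out if s not in inn else {v: join(inn[s][v], out[v]) for v in variables}
            if new != inn.get(s):
                inn[s] = new
                worklist.append(s)
    reports = []
    for b, (stmts, _) in cfg.items():
        if b in inn:                     # skip blocks never reached from entry
            transfer(inn[b], stmts, reports, b)
    return reports

# Constructed CFG for a kernel-style pattern: get_value(&v) initializes v only
# on its success path ("ok"), yet the caller uses v after the branches merge.
LEAKY = {
    "entry": ([], ["ok", "fail"]),
    "ok":    ([("def", "v")], ["join"]),
    "fail":  ([], ["join"]),
    "join":  ([("use", "v")], []),
}
# After the fix, the failure path returns (no successors) before the use.
FIXED = {
    "entry": ([], ["ok", "fail"]),
    "ok":    ([("def", "v")], ["join"]),
    "fail":  ([], []),
    "join":  ([("use", "v")], []),
}
```

`analyze(LEAKY, "entry", ["v"])` reports the use in `join` as "maybe", which is exactly the over-approximate verdict that the symbolic-execution stage would then refine path by path; `FIXED` produces no report.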
