Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences

Missing a security check is a class of semantic bugs in software programs where erroneous execution states are not validated. Missing-check bugs are particularly common in OS kernels because kernels frequently interact with untrusted user space and hardware, and carry out error-prone computation. Missing-check bugs may cause a variety of critical security consequences, including permission bypasses, out-of-bound accesses, and system crashes. Although missing-check bugs are common and critical, only a few research works have attempted to detect them, arguably because of the inherent challenges in the detection: whether a variable requires a security check depends on its semantics, its contexts, and developer logic, and understanding these is a hard problem. In this paper, we present CRIX, a system for detecting missing-check bugs in OS kernels. CRIX can scalably and precisely evaluate whether any security checks are missing for critical variables, using an inter-procedural, semantic- and context-aware analysis. In particular, CRIX models and cross-checks the semantics of the conditional statements in the peer slices of critical variables to infer their criticalness, which allows CRIX to effectively detect missing-check bugs. Evaluation results show that CRIX finds missing-check bugs with reasonably low false-report rates. Using CRIX, we have found 278 new missing-check bugs in the Linux kernel that can cause security issues. We submitted patches for all of these bugs; Linux maintainers have accepted 151 of them. These promising results show that missing-check bugs are a common occurrence, and that CRIX is effective and scalable in detecting missing-check bugs in OS kernels.
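As an added illustration of the peer-slice cross-checking idea described above (example code written for this page, not CRIX's implementation), the following Python toy takes constructed peer slices of a callee's return value, models each conditional on that value as a canonical check class, and infers a check as critical when most peers apply it, reporting the peers that omit it. The simplified statement format, the two check classes and the 0.6 majority threshold are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed peer slices (not real kernel code): (caller, statements after the critical
# call). Statements are simplified to the forms "v = fn(...)", "if (cond)", "use(v)".
PEER_SLICES = [
    ("drv_a_probe", ["buf = kmalloc(sz)", "if (!buf)", "return -ENOMEM", "use(buf)"]),
    ("drv_b_probe", ["p = kmalloc(n)", "if (p == NULL)", "return -ENOMEM", "use(p)"]),
    ("drv_c_init", ["m = kmalloc(len)", "if (m == NULL)", "goto err", "use(m)"]),
    ("drv_d_open", ["d = kmalloc(4)", "use(d)"]),  # deliberately lacks the check
    ("fs_read", ["n = copy_from_user(dst, src, len)", "if (n)", "return -EFAULT"]),
    ("fs_write", ["r = copy_from_user(dst, src, len)", "if (r != 0)", "return -EFAULT"]),
    ("fs_ioctl", ["k = copy_from_user(dst, src, len)", "use(k)"]),  # lacks the check
]
CALL_RE = re.compile(r"^(\w+)\s*=\s*(\w+)\(")
IF_RE = re.compile(r"^if\s*\((.*)\)$")

def check_kind(cond, var):
    """Model the semantics of a conditional on `var` as a canonical check class."""
    c = cond.replace(" ", "")
    if c in (var, f"!{var}", f"{var}==NULL", f"{var}!=NULL", f"{var}==0", f"{var}!=0"):
        return "zero-test"        # NULL / error-return test
    if re.search(rf"\b{var}\b\s*(<=|>=|<|>)", cond):
        return "bound-check"      # range / size validation
    return None                   # condition does not constrain `var`

def slice_checks(stmts):
    """Return (callee, set of check classes applied to its returned value)."""
    var, callee = CALL_RE.match(stmts[0]).groups()
    conds = [m.group(1) for m in map(IF_RE.match, stmts[1:]) if m]
    return callee, {check_kind(c, var) for c in conds} - {None}

def infer_missing_checks(slices, threshold=0.6):
    """Cross-check peers: a check class applied in >= threshold of a callee's
    peer slices is inferred critical; peers that omit it are reported."""
    by_callee = defaultdict(list)
    for caller, stmts in slices:
        callee, kinds = slice_checks(stmts)
        by_callee[callee].append((caller, kinds))
    reports = []
    for callee, peers in by_callee.items():
        votes = Counter(k for _, kinds in peers for k in kinds)
        critical = {k for k, n in votes.items() if n / len(peers) >= threshold}
        for caller, kinds in peers:
            reports += [(caller, callee, k) for k in sorted(critical - kinds)]
    return sorted(reports)

if __name__ == "__main__":
    for caller, callee, kind in infer_missing_checks(PEER_SLICES):
        print(f"{caller}: return value of {callee}() used without {kind}")
```

Real kernel code has many more conditional forms (error-pointer tests, masks, range checks on derived values), which is why CRIX models conditional semantics inter-procedurally rather than by string matching as this toy does.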
