K-Miner: Uncovering Memory Corruption in Linux

Operating system kernels are appealing attack targets: compromising the kernel usually allows attackers to bypass all deployed security mechanisms and take control over the entire system. Commodity kernels, like Linux, are written in low-level programming languages that offer only limited type and memory-safety guarantees, enabling adversaries to launch sophisticated run-time attacks against the kernel by exploiting memory-corruption vulnerabilities. Many defenses have been proposed to protect operating systems at run time, such as control-flow integrity (CFI). However, the goal of these run-time monitors is to prevent exploitation as a symptom of memory corruption, rather than eliminating the underlying root cause, i.e., bugs in the kernel code. While finding bugs can be automated, e.g., using static analysis, all existing approaches are limited to local, intra-procedural checks, and face severe scalability challenges due to the large kernel code base. Consequently, there currently exist no tools for conducting global static analysis of operating system kernels. In this paper, we present K-Miner, a new framework to efficiently analyze large, commodity operating system kernels like Linux. Our novel approach exploits the highly standardized interface structure of the kernel code to enable scalable pointer analysis and conduct global, context-sensitive analysis. Through our inter-procedural analysis we show that K-Miner systematically and reliably uncovers several different classes of memory-corruption vulnerabilities, such as dangling pointers, user-after-free, double-free, and double-lock vulnerabilities. We thoroughly evaluate our extensible analysis framework, which leverages the popular and widely used LLVM compiler suite, for the current Linux kernel and demonstrate its effectiveness by reporting several memory-corruption vulnerabilities.

[1]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[2]  Jean-Pierre Seifert,et al.  Towards Vulnerability Discovery Using Staged Program Analysis , 2015, DIMVA.

[3]  Jeffrey D. Ullman,et al.  Monotone data flow analysis frameworks , 1977, Acta Informatica.

[4]  Gerwin Klein,et al.  Operating system verification—An overview , 2009 .

[5]  Erik van der Kouwe,et al.  TypeSan: Practical Type Confusion Detection , 2016, CCS.

[6]  Patrick Cousot,et al.  The ASTREÉ Analyzer , 2005, ESOP.

[7]  Mayur Naik,et al.  APISan: Sanitizing API Usages through Semantic Cross-Checking , 2016, USENIX Security Symposium.

[8]  Ahmad-Reza Sadeghi,et al.  PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables , 2017, NDSS.

[9]  Will Dietz,et al.  Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation , 2015, ASPLOS.

[10]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[11]  Patrick Cousot,et al.  The ASTR ´ EE Analyzer , 2005 .

[12]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[13]  Peng Ning,et al.  SKEE: A lightweight Secure Kernel-level Execution Environment for ARM , 2016, NDSS.

[14]  Greg Kroah-Hartman Signed kernel modules , 2004 .

[15]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[16]  Ben Hardekopf,et al.  Flow-sensitive pointer analysis for millions of lines of code , 2011, International Symposium on Code Generation and Optimization (CGO 2011).

[17]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[18]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[19]  Peng Liu,et al.  CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump , 2016, CCS.

[20]  Mark N. Wegman,et al.  An efficient method of computing static single assignment form , 1989, POPL '89.

[21]  Calvin Lin,et al.  Efficient Flow-Sensitive Interprocedural Data-Flow Analysis in the Presence of Pointers , 2006, CC.

[22]  Frederic T. Chong,et al.  Crafting a usable microkernel, processor, and I/O system with strict and provable information flow security , 2011, 2011 38th Annual International Symposium on Computer Architecture (ISCA).

[23]  Amitabha Sanyal,et al.  Data Flow Analysis - Theory and Practice , 2009 .

[24]  Laurie Hendren,et al.  Soot: a Java bytecode optimization framework , 2010, CASCON.

[25]  Jingling Xue,et al.  SVF: interprocedural static value-flow analysis in LLVM , 2016, CC.

[26]  Thorsten Bormer,et al.  Verifying the PikeOS Microkernel: First Results in the Verisoft XT Avionics Project , 2009 .

[27]  Wenke Lee,et al.  Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying , 2017, NDSS.

[28]  Xi Wang,et al.  Linux kernel vulnerabilities: state-of-the-art defenses and open problems , 2011, APSys.

[29]  William R. Harris,et al.  Enforcing Kernel Security Invariants with Data Flow Integrity. , 2016, NDSS 2016.

[30]  Julia L. Lawall,et al.  Documenting and automating collateral evolutions in linux device drivers , 2008, Eurosys '08.

[31]  Thomas Leich,et al.  TypeChef: toward type checking #ifdef variability in C , 2010, FOSD '10.

[32]  Fabian Yamaguchi,et al.  Pattern-Based Vulnerability Discovery , 2015 .

[33]  Hai Huang,et al.  Kernel Data Attack Is a Realistic Security Threat , 2015, SecureComm.

[34]  J. Doug Tygar,et al.  Adversarial machine learning , 2019, AISec '11.

[35]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[36]  Juanru Li,et al.  From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel , 2015, CCS.

[37]  Felix C. Freiling,et al.  Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms , 2009, USENIX Security Symposium.

[38]  Ahmad-Reza Sadeghi,et al.  CAn't Touch This: Practical and Generic Software-only Defenses Against Rowhammer Attacks , 2016, ArXiv.

[39]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[40]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[41]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[42]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[43]  Michael Hind,et al.  Pointer analysis: haven't we solved this problem yet? , 2001, PASTE '01.

[44]  Flemming Nielson,et al.  Principles of Program Analysis , 1999, Springer Berlin Heidelberg.

[45]  Gynvael Coldwind,et al.  Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns , 2013 .

[46]  Robert A. Martin,et al.  Vulnerability Type Distributions in CVE , 2007 .

[47]  Iago Abal,et al.  Effective Bug Finding in C Programs with Shape and Effect Abstractions , 2017, VMCAI.

[48]  Angelos D. Keromytis,et al.  ret2dir: Rethinking Kernel Isolation , 2014, USENIX Security Symposium.

[49]  Trent Jaeger,et al.  Fine-Grained Control-Flow Integrity for Kernel Software , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).