Detecting Missed Security Operations Through Differential Checking of Object-based Similar Paths

Missing a security operation such as a bound check has been a major cause of security-critical bugs. Automatically checking whether code in a large program misses a security operation is challenging, since the checker has to determine whether the operation is actually necessary in that context. Recent methods typically employ cross-checking: they collect functionally similar program slices, infer the expected security operations by majority voting, and report deviations as security bugs. An inherent limitation of such approaches is that they rely on a substantial number of similar code pieces to enable cross-checking. In practice, many code pieces are unique, so adequate similar code snippets may not exist. In this paper, we present IPPO (Inconsistent Path Pairs as a bug Oracle), a static analysis framework for detecting security bugs based on differential checking. IPPO defines several novel rules to identify code paths that share similar semantics with respect to an object, and collects them as similar-path pairs. It then examines each path pair for inconsistent security operations with respect to that object: if one path enforces a security operation while the other does not, IPPO reports a potential security bug. By using object-based path-similarity analysis, IPPO achieves higher precision than conventional code-similarity analysis methods. Through differential checking of a single similar-path pair, IPPO eliminates the requirement of constructing a large number of similar code pieces, addressing the limitation of traditional cross-checking approaches. We implemented IPPO and extensively evaluated it on four widely used open-source programs: the Linux kernel, the OpenSSL library, the FreeBSD kernel, and PHP. IPPO found 154, 5, 1, and 1 new security bugs in these systems, respectively. We have submitted patches for all these bugs, and 136 of them have been accepted by the corresponding maintainers. The results confirm the effectiveness and usefulness of IPPO in practice.
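The differential check the abstract describes, as an added toy example that is not IPPO's code, rules or implementation: two paths of a constructed function both index a table with the same object `idx`, one guarded by a bound check and one not, so the pair is inconsistent and is reported without any majority vote over other code. The path representation, the operation vocabulary, the similarity rule (same sequence of critical operations on the object) and the C-like snippet are all assumptions made for illustration.

```python
# Toy differential checker over object-based similar-path pairs.
# Illustrative re-implementation of the idea only: this is NOT IPPO's code, and the
# operation vocabulary, path representation, similarity rule and C snippet below are
# assumptions made for the example.
from dataclasses import dataclass
from itertools import combinations

# Operations that protect an object before it is used in a critical way (assumed set).
SECURITY_OPS = frozenset({"bound_check", "null_check", "lock", "permission_check"})
# Critical uses of an object that a security operation is expected to guard (assumed set).
CRITICAL_OPS = frozenset({"index", "deref", "free", "write"})

# Constructed C-like code the paths below are extracted from (not real kernel code):
#
#   int handle(struct dev *d, struct req *r, int idx, int fast)
#   {
#       if (r == NULL)                          /* null_check(r) */
#           return -EINVAL;
#       if (fast) {
#           d->table[idx] = r->val;             /* index(idx), deref(r): no bound check */
#       } else {
#           if (idx < 0 || idx >= d->nr)        /* bound_check(idx) */
#               return -EINVAL;
#           d->table[idx] = r->val;             /* index(idx), deref(r) */
#       }
#       return 0;
#   }
#
#   void release(struct req *r) { kfree(r); }  /* free(r), no null check */


@dataclass(frozen=True)
class Op:
    kind: str  # a member of SECURITY_OPS or CRITICAL_OPS
    obj: str   # the object the operation acts on


@dataclass(frozen=True)
class Path:
    name: str
    ops: tuple  # sequence of Op along this path


FAST_PATH = Path("fast_path", (Op("null_check", "r"), Op("index", "idx"), Op("deref", "r")))
SLOW_PATH = Path("slow_path", (Op("null_check", "r"), Op("bound_check", "idx"),
                               Op("index", "idx"), Op("deref", "r")))
CLEANUP_PATH = Path("cleanup_path", (Op("free", "r"),))
PATHS = (FAST_PATH, SLOW_PATH, CLEANUP_PATH)


def critical_uses(path, obj):
    """Sequence of critical operations the path performs on obj."""
    return tuple(op.kind for op in path.ops if op.obj == obj and op.kind in CRITICAL_OPS)


def security_ops(path, obj):
    """Set of security operations the path applies to obj."""
    return frozenset(op.kind for op in path.ops if op.obj == obj and op.kind in SECURITY_OPS)


def similar_pairs(paths, obj):
    """Assumed similarity rule: two paths form a similar-path pair with respect to obj
    when they perform the same non-empty sequence of critical operations on it.
    Paths that use obj differently (e.g. free vs. deref) are never compared."""
    for a, b in combinations(paths, 2):
        uses = critical_uses(a, obj)
        if uses and uses == critical_uses(b, obj):
            yield a, b


def find_missing_ops(paths, obj):
    """Differential check: for every similar pair whose security operations on obj
    differ, return (path_missing_the_op, path_enforcing_it, missing_ops).
    A single inconsistent pair is enough to report, so no majority vote over many
    similar code pieces is required."""
    reports = []
    for a, b in similar_pairs(paths, obj):
        sa, sb = security_ops(a, obj), security_ops(b, obj)
        if sb - sa:
            reports.append((a.name, b.name, sb - sa))
        if sa - sb:
            reports.append((b.name, a.name, sa - sb))
    return reports


if __name__ == "__main__":
    for target in ("idx", "r"):
        for missing, enforcing, ops in find_missing_ops(PATHS, target):
            print(f"{target}: {missing} lacks {sorted(ops)} that {enforcing} enforces")
```

Running it reports only that `fast_path` lacks the `bound_check` on `idx` that `slow_path` enforces. The cleanup path frees `r` without a null check but is not reported: it performs a different critical operation on `r` than the two `handle` paths, so under the object-based similarity rule it never forms a pair with them. That filtering is where the precision gain over plain code-similarity matching comes from, and it is also the part a real implementation must get right, since an over-broad similarity rule reintroduces false positives and an over-narrow one loses pairs.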
