Verifying the Safety of User Pointer Dereferences

Operating systems divide virtual memory addresses into kernel space and user space. The interface of a modern operating system consists of a set of system call procedures that may take pointer arguments called user pointers. It is safe to dereference a user pointer if and only if it points into user space. If the operating system dereferences a user pointer that does not point into user space, then a malicious user application could gain control of the operating system, reveal sensitive data from kernel space, or crash the machine. Because the operating system cannot trust user processes, the operating system must check that the user pointer points to user space before dereferencing it. In this paper, we present a scalable and precise static analysis capable of verifying the absence of unchecked user pointer dereferences. We evaluate an implementation of our analysis on the entire Linux operating system with over 6.2 million lines of code with false alarms reported on only 0.05% of dereference sites.

[1]  Zhe Yang,et al.  Software validation via scalable path-sensitive value flow analysis , 2004, ISSTA '04.

[2]  Dawson R. Engler,et al.  A system and language for building system-specific, static analyses , 2002, PLDI '02.

[3]  Patrick Cousot,et al.  Design and Implementation of a Special-Purpose Static Program Analyzer for Safety-Critical Real-Time Embedded Software , 2002, The Essence of Computation.

[4]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[5]  Eran Yahav,et al.  Effective typestate verification in the presence of aliasing , 2006, TSEM.

[6]  Sorin Lerner,et al.  ESP: path-sensitive program verification in polynomial time , 2002, PLDI '02.

[7]  Isil Dillig,et al.  An overview of the saturn project , 2007, PASTE '07.

[8]  Alexander Aiken,et al.  How is aliasing used in systems software? , 2006, SIGSOFT '06/FSE-14.

[9]  David A. Wagner,et al.  Finding User/Kernel Pointer Bugs with Type Inference , 2004, USENIX Security Symposium.

[10]  Alexander Aiken,et al.  Scalable error detection using boolean satisfiability , 2005, POPL '05.

[11]  Isil Dillig,et al.  Static error detection using semantic inconsistency inference , 2007, PLDI '07.

[12]  Robert E. Strom,et al.  Typestate: A programming language concept for enhancing software reliability , 1986, IEEE Transactions on Software Engineering.

[13]  Junfeng Yang,et al.  MECA: an extensible, expressive system and language for statically checking security properties , 2003, CCS '03.

[14]  Sriram K. Rajamani,et al.  The SLAM project: debugging system software via static analysis , 2002, POPL '02.

[15]  Alexander Aiken,et al.  A theory of type qualifiers , 1999, PLDI '99.