Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers

In Linux device drivers, use-after-free (UAF) bugs can cause system crashes and serious security problems. According to our study of Linux kernel commits, 42% of the driver commits that fix use-after-free bugs involve driver concurrency; we refer to these as concurrency use-after-free bugs. Because concurrent execution is non-deterministic, concurrency use-after-free bugs are often harder to reproduce and detect than sequential use-after-free bugs. In this paper, we propose DCUAF, a practical static analysis approach that effectively detects concurrency use-after-free bugs in Linux device drivers. DCUAF combines a local analysis of each driver's source code with a global analysis that statistically examines the local results of all drivers (a local-global analysis) to extract the pairs of driver interface functions that may execute concurrently. Using these pairs, DCUAF then performs a summary-based lockset analysis to detect concurrency use-after-free bugs. We evaluated DCUAF on the driver code of Linux 4.19 and found 640 real concurrency use-after-free bugs. We randomly selected 130 of these bugs and reported them to the Linux kernel developers; 95 have been confirmed.
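To make the second phase concrete, the following C program is an added example, not DCUAF's own code and a deliberate simplification of it. It runs a summary-based lockset check over hand-written summaries of a constructed driver: a `remove()` callback that frees `dev->priv` (in an unlocked and a locked variant), an interrupt handler that reads it under `dev->lock`, and a timer callback that reads it with no lock held. The table of concurrent pairs is given by hand and stands in for the local-global analysis phase; the callback names, the lock and the accesses are all assumptions made for the illustration. A free and a use of the same object in two concurrently executable functions are reported when their locksets share no lock, since nothing then orders the use before the free.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not DCUAF's code): a toy summary-based lockset check over
 * hand-written summaries of a constructed driver. The concurrency pairs are
 * a fixed table here, standing in for the local-global analysis phase. */

enum access_kind { ACC_USE, ACC_FREE };

/* Locks are bits, so a lockset is a single bitmask. */
enum { LOCK_DEV = 1u << 0 };

/* One access recorded in a function summary. */
struct access {
    enum access_kind kind;
    const char *object;   /* abstract name of the accessed object */
    unsigned held;        /* lockset held at the access */
};

struct fn_summary {
    const char *name;
    const struct access *acc;
    int n;
};

/* Constructed driver callbacks: remove() frees dev->priv, an IRQ handler and
 * a timer callback dereference it. Only the locksets differ between them. */
static const struct access acc_remove_unlocked[] = {
    { ACC_FREE, "dev->priv", 0 },          /* kfree(dev->priv), no lock held */
};
static const struct access acc_remove_locked[] = {
    { ACC_FREE, "dev->priv", LOCK_DEV },   /* kfree(dev->priv) under dev->lock */
};
static const struct access acc_irq_handler[] = {
    { ACC_USE, "dev->priv", LOCK_DEV },    /* dev->priv->regs read under dev->lock */
};
static const struct access acc_timer_fn[] = {
    { ACC_USE, "dev->priv", 0 },           /* dev->priv->count read, no lock held */
};

static const struct fn_summary F_REMOVE_UNLOCKED = { "remove_unlocked", acc_remove_unlocked, 1 };
static const struct fn_summary F_REMOVE_LOCKED   = { "remove_locked",   acc_remove_locked,   1 };
static const struct fn_summary F_IRQ_HANDLER     = { "irq_handler",     acc_irq_handler,     1 };
static const struct fn_summary F_TIMER_FN        = { "timer_fn",        acc_timer_fn,        1 };

struct report { const char *freer, *user, *object; };

/* For every FREE in a and USE in b of the same object, report a candidate
 * concurrency UAF when the two locksets share no lock. Returns the number of
 * candidates found; at most max of them are written to out. */
int check_pair(const struct fn_summary *a, const struct fn_summary *b,
               struct report *out, int max)
{
    int found = 0;
    for (int i = 0; i < a->n; i++) {
        if (a->acc[i].kind != ACC_FREE)
            continue;
        for (int j = 0; j < b->n; j++) {
            if (b->acc[j].kind != ACC_USE ||
                strcmp(a->acc[i].object, b->acc[j].object) != 0)
                continue;
            if (a->acc[i].held & b->acc[j].held)
                continue;   /* a common lock serializes the free and the use */
            if (found < max)
                out[found] = (struct report){ a->name, b->name, a->acc[i].object };
            found++;
        }
    }
    return found;
}

/* Either function of a concurrent pair may be the one that frees, so the
 * pair is checked in both directions. out must have room for max entries. */
int check_concurrent(const struct fn_summary *a, const struct fn_summary *b,
                     struct report *out, int max)
{
    int n = check_pair(a, b, out, max);
    int used = n < max ? n : max;
    return n + check_pair(b, a, out + used, max - used);
}

/* Concurrent pairs (constructed), standing in for the local-global phase. */
static const struct fn_summary *const PAIRS[][2] = {
    { &F_REMOVE_UNLOCKED, &F_IRQ_HANDLER },
    { &F_REMOVE_UNLOCKED, &F_TIMER_FN },
    { &F_REMOVE_LOCKED,   &F_IRQ_HANDLER },
    { &F_REMOVE_LOCKED,   &F_TIMER_FN },
};

int run_all(struct report *out, int max)
{
    int total = 0;
    for (size_t p = 0; p < sizeof PAIRS / sizeof PAIRS[0]; p++) {
        int used = total < max ? total : max;
        total += check_concurrent(PAIRS[p][0], PAIRS[p][1], out + used, max - used);
    }
    return total;
}

int main(void)
{
    struct report r[8];
    int n = run_all(r, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("candidate UAF: %s frees %s, %s uses it with a disjoint lockset\n",
               r[i].freer, r[i].object, r[i].user);
    return 0;
}
```

Of the four pairs, three are reported: the unlocked `remove` against both readers, and the locked `remove` against the unlocked timer callback. Taking `dev->lock` around `kfree()` only helps against the interrupt handler, which holds the same lock; the lockset intersection is what decides each verdict, and the pair table is what limits the check to functions that can actually overlap.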
