DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers (presentation slides)

SLIDE 1
DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers

Aravind Machiry, Chad Spensky, Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara
USENIX Security 2017

seclab: The Computer Security Group at UC Santa Barbara

SLIDE 2

seclab
Dr Checker: A Soundy Analysis of Linux Kernel Drivers CSS, USENIX Security, 08/18/2017

First, a story…

$ mkdir driver_checker
$ mkdir dr_checker

SLIDE 7

Why Drivers?

$ ls linux
/arch /block /certs /crypto /drivers /firmware /fs /include /virt /init /tools /sound /security /scripts /samples /net /mm /lib /kernel /ipc /usr
$ find bugs

SLIDE 11

Why Drivers?

  • Bugs in Windows XP (2003): Drivers 85%, other 15%
  • Linux Kernel CVEs (2016-2017): Drivers 28%, other 72%
  • Reported bugs in Android (2016): Drivers 85%, other 15%

CVE: Common Vulnerabilities and Exposures

SLIDE 15

Motivation

Only analyze the drivers!

SLIDE 16

Program Analysis for Bug Finding

  • Points-to Analysis: Determines all storage locations that a pointer can point to
    • Example bug: Kernel code pointer to user-controlled memory
  • Taint Analysis: Determines all of the locations that are affected by user-supplied (tainted) data
    • Example bug: User-provided data used as length in copy_from_user()

SLIDE 19

Program Analysis on Kernel Code

  • Pointers… Everywhere!
    • State explosion
  • Inter-procedural calls to core functions
    • State explosion

SLIDE 20

Precision vs. Soundness

  • Precise: most of the things reported are true (few false positives)
  • Sound: everything that is true is reported (no false negatives)

Figure: two sets of reported results marked True/False, one labelled Precise (almost all True, a couple of False) and one labelled Sound (every True present, alongside many False).

SLIDE 23

Soundiness

Violate soundness to achieve higher precision and to stay within practical computational constraints.

Figure: the Precise and Sound result sets from the previous slide, plus a third labelled Soundy: nearly everything it reports is true, at the cost of missing some true results.

SLIDE 25

Dr. Checker: Assumptions

  (1) All non-driver code is implemented perfectly
  (2) Only evaluate loops until a reaching definition
  (3) All calls are traversed exactly once, even in loops

SLIDE 26

Dr. Checker: Design

  • Modular framework to enable flexible development
  • Simultaneously employ numerous vulnerability detectors
  • Open source: github.com/ucsb-seclab/dr_checker

SLIDE 27

Dr. Checker: Design

Pipeline: Driver Code → (1) Soundy Driver Traversal → (2) Analysis Clients (Points-to Analysis and Taint Analysis, sharing a Global State) → (3) Vulnerability Detectors → Warnings

Vulnerability Detectors:
  • Improper Tainted-Data Use Detector (ITDUD)
  • Tainted Arithmetic Detector (TAD)
  • Invalid Cast Detector (ICD)
  • Tainted Loop Bound Detector (TLBD)
  • Tainted Pointer Dereference Detector (TPDD)
  • Tainted Size Detector (TSD)
  • Uninit Leak Detector (ULD)
  • Global Variable Race Detector (GVRD)

SLIDE 33

Soundy Driver Traversal

  • Context-sensitive: Analysis for each function call is done in the context of the calling function
  • Field-sensitive: The ability to differentiate between different fields in a memory structure
  • Flow-sensitive: The ability to track data usage (e.g., taint) throughout a program, according to its control flow
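To make the field- and flow-sensitivity definitions above concrete, here is a toy version of the taint client with three of the detectors simulated on top of it. It is an added illustration, not code from the slides or from the Dr. Checker source (which is an LLVM pass written in C++): one taint bit per named location, propagated in program order over a tiny straight-line IR. The IR, the location names, the SANITIZE operation (standing in for a range check) and the three sample programs are assumptions made for this example.

```c
/* Added example: toy flow- and field-sensitive taint propagation with
 * three simulated detectors (TSD, TLBD, TAD). Not Dr. Checker's code;
 * the mini IR, location names and sample programs are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_LOCS 16

/* Abstract memory: one taint bit per named location. Field sensitivity
 * means "ko.count", "ko.data" and "curr_data->buf" are separate
 * locations, so tainting one says nothing about the others. */
struct loc { const char *name; int tainted; };
static struct loc locs[MAX_LOCS];
static int nlocs;

static struct loc *lookup(const char *name)
{
    for (int i = 0; i < nlocs; i++)
        if (strcmp(locs[i].name, name) == 0)
            return &locs[i];
    locs[nlocs].name = name;
    locs[nlocs].tainted = 0;
    return &locs[nlocs++];
}

enum op {
    SOURCE,      /* dst is an entry-point argument: user controlled      */
    COPY,        /* dst = src: taint flows along the copy                 */
    SANITIZE,    /* src was range-checked: clear its taint                */
    SIZE_ARG,    /* copy_from_user(..., src) with tainted src   -> TSD    */
    LOOP_BOUND,  /* for (...; i < src; ...) with tainted src    -> TLBD   */
    ARITH        /* arithmetic on tainted src                   -> TAD    */
};
struct insn { enum op op; const char *dst; const char *src; };

/* One warning counter per simulated detector. */
struct report { int tsd, tlbd, tad; };

/* A single forward pass in program order (flow-sensitive): a check that
 * precedes a use removes the warning, a check that follows it does not. */
static struct report run_taint(const struct insn *prog, int n)
{
    struct report r = { 0, 0, 0 };
    nlocs = 0;
    for (int i = 0; i < n; i++) {
        const struct insn *in = &prog[i];
        switch (in->op) {
        case SOURCE:     lookup(in->dst)->tainted = 1; break;
        case COPY:       lookup(in->dst)->tainted |= lookup(in->src)->tainted; break;
        case SANITIZE:   lookup(in->src)->tainted = 0; break;
        case SIZE_ARG:   r.tsd  += lookup(in->src)->tainted; break;
        case LOOP_BOUND: r.tlbd += lookup(in->src)->tainted; break;
        case ARITH:      r.tad  += lookup(in->src)->tainted; break;
        }
    }
    return r;
}

/* An entry point of the shape used later in the talk, as the analysis sees
 * it: user_ptr and len are sources, copy_from_user overwrites every field of ko. */
static const struct insn unchecked[] = {
    { SOURCE,     "user_ptr",       NULL },
    { SOURCE,     "len",            NULL },
    { SIZE_ARG,   NULL,             "len" },            /* copy_from_user(&ko, user_ptr, len) */
    { COPY,       "ko.count",       "user_ptr" },
    { COPY,       "ko.data",        "user_ptr" },
    { LOOP_BOUND, NULL,             "ko.count" },       /* i < ko.count                        */
    { ARITH,      NULL,             "ko.data" },        /* *ptr += 1 on an element of ko.data  */
    { ARITH,      NULL,             "curr_data->buf" }, /* untainted field: no warning         */
};

/* Same entry point with the two range checks placed before the uses. */
static const struct insn checked[] = {
    { SOURCE,     "user_ptr",       NULL },
    { SOURCE,     "len",            NULL },
    { SANITIZE,   NULL,             "len" },            /* if (len > sizeof(ko)) return -EINVAL;     */
    { SIZE_ARG,   NULL,             "len" },
    { COPY,       "ko.count",       "user_ptr" },
    { COPY,       "ko.data",        "user_ptr" },
    { SANITIZE,   NULL,             "ko.count" },       /* if (ko.count > MAX_ITEMS) return -EINVAL; */
    { LOOP_BOUND, NULL,             "ko.count" },
    { ARITH,      NULL,             "ko.data" },        /* element values are still user controlled  */
};

/* The check exists but comes after the use: flow sensitivity keeps the warning. */
static const struct insn late_check[] = {
    { SOURCE,     "len",            NULL },
    { SIZE_ARG,   NULL,             "len" },
    { SANITIZE,   NULL,             "len" },
};

#define RUN(p) run_taint((p), (int)(sizeof (p) / sizeof *(p)))
struct report analyze_unchecked(void)  { return RUN(unchecked); }
struct report analyze_checked(void)    { return RUN(checked); }
struct report analyze_late_check(void) { return RUN(late_check); }

int main(void)
{
    struct report u = analyze_unchecked(), c = analyze_checked(), l = analyze_late_check();
    printf("unchecked:  TSD=%d TLBD=%d TAD=%d\n", u.tsd, u.tlbd, u.tad);
    printf("checked:    TSD=%d TLBD=%d TAD=%d\n", c.tsd, c.tlbd, c.tad);
    printf("late check: TSD=%d TLBD=%d TAD=%d\n", l.tsd, l.tlbd, l.tad);
    return 0;
}
```

Two things to notice: bounding ko.count silences the loop-bound warning but not the arithmetic warning, because the element values are still user controlled; and the late check leaves the size warning in place, because the pass visits instructions in control-flow order. Both effects are what the flow-sensitive, single-pass design buys, and both are lost in a flow-insensitive analysis that only asks "is len ever checked anywhere".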

SLIDE 37

Soundy Driver Traversal: worked example

The slide's example driver code, with the analysis results the slides overlay on it written as comments:

    struct kernel_obj ko;

    void internal_function(int *ptr)
    {
        *ptr += 1;                              /* Warning: Tainted Arithmetic */
    }

    void entry_point(void *user_ptr, int len)   /* taint sources: user_ptr, len */
    {
        curr_data->item = &ko;                  /* points-to: curr_data->item -> ko */
        copy_from_user(&ko, user_ptr, len);     /* ko becomes tainted (field-sensitive); Warning: Improper Tainted-Data Use (len is tainted) */
        for (int i = 0; i < ko.count; i++) {    /* Warning: Tainted Loop Bound */
            internal_function(&(ko.data[i]));   /* Soundy: loop traversed once, call traversed once */
        }
        dangerous_function(curr_data->buf);     /* untainted field: no warning */
        dangerous_function(curr_data->item);    /* Warning: Improper Tainted-Data Use (item points to the tainted ko) */
        kernel_function(curr_data->item);       /* Soundy: kernel functions ignored */
    }

Soundy choices visible here: bounded loop traversal, ignoring kernel functions, single traversal of each call.
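The entry point above, written out twice as an added example (not code from the slides or the Dr. Checker project): once in the shape the slide shows, where len and count are used straight from user space, and once hardened with the two checks the Tainted Size and Tainted Loop Bound warnings ask for. It runs in user space with a stand-in for copy_from_user(); the struct kernel_obj layout, MAX_ITEMS, the arena that plays the role of kernel memory, and the payloads are all assumptions made for this example.

```c
/* Added example: the slide's entry_point as shown and hardened, driven
 * from user space with a stand-in copy_from_user(). Not from the slides
 * or the Dr. Checker project; kernel_obj, MAX_ITEMS, the arena layout and
 * the payloads are assumptions for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 8
struct kernel_obj {
    uint32_t count;              /* user controlled after copy_from_user */
    int32_t  data[MAX_ITEMS];
};

/* "Kernel memory": ko occupies the start of this arena and an unrelated
 * object (neighbour) sits right after it, so an over-long copy into ko
 * silently corrupts neighbour instead of faulting. */
#define ARENA_SIZE      64
#define NEIGHBOUR_OFF   sizeof(struct kernel_obj)
#define NEIGHBOUR_MAGIC 0x41414141u
static unsigned char arena[ARENA_SIZE];

static void arena_reset(void)
{
    uint32_t magic = NEIGHBOUR_MAGIC;
    memset(arena, 0, sizeof arena);
    memcpy(arena + NEIGHBOUR_OFF, &magic, sizeof magic);
}

uint32_t neighbour_value(void)
{
    uint32_t v;
    memcpy(&v, arena + NEIGHBOUR_OFF, sizeof v);
    return v;
}

/* Stand-in for copy_from_user(): 0 on success, bytes not copied otherwise.
 * It refuses to write past the arena so the example itself stays in bounds;
 * the real function has no idea how big the destination object is. */
static unsigned long fake_copy_from_user(void *to, const void *from, unsigned long n)
{
    unsigned char *dst = to;
    unsigned long room = (unsigned long)((arena + ARENA_SIZE) - dst);
    if (n > room)
        return n - room;
    memcpy(dst, from, n);
    return 0;
}

/* As on the slide: len and count are used straight from user space. */
int entry_point_vulnerable(const void *user_ptr, unsigned long len)
{
    struct kernel_obj ko;
    int sum = 0;
    if (fake_copy_from_user(arena, user_ptr, len))     /* tainted size: TSD        */
        return -EFAULT;
    memcpy(&ko, arena, sizeof ko);
    for (uint32_t i = 0; i < ko.count; i++)            /* tainted loop bound: TLBD */
        sum += ko.data[i];  /* reads past data[] once count > MAX_ITEMS; not exercised below */
    return sum;
}

/* Hardened: validate len before the copy and count before the loop. */
int entry_point_hardened(const void *user_ptr, unsigned long len)
{
    struct kernel_obj ko;
    int sum = 0;
    if (len != sizeof ko)
        return -EINVAL;
    if (fake_copy_from_user(arena, user_ptr, len))
        return -EFAULT;
    memcpy(&ko, arena, sizeof ko);
    if (ko.count > MAX_ITEMS)
        return -EINVAL;
    for (uint32_t i = 0; i < ko.count; i++)
        sum += ko.data[i];
    return sum;
}

/* Constructed "user" payload: count first, every following 32-bit word = 1.
 * Resets the arena, then hands len bytes of the payload to the entry point. */
typedef int (*entry_fn)(const void *user_ptr, unsigned long len);
int drive(entry_fn fn, uint32_t count, unsigned long len)
{
    unsigned char payload[ARENA_SIZE];
    int32_t one = 1;
    for (unsigned long off = 0; off < sizeof payload; off += sizeof one)
        memcpy(payload + off, &one, sizeof one);
    memcpy(payload, &count, sizeof count);
    if (len > sizeof payload)
        len = sizeof payload;
    arena_reset();
    return fn(payload, len);
}

int main(void)
{
    unsigned long good = sizeof(struct kernel_obj), bad = good + 4;
    int r;
    r = drive(entry_point_vulnerable, 3, good);
    printf("vulnerable, %lu bytes: sum=%d neighbour=%#x\n", good, r, (unsigned)neighbour_value());
    r = drive(entry_point_vulnerable, 3, bad);
    printf("vulnerable, %lu bytes: sum=%d neighbour=%#x (corrupted)\n", bad, r, (unsigned)neighbour_value());
    r = drive(entry_point_hardened, 3, bad);
    printf("hardened,   %lu bytes: ret=%d neighbour=%#x\n", bad, r, (unsigned)neighbour_value());
    printf("hardened,   count=100: ret=%d\n", drive(entry_point_hardened, 100, good));
    return 0;
}
```

The size bug is exercised for real: four extra bytes overwrite the neighbour object and the vulnerable entry point still returns a plausible result, which is exactly why such bugs survive testing. The loop-bound bug is only flagged in a comment, since an out-of-bounds read would be undefined behaviour in the example itself; the hardened version rejects it before the loop runs.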

SLIDE 48

Identifying Vendor Drivers

  • diff with mainline sources
  • Extract code-names from vendor configuration files

SLIDE 49

Driver Entry Points

  • File Operations
  • Attribute Operations
  • Socket Operations
  • Wrapper Functions

  Entry Type             Argument(s)              Taint Type
  Read (File)            char *buf, size_t len    Direct
  Write (File)           char *buf, size_t len    Direct
  Ioctl (File)           long args                Direct
  DevStore (Attribute)   const char *buf          Indirect
  NetDevIoctl (Socket)   struct ifreq *           Indirect
  V4Ioctl                struct v4l2_format *f    Indirect

SLIDE 50

Evaluation: Mobile Kernels

  • Amazon Echo (5.5.0.3)
  • Amazon Fire HD8 (6th Generation, 5.3.2.1)
  • HTC One Hima (3.10.61-g5f0fe7e)
  • Sony Xperia XA (33.2.A.3.123)
  • HTC Desire A56 (a56uhl-3.4.0)
  • LG K8 ACG (AS375)
  • ASUS Zenfone 2 Laser (ZE550KL / MR5-21.40.1220.1794)
  • Huawei Venus P9 Lite (2016-03-29)
  • Samsung Galaxy S7 Edge (SM-G935F NN)

3.1 million lines of driver code

SLIDE 51

Other Tools

  • Flawfinder — pattern-based bug detector
  • RATS (Rough Auditing Tool for Security) — pattern-based bug detector
  • Sparse — compiler-based bug detector
  • cppcheck — all-in-one static analysis bug detector

SLIDE 52

Other Tools: Analysis

Feature comparison of cppcheck, flawfinder, RATS, Sparse and Dr. Checker (number of the five tools with each feature):
  • Extensible: 2 of 5
  • Inter-procedural: 1 of 5 (Dr. Checker)
  • Handles pointers: 1 of 5 (Dr. Checker)
  • Kernel specific: 2 of 5
  • No manual annotations: 4 of 5
  • Requires compilable sources: 3 of 5
  • Sound: none
  • Traceable warnings: 2 of 5

SLIDE 53

Other Tools: Warnings

  Kernel     cppcheck   flawfinder   RATS    Sparse
  Qualcomm   18         4,365        693     5,202
  Samsung    22         8,173        2,244   1,726
  Huawei     34         18,132       2,301   11,320
  Mediatek   168        14,230       3,730   13,771
  Total      242        44,900       8,968   31,929

SLIDE 54

Dr. Checker: Warnings per Kernel (Count / Confirmed / Bug)

  Detector                          Huawei            Qualcomm         Mediatek            Samsung           Total
  TaintedSizeDetector               62 / 62 / 5       33 / 33 / 2      155 / 153 / 6       20 / 20 / 1       270 / 268 / 14
  TaintedPointerDereferenceChecker  552 / 155 / 12    264 / 264 / 3    465 / 459 / 6       479 / 423 / 4     1,760 / 1,301 / 25
  TaintedLoopBoundDetector          75 / 56 / 4       52 / 52 / 0      73 / 73 / 1         78 / 78 / 0       278 / 259 / 5
  GlobalVariableRaceDetector        324 / 184 / 38    188 / 108 / 8    548 / 420 / 5       100 / 62 / 12     1,160 / 774 / 63
  ImproperTaintedDataUseDetector    81 / 74 / 5       92 / 91 / 3      243 / 241 / 9       135 / 134 / 4     551 / 540 / 21
  IntegerOverflowDetector           250 / 177 / 6     196 / 196 / 2    247 / 247 / 6       99 / 87 / 2       792 / 707 / 16
  KernelUninitMemoryLeakDetector    9 / 7 / 5         1 / 1 / 0        8 / 5 / 5           6 / 2 / 1         24 / 15 / 11
  InvalidCastDetector               96 / 13 / 2       75 / 74 / 1      9 / 9 / 0           56 / 13 / 0       236 / 109 / 3
  Total                             1,449 / 728 / 78  901 / 819 / 19   1,748 / 1,607 / 44  973 / 819 / 24    5,071 / 3,973 / 158

Precision: 78% (3,973 confirmed out of 5,071 warnings)

Cells called out on the slides: the overall total of 5,071 / 3,973 / 158; the uninitialized-memory leak detector's 24 / 15 / 11, the best bug yield per warning of any detector; and the tainted pointer dereference checker's 552 / 155 / 12 (Huawei) against 479 / 423 / 4 (Samsung), showing how much the confirmation rate of one detector varies between vendors.

SLIDE 59

Zero-day Bug

A buffer overflow bug detected in Mediatek's Accdet driver:

    static char call_status;
    ...
    static ssize_t accdet_store_call_state(struct device_driver *ddri,
                                           const char *buf, size_t count)
    {
        int ret = sscanf(buf, "%s", &call_status);   /* Warning: Improper Tainted-Data Use */
        if (ret != 1) {
            ACCDETDEBUG("accdet: Invalid values\n");
            return -EINVAL;
        }
        ...
    }

  • buf can contain more than one char! "%s" copies the whole token, plus its terminating NUL, into the single-byte call_status.
  • ret is checked, but it's too late: the overflow has already happened by the time sscanf returns.
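As an added example (not the Mediatek driver's code), the sscanf line above reduced to what it actually writes, beside a hardened store handler. It runs in user space; the sysfs buffer contents are constructed, and the function names, the width-limited scratch buffer used to measure the write, and the decision to accept a single character with an optional trailing newline are assumptions made for the example.

```c
/* Added example, not the Mediatek driver's code: what "%s" writes for a
 * sysfs store buffer, beside a hardened store handler. Runs in user space;
 * the buffers are constructed for the example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>    /* ssize_t */

/* Bytes "%s" writes for a given buffer: the whole first whitespace-
 * delimited token plus its terminating NUL. Measured into a large,
 * width-limited scratch buffer so this example stays in bounds; the
 * driver's destination is one static char and its "%s" has no width. */
size_t bytes_written_by_percent_s(const char *buf)
{
    char scratch[256] = { 0 };
    if (sscanf(buf, "%255s", scratch) != 1)
        return 0;
    return strlen(scratch) + 1;
}

static char call_status;
char current_call_status(void) { return call_status; }

/* Hardened store handler: accept exactly one visible character, optionally
 * followed by the newline that `echo` appends, and reject anything else
 * before touching call_status. count is the byte count sysfs passes in. */
ssize_t accdet_store_call_state_fixed(const char *buf, size_t count)
{
    if (count == 0 || count > 2)
        return -EINVAL;
    if (count == 2 && buf[1] != '\n')
        return -EINVAL;
    if (buf[0] == '\n' || buf[0] == ' ' || buf[0] == '\t')
        return -EINVAL;
    call_status = buf[0];
    return (ssize_t)count;
}

int main(void)
{
    /* Constructed sysfs writes: a normal one, a bare one, and a long one. */
    const char *inputs[] = { "1\n", "0", "AAAAAAAAAAAAAAAA\n" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        const char *in = inputs[i];
        printf("input %zu (%zu bytes): \"%%s\" writes %zu byte(s) into a 1-byte "
               "call_status; hardened handler returns %zd\n",
               i, strlen(in), bytes_written_by_percent_s(in),
               accdet_store_call_state_fixed(in, strlen(in)));
    }
    return 0;
}
```

Note the first case: even the well-formed input "1\n" makes "%s" write two bytes (the character and its NUL) into a one-byte variable, so the original handler overflows by one on every valid write, not only on malicious ones. The hardened handler never parses into call_status at all; it validates count and buf first and then assigns a single byte.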

SLIDE 63

Results: Soundy vs. Sound

Time to analyze 100 randomly selected entry points (chart in log10 of seconds), for three configurations:
  • Dr. Checker
  • Dr. Checker (Ignoring kernel functions)
  • Dr. Checker (Sound Analysis) [18/100]

Figure: the timing values readable from the chart range from .008, .12 and .16 seconds at the low end to 980, 2,300 and 3,000 seconds at the high end.

82 of the 100 sound analyses did not finish!

SLIDE 65

Conclusion

  • Modular bug-finding tool for Linux kernel drivers
  • Soundy program analysis techniques to maintain practicality
  • Scalable tool capable of employing multiple vulnerability detectors
  • 158 previously undiscovered zero-day bugs
  • Open-source project to encourage more development/collaboration

SLIDE 66

github.com/ucsb-seclab/dr_checker

Aravind Machiry (machiry@cs.ucsb.edu), Chad Spensky (cspensky@cs.ucsb.edu)

Help Make Drivers Great Again