finding race conditions in kernels
play

Finding Race Conditions in Kernels from fuzzing to symbolic - PowerPoint PPT Presentation

Sep 13, 2022 •1.01k likes •2.82k views

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

  1. Checking data races - ordering (causality) Syscall Timer Workqueue W delayed_work <timer start> <timer end> queue_work <work start> R Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 30

  2. Bring out data races explicitly with a checker Signaled? Data race checker Data race Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 31

  3. A slightly complicated data race G[ … ] is all null at initialization sys_readlink (path, ...): sys_truncate (size, ...): global A = 1; global A = 0; local y; local x; if (size > 4096) { if (IS_DIR(path)) { x = A + 1; y = A * 2; if (! G[ x ] ) if (! G[ y ] ) G[ x ] = kmalloc(...); G[ y ] = kmalloc(...); } } Thread 1 Thread 2 *Assume sequential consistency. Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 32

  4. A slightly complicated data race G[ … ] is all null at initialization sys_readlink (path, ...): sys_truncate (size, ...): global A = 1; global A = 0; local y; local x; if (size > 4096) { if (IS_DIR(path)) { x = A + 1; y = A * 2; if (! G[ x ] ) if (! G[ y ] ) G[ x ] = kmalloc(...); G[ y ] = kmalloc(...); } } Thread 1 Thread 2 *Assume sequential consistency. Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 33

  5. Case simpli fi ed A = 1; A = 0; x = A + 1; y = A * 2; Thread 1 Thread 2 Can we reach x == y? Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 34

  6. Case simpli fi ed A = 1; A = 1; A = 1; x = A + 1; A = 0; A = 0; A = 0; x = A + 1; y = A * 2; y = A * 2; y = A * 2; x = A + 1; A = 1; A = 0; x = A + 1; x = 2, y = 0 x = 1, y = 0 x = 1, y = 0 y = A * 2; Thread 1 Thread 2 A = 0; A = 0; A = 0; Can we reach x == y? y = A * 2; A = 1; A = 1; x = A + 1; A = 1; y = A * 2; x = A + 1; x = A + 1; y = A * 2; x = 2, y = 0 x = 2, y = 2 x = 2, y = 2 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 35

  7. All interleavings yield to the same code coverage! A = 1; A = 1; A = 1; global A = 1; local x; x = A + 1; A = 0; A = 0; if (IS_DIR(path)) A = 0; x = A + 1; y = A * 2; x = A + 1; y = A * 2; y = A * 2; x = A + 1; if (! G[ x ] ) x = 2, y = 0 x = 1, y = 0 x = 1, y = 0 G[ x ] = kmalloc(...); ... A = 0; A = 0; A = 0; global A = 0; local y; y = A * 2; A = 1; A = 1; if (size > 4096) x = A + 1; A = 1; y = A * 2; y = A * 2; x = A + 1; x = A + 1; y = A * 2; if (! G[ y ] ) G[ y ] = kmalloc(...); x = 2, y = 0 x = 2, y = 2 x = 2, y = 2 ... Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 36

  8. Incompleteness of CFG edge coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 37

  9. A multi-dimensional view of coverage in fuzzing Edge-coverage only Krace Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 38

  10. Visualizing the concurrency dimension Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 39

  11. Visualizing the concurrency dimension Edge-coverage only Krace Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 40

  12. Bring fuzzing to the concurrency dimension Signaled? Data race checker Data race Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 41

  13. Bring fuzzing to the concurrency dimension Signaled? Data race checker Data race Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage concurrency coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 42

  14. Bring fuzzing to the concurrency dimension Signaled? Data race Interleaving checker Data race generator Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage concurrency coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 43

  15. Concurrency coverage tracking Signaled? Data race Interleaving checker Data race generator Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage concurrency coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 44

  16. A straw-man solution sys_truncate (size, ...): sys_readlink (path, ...): global A = 0; global A = 1; i7 i1 local y; i8 local x; i2 if (size > 4096) { i9 if (IS_DIR(path)) { i3 y = A * 2; x = A + 1; i10 i4 if ( G[ y ] ) if ( G[ x ] ) i11 i5 kmalloc(...); i12 kmalloc(...); i6 } } Thread 1 Thread 2 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 45

  17. A straw-man solution global A = 1; sys_truncate (size, ...): sys_readlink (path, ...): i1 global A = 0; i7 global A = 0; local y; global A = 1; i7 i8 i1 local x; local y; i8 local x; i2 i2 if (IS_DIR(path)) { i3 if (size > 4096) { if (size > 4096) { i9 if (IS_DIR(path)) { i9 i3 x = A + 1; y = A * 2; x = A + 1; i4 i10 i4 y = A * 2; if ( G[ y ] ) if ( G[ x ] ) i10 i11 i5 if( G[ x ] ) kmalloc(...); i5 i12 kmalloc(...); i6 } if ( G[ y ] ) } i11 kmalloc(...); i12 Thread 1 Thread 2 } kmalloc(...); i6 } A possible interleaving Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 46

  18. A straw-man solution global A = 1; sys_truncate (size, ...): sys_readlink (path, ...): i1 global A = 0; i7 global A = 0; local y; global A = 1; i7 i8 i1 local x; local y; i8 local x; i2 i2 if (IS_DIR(path)) { if (IS_DIR(path)) { i3 if (size > 4096) { if (size > 4096) { if (size > 4096) { i9 if (IS_DIR(path)) { i9 i3 x = A + 1; y = A * 2; x = A + 1; i4 i10 i4 y = A * 2; if ( G[ y ] ) if ( G[ x ] ) i10 i11 i5 if( G[ x ] ) kmalloc(...); i5 i12 kmalloc(...); i6 } if ( G[ y ] ) } i11 kmalloc(...); i12 Thread 1 Thread 2 } kmalloc(...); i6 } Hash(i1, i7, i8, i2, i3 , i9 , i4, i10, i5, i11, i12, i6) = 7825 Hash(i1, i7, i8, i2, i9 , i3 , i4, i10, i5, i11, i12, i6) = 1356 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 47

  19. A straw-man solution global A = 1; sys_truncate (size, ...): sys_readlink (path, ...): i1 global A = 0; i7 Number of possible interleavings of two threads global A = 0; local y; global A = 1; i7 i8 i1 local x; local y; i8 local x; i2 i2 If two threads have and instructions respectively, m n if (IS_DIR(path)) { i3 then the number interleavings between them is given by: if (size > 4096) { if (size > 4096) { i9 if (IS_DIR(path)) { i9 i3 x = A + 1; y = A * 2; x = A + 1; i4 ( m + n )! i10 i4 y = A * 2; if ( G[ y ] ) if ( G[ x ] ) i10 i11 i5 m ! × n ! if( G[ x ] ) kmalloc(...); i5 i12 kmalloc(...); i6 } if ( G[ y ] ) } i11 m = n = 2 m = n = 4 m = n = 8 m = n = 16 kmalloc(...); i12 6 70 13 K 601 M Thread 1 Thread 2 } kmalloc(...); i6 } A possible interleaving Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 48

  20. Observations on practical interleaving tracking Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 49

  21. Observations on practical interleaving tracking Thread 1 Thread 2 Only interleaved accesses to shared memory matters - In an extreme case where two threads do not shared memory, they interleaving does not matter at all. Only interleaved read-write accesses to shared memory locations matters - In an extreme case where two threads only read from shared memory, they interleaving does not matter at all. Thread interleaving alters the def-use relation of memory locations! Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 50

  22. Observations on practical interleaving tracking Thread 1 Thread 2 Only interleaved accesses to shared memory matters - In an extreme case where two threads do not shared memory, they interleaving does not matter at all. Only interleaved read-write accesses to y = A * 2 R shared memory locations matters - In an extreme case where two threads only read from x = A + 1 R shared memory, they interleaving does not matter at all. Thread interleaving alters the def-use relation of memory locations! Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 51

  23. Observations on practical interleaving tracking Thread 1 Thread 2 Only interleaved accesses to shared memory matters - In an extreme case where two threads do not shared A = 1 W memory, they interleaving does not matter at all. A = 0 W Only interleaved read-write accesses to shared memory locations matters - In an extreme case where two threads only read from x = A + 1 R shared memory, they interleaving does not matter at all. Thread interleaving alters the def-use relation of memory locations! Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 52

  24. Observations on practical interleaving tracking Thread 1 Thread 2 Only interleaved accesses to shared memory matters - In an extreme case where two threads do not shared A = 1 W memory, they interleaving does not matter at all. Interleaving approximation A = 0 W Only interleaved read-write accesses to Track cross-thread write-to-read (def-to-use) edges! shared memory matters - In an extreme case where two threads only read from x = A + 1 R shared memory, they interleaving does not matter at all. Thread interleaving alters the def-use relation of memory locations! Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 53

  25. Observations on practical interleaving tracking Interleaving approximation Track cross-thread write-to-read (def-to-use) edges! Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 54

  26. Aliased-instruction coverage Thread 1 Thread 2 A = 1 i1 W i2 i3 → A = 0 i2 W x = A + 1 i3 R Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 55

  27. Aliased-instruction coverage Thread 1 Thread 2 A = 1 i1 W i2 i5, i4 i3 → → A = 0 i4 W B = 2 i2 W x = A + 1 y = B * 4 i3 i5 R R Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 56

  28. Aliased-instruction coverage Thread 1 Thread 2 A = 1 i1 W Concurrency coverage bitmap size A = 0 i4 W During our experiment, we observed 63,590 unique cross-thread, write-to-read edges. B = 2 i2 i2 i5, i4 i3 W → → a bitmap size of 128KB will be su ffi cient. → x = A + 1 y = B * 4 i3 i5 R R Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 57

  29. Concurrency coverage tracking Signaled? Data race Interleaving checker Data race generator Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage concurrency coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 58

  30. Interleaving exploration Signaled? Data race Interleaving checker Data race generator Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage concurrency coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 59

  31. Active interleaving exploration - ideal case A = 1; A = 1; A = 1; x = A + 1; A = 0; A = 0; A = 0; x = A + 1; y = A * 2; y = A * 2; y = A * 2; x = A + 1; x = 2, y = 0 x = 1, y = 0 x = 1, y = 0 A = 1; A = 0; i3 i1 i3 i2 i3 i2 <nil> x = A + 1; → → y = A * 2; i2 i4 Thread 1 Thread 2 A = 0; A = 0; A = 0; y = A * 2; A = 1; A = 1; x = A + 1; A = 1; y = A * 2; x = A + 1; x = A + 1; y = A * 2; x = 2, y = 0 x = 2, y = 2 x = 2, y = 2 <nil> i1 i4 i1 i4 → → Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 60

  32. Active interleaving exploration - ideal case A = 1; A = 1; A = 1; x = A + 1; A = 0; A = 0; A = 0; x = A + 1; y = A * 2; y = A * 2; y = A * 2; x = A + 1; Enumerating all interleaving among all kernel threads is impossible x = 2, y = 0 x = 1, y = 0 x = 1, y = 0 A = 1; A = 0; i3 i1 i3 i2 i3 i2 <nil> x = A + 1; → → y = A * 2; i2 i4 During our experiment, we observed at maximum 60 threads running concurrently. Thread 1 Thread 2 A = 0; A = 0; A = 0; ⟶ 10 60 Assume each thread have only 10 shared memory accesses possibilities. y = A * 2; A = 1; A = 1; x = A + 1; A = 1; y = A * 2; x = A + 1; x = A + 1; y = A * 2; x = 2, y = 0 x = 2, y = 2 x = 2, y = 2 <nil> i1 i4 i1 i4 → → Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 61

  33. Active interleaving exploration through delay injection i1 T1 R Concurrency coverage i2 T2 W i3 T3 W i4 T4 R Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 62

  34. Active interleaving exploration through delay injection d(669) i1 T1 R R d(300) Concurrency coverage i2 T2 W W d(273) i3 T3 W W i4 T4 R R d(20) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 63

  35. Active interleaving exploration through delay injection d(669) i1 T1 R d(300) Concurrency coverage i2 T2 W d(273) i3 T3 W i4 T4 R d(20) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 64

  36. Interleaving exploration Signaled? Data race Interleaving checker Data race generator Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage concurrency coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 65

  37. Bring them all together Signaled? Data race Interleaving checker Data race generator Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage concurrency coverage Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 66

  38. QEMU-based implementation Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 67

  39. Alias coverage growth will be saturating Btrfs Ext4 But fi le systems that are higher in concurrency level saturates much slower! Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 68

  40. Edge and alias coverage goes generally in synchronization Btrfs Ext4 But there will be time when the edge coverage saturates but alias coverage keeps fi nding new thread interleaving Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 69

  41. Slightly more branch coverage than Syzkaller Btrfs Ext4 This maybe due to the fact that we give each seed more chances (if they make progresses in alias coverage) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 70

  42. Evaluation Bugs Bugs found by Krace File system # data races # harmful con fi rmed Btrfs 11 8 Ext4 4 1 VFS 8 2 Total 23 11 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 71

  43. Comparison with related works Structured input Application [Google] Syzkaller [CCS’17] SlowFuzz [SP’19] Janus [ICSE’19] DifFuzz [ICSE’19] SLF [VLDB’20] Apollo …… …… Seed selection Coverage metric [CCS’16] AFLFast [SP’18] Angora [ASE’18] FairFuzz [RAID’19] Benchmark [SP’20] Krace [FSE’19] Fudge …… Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 72

  44. Conclusion and contribution Structured input Application [Google] Syzkaller [CCS’17] SlowFuzz [SP’19] Janus [ICSE’19] DifFuzz [ICSE’19] SLF [VLDB’20] Apollo …… …… Seed selection Coverage metric [CCS’16] AFLFast [SP’18] Angora [ASE’18] FairFuzz [RAID’19] Benchmark [SP’20] Krace [FSE’19] Fudge …… Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 73

  45. Common criticism about the fuzzing approach 1. How strong is the security guarantee? e.g., 1 hour of fuzzing without any bugs, what does that mean? 2. Can you deterministically replay the bugs found? Most likely not, because we do not directly control the scheduler. 3. How easy can these data races be triggered in reality? Hard to argue, because fuzzing is essentially a probabilistic search. 4. What are the consequences out of these data races? e.g., can you really alter the control fl ow or change some sensitive data? Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 74

  46. Agenda 1. What are race conditions? c 2. Finding their presence with fuzzing ? [SP’20] Data races in fi le systems 3. Towards a more systematic methodology? [SP’18] Symbolic race checking c 4. Up to the extreme of completeness and soundness ? [WIP (CAV’21)] C to SMT transpilation Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 75

  47. Agenda 1. What are race conditions? c 2. Finding their presence with fuzzing ? [SP’20] Data races in fi le systems 3. Towards a more systematic methodology? [SP’18] Symbolic race checking 4. Up to the extreme of completeness and soundness ? [WIP (CAV’21)] C to SMT transpilation Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 76

  48. SMT and symbolic execution • SMT stands for satis fi ability modulo theories • Given some basic math theories about Booleans, Integers, etc, decide whether some constraints are satis fi able or not ==> constraint solvers. • Example: what are the values of and that satisfy both constraints: x y • x + y = 10 • x + 2 y = 20 • Manual solving: x = 0, y = 10 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 77

  49. An SMT script is a problem description • To describe the problem to an automated solver, • we need some standardized format ==> an SMT script • Continued from the example: (declare-const x Int) (declare-const y Int) sat • x + y = 10 (model (assert (= (+ x y) 10)) (define-fun y () Int 10) (assert (= (+ x (* 2 y)) 20)) (define-fun x () Int 0) • x + 2 y = 20 ) (check-sat) (get-model) The problem we have in mind The SMT script we formulated The answer given by Z3 SMT solver Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 78

  50. Analogy with bug fi nding Will variable “ s” over fl ow in the program? (declare-const x Int) (declare-const y Int) int loop(int x) { sat • int s = 1; x + y = 10 (model ??? ??? (assert (= (+ x y) 10)) for (int i=1; i<=x; i++) { (define-fun y () Int 10) (assert (= (+ x (* 2 y)) 20)) s *= i; (define-fun x () Int 0) • x + 2 y = 20 } ) (check-sat) return s; (get-model) } The problem we have in mind The SMT script we formulated The answer given by Z3 SMT solver Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 79

  51. Analogy with bug fi nding Translating bug description — focus of the SP’18 paper Symbolizing program — focus of the ongoing CAV’21 paper Will variable “ s” over fl ow in the program? int loop(int x) { int s = 1; ??? ??? for (int i=1; i<=x; i++) { s *= i; } return s; } The problem we have in mind The SMT script we formulated The answer given by Z3 SMT solver Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 80

  52. What is a double-fetch bug? static int perf_copy_attr( struct perf_event_attr __user *uattr, User program struct perf_event_attr *kattr) { address space u32 size; /* first fetch */ if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ if (copy_from_user(attr, &uattr->size, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 81

  53. What is a double-fetch bug? static int perf_copy_attr( struct perf_event_attr __user *uattr, User program struct perf_event_attr *kattr) { address space u32 size; /* first fetch */ if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ if (copy_from_user(attr, &uattr->size, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 82

  54. What is a double-fetch bug? ?? bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program struct perf_event_attr *kattr) { address space u32 size; /* first fetch */ if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ if (copy_from_user(attr, &uattr->size, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 83

  55. What is a double-fetch bug? ?? bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 30 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ if (copy_from_user(attr, &uattr->size, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 84

  56. What is a double-fetch bug? ?? bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 30 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ if (copy_from_user(attr, &uattr->size, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 85

  57. What is a double-fetch bug? ?? bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 30 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ if (copy_from_user(attr, &uattr->size, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 86

  58. What is a double-fetch bug? 30 bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 30 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ if (copy_from_user(attr, &uattr->size, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 87

  59. What is a double-fetch bug? 30 bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 30 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ 30 if (copy_from_user(kattr, uattr, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 88

  60. What is a double-fetch bug? 30 bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 30 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ 30 if (copy_from_user(kattr, uattr, size)) return -EFAULT; ...... } Copy 30 bytes back to user copy_to_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 89

  61. The assumption failure 30 bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 30 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) What can go wrong in this process? return -EFAULT; Data atomicity during syscall execution is not guaranteed! /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ 30 if (copy_from_user(kattr, attr, size)) return -EFAULT; ...... } Copy 30 bytes back to user copy_to_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 90

  62. Up until the fi rst fetch… ?? bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 30 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ if (copy_from_user(attr, &uattr->size, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 91

  63. Wrong assumption: atomicity in syscall ?? bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 60000 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ if (copy_from_user(attr, &uattr->size, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 92

  64. Wrong assumption: atomicity in syscall 30 bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 60000 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ 60000 if (copy_from_user(kattr, uattr, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_from_user(uattr, attr, attr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 93

  65. When the exploit happens 30 bytes static int perf_copy_attr( struct perf_event_attr __user *uattr, User program 60000 struct perf_event_attr *kattr) { address space 4 bytes u32 size; /* first fetch */ 30 if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) Kernel return -EFAULT; address space /* second fetch */ 60000 if (copy_from_user(kattr, uattr, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ Kernel information leak! copy_to_user(uattr, kattr, kattr->size)) Meng Xu (Georgia Tech) Finding Race Conditions in Kernels July 16, 2020 94

  66. Modeling a double-fetch bug Fetch : a pair , where ( A , S ) - the starting address of the fetch A - the size of memory copied into kernel S Meng Xu (Georgia Tech) Finding Semantic Bugs in Kernels March 18, 2020 95

  67. Modeling a double-fetch bug Fetch : a pair , where ( A , S ) - the starting address of the fetch A - the size of memory copied into kernel S Overlap : two fetches, and , that satisfy ( A 1 , S 1 ) ( A 2 , S 2 ) A 1 ≤ A 2 < ( A 1 + S 1 ) || A 2 ≤ A 1 < ( A 2 + S 2 ) Meng Xu (Georgia Tech) Finding Semantic Bugs in Kernels March 18, 2020 96

  68. Modeling a double-fetch bug Fetch : a pair , where ( A , S ) - the starting address of the fetch A - the size of memory copied into kernel S Overlap : two fetches, and , that satisfy ( A 1 , S 1 ) ( A 2 , S 2 ) A 1 ≤ A 2 < ( A 1 + S 1 ) || A 2 ≤ A 1 < ( A 2 + S 2 ) Dependency : such that controls whether and how the ∃ V ∈ 𝙿𝚠𝚏𝚜𝚖𝚋𝚚 V second fetch might take place. Meng Xu (Georgia Tech) Finding Semantic Bugs in Kernels March 18, 2020 97

  69. Modeling a double-fetch bug Fetch : a pair , where ( A , S ) - the starting address of the fetch A - the size of memory copied into kernel S Overlap : two fetches, and , that satisfy ( A 1 , S 1 ) ( A 2 , S 2 ) A 1 ≤ A 2 < ( A 1 + S 1 ) || A 2 ≤ A 1 < ( A 2 + S 2 ) Dependency : such that controls whether and how the ∃ V ∈ 𝙿𝚠𝚏𝚜𝚖𝚋𝚚 V second fetch might take place. Precaution : check that from the second fetch equals from the fi rst fetch. V ′ V Meng Xu (Georgia Tech) Finding Semantic Bugs in Kernels March 18, 2020 98

  70. Model illustration static int perf_copy_attr( struct perf_event_attr __user *uattr, struct perf_event_attr *kattr) { u32 size; /* first fetch */ if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) return -EFAULT; /* second fetch */ if (copy_from_user(kattr, uattr, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_to_user(uattr, kattr, kattr->size)) Meng Xu (Georgia Tech) Finding Semantic Bugs in Kernels March 18, 2020 99

  71. Model illustration static int perf_copy_attr( struct perf_event_attr __user *uattr, struct perf_event_attr *kattr) { u32 size; /* first fetch */ size if (copy_from_user(&size, &uattr->size, 4)) return -EFAULT; /* sanity checks */ if (size > PAGE_SIZE || size < PERF_ATTR_SIZE_VER0) return -EFAULT; /* second fetch */ if (copy_from_user(kattr, uattr, size)) return -EFAULT; ...... } /* BUG: when attr->size is used later */ copy_to_user(uattr, kattr, kattr->size)) Meng Xu (Georgia Tech) Finding Semantic Bugs in Kernels March 18, 2020 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Testing atomicity Finding race conditions by random testing John Hughes &quot;We know there is a

Testing atomicity Finding race conditions by random testing John Hughes &quot;We know there is a

Testing atomicity Finding race conditions by random testing John Hughes &quot;We know there is a lurking bug somewhere in the dets code. We have got 'bad object' and 'premature eof' every other month the last year. We have not been able to

584 views • 29 slides
D7: Front-running Race conditions #7: Front ont-running running A form of a race condition

D7: Front-running Race conditions #7: Front ont-running running A form of a race condition

D7: Front-running Race conditions #7: Front ont-running running A form of a race condition time-of-check vs time-of-use (TOCTOU) race conditions and transaction ordering dependence (TOD) A classic problem in operating systems 15.8%

467 views • 31 slides
Data-Race Detection for Interrupt-Driven Data-Races and Happens- Kernels Before Analyzing

Data-Race Detection for Interrupt-Driven Data-Races and Happens- Kernels Before Analyzing

Overview Problem Definition Interrupt- Driven Programs Data-Race Detection for Interrupt-Driven Data-Races and Happens- Kernels Before Analyzing FreeRTOS Kernel Library Nikita Chopra, Deepak DSouza and Rekha Pai Conclusion Indian

512 views • 21 slides
Overview: Kernels for Sequences and Graphs String Kernels 8 Example Sequence Classification

Overview: Kernels for Sequences and Graphs String Kernels 8 Example Sequence Classification

Memorial Sloan-Kettering Cancer Center Overview: Kernels for Sequences and Graphs String Kernels 8 Example Sequence Classification Position-(In)dependent Kernels Advanced Kernels Easysvm Kernels on Graphs 9 Basics Random Walks Subtrees

1.8k views • 148 slides
Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or multithreaded programs Caused by different threads of control operating in unpredictable fashion When programmer thought theyd work in a

649 views • 21 slides
Society of Ohio Archivists 2020 Plenary Finding Sex, Race &amp; Suffrage in the Archives

Society of Ohio Archivists 2020 Plenary Finding Sex, Race &amp; Suffrage in the Archives

Society of Ohio Archivists 2020 Plenary Finding Sex, Race &amp; Suffrage in the Archives Kimberly A. Hamlin @ProfessorHamlin Kimberlyhamlin.com Who was Helen Hamilton Gardener? The fallen woman who changed her name (born Alice

281 views • 17 slides
Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
CSCI [4|6] 730 Synchronization Language/Definitions: What are race conditions? Operating

CSCI [4|6] 730 Synchronization Language/Definitions: What are race conditions? Operating

Process [&amp; Thread] Synchronization Why is synchronization needed? CSCI [4|6] 730 Synchronization Language/Definitions: What are race conditions? Operating Systems What are critical sections? What are atomic operations?

253 views • 11 slides
Lecture 07: Race Conditions, Deadlock, Data Integrity The job - list - broken and job - list -

Lecture 07: Race Conditions, Deadlock, Data Integrity The job - list - broken and job - list -

Lecture 07: Race Conditions, Deadlock, Data Integrity The job - list - broken and job - list - fixed examples from the prior slide deck highlight a key issue that comes with the introduction of signals and signal handling. Neither job -

377 views • 10 slides
CSCI 350 Ch. 5 Synchronization Mark Redekopp Michael Shindler &amp; Ramesh Govindan 2 RACE

CSCI 350 Ch. 5 Synchronization Mark Redekopp Michael Shindler &amp; Ramesh Govindan 2 RACE

1 CSCI 350 Ch. 5 Synchronization Mark Redekopp Michael Shindler &amp; Ramesh Govindan 2 RACE CONDITIONS AND ATOMIC OPERATIONS 3 Race Condition A race condition occurs when the behavior of the program depends on the interleaving of

781 views • 49 slides
2 More Paper Goals The L4 Microkernel Is this actually useful? Is the Operations:

2 More Paper Goals The L4 Microkernel Is this actually useful? Is the Operations:

A short history of kernels Early kernel: a library of device drivers, support for threads (QNX) Operating System Kernels Monolithic kernels: Unix, VMS, OS 360 Unstructured but fast Over time, became very large

318 views • 10 slides
Race Race In D&amp;D, race refers to any intelligent humanoid species Dwarf Elf

Race Race In D&amp;D, race refers to any intelligent humanoid species Dwarf Elf

Race Race In D&amp;D, race refers to any intelligent humanoid species Dwarf Elf Halfling Human Gnome Half-Elf Half-Orc Tiefling Race Select a race now and record it near the top Rock gnome of your character sheet

713 views • 43 slides
So You Want to Race to Bermuda Marion Bermuda Race Starts June 19, 2015 So You Want to Race to

So You Want to Race to Bermuda Marion Bermuda Race Starts June 19, 2015 So You Want to Race to

So You Want to Race to Bermuda Marion Bermuda Race Starts June 19, 2015 So You Want to Race to Bermuda Why You Should Go The History The Race Preparing for The Race The Boat The Crew Post Race Where to begin 2

881 views • 66 slides
Introducing Shared-Memory Concurrency Race Conditions and Atomic Blocks Laura Effinger-Dean

Introducing Shared-Memory Concurrency Race Conditions and Atomic Blocks Laura Effinger-Dean

Concurrency Race conditions Atomic blocks Real-life mechanisms Introducing Shared-Memory Concurrency Race Conditions and Atomic Blocks Laura Effinger-Dean November 19, 2007 Laura Effinger-Dean Introducing Shared-Memory Concurrency

542 views • 32 slides
Last Time Today Cost of nearly full resources Advanced interrupts Race conditions

Last Time Today Cost of nearly full resources Advanced interrupts Race conditions

Last Time Today Cost of nearly full resources Advanced interrupts Race conditions RAM is limited System design Think carefully about whether you use a heap Prioritized interrupts Look carefully for stack overflow

307 views • 6 slides
The Gray Code Kernels The Gray Code Kernels The Gray Code Kernels Gil Ben-Artzi Hagit Hel-Or

The Gray Code Kernels The Gray Code Kernels The Gray Code Kernels Gil Ben-Artzi Hagit Hel-Or

The Gray Code Kernels The Gray Code Kernels The Gray Code Kernels Gil Ben-Artzi Hagit Hel-Or Yacov Hel-Or Bar-Ilan University Haifa University IDC 1 Motivation Motivation Image filtering with a successive set of kernels is very

1.06k views • 58 slides
WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono DElia and Emilio Coppa @andreafioraldi andreafioraldi@gmail.com Format-aware Fuzzing Input Input Program Crashes Format Generation Under

666 views • 63 slides
K-Nearest Neighbors Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

K-Nearest Neighbors Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

K-Nearest Neighbors Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Check out review materials Probability Linear algebra Python and NumPy Start your HW 0 On your Local machine: Install

730 views • 57 slides
AI Lab - Session 1 Uninformed Search Riccardo Sartea University of Verona Department of

AI Lab - Session 1 Uninformed Search Riccardo Sartea University of Verona Department of

AI Lab - Session 1 Uninformed Search Riccardo Sartea University of Verona Department of Computer Science March 15 th 2019 The OpenAI Gym Framework What is it Gym is a toolkit for developing and comparing reinforcement learn- ing algorithms.

420 views • 8 slides
Distribution Nion Swift Workshop Chris Meyer 2018 October 5 Nion Swift is software for

Distribution Nion Swift Workshop Chris Meyer 2018 October 5 Nion Swift is software for

Nion Swift Plug-in Distribution Nion Swift Workshop Chris Meyer 2018 October 5 Nion Swift is software for integrating instrument control, data acquisition, organization, visualization, and analysis using Python. Nion Swift Plug-in

199 views • 15 slides
SnaPEA : Predictive Early Activation for Reducing Computation In Deep Convolutional Neural

SnaPEA : Predictive Early Activation for Reducing Computation In Deep Convolutional Neural

SnaPEA : Predictive Early Activation for Reducing Computation In Deep Convolutional Neural Networks * * Vahideh Akhlaghi Amir Yazdanbakhsh Kambiz Samadi Rajesh K. Gupta Hadi Esmaeilzadeh * Equal Contribution University

565 views • 32 slides
Acts Series Lesson #94 December 18, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Acts Series Lesson #94 December 18, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Acts Series Lesson #94 December 18, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. The Acts of the Apostles To the end of the earth Acts 1:8 Acts as a Transition and Overview of Things to Come Acts 13; Matthew

551 views • 19 slides
CS 241: Systems Programming Lecture 1. Introduction Spring 2020 Prof. Stephen Checkoway 1 What

CS 241: Systems Programming Lecture 1. Introduction Spring 2020 Prof. Stephen Checkoway 1 What

CS 241: Systems Programming Lecture 1. Introduction Spring 2020 Prof. Stephen Checkoway 1 What is this course about? Tools for succeeding in computer science Unix command line Bash scripting C programming Building software

268 views • 24 slides
Lecture 19 Logistics HW7 due now A few days off before HW8 kicks in A few days off

Lecture 19 Logistics HW7 due now A few days off before HW8 kicks in A few days off

Lecture 19 Logistics HW7 due now A few days off before HW8 kicks in A few days off before HW8 kicks in Midterm review session tomorrow 4:15 EEB125 Midterm 2 in class (45min long, starts at 10:35am) Last lecture Moore

675 views • 11 slides

More recommend