Operating system kernels carry a large number of security checks to validate security-sensitive variables and operations. For example, a security check should be embedded in a code to ensure that a user-supplied pointer does not point to the kernel space. Using security-checked variables is typically safe. However, in reality, security-checked variables are often subject to modification after the check. If a recheck is lacking after a modification, security issues may arise, e.g., adversaries can control the checked variable to launch critical attacks such as out-of-bound memory access or privilege escalation. We call such cases lacking-recheck (LRC) bugs, a subclass of TOCTTOU bugs, which have not been explored yet. In this paper, we present the first in-depth study of LRC bugs and develop LRSan, a static analysis system that systematically detects LRC bugs in OS kernels. Using an inter-procedural analysis and multiple new techniques, LRSan first automatically identifies security checks, critical variables, and uses of the checked variables, and then reasons about whether a modification is present after a security check. A case in which a modification is present but a recheck is lacking is an LRC bug. We apply LRSan to the latest Linux kernel and evaluate the effectiveness of LRSan. LRSan reports thousands of potential LRC cases, and we have confirmed 19 new LRC bugs. We also discuss patching strategies of LRC bugs based on our study and bug-fixing experience.
|Original language||English (US)|
|Title of host publication||CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security|
|Publisher||Association for Computing Machinery|
|Number of pages||15|
|State||Published - Oct 15 2018|
|Event||25th ACM Conference on Computer and Communications Security, CCS 2018 - Toronto, Canada|
Duration: Oct 15 2018 → …
|Name||Proceedings of the ACM Conference on Computer and Communications Security|
|Other||25th ACM Conference on Computer and Communications Security, CCS 2018|
|Period||10/15/18 → …|
Bibliographical noteFunding Information:
We would like to thank Hayawardh Vijayakumar and the anonymous reviewers for their valuable comments and helpful suggestions. This work is supported in part by the National Science Foundation under Grant No. CNS-1514444.
© 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM.
- Error code
- Missing check
- OS Kernel Bug
- Static analysis