Check it again: Detecting lacking-recheck bugs in OS kernels

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

30 Scopus citations


Operating system kernels carry a large number of security checks to validate security-sensitive variables and operations. For example, a security check should be embedded in code to ensure that a user-supplied pointer does not point to the kernel space. Using security-checked variables is typically safe. However, in reality, security-checked variables are often subject to modification after the check. If a recheck is lacking after a modification, security issues may arise, e.g., adversaries can control the checked variable to launch critical attacks such as out-of-bound memory access or privilege escalation. We call such cases lacking-recheck (LRC) bugs, a subclass of TOCTTOU bugs, which have not been explored yet. In this paper, we present the first in-depth study of LRC bugs and develop LRSan, a static analysis system that systematically detects LRC bugs in OS kernels. Using an inter-procedural analysis and multiple new techniques, LRSan first automatically identifies security checks, critical variables, and uses of the checked variables, and then reasons about whether a modification is present after a security check. A case in which a modification is present but a recheck is lacking is an LRC bug. We apply LRSan to the latest Linux kernel and evaluate the effectiveness of LRSan. LRSan reports thousands of potential LRC cases, and we have confirmed 19 new LRC bugs. We also discuss patching strategies of LRC bugs based on our study and bug-fixing experience.
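The check, modify, use sequence described in the abstract, shown next to the same flow with a recheck, as an added user-space illustration that is not code from the paper, LRSan, or the Linux kernel. All names (`struct request`, `racy_len`, `KBUF_SIZE`, the handlers) are hypothetical, and a second fetch from user memory is assumed as the source of the modification.

```c
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 16  /* size of a hypothetical kernel buffer */

/* Constructed stand-in for a request living in user memory. */
struct request { size_t len; unsigned char data[64]; };

/* Models a racing user thread: if nonzero, user->len is rewritten to this
 * value right after the kernel's first fetch. */
static size_t racy_len;

/* First fetch: read only the length field from "user memory". */
static void fetch_len(size_t *dst, struct request *user) {
    *dst = user->len;
    if (racy_len) user->len = racy_len;
}

/* Check -> modify -> use with no recheck. Returns the length that would be
 * passed to memcpy(kbuf, req.data, len), or -1 if the request is rejected.
 * The copy itself is omitted so the demo stays memory-safe. */
static long handle_lrc(struct request *user) {
    struct request req;
    fetch_len(&req.len, user);
    if (req.len > KBUF_SIZE) return -1;   /* security check */
    memcpy(&req, user, sizeof(req));      /* second fetch overwrites req.len */
    return (long)req.len;                 /* use of a no-longer-checked value */
}

/* Same flow with the check repeated after the modification. */
static long handle_rechecked(struct request *user) {
    struct request req;
    fetch_len(&req.len, user);
    if (req.len > KBUF_SIZE) return -1;
    memcpy(&req, user, sizeof(req));
    if (req.len > KBUF_SIZE) return -1;   /* recheck */
    return (long)req.len;
}

int main(void) {
    struct request u = { .len = 8 };
    racy_len = 64;                        /* constructed race */
    printf("no recheck: %ld\n", handle_lrc(&u));
    u.len = 8;
    printf("rechecked:  %ld\n", handle_rechecked(&u));
    return 0;
}
```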

Original language: English (US)
Title of host publication: CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Number of pages: 15
ISBN (Electronic): 9781450356930
State: Published - Oct 15 2018
Event: 25th ACM Conference on Computer and Communications Security, CCS 2018 - Toronto, Canada
Duration: Oct 15 2018 → …

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221


Other: 25th ACM Conference on Computer and Communications Security, CCS 2018
Period: 10/15/18 → …

Bibliographical note

Funding Information:
We would like to thank Hayawardh Vijayakumar and the anonymous reviewers for their valuable comments and helpful suggestions. This work is supported in part by the National Science Foundation under Grant No. CNS-1514444.

Publisher Copyright:
© 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM.


  • Error code
  • Lacking-recheck
  • Missing check
  • OS Kernel Bug
  • Static analysis

