To reduce development costs, IoT vendors tend to construct IoT kernels by customizing the Linux kernel. Code pruning is common in this customization process. However, due to the intrinsic complexity of the Linux kernel and the lack of long-term effective maintenance, IoT vendors may mistakenly delete necessary security operations in the pruning process, which leads to various bugs such as memory leaks and NULL pointer dereferences. Yet detecting bugs caused by code pruning in IoT kernels is difficult. Specifically, (1) a significant structural change makes precisely locating the deleted security operations (DSOs) difficult, and (2) inferring the security impact of a DSO is not trivial, since it requires complex semantic understanding, including the development logic and the context of the corresponding IoT kernel. In this paper, we present CPscan, a system for automatically detecting bugs caused by code pruning in IoT kernels. First, using a new graph-based approach that iteratively conducts a structure-aware basic block matching, CPscan can precisely and efficiently identify the DSOs in IoT kernels. Then, CPscan infers the security impact of a DSO by comparing the bounded use chains (where and how a variable is used within potentially influenced code segments) of the security-critical variable associated with it. Specifically, CPscan reports the deletion of a security operation as vulnerable if the bounded use chain of the associated security-critical variable remains the same before and after the deletion. This is because the unchanged uses of a security-critical variable likely need the security operation, and removing it may have security impacts. The experimental results on 28 IoT kernels from 10 popular IoT vendors show that CPscan is able to identify 3,193 DSOs and detect 114 new bugs with a reasonably low false-positive rate. Many such bugs tend to have a long latent period (up to 9 years and 5 months).
We believe CPscan paves a way for eliminating the bugs introduced by code pruning in IoT kernels. We will open-source CPscan to facilitate further research.
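As an added illustration (not CPscan's code), the inference rule described above reduced to a toy model: a function is a list of statements, a deleted security operation is found by plain text matching (standing in for the paper's structure-aware basic block matching), and the deletion is reported only when the bounded use chain of its security-critical variable is unchanged between the upstream and pruned versions. All statement kinds, variable names and sample functions are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stmt:
    kind: str  # 'assign' | 'check' | 'free' | 'use' | 'return'
    var: str   # variable the statement operates on ('' for return)
    text: str  # source text; stands in for CPscan's basic-block matching

SECURITY_KINDS = ("check", "free")  # security operations tracked by this toy

def deleted_security_ops(orig, pruned):
    """Indices of security operations in `orig` that no longer appear in `pruned`."""
    kept = {s.text for s in pruned}
    return [i for i, s in enumerate(orig)
            if s.kind in SECURITY_KINDS and s.text not in kept]

def bounded_use_chain(stmts, var, start):
    """Uses of `var` from `start` until it is redefined or the function returns:
    the code region a security operation at `start` could influence."""
    chain = []
    for s in stmts[start:]:
        if s.kind == "assign" and s.var == var:
            break  # redefinition ends the bounded region
        if s.var == var and s.kind in ("use", "free"):
            chain.append(s.text)
        if s.kind == "return":
            break
    return chain

def anchor(orig, pruned, idx):
    """Position in `pruned` of the first statement that follows the deleted op in `orig`."""
    for s in orig[idx + 1:]:
        for j, t in enumerate(pruned):
            if t.text == s.text:
                return j
    return len(pruned)

def find_vulnerable_deletions(orig, pruned):
    """CPscan's rule: report a deleted security op when the bounded use chain of
    its security-critical variable is the same before and after the deletion."""
    reported = []
    for i in deleted_security_ops(orig, pruned):
        before = bounded_use_chain(orig, orig[i].var, i + 1)
        after = bounded_use_chain(pruned, orig[i].var, anchor(orig, pruned, i))
        if before and before == after:
            reported.append(orig[i].text)
    return reported
# Constructed sample: an upstream function and two pruned variants of it.
ORIG = [Stmt("assign", "p", "p = kmalloc(sz)"), Stmt("check", "p", "if (!p) return -ENOMEM"),
        Stmt("use", "p", "p->len = sz"), Stmt("return", "", "return 0")]
PRUNED_BAD = [ORIG[0], ORIG[2], ORIG[3]]  # NULL check dropped, use of p kept -> NULL deref
PRUNED_OK = [ORIG[0], ORIG[3]]            # check and the use of p removed together -> no report
```

`find_vulnerable_deletions(ORIG, PRUNED_BAD)` flags the dropped NULL check because `p->len = sz` still dereferences `p`, while `PRUNED_OK` is not reported because the use chain changed along with the deletion.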
| Field | Value |
| --- | --- |
| Original language | English (US) |
| Title of host publication | CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security |
| Publisher | Association for Computing Machinery |
| Number of pages | 17 |
| State | Published - Nov 12 2021 |
| Event | 27th ACM Annual Conference on Computer and Communication Security, CCS 2021 - Virtual, Online, Korea, Republic of; Duration: Nov 15 2021 → Nov 19 2021 |
| Name | Proceedings of the ACM Conference on Computer and Communications Security |
| Conference | 27th ACM Annual Conference on Computer and Communication Security, CCS 2021 |
| Country/Territory | Korea, Republic of |
| Period | 11/15/21 → 11/19/21 |
Bibliographical note: Funding Information:
This work was partly supported by NSFC under No. U1936215 and U1836202, the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under No. LR19F020003, the State Key Laboratory of Computer Architecture (ICT, CAS) under Grant No. CARCHA202001, the Fundamental Research Funds for the Central Universities (Zhejiang University NGICS Platform), and Alibaba-Zhejiang University Joint Research Institute of Frontier Technologies. Kangjie Lu was supported in part by the NSF awards CNS-1815621 and CNS-1931208.
© 2021 ACM.
- bug detection
- inconsistency analysis
- missing security operation
- static analysis