Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels

Meng Xu, Chenxiong Qian, Kangjie Lu, Michael Backes, Taesoo Kim

Research output: Chapter in Book/Report/Conference proceedingConference contribution

70 Scopus citations

Abstract

During system call execution, it is common for operating system kernels to read userspace memory multiple times (multi-reads). A critical bug may exist if the fetched userspace memory is subject to change across these reads, i.e., a race condition, which is known as a double-fetch bug. Prior works have attempted to detect these bugs both statically and dynamically. However, due to their improper assumptions and imprecise definitions regarding double-fetch bugs, their multi-read detection is inherently limited and suffers from significant false positives and false negatives. For example, their approach is unable to support device emulation, inter-procedural analysis, loop handling, etc. More importantly, they completely leave the task of finding real double-fetch bugs from the haystack of multi-reads to manual verification, which is expensive if possible at all. In this paper, we first present a formal and precise definition of double-fetch bugs and then implement a static analysis system-Deadline-to automatically detect double-fetch bugs in OS kernels. Deadline uses static program analysis techniques to systematically find multi-reads throughout the kernel and employs specialized symbolic checking to vet each multi-read for double-fetch bugs. We apply Deadline to Linux and FreeBSD kernels and find 23 new bugs in Linux and one new bug in FreeBSD. We further propose four generic strategies to patch and prevent double-fetch bugs based on our study and the discussion with kernel maintainers.

Original languageEnglish (US)
Title of host publicationProceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages661-678
Number of pages18
ISBN (Electronic)9781538643525
DOIs
StatePublished - Jul 23 2018
Event39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States
Duration: May 21 2018May 23 2018

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume2018-May
ISSN (Print)1081-6011

Other

Other39th IEEE Symposium on Security and Privacy, SP 2018
Country/TerritoryUnited States
CitySan Francisco
Period5/21/185/23/18

Bibliographical note

Publisher Copyright:
© 2018 IEEE.

Keywords

  • bug
  • detection
  • kernel

Fingerprint

Dive into the research topics of 'Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels'. Together they form a unique fingerprint.

Cite this