Software programs may frequently encounter various errors such as allocation failures. Error handling aims to gracefully deal with the errors to avoid security and reliability issues, thus it is prevalent and vital. However, because of its complexity and corner cases, error handling itself is often erroneous, and prior research has primarily focused on finding bugs in the handling part, such as incorrect error-code returning or missing error propagation. In this paper, we propose and investigate a class of bugs in error-handling code from a different perspective. In particular, we find that programs often perform “cleanup” operations before the actual error handling, such as freeing memory or decreasing refcount. Critical bugs occur when these operations are performed (1) in an incorrect order, (2) redundantly, or (3) inadequately. We refer to such bugs as Disordered Error Handling (DiEH). Our investigation reveals that DiEH bugs are not only common but can also cause security problems such as privilege escalation, memory corruption, and denial-of-service. Based on the findings from the investigation, we then develop a system, HERO (Handling ERrors Orderly), to automatically detect DiEH. The core of HERO is a novel technique that precisely pairs both common and custom functions based on the unique error-handling structures, which allows us to infer expected cleanup functions. With HERO, we found 239 DiEH bugs in the Linux kernel, the FreeBSD kernel, and OpenSSL, which can cause security and reliability issues. The evaluation results show that DiEH is critical and widely exists in system software, and HERO is effective in detecting DiEH. We also believe that the precise function pairing is of independent interest in other research areas such as temporal-rule inference and race detection.
|Original language||English (US)|
|Title of host publication||Proceedings of the 30th USENIX Security Symposium|
|Number of pages||18|
|State||Published - 2021|
|Event||30th USENIX Security Symposium, USENIX Security 2021 - Virtual, Online|
Duration: Aug 11 2021 → Aug 13 2021
|Name||Proceedings of the 30th USENIX Security Symposium|
|Conference||30th USENIX Security Symposium, USENIX Security 2021|
|Period||8/11/21 → 8/13/21|
Bibliographical noteFunding Information:
We thank our shepherd, Mathias Payer, and the anonymous reviewers for their helpful suggestions and comments. We are grateful to Linux maintainers for providing prompt feedback on patching the Linux kernel. The authors also thank Peng Le for helping implement function pairing. This research was supported in part by the NSF awards CNS-1815621 and CNS-1931208. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of NSF.
© 2021 by The USENIX Association. All rights reserved.