Check it again: Detecting lacking-recheck bugs in OS kernels

Wenwen Wang; Kangjie Lu; Pen Chung Yew

doi:10.1145/3243734.3243844

Check it again: Detecting lacking-recheck bugs in OS kernels

Wenwen Wang, Kangjie Lu, Pen Chung Yew

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

8 Scopus citations

Abstract

Operating system kernels carry a large number of security checks to validate security-sensitive variables and operations. For example, a security check should be embedded in a code to ensure that a user-supplied pointer does not point to the kernel space. Using security-checked variables is typically safe. However, in reality, security-checked variables are often subject to modification after the check. If a recheck is lacking after a modification, security issues may arise, e.g., adversaries can control the checked variable to launch critical attacks such as out-of-bound memory access or privilege escalation. We call such cases lacking-recheck (LRC) bugs, a subclass of TOCTTOU bugs, which have not been explored yet. In this paper, we present the first in-depth study of LRC bugs and develop LRSan, a static analysis system that systematically detects LRC bugs in OS kernels. Using an inter-procedural analysis and multiple new techniques, LRSan first automatically identifies security checks, critical variables, and uses of the checked variables, and then reasons about whether a modification is present after a security check. A case in which a modification is present but a recheck is lacking is an LRC bug. We apply LRSan to the latest Linux kernel and evaluate the effectiveness of LRSan. LRSan reports thousands of potential LRC cases, and we have confirmed 19 new LRC bugs. We also discuss patching strategies of LRC bugs based on our study and bug-fixing experience.

Original language	English (US)
Title of host publication	CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	1899-1913
Number of pages	15
ISBN (Electronic)	9781450356930
DOIs	https://doi.org/10.1145/3243734.3243844
State	Published - Oct 15 2018
Event	25th ACM Conference on Computer and Communications Security, CCS 2018 - Toronto, Canada Duration: Oct 15 2018 → …

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Other

Other	25th ACM Conference on Computer and Communications Security, CCS 2018
Country	Canada
City	Toronto
Period	10/15/18 → …

Keywords

Error code
Lacking-recheck
Missing check
OS Kernel Bug
Static analysis
TOCTTOU

Access

10.1145/3243734.3243844

Fingerprint Dive into the research topics of 'Check it again: Detecting lacking-recheck bugs in OS kernels'. Together they form a unique fingerprint.

Cite this

Wang, W., Lu, K., & Yew, P. C. (2018). Check it again: Detecting lacking-recheck bugs in OS kernels. In CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (pp. 1899-1913). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3243734.3243844

Check it again : Detecting lacking-recheck bugs in OS kernels. / Wang, Wenwen; Lu, Kangjie ; Yew, Pen Chung.

CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2018. p. 1899-1913 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Wang, W, Lu, K & Yew, PC 2018, Check it again: Detecting lacking-recheck bugs in OS kernels. in CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 1899-1913, 25th ACM Conference on Computer and Communications Security, CCS 2018, Toronto, Canada, 10/15/18. https://doi.org/10.1145/3243734.3243844

@inproceedings{54b5d795cb614dd78b07c6967cef4d18,

title = "Check it again: Detecting lacking-recheck bugs in OS kernels",

abstract = "Operating system kernels carry a large number of security checks to validate security-sensitive variables and operations. For example, a security check should be embedded in a code to ensure that a user-supplied pointer does not point to the kernel space. Using security-checked variables is typically safe. However, in reality, security-checked variables are often subject to modification after the check. If a recheck is lacking after a modification, security issues may arise, e.g., adversaries can control the checked variable to launch critical attacks such as out-of-bound memory access or privilege escalation. We call such cases lacking-recheck (LRC) bugs, a subclass of TOCTTOU bugs, which have not been explored yet. In this paper, we present the first in-depth study of LRC bugs and develop LRSan, a static analysis system that systematically detects LRC bugs in OS kernels. Using an inter-procedural analysis and multiple new techniques, LRSan first automatically identifies security checks, critical variables, and uses of the checked variables, and then reasons about whether a modification is present after a security check. A case in which a modification is present but a recheck is lacking is an LRC bug. We apply LRSan to the latest Linux kernel and evaluate the effectiveness of LRSan. LRSan reports thousands of potential LRC cases, and we have confirmed 19 new LRC bugs. We also discuss patching strategies of LRC bugs based on our study and bug-fixing experience.",

keywords = "Error code, Lacking-recheck, Missing check, OS Kernel Bug, Static analysis, TOCTTOU",

author = "Wenwen Wang and Kangjie Lu and Yew, {Pen Chung}",

year = "2018",

month = oct,

day = "15",

doi = "10.1145/3243734.3243844",

language = "English (US)",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "1899--1913",

booktitle = "CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security",

note = "25th ACM Conference on Computer and Communications Security, CCS 2018 ; Conference date: 15-10-2018",

}

TY - GEN

T1 - Check it again

T2 - 25th ACM Conference on Computer and Communications Security, CCS 2018

AU - Wang, Wenwen

AU - Lu, Kangjie

AU - Yew, Pen Chung

PY - 2018/10/15

Y1 - 2018/10/15

N2 - Operating system kernels carry a large number of security checks to validate security-sensitive variables and operations. For example, a security check should be embedded in a code to ensure that a user-supplied pointer does not point to the kernel space. Using security-checked variables is typically safe. However, in reality, security-checked variables are often subject to modification after the check. If a recheck is lacking after a modification, security issues may arise, e.g., adversaries can control the checked variable to launch critical attacks such as out-of-bound memory access or privilege escalation. We call such cases lacking-recheck (LRC) bugs, a subclass of TOCTTOU bugs, which have not been explored yet. In this paper, we present the first in-depth study of LRC bugs and develop LRSan, a static analysis system that systematically detects LRC bugs in OS kernels. Using an inter-procedural analysis and multiple new techniques, LRSan first automatically identifies security checks, critical variables, and uses of the checked variables, and then reasons about whether a modification is present after a security check. A case in which a modification is present but a recheck is lacking is an LRC bug. We apply LRSan to the latest Linux kernel and evaluate the effectiveness of LRSan. LRSan reports thousands of potential LRC cases, and we have confirmed 19 new LRC bugs. We also discuss patching strategies of LRC bugs based on our study and bug-fixing experience.

AB - Operating system kernels carry a large number of security checks to validate security-sensitive variables and operations. For example, a security check should be embedded in a code to ensure that a user-supplied pointer does not point to the kernel space. Using security-checked variables is typically safe. However, in reality, security-checked variables are often subject to modification after the check. If a recheck is lacking after a modification, security issues may arise, e.g., adversaries can control the checked variable to launch critical attacks such as out-of-bound memory access or privilege escalation. We call such cases lacking-recheck (LRC) bugs, a subclass of TOCTTOU bugs, which have not been explored yet. In this paper, we present the first in-depth study of LRC bugs and develop LRSan, a static analysis system that systematically detects LRC bugs in OS kernels. Using an inter-procedural analysis and multiple new techniques, LRSan first automatically identifies security checks, critical variables, and uses of the checked variables, and then reasons about whether a modification is present after a security check. A case in which a modification is present but a recheck is lacking is an LRC bug. We apply LRSan to the latest Linux kernel and evaluate the effectiveness of LRSan. LRSan reports thousands of potential LRC cases, and we have confirmed 19 new LRC bugs. We also discuss patching strategies of LRC bugs based on our study and bug-fixing experience.

KW - Error code

KW - Lacking-recheck

KW - Missing check

KW - OS Kernel Bug

KW - Static analysis

KW - TOCTTOU

UR - http://www.scopus.com/inward/record.url?scp=85056844878&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85056844878&partnerID=8YFLogxK

U2 - 10.1145/3243734.3243844

DO - 10.1145/3243734.3243844

M3 - Conference contribution

AN - SCOPUS:85056844878

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1899

EP - 1913

BT - CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 15 October 2018

ER -