A Soundy Analysis for Linux Kernel Drivers · Dr Checker: A Soundy Analysis of Linux Kernel Drivers...

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers

Aravind Machiry, Chad Spensky, Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna

University of California, Santa Barbara

USENIX Security 2017

seclabTHE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

seclabDr Checker: A Soundy Analysis of Linux Kernel DriversCSS, USENIX Security, 08/18/2017

First, a story…

$ mkdir driver_checker

First, a story…

$ mkdir dr_checker

First, a story…

Why Drivers?

$ ls linux

Why Drivers?

/arch /block /certs /crypto

/drivers /firmware /fs

/include /virt/init

/tools /sound /security/scripts

/samples

/net /mm /lib

/kernel /ipc

$ ls linux

Why Drivers?

/include /virt/init

/samples

/net /mm /lib

/kernel /ipc

$ ls linux

Why Drivers?

/include /virt/init

/samples

/net /mm /lib

/kernel /ipc

find bugs $

Why Drivers?

CVE - Common Vulnerability and Exposure

Why Drivers?

Drivers85%

Bugs in Windows XP (2003)

Why Drivers?

Drivers85%

Drivers28%

Linux Kernel CVEs (2016-2017)

Why Drivers?

Drivers85%

Drivers28%

Linux Kernel CVEs (2016-2017)

Drivers85%

Reported bugs in Android (2016)

Motivation

Only analyze the drivers!

Program Analysis for Bug Finding

• Points-to Analysis: Determines all storage locations that a pointer can point to

• Example bug: Kernel code pointer to user-controlled memory

• Points-to Analysis: Determines all storage locations that a pointer can point to

• Example bug: Kernel code pointer to user-controlled memory

• Taint Analysis: Determines all of the locations that are affected by user-supplied (tainted) data

• Example bug: User provided data used as length in copy_from_user()

Program Analysis on Kernel Code

• Pointers… Everywhere!

• State explosion

• Inter-procedural calls to core functions

• State explosion

Precision vs. Soundness

Precise Sound

Most of the things reported are true

True True

TrueTrue

Precise Sound

Everything that is true is reportedMost of the things reported are true

True True

TrueTrue

True True

Precise Sound

Soundiness

Violate soundness to achieve higher precision and practical computational constraints

True True

TrueTrue

Precise

True True

Soundiness

Violate soundness to achieve higher precision and practical computational constraints

True True

TrueTrue

Precise

True True

TrueTrue

Soundy

TrueFalse

False FalseFalse

Dr. Checker: Assumptions

(1) All non-driver code is implemented perfectly

(2) Only evaluate loops until a reaching definition

(3) All calls are traversed exactly once, even in loops

Dr. Checker: Design

• Modular framework to enable flexible development

• Simultaneously employ numerous vulnerability detectors

• Open source: github.com/ucsb-seclab/dr_checker

Dr. Checker: Design

Driver Code

Soundy Driver Traversal Analysis Clients

Points-to Analysis

Taint Analysis

2Global State

Vulnerability Detectors

Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD)

Invalid Cast Detector (ICD) Tainted Loop Bound Detector (TLBD)

Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD)

Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD)

Warnings

Dr. Checker: Design

Driver Code

Points-to Analysis

Taint Analysis

2Global State

Warnings

Dr. Checker: Design

Driver Code

Points-to Analysis

Taint Analysis

2Global State

Warnings

Dr. Checker: Design

Driver Code

Points-to Analysis

Taint Analysis

2Global State

Warnings

Dr. Checker: Design

Driver Code

Points-to Analysis

Taint Analysis

2Global State

Warnings

Dr. Checker: Design

Driver Code

Points-to Analysis

Taint Analysis

2Global State

Warnings

Soundy Driver Traversal

• Context-sensitive: Analysis for each function call is done in the context of the calling function

• Field-sensitive: The ability to differentiate between different fields in a memory structure

• Flow-sensitive: The ability to track data usage (e.g., taint) throughout a program, according to its control flow

struct kernel_obj ko;

void internal_function(int *ptr) { *ptr += 1; }

void entry_point(void *user_ptr, int len) { curr_data->item = &ko;

copy_from_user(&ko, user_ptr, len);

for (int i = 0; i < ko.count; i++) { internal_function(&(ko.data[i])); }

dangerous_function(curr_data->buf); dangerous_function(curr_data->item); kernel_function(curr_data->item);

Taint Analysis

user_ptr

Taint Analysis

user_ptr

Field-sensitive

Taint Analysis

user_ptr

Taint Sourcecurr_data->item

Warning: Improper Tainted-Data Use

Field-sensitive

Taint Analysis

user_ptr

Taint Sourcecurr_data->item

Field-sensitive

Warning: Tainted Loop Bound

Taint Analysis

user_ptr

Field-sensitiveko

Taint Source

curr_data->item

Taint Analysis

user_ptr

Field-sensitiveko

Taint Source

Warning: Tainted Arithmetic

curr_data->item

Taint Analysis

user_ptr

Field-sensitiveko

Taint Source

Untainted Field

curr_data->item

Taint Analysis

user_ptr

Field-sensitiveko

Taint Source

Untainted FieldWarning: Improper Tainted-Data Use

curr_data->item

Taint Analysis

user_ptr

Field-sensitiveko

Taint Source

Kernel Functions Ignored

curr_data->item

Taint Analysis

user_ptr

Field-sensitiveko

Taint Source

Kernel Functions Ignored

Soundy: Loop Traversal

Soundy: Ignore kernel functions

Soundy: Single traversalcurr_data->item

Identifying Vendor Drivers

• diff with mainline sources

• Extract code-names from vendor configuration files

Driver Entry Points

• File Operations

• Attribute Operations

• Socket Operations

• Wrapper Functions

Entry Type Argument(s) Taint Type

Read (File) char *buf, size_t len Direct

Write (File) char *buf, size_t len Direct

Ioctl (File) long args Direct

DevStore (Attribute) const char *buf Indirect

NetDevIoctl (Socket) struct *ifreq Indirect

V4Ioctl struct v412_format *f Indirect

Evaluation: Mobile Kernels

Amazon Echo (5.5.0.3)

Amazon Fire HD8 (6th Generation, 5.3.2.1)

HTC One Hima (3.10.61-g5f0fe7e)

Sony Xperia XA (33.2.A.3.123)

HTC Desire A56 (a56uhl-3.4.0)

LG K8 ACG (AS375)

ASUS Zenfone 2 Laser (ZE550KL / MR5- 21.40.1220.1794)

Huawei Venus P9 Lite (2016-03-29)

Samsung Galaxy S7 Edge (SM-G935F NN)

3.1 Million lines of driver code

Other Tools

• Flawfinder — pattern-based bug detector

• RATS (Rough Auditing Tool for Security) — pattern-based bug detector

• Sparse — compiler-based bug detector

• cppcheck — all-in-one static analysis bug detector

Other Tools: Analysis

Feature cppcheck flawfinder RATS Sparse Dr. Checker

Extensible ✔ ✔

Inter-prodecural ✔

Handles pointers ✔

Kernel specific ✔ ✔

No manual annotations ✔ ✔ ✔ ✔

Requires compilable sources

✔ ✔ ✔

Tracable Warnings ✔ ✔

Other Tools: Warnings

Kernel cppcheck flawfinder RATS Sparse

Qualcomm 18 4,365 693 5,202

Samsung 22 8,173 2,244 1,726

Hauwei 34 18,132 2,301 11,320

Mediatek 168 14,230 3,730 13,771

242 44,900 8,968 31,929

Dr. Checker

Detector Huawei Qualcomm Mediatek Samsung Total

TaintedSizeDetector 62 / 62/ 5 33 / 33 / 2 155 / 155 / 6 20 / 20 / 1 270 / 268 / 14TaintedPointerDereferenceChecker 522 / 155 / 12 264 / 264 / 3 465 / 459 / 6 479 / 423 / 4 1,760 / 1,301 / 25

TaintedLoopBoundDetector 75 / 56 / 4 52 / 52 / 0 73 / 73 / 1 78 / 78 / 0 278 / 259 / 5GlobalVariableRaceDetector 324 / 184 / 38 188 / 108 / 8 548 / 420 / 5 100 / 62 / 12 1,160 / 774 / 63

ImproperTaintedDataUseDetector 81 / 74 / 5 92 / 91 / 3 243 / 241 / 9 135 / 134 / 4 551 / 540 / 21IntegerOverflowDetector 250 / 177 / 6 196 / 196 / 2 247 / 247 / 6 99 / 87 / 2 792 / 707 / 16

KernelUninitMemoryLeakDetector 9 / 7 / 5 1 / 1 / 0 8 / 5 / 5 6 / 2 / 1 24 / 15 / 11

InvalidCastDetector 96 / 13 / 2 75 / 74 / 1 9 / 9 / 0 56 / 13 / 0 236 / 109 / 3

1,449 / 728 / 78 901 / 819 / 19 1,748 / 1,607 / 44 973 / 819 / 24 5,071 / 3,973 / 158

Warnings per Kernel (Count / Confirmed / Bug)

Precision: 78%

Dr. Checker

1,449 / 728 / 78 901 / 819 / 19 1,748 / 1,607 / 44 973 / 819 / 24 5,071 / 3,973 / 158

Precision: 78%5,071 / 3,973 / 158

Dr. Checker

1,449 / 728 / 78 901 / 819 / 19 1,748 / 1,607 / 44 973 / 819 / 24 5,071 / 3,973 / 158

Precision: 78%5,071 / 3,973 / 158

Dr. Checker

1,449 / 728 / 78 901 / 819 / 19 1,748 / 1,607 / 44 973 / 819 / 24 5,071 / 3,973 / 158

Precision: 78%

24 / 15 / 11

Dr. Checker

1,449 / 728 / 78 901 / 819 / 19 1,748 / 1,607 / 44 973 / 819 / 24 5,071 / 3,973 / 158

Precision: 78%

522 / 155 / 12 479 / 423 / 4

Zero-day Bug

static char call status ; ...static ssize_t accdet_store_call_state( struct device driver ∗ddri , const char ∗buf , size t count) { int ret = sscanf(buf, ”%s”, &call status);

if (ret != 1) { ACCDETDEBUG(”accdet: Invalid values\n”); return -EINVAL; } … }

A buffer overflow bug detected in Mediatek’s Accdet driver

Zero-day Bug

buf can contain more than one char !

Zero-day Bug

ret is checked, but it’s too late

Results: Soundy vs. Sound

Dr. Checker

Dr. Checker (Ignoring kernel functions)

Dr. Checker (Sound Analysis) [18/100]

.008 Seconds

log10(seconds)

980 Seconds

Time to analyze 100 randomly selected entry points

3,000 Seconds

2,300 Seconds

.16 Seconds

.12 Seconds

Results: Soundy vs. Sound

Dr. Checker

Dr. Checker (Ignoring kernel functions)

Dr. Checker (Sound Analysis) [18/100]

.008 Seconds

log10(seconds)

980 Seconds

Time to analyze 100 randomly selected entry points

3,000 Seconds

2,300 Seconds

.16 Seconds

.12 Seconds

82 Analyses did not finish!

Conclusion

• Modular bug-finding tool for Linux kernel drivers

• Soundy program analysis techniques to maintain practicality

• Scalable tool capable of employing multiple vulnerability detectors

• 158 previously undiscovered zero-day bugs

• Open-source project to encourage more development/collaboration

github.com/ucsb-seclab/dr_checker

Aravind Machiry (machiry@cs.ucsb.edu)

Chad Spensky (cspensky@cs.ucsb.edu)

Help Make Drivers Great Again

A Soundy Analysis for Linux Kernel Drivers · Dr Checker: A Soundy Analysis of Linux Kernel Drivers...

Documents

Transcript of A Soundy Analysis for Linux Kernel Drivers · Dr Checker: A Soundy Analysis of Linux Kernel Drivers...

DR. CHECKER: A Soundy Analysis for Linux Kernel … A Soundy Analysis for Linux Kernel Drivers ... A Soundy Analysis for Linux Kernel Drivers ... An integer overﬂow in Huawei’s

man pages section 9F: Kernel Functions for Drivers

A Soundy Analysis for Linux Kernel Drivers - sites.cs.ucsb.educspensky/slides/dr_checker_usenix2017.pdf · DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry,

Chapter 12 Drivers and the Kernel

linux kernel and device drivers

Introduction to Linux Device Drivers › wp-content › uploads › 2014 › ...Introduction to Linux Device Drivers John Linn Based on 3.14 Linux kernel . Concepts Kernel Runtime

Linux User Space Device Drivers - d9 Tech Blog · Linux device drivers are typically designed as kernel drivers running in kernel space User space I/O is another alternative device

Free Electrons. Kernel, drivers and embedded Linux ... · Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. 1/1

Windows Kernel Internals Overview - TuxFamily dev/doc... · Windows Kernel Internals Overview David B. Probert, Ph.D. ... Windows Kernel Internals. Projects. Device Drivers and Registry

Free Electrons. Kernel, drivers and embedded Linux development, consulting, training ... · 2016-07-06 · Free Electrons. Kernel, drivers and embedded Linux development, consulting,

Linux kernel serial drivers - Bootlin · Linux serial drivers This file is an old chapter of Free Electrons’ embedded Linux kernel and driver development training materials ...

Telit Modules Linux USB Drivers User Guide€¦ · Telit Modules Linux USB Drivers User Guide ... INTRODUCTION ... used kernel driver: Device type Kernel driver

linux Pci Drivers - Bootlin · Linux PCI drivers Implementing Linux drivers. 12 Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. http

Embedded Linux Kernel and Drivers Labs

Linux Kernel architecture for device drivers

Linux Kernel Driver Tutorial - Admingildetali.admingilde.org/dhwk/vorlesung.pdf · Linux Kernel Driver Tutorial ... Character-device-drivers ... The Linux Kernel can be built in many

Embedded Linux kernel and driver development€¦ · Embedded Linux kernel and ... Kernel, drivers and embedded Linux development, consulting, training and ... the kernel Makefile

BlueField Overview · BlueOS Yocto Poky Kernel CentOS reference drivers Ubuntu commercial OS Mellanox Drivers & Packages MLNX_OFED driver ASAP2 NVMe-oF Kernel support & target reference

DIFUZE: Interface Aware Fuzzing for Kernel Drivers · DIFUZE: Interface Aware Fuzzing for Kernel Drivers Jake Corina UC Santa Barbara jcorina@cs.ucsb.edu Aravind Machiry UC Santa

iDEA: Static Analysis on the Security of Apple Kernel Drivers