K-Miner Uncovering Memory Corruption in Linux

Transcription

1 K-Miner Uncovering Memory Corruption in Linux David Gens Simon Schmitt Ahmad-Reza Sadeghi Cyber Security Center (CYSEC) Technische Universität Darmstadt Lucas Davi Universität of Duisburg-Essen

2 Why Static Analysis?

3 Big Picture KERNEL FILES COMPILER Memory Corruption: Use-After-Free Double Free Use-After-Return Memory Leaks OS HARDWARE

4 Big Picture KERNEL FILES COMPILER Attacke r Memory Corruption: Use-After-Free Double Free Use-After-Return Memory Leaks OS HARDWARE Static Analysis at compile time. Dynamic Analysis at run time.

5 Data-Flow Analysis: Graphs void main() { int a = 1; int *p; if (a!= 0) p = &a; Entry: int a = 1 int main *p printf p = &a } printf( %d\n, *p); Call Graph printf( %d\n, *p); Control-Flow Graph

6 Data-Flow Analysis: Graphs void main() { int a = 1; int *p; Pointer p Obj_p Obj_a a a p=&a Stack } if (a!= 0) p = &a; printf( %d\n, *p); p phi *p Pointer Value-Flow Constraint Assignment Graph Graph

7 Source-Sink Analysis kalloc_x p alloc SOURCE void main() { int *p = alloc(); p=alloc() if (p!= NULL) free(p); free SINK } free(p); phi free SINK There exists a path that reaches two sinks.

8 Scalability and Precision High Complexity Context-Sensitive Field-Sensitive Inter-Procedural Analysis Low Complexity

9 Kernel Static Analysis - History Sparse [by Torvalds] APISAN [Yun et al. USENIX 16] Smatch [by Charpenter] Coccinelle [Padioleau et al. EuroSys 08] EBA [Abal et al. Springer 17]

10 Linux Kernel: Lines of Code 25M 20M 15M 10M Lines of Code 5M 0 M Version

11 Contributions and Challenges Analysis Format Large Codebase Expandability Data-Flow Analysis Different Kernel Versions Transformation of the kernel source into the LLVM intermediate representation Scaling inter-procedural Data-Flow Analysis to millions of kernel code lines A modular design, adding new checkers is straightforward Combine existing and novel approaches for inter-procedural bug checkers Reports of different kernel versions can be managed using a web-based interface

12 Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Syscall API Vulnerabilities have to be exploited though system calls KERNEL Driver API HARDWARE

13 Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Vulnerabilities have to be exploited though system calls HARDWARE

14 Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Vulnerabilities have to be exploited though system calls HARDWARE

15 Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Vulnerabilities have to be exploited though system calls HARDWARE

16 Design and Workflow KERNEL FILES COMPILER MAKE FILE IR Pre-Processing Model Memory Obj Define Contexts Init Contexts K-MINER

17 Design and Workflow KERNEL FILES COMPILER MAKE FILE IR K-MINER Pre-Processing Model Memory Obj Define Contexts Init Contexts Partitioner Report Engine Bug Checker global_x global_y Memory-Corruption Report: Use-After-Return: global_x -> local_y

18 Implementation Details K-Miner builds on top of LLVM and SVF Environment Setup: Register allocation sites by using a list of kernel allocation functions for dynamically allocated objects Context Handling: Defines syscalls and initcalls contexts Performs a call-graph analysis and pointer analysis Multi-Level reduction of relevant partitions Bug Checker: Exploit LLVM s Pass-Infrastructure Covers Use-After-Return, Double-Free and Memory-Leaks Performs particular analysis and several validation checks

19 Use-After-Return Checker void sys_foo() { do_foo() return } 6 global_p local_x void do_foo() { int local_x = 1 add_x(&local_x) if(cond()) remove_x() return } 3 5 null remove_x 4 add_x void add_x(int *p) { global_p = p } 1 2 do_foo 5 void remove_foo() { 6 global_p = NULL } 4 Value-Flow Graph

20 Use-After-Return Checker void sys_foo() { do_foo() return } 6 global_p local_x void do_foo() { int local_x = 1 add_x(&local_x) if(cond()) remove_x() return } 3 5 null remove_x 4 add_x void add_x(int *p) { global_p = p } 1 2 do_foo 5 void remove_foo() { 6 global_p = NULL } 4 Value-Flow Graph

21 Evaluation Coverage: Four Kernel Versions ca. 300 system calls Scalability: Ø 25 min. per system call Ø 12 GB memory usage Real-world Impact: CVE (UAR) CVE (DFree) Extensibility: Additional bug checkers can be added as Passes Version MLoC Functions Run-Time Globals Memory Locals UAR MLeak Total Pointer DFree v / s 124/ GB 6967/ /40 3/ / /13 v / s 122/ GB 9309/ /46 2/ / /19 v / s 126/ GB 9947/ /50 2/ / /31 v / s 157/ GB 9873/ /65 1/ / /22

22

23

24

25

26 Questions?