dr checker
play

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind - PowerPoint PPT Presentation

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY


  1. DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

  2. First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 2 CSS, USENIX Security, 08/18/2017

  3. First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 3 CSS, USENIX Security, 08/18/2017

  4. First, a story… $ mkdir driver_checker seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 3 CSS, USENIX Security, 08/18/2017

  5. First, a story… $ mkdir dr_checker seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 4 CSS, USENIX Security, 08/18/2017

  6. First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 5 CSS, USENIX Security, 08/18/2017

  7. Why Drivers? seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 6 CSS, USENIX Security, 08/18/2017

  8. Why Drivers? $ ls linux /arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security $ seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 6 CSS, USENIX Security, 08/18/2017

  9. Why Drivers? $ ls linux /arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security $ seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 7 CSS, USENIX Security, 08/18/2017

  10. Why Drivers? $ ls linux /arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security $ find bugs seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 7 CSS, USENIX Security, 08/18/2017

  11. Why Drivers? CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  12. Why Drivers? 15% Drivers 85% Bugs in Windows XP (2003) CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  13. Why Drivers? 15% Drivers 28% 72% Drivers 85% Bugs in Windows XP (2003) Linux Kernel CVEs (2016-2017) CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  14. Why Drivers? 15% 15% Drivers 28% 72% Drivers Drivers 85% 85% Bugs in Windows XP (2003) Linux Kernel CVEs (2016-2017) Reported bugs in Android (2016) CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  15. Motivation Only analyze the drivers! seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 9 CSS, USENIX Security, 08/18/2017

  16. Program Analysis for Bug Finding seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 10 CSS, USENIX Security, 08/18/2017

  17. Program Analysis for Bug Finding • Points-to Analysis: Determines all storage locations that a pointer can point to • Example bug: Kernel code pointer to user-controlled memory seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 10 CSS, USENIX Security, 08/18/2017

  18. Program Analysis for Bug Finding • Points-to Analysis: Determines all storage locations that a pointer can point to • Example bug: Kernel code pointer to user-controlled memory • Taint Analysis: Determines all of the locations that are a ff ected by user- supplied (tainted) data • Example bug: User provided data used as length in copy_from_user() seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 10 CSS, USENIX Security, 08/18/2017

  19. Program Analysis on Kernel Code • Pointers… Everywhere! • State explosion • Inter-procedural calls to core functions • State explosion seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 11 CSS, USENIX Security, 08/18/2017

  20. Precision vs. Soundness Precise Sound seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 12 CSS, USENIX Security, 08/18/2017

  21. Precision vs. Soundness Precise Sound False False True True True True False True False True True False True True False True True True True False Most of the things reported are true seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 12 CSS, USENIX Security, 08/18/2017

  22. Precision vs. Soundness Precise Sound False False False False True False True True True False True False False True False True False True True False False True False False False True False False True True True True True False True False False Most of the things reported are true Everything that is true is reported seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 12 CSS, USENIX Security, 08/18/2017

  23. Soundiness Sound Precise False False False False True False True True True False True False False True False False True True True False False True False False False False True False True True True True False True True False False Violate soundness to achieve higher precision and practical computational constraints seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 13 CSS, USENIX Security, 08/18/2017

  24. Soundiness Soundy True Sound Precise False True False False False False False True True False True True True True False False False True False False False True True False False True True True True False False False True False False True False False True False True True True True True False True False True True False False True False Violate soundness to achieve higher precision and practical computational constraints seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 13 CSS, USENIX Security, 08/18/2017

  25. Dr. Checker: Assumptions (1) All non-driver code is implemented perfectly (2) Only evaluate loops until a reaching definition (3) All calls are traversed exactly once, even in loops seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 14 CSS, USENIX Security, 08/18/2017

  26. Dr. Checker: Design • Modular framework to enable flexible development • Simultaneously employ numerous vulnerability detectors • Open source: github.com/ucsb-seclab/dr_checker seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 15 CSS, USENIX Security, 08/18/2017

  27. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  28. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  29. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  30. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  31. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

Recommend


More recommend