DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers
Aravind Machiry, Chad Spensky, Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara
USENIX Security 2017
seclab: The Computer Security Group at UC Santa Barbara
First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 2 CSS, USENIX Security, 08/18/2017
$ mkdir driver_checker
$ mkdir dr_checker
Why Drivers?
$ ls linux
/arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security
$ find bugs
[Figure: three pie charts, each with a "Drivers" slice. Bugs in Windows XP (2003): 15% / 85%. Linux Kernel CVEs (2016-2017): 28% / 72%. Reported bugs in Android (2016): 15% / 85%.]
CVE - Common Vulnerability and Exposure
Motivation
Only analyze the drivers!
Program Analysis for Bug Finding
• Points-to Analysis: Determines all storage locations that a pointer can point to
  • Example bug: Kernel code pointer to user-controlled memory
• Taint Analysis: Determines all of the locations that are affected by user-supplied (tainted) data
  • Example bug: User provided data used as length in copy_from_user()
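The taint example bug above, sketched as an added example that is not code from the talk or from Dr. Checker: a user-supplied length reaches the copy size unchecked, next to the bounded version. The names `demo_req`, `demo_dev`, `demo_ioctl_*`, `KBUF_SIZE` and `model_copy_from_user` are hypothetical, and the copy helper is a userspace stand-in for the kernel's copy_from_user().

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define KBUF_SIZE 64  /* assumed size of the driver's fixed buffer */

/* Hypothetical ioctl argument: both fields come from user space (tainted). */
struct demo_req {
    size_t len;                 /* tainted length */
    const unsigned char *data;  /* tainted source pointer */
};

/* Hypothetical per-device state holding the fixed-size kernel buffer. */
struct demo_dev {
    unsigned char kbuf[KBUF_SIZE];
    size_t used;
};

/* Userspace model of copy_from_user(): returns the number of bytes NOT copied. */
static unsigned long model_copy_from_user(void *to, const void *from,
                                          unsigned long n)
{
    memcpy(to, from, n);
    return 0;
}

/* Vulnerable form: the tainted req->len is used as the copy size with no
 * bound, so any len > KBUF_SIZE writes past dev->kbuf. */
int demo_ioctl_vulnerable(struct demo_dev *dev, const struct demo_req *req)
{
    if (model_copy_from_user(dev->kbuf, req->data, req->len))
        return -EFAULT;
    dev->used = req->len;
    return 0;
}

/* Hardened form: the tainted length is checked against the destination
 * size before it can reach the copy. */
int demo_ioctl_hardened(struct demo_dev *dev, const struct demo_req *req)
{
    if (req->len > sizeof(dev->kbuf))
        return -EINVAL;
    if (model_copy_from_user(dev->kbuf, req->data, req->len))
        return -EFAULT;
    dev->used = req->len;
    return 0;
}
```

The only difference between the two handlers is the bound check that sits between the tainted source (`req->len`) and the sink (the copy size), which is the data flow a taint analysis tracks.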
Program Analysis on Kernel Code
• Pointers… Everywhere!
  • State explosion
• Inter-procedural calls to core functions
  • State explosion
Precision vs. Soundness
• Precise: Most of the things reported are true
• Sound: Everything that is true is reported
[Figure: True/False results, with the Precise and Sound regions marked]
Soundiness
Violate soundness to achieve higher precision and meet practical computational constraints
[Figure: True/False results, with the Sound, Precise and Soundy regions marked]
Dr. Checker: Assumptions
(1) All non-driver code is implemented perfectly
(2) Only evaluate loops until a reaching definition
(3) All calls are traversed exactly once, even in loops
Dr. Checker: Design
• Modular framework to enable flexible development
• Simultaneously employ numerous vulnerability detectors
• Open source: github.com/ucsb-seclab/dr_checker
Dr. Checker: Design
[Figure: architecture diagram with three numbered stages. Labels: Driver Code, Soundy Driver Traversal, Analysis Clients (Points-to Analysis, Taint Analysis), Global State, Vulnerability Detectors, Warnings.]
Vulnerability Detectors:
• Improper Tainted-Data Use Detector (ITDUD)
• Tainted Arithmetic Detector (TAD)
• Invalid Cast Detector (ICD)
• Tainted Loop Bound Detector (TLBD)
• Tainted Pointer Dereference Detector (TPDD)
• Tainted Size Detector (TSD)
• Uninit Leak Detector (ULD)
• Global Variable Race Detector (GVRD)