dr checker
play

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind - PowerPoint PPT Presentation

Jul 27, 2023 •320 likes •995 views

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY

  1. DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

  2. First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 2 CSS, USENIX Security, 08/18/2017

  3. First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 3 CSS, USENIX Security, 08/18/2017

  4. First, a story… $ mkdir driver_checker seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 3 CSS, USENIX Security, 08/18/2017

  5. First, a story… $ mkdir dr_checker seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 4 CSS, USENIX Security, 08/18/2017

  6. First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 5 CSS, USENIX Security, 08/18/2017

  7. Why Drivers? seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 6 CSS, USENIX Security, 08/18/2017

  8. Why Drivers? $ ls linux /arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security $ seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 6 CSS, USENIX Security, 08/18/2017

  9. Why Drivers? $ ls linux /arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security $ seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 7 CSS, USENIX Security, 08/18/2017

  10. Why Drivers? $ ls linux /arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security $ find bugs seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 7 CSS, USENIX Security, 08/18/2017

  11. Why Drivers? CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  12. Why Drivers? 15% Drivers 85% Bugs in Windows XP (2003) CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  13. Why Drivers? 15% Drivers 28% 72% Drivers 85% Bugs in Windows XP (2003) Linux Kernel CVEs (2016-2017) CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  14. Why Drivers? 15% 15% Drivers 28% 72% Drivers Drivers 85% 85% Bugs in Windows XP (2003) Linux Kernel CVEs (2016-2017) Reported bugs in Android (2016) CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  15. Motivation Only analyze the drivers! seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 9 CSS, USENIX Security, 08/18/2017

  16. Program Analysis for Bug Finding seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 10 CSS, USENIX Security, 08/18/2017

  17. Program Analysis for Bug Finding • Points-to Analysis: Determines all storage locations that a pointer can point to • Example bug: Kernel code pointer to user-controlled memory seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 10 CSS, USENIX Security, 08/18/2017

  18. Program Analysis for Bug Finding • Points-to Analysis: Determines all storage locations that a pointer can point to • Example bug: Kernel code pointer to user-controlled memory • Taint Analysis: Determines all of the locations that are a ff ected by user- supplied (tainted) data • Example bug: User provided data used as length in copy_from_user() seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 10 CSS, USENIX Security, 08/18/2017

  19. Program Analysis on Kernel Code • Pointers… Everywhere! • State explosion • Inter-procedural calls to core functions • State explosion seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 11 CSS, USENIX Security, 08/18/2017

  20. Precision vs. Soundness Precise Sound seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 12 CSS, USENIX Security, 08/18/2017

  21. Precision vs. Soundness Precise Sound False False True True True True False True False True True False True True False True True True True False Most of the things reported are true seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 12 CSS, USENIX Security, 08/18/2017

  22. Precision vs. Soundness Precise Sound False False False False True False True True True False True False False True False True False True True False False True False False False True False False True True True True True False True False False Most of the things reported are true Everything that is true is reported seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 12 CSS, USENIX Security, 08/18/2017

  23. Soundiness Sound Precise False False False False True False True True True False True False False True False False True True True False False True False False False False True False True True True True False True True False False Violate soundness to achieve higher precision and practical computational constraints seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 13 CSS, USENIX Security, 08/18/2017

  24. Soundiness Soundy True Sound Precise False True False False False False False True True False True True True True False False False True False False False True True False False True True True True False False False True False False True False False True False True True True True True False True False True True False False True False Violate soundness to achieve higher precision and practical computational constraints seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 13 CSS, USENIX Security, 08/18/2017

  25. Dr. Checker: Assumptions (1) All non-driver code is implemented perfectly (2) Only evaluate loops until a reaching definition (3) All calls are traversed exactly once, even in loops seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 14 CSS, USENIX Security, 08/18/2017

  26. Dr. Checker: Design • Modular framework to enable flexible development • Simultaneously employ numerous vulnerability detectors • Open source: github.com/ucsb-seclab/dr_checker seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 15 CSS, USENIX Security, 08/18/2017

  27. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  28. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  29. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  30. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  31. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

Recommend

Nuspell: version 3 of the new spell checker FOSS spell checker implemented in C++17 with aid of

Nuspell: version 3 of the new spell checker FOSS spell checker implemented in C++17 with aid of

Nuspell: version 3 of the new spell checker FOSS spell checker implemented in C++17 with aid of Mozilla Sander van Geloven FOSDEM, Brussels February 1, 2020 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

611 views • 39 slides
Nuspell: the new spell checker FOSS spell checker implemented in C++14 with aid of Mozilla.

Nuspell: the new spell checker FOSS spell checker implemented in C++14 with aid of Mozilla.

Nuspell: the new spell checker FOSS spell checker implemented in C++14 with aid of Mozilla. Sander van Geloven FOSDEM, Brussels February 2, 2019 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

327 views • 21 slides
Have some fun Checker: Checker: http://www.cs.caltech.edu/~ vhuang/cs 20/c/applet/more.html

Have some fun Checker: Checker: http://www.cs.caltech.edu/~ vhuang/cs 20/c/applet/more.html

Have some fun Checker: Checker: http://www.cs.caltech.edu/~ vhuang/cs 20/c/applet/more.html 1 Local Beam Search Run multiple searches to find the Run multiple searches to find the solution The best K states are selected. Like

636 views • 24 slides
The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision Group. UIB. SPAIN Julin Proenza. UIB. Oct 2008 The aim of this presentation Introduce the basic concepts of model checking from a practical

804 views • 68 slides
Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1 / 31 Model-checker Specify the model of the system Specify the requirements Model-checker will automatically check if system

1.72k views • 112 slides
Using a Grammar Checker for Evaluation and Postprocessing of Statistical Machine Translation Sara

Using a Grammar Checker for Evaluation and Postprocessing of Statistical Machine Translation Sara

Using a Grammar Checker for Evaluation and Postprocessing of Statistical Machine Translation Sara Stymne and Lars Ahrenberg Link oping University, Sweden LREC May 20, 2010 Using a Grammar Checker for Evaluation and Postprocessing of

755 views • 29 slides
LIBIS/Aware conformance checker Agenda Functional analysis Technical design Research

LIBIS/Aware conformance checker Agenda Functional analysis Technical design Research

LIBIS/Aware conformance checker Agenda Functional analysis Technical design Research TIFF LIBIS/AWare conformance checker - Preforma Conformance checker Checks conformance with TIFF Embedded metadata TIFF files Every

349 views • 15 slides
Tizen Web Application Checker Xu Zhang (xu.u.zhang@intel.com) Agenda Tizen Compliance and

Tizen Web Application Checker Xu Zhang (xu.u.zhang@intel.com) Agenda Tizen Compliance and

Tizen Web Application Checker Xu Zhang (xu.u.zhang@intel.com) Agenda Tizen Compliance and Application Compatibility Tool Features Design Overview Checker Modules Getting Started Contributing to Tizen Web

521 views • 20 slides
Dedukti : A Universal Proof Checker Mathieu Boespflug 1 Quentin Carbonneaux 2 Olivier Hermant 3 1

Dedukti : A Universal Proof Checker Mathieu Boespflug 1 Quentin Carbonneaux 2 Olivier Hermant 3 1

Dedukti : A Universal Proof Checker Mathieu Boespflug 1 Quentin Carbonneaux 2 Olivier Hermant 3 1 McGill University 2 INRIA and ENPC 3 INRIA and ISEP PxTP 2012 Contents Introduction The -calculus modulo The Dedukti proof checker Better

517 views • 32 slides
Circuit Validity Checker D. Mitch Bailey Shuhari System, Japan WOSET 2020 CVC: Circuit Validity

Circuit Validity Checker D. Mitch Bailey Shuhari System, Japan WOSET 2020 CVC: Circuit Validity

CVC Circuit Validity Checker D. Mitch Bailey Shuhari System, Japan WOSET 2020 CVC: Circuit Validity Checker What is it? A system to pinpoint reliability errors that can lead to device failures or unintended current leakage. Similar

746 views • 6 slides
The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java By: Amanj Sherwany 2011 http://www.amanj.me Background Loci is a static checker for thread- Informationsteknologi locality for Java-like

931 views • 50 slides
MediaConch implementation and policy checking on FFV1, Matroska, LPCM, and more Jrme

MediaConch implementation and policy checking on FFV1, Matroska, LPCM, and more Jrme

MediaConch implementation and policy checking on FFV1, Matroska, LPCM, and more Jrme Martinez MediaArea.net SARL What is MediaConch? A conformance checker Implementation checker Policy checker Reporter Fixer What is MediaConch? A

321 views • 13 slides
Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based

Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based

Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based Model Checker Game-Based Local Model Checking for the Coalgebraic -Calculus by Daniel Hausmann and Lutz Schrder [1] (CONCUR 2019)

474 views • 31 slides
Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan

Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan

Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan F. BROENINK Angelika MADER Robotics and Mechatronics, University of Twente, The Netherlands Contents Problem Statement & Approach

516 views • 24 slides
MPI-Checker Static Analysis for MPI Alexander Droste, Michael Kuhn, Thomas Ludwig November

MPI-Checker Static Analysis for MPI Alexander Droste, Michael Kuhn, Thomas Ludwig November

MPI-Checker Static Analysis for MPI Alexander Droste, Michael Kuhn, Thomas Ludwig November 15, 2015 Motivation Clang Static Analyzer MPI-Checker Limitations Evaluation Future Work Motivation 2 / 39 Motivation Clang Static Analyzer

535 views • 41 slides
BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit

BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit

BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit Super Happy Dev House 45 1 Inspired by Matt Mights (@mattmight) collection of Bash and Perl: 3 shell scripts to improve your writing, or My

306 views • 6 slides
Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (In collaboration with

Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (In collaboration with

I NTRODUCTION A S EQUENCE OF C HECKERS C ONCLUSION R EFERENCES Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (In collaboration with Marijn Heule and Warren Hunt, Jr.) ACL2 Seminar The University of Texas at Austin

621 views • 49 slides
Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (With contributions

Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (With contributions

T HE P ROBLEM T OWARDS A S OLUTION A S EQUENCE OF C HECKERS R ELATED W ORK C ONCLUSION R EFERENCES Development of a Verified, Efficient Checker for SAT Proofs Matt Kaufmann (With contributions from Marijn Heule, Warren Hunt, and Nathan Wetzler)

216 views • 21 slides
Towards a model-checker for counter systems S. Demri 1 A. Finkel 1 V. Goranko 2 G. van Drimmelen 2

Towards a model-checker for counter systems S. Demri 1 A. Finkel 1 V. Goranko 2 G. van Drimmelen 2

Towards a model-checker for counter systems S. Demri 1 A. Finkel 1 V. Goranko 2 G. van Drimmelen 2 1 LSV, CNRS & ENS Cachan & INRIA Futurs 2 University of Witwatersrand, Johannesburg ATVA, October 2006, Beijing Motivations Presburger

679 views • 37 slides
A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs Mentors: Artem Dergachev Etvs Lornd University, Budapest, Hungary Gbor Horvth rekanikolett@gmail.com Real-world example return

257 views • 9 slides
MC-Checker: Detecting Memory Consistency Errors in MPI One-Sided Applications Zhezhe Chen 1 ,

MC-Checker: Detecting Memory Consistency Errors in MPI One-Sided Applications Zhezhe Chen 1 ,

MC-Checker: Detecting Memory Consistency Errors in MPI One-Sided Applications Zhezhe Chen 1 , James Dinan 2 , Zhen Tang 3 , Pavan Balaji 4 , Hua Zhong 3 , Jun Wei 3 , Tao Huang 3 , and Feng Qin 5 1. Twitter Inc. 2. Intel Corporation 3. Chinese

398 views • 27 slides
A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department of Computer Science and

A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department of Computer Science and

A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: haozheng@usf.edu Phone: (813)974-4757 Fax: (813)974-5456 1 Overview of Concurrent

1.5k views • 68 slides
Resolving the almost decade old checker dependency issue in the Clang Static Analyzer Kristf

Resolving the almost decade old checker dependency issue in the Clang Static Analyzer Kristf

. . . . . . . . . . . . . . . . Resolving the almost decade old checker dependency issue in the Clang Static Analyzer Kristf Umann dkszelethus@gmail.com Etvs Lornd University, Budapest Ericsson Hungary . . . . . .

603 views • 15 slides
A Prototype Embedding of Bluespec SystemVerilog in the SAL Model Checker Dominic Richards and

A Prototype Embedding of Bluespec SystemVerilog in the SAL Model Checker Dominic Richards and

A Prototype Embedding of Bluespec SystemVerilog in the SAL Model Checker Dominic Richards and David Lester Advanced Processor Technologies Group The University of Manchester Introduction Bluespec SystemVerilog (BSV) is a language for high

856 views • 29 slides

More recommend