kernelmemorysanitizer kmsan signed off by alexander
play

KernelMemorySanitizer (KMSAN) ----------------------------- - PowerPoint PPT Presentation

Nov 02, 2023 •154 likes •554 views

KernelMemorySanitizer (KMSAN) ----------------------------- Signed-off-by: Alexander Potapenko <glider@google.com> Dynamic Tools Team @ Google --------------------------- Userspace tools: * ASan, LSan, MSan, TSan, UBSan * libFuzzer

  1. KernelMemorySanitizer (KMSAN) ----------------------------- Signed-off-by: Alexander Potapenko <glider@google.com>

  2. Dynamic Tools Team @ Google --------------------------- Userspace tools: * ASan, LSan, MSan, TSan, UBSan * libFuzzer (coverage-based userspace fuzzer) * control flow integrity in LLVM * tens of thousands bugs in Google and opensource code Kernel tools: * KASAN, KMSAN, KTSAN (prototype) * syzkaller (coverage-based kernel fuzzer) * hundreds of bugs in the kernel(s)

  3. MemorySanitizer (MSan) ---------------------- * around since 2012 * detects uses of uninitialized values in the userspace * found 2000+ bugs * works on big programs (think Chrome or server-side apps) See also: "MemorySanitizer: fast detector of uninitialized memory use in C++" by E. Stepanov and K. Serebryany, CGO 2015

  4. KernelMemorySanitizer (KMSAN) ----------------------------- * detects uses of uninitialized values in the kernel

  5. What one might think KMSAN does ------------------------------- int a; int b = c + a; // report reading of uninit a or: int p = a; copy_to_user(u, &p, 4); // don't report since p is inited This is useless: both false positives and false negatives!

  6. What KMSAN actually does ------------------------ int a; if (flag) a = 1; // initialized b = c + a; // not a "use" if (flag) copy_to_user(p, &b, 4); // use: don't report

  7. What KMSAN actually does (contd.) --------------------------------- int x; // uninitialized int a = x; // still uninitialized copy_to_user(p, &a, 4); // use: report an error

  8. KernelMemorySanitizer (KMSAN) ----------------------------- * detects uses of uninitialized values in the kernel: - conditions - pointer dereferencing and indexing - values copied to the userspace, hardware etc.

  9. Example 1 --------- struct config *update_config(struct config *conf) { if (!conf) conf = kmalloc(CONFIG_SIZE, GFP_KERNEL) do_update(conf); return conf; } void do_update(struct config *conf) { if (conf->is_root) allow_everything(conf); }

  10. Example 2 --------- int socket_bind(int sockfd, __user struct sockaddr *uaddr, int ulen) { struct sockaddr kaddr; if (ulen > sizeof(struct sockaddr) || ulen < 0) return -EINVAL; copy_from_user(&kaddr, uaddr, ulen); return do_bind(sockfd, &kaddr); }

  11. Example 3 --------- void put_dev_name_32(struct device *dev, __user char *buf) { char name[32]; strncpy(name, dev->name, 32); if (buf) copy_to_user(buf, name, 32); }

  12. KernelMemorySanitizer (KMSAN) ----------------------------- * detects uses of uninitialized values in the kernel: - conditions - pointer dereferencing and indexing - values copied to the userspace, hardware etc. * almost working since April 2017 * found/fixed 13 bugs (and counting) * based on MSan * therefore requires Clang

  13. KernelMemorySanitizer (KMSAN) ----------------------------- * detects uses of uninitialized values in the kernel - conditions - pointer dereferencing and indexing - values copied to the userspace, hardware etc. * almost working since April 2017 * found/fixed 13 bugs (and counting) * based on MSan * therefore requires Clang * life is too short to hack GCC `\_("/)_/`

  14. Sample report (redacted) ------------------------ BUG: KMSAN: use of unitialized memory in strlen __msan_warning32 mm/kmsan/kmsan_instr.c:424 strlen lib/string.c:484 strlcpy lib/string.c:144 packet_bind_spkt net/packet/af_packet.c:3132 SYSC_bind net/socket.c:1370 origin: __msan_set_alloca_origin4 mm/kmsan/kmsan_instr.c:380 SYSC_bind net/socket.c:1356 SyS_bind net/socket.c:1356 origin description: ----address@SYSC_bind

  15. Shadow memory ------------- Bit to bit shadow mapping * struct page { ... struct page *shadow; ... }; * "1" means "poisoned" (uninitialized) Uninitialized memory: * kmalloc() * local stack objects Writing a constant to memory unpoisons it Shadow is propagated through arithmetics and memory accesses

  16. Compiler instrumentation ------------------------ $ clang -fsanitize=kernel-memory adding code that: * poisons local variables * handles loads and stores * propagates shadow through arithmetic operations * passes shadow to/from function calls * performs shadow checks

  17. Poisoning locals ---------------- void foo() { int a = 1; char b[8]; }

  18. Poisoning locals ---------------- void foo() { int a = 1; __msan_unpoison(&a, 4); char b[8]; __msan_poison_alloca(b, 8, "b"); }

  19. Instrumenting loads and stores ------------------------------ void copy(char *from, char *to) { if (!from) *to = -1; } else { *to = *from; } }

  20. Instrumenting loads and stores ------------------------------ void copy(char *from, char *to) { if (!from) *to = -1; __msan_store_shadow_1(to, 0); } else { u64 shadow = __msan_load_shadow_1(from); *to = *from; __msan_store_shadow_1(to, shadow); } }

  21. Shadow propagation ------------------ 0b00??1101 & 0b000011?1 is always initialized A = B + C ==> A' = B' | C' A = B << C ==> A' = B' << C A = B & C ==> A' = (B' & C') | (B' & ~C) | (~B & C') * helps to minimize the number of false positives * somewhat similar to Valgrind, but working with SSA registers at compile time - we can leverage compiler optimizations * operations are sometimes approximated for efficiency

  22. Instrumenting function calls ---------------------------- int sum_n(int n) { if (n == 0) { return 0; } int sum_rec = sum_n(n - 1); return n + sum_rec; }

  23. Instrumenting function calls ---------------------------- int sum_n(int n) { kmsan_context_state *s = __msan_get_context_state(); int shadow_n = s->args[0]; if (n == 0) { s->ret = 0; return 0; } int sum_rec = sum_n(n - 1); s->ret = shadow_n | s->ret; return n + sum_rec; }

  24. Adding shadow checks -------------------- if (i >= 0) { res = a[i]; }

  25. Adding shadow checks -------------------- if (__msan_load_shadow_4(&i) & INT_MIN) __msan_warning(); if (i >= 0) { if (__msan_load_shadow_4(a) || __msan_load_shadow_4(&i)) __msan_warning(); u64 shadow = __msan_load_shadow_4(&a[i]); res = a[i]; __msan_store_shadow(&res, shadow); }

  26. Tracking origins ---------------- a = kmalloc(...); ... b = kmalloc(...); ... memcpy(c, b, sizeof(*b)); ... d = *a + *c; ... if (d) ... // Which argument is guilty in the case of UMR?

  27. Tracking origins (contd.) ------------------------- * when an uninit value is allocated: - put the stack into the stack depot (lib/stackdepot.c) - for each 4 bytes of allocated memory, store the 4-byte stack ID into the secondary shadow * when the memory is copied: - create a new origin from the current stack and the previous origin * when two values are used in an expression: - take the origin of the first uninitialized operand

  28. Handling non-instrumented code ------------------------------ * asm() in *.c: - check that inputs are initialized - outputs are unpoisoned * can't instrument around 40 files: - arch/x86/... - mm/... - *.S * KMSAN_SANITIZE_filename.o := n - no instrumentation - locals, function args, return values may be dirty

  29. Closing the gap --------------- * __attribute__((no_sanitize("kernel-memory"))) - no shadow propagation, unpoison locals and stores * kmsan_poison_memory() - kmalloc() * kmsan_unpoison_memory() - copy_from_user() - struct pt_regs in interrupts - RNGs * kmsan_check_memory() - copy_to_user() - hardware (send to network, write to disk)

  30. What about kmemcheck? --------------------- * When did you last run kmemcheck? - 1 commit fixing a bug from kmemcheck in 2017, 4 in 2014 - 1 false positive in 2016, 1 in 2014 * Throughput in `netperf -l 30` - nodebug: 39056.37 - kasan: 5217.185 - kmsan: 478.96 (there's still room for improvement) - kmemcheck: was 2000 times slower than nodebug in 2015

  31. Long shot: taint analysis ------------------------- * use shadow to indicate that a value came from an untrusted source * use origin to mark the place where this value was obtained * call kmsan_check_memory() at places where we expect only trusted data # There's also another Clang tool, DFSan, which can help.

  32. Long shot: fuzzing assistance ----------------------------- We already have instrumentation of comparison instructions and switch statements in LLVM: * for each comparison, insert instrument_cmp(arg1, arg2) * if either arg1 or arg2 can be found in the input [1], try to mutate that input But the value's presence in the input doesn't guarantee the input actually affects this value! [1] - or some f(argi) can be found in the input

  33. Long shot: fuzzing assistance (contd.) -------------------------------------- * poison each argument of each syscall and assign a unique origin to it * for each comparison: if (shadow1 | shadow2) instrument_cmp(arg1, sh1, orig1, arg2, sh2, orig2); * mutate only the arguments that really affect arg1 or arg2

  34. Food for thought ---------------- CVE-2017-1000380: data race on /dev/snd/timer allows the attacker to read uninitialized heap memory. In fact, a user with access to the device was able to e.g. read the data another user wrote into a file or socket. Can we do something to kill all uninit bugs? (Something smarter than s/kmalloc/kzalloc ?)

Recommend

Zaslavskys Theorem on acyclic orientations of signed graphs Definitions: is a signed graph

Zaslavskys Theorem on acyclic orientations of signed graphs Definitions: is a signed graph

Zaslavskys Theorem on acyclic orientations of signed graphs Definitions: is a signed graph is the function that assigns +1 or -1 to each edge k is a signed coloring of , k is proper if k(v) - (e)k(w) is nonzero for all e = vw is an

148 views • 11 slides
Signed numbers Goals unsigned numbers - non-negative integers signed numbers - positive/negative

Signed numbers Goals unsigned numbers - non-negative integers signed numbers - positive/negative

Signed numbers Goals unsigned numbers - non-negative integers signed numbers - positive/negative numbers represent negative numbers Chapter 10: Signed Addition twos complement representation Many ways to represent signed numbers add &amp;

301 views • 7 slides
Hannenhalli-Pevzner Theory Signed, unichromosomal genomes Operation: reversal (signed)

Hannenhalli-Pevzner Theory Signed, unichromosomal genomes Operation: reversal (signed)

Hannenhalli-Pevzner Theory Signed, unichromosomal genomes Operation: reversal (signed) Polynomial time algorithms for distance &amp; operations First polynomial result for a realistic model of genome rearrangements HP Theory

239 views • 10 slides
MULTIPLICATION p = x y x (multiplicand), y (multiplier), and p (product) signed integers

MULTIPLICATION p = x y x (multiplicand), y (multiplier), and p (product) signed integers

1 MULTIPLICATION p = x y x (multiplicand), y (multiplier), and p (product) signed integers SCHEMES a) SEQUENTIAL ADD-SHIFT RECURRENCE CPA, CSA, SIGNED-DIGIT ADDER HIGHER RADIX AND RECODING b) COMBINATIONAL CPA, CSA,

808 views • 54 slides
Raymarching Signed Distance Fields To raytrace or raycast implicit functions, consider signed

Raymarching Signed Distance Fields To raytrace or raycast implicit functions, consider signed

Raymarching Signed Distance Fields To raytrace or raycast implicit functions, consider signed distance fields . 1. Fire ray into scene 2. At each step, measure distance field function: d = [distance to nearest object in scene] 3. Advance ray

403 views • 4 slides
Signed posets and a B -symmetric generalization of Stanleys acyclicity theorem Jake Huryn, Kat

Signed posets and a B -symmetric generalization of Stanleys acyclicity theorem Jake Huryn, Kat

Signed graphs Colorings Acyclic orientations References Signed posets and a B -symmetric generalization of Stanleys acyclicity theorem Jake Huryn, Kat Husar, and Hannah Johnson joint work with Eric Fawcett, Torey Hilbert and Mikey Reilly

878 views • 59 slides
Origin-Signed Exchanges draft-yasskin-http-origin-signed-responses-03 Jeffrey Yasskin, Chromium

Origin-Signed Exchanges draft-yasskin-http-origin-signed-responses-03 Jeffrey Yasskin, Chromium

Origin-Signed Exchanges draft-yasskin-http-origin-signed-responses-03 Jeffrey Yasskin, Chromium IETF 101 March 2018 Use Cases From draft-yasskin-webpackage-use-cases-01: Privacy-preserving prefetch This, with other changes, lets

736 views • 12 slides
On the average number of reversals needed to sort signed permutations 1 Thaynara Arielly de Lima

On the average number of reversals needed to sort signed permutations 1 Thaynara Arielly de Lima

Introduction Sorting signed permutations Conclusion On the average number of reversals needed to sort signed permutations 1 Thaynara Arielly de Lima &amp; 1 , 2 Mauricio Ayala-Rinc on atica 1 &amp; Ci ao 2 Departamentos de Matem encia

795 views • 46 slides
Denial Letters PLEASE NOTE: MGP no longer send automated denial letters signed by the Dean of the

Denial Letters PLEASE NOTE: MGP no longer send automated denial letters signed by the Dean of the

Denial Letters PLEASE NOTE: MGP no longer send automated denial letters signed by the Dean of the Graduate School. Your program is now responsible for setting up a customized denial email template signed by the authority of your choice

938 views • 9 slides
Poster #190 1 Spectral Clustering of Signed Graphs Poster #190 Our Goal: Extend Spectral

Poster #190 1 Spectral Clustering of Signed Graphs Poster #190 Our Goal: Extend Spectral

Spectral Clustering of Signed Graphs via Matrix Power Means Pedro Mercado, Francesco Tudisco and Matthias Hein ICML 2019, Long Beach, USA Poster #190 1 Spectral Clustering of Signed Graphs Poster #190 Our Goal: Extend Spectral Clustering to

106 views • 7 slides
Alexander Ostrovsky (1823-1886) 1 1 Alexander Ostrovsky , Wikipedia ,

Alexander Ostrovsky (1823-1886) 1 1 Alexander Ostrovsky , Wikipedia ,

Alexander Ostrovsky (1823-1886) 1 1 Alexander Ostrovsky , Wikipedia , http://en.wikipedia.org/wiki/File:Wassilij_Grigorjewitsch_Perow_003.jpg 110629 Bibliotheca Alexandrina Compiled by: Ahmed Ghazi, Basma

239 views • 8 slides
Compiling the Linux kernel with LLVM tools FOSDEM 19 Signed-off-by: Bill Wendling

Compiling the Linux kernel with LLVM tools FOSDEM 19 Signed-off-by: Bill Wendling

Compiling the Linux kernel with LLVM tools FOSDEM 19 Signed-off-by: Bill Wendling &lt;morbo@google.com&gt; Signed-off-by: Nick Desaulniers &lt;ndesaulniers@google.com&gt; Goals Improve the Linux kernel Additional warning coverage

344 views • 13 slides
Balance and Clustering in Signed Graphs Thomas Zaslavsky Binghamton University (State University

Balance and Clustering in Signed Graphs Thomas Zaslavsky Binghamton University (State University

Balance and Clustering in Signed Graphs Thomas Zaslavsky Binghamton University (State University of New York) C R Rao Advanced Institute of Mathematics, Statistics and Computer Science 26 July 2010 Outline 1. Signed Graphs 2. Balance 3.

411 views • 20 slides
ALEXANDER MILES INVENTED THE ELEVATOR Kalaya S Alexander Miles was born in Duluth, MN.

ALEXANDER MILES INVENTED THE ELEVATOR Kalaya S Alexander Miles was born in Duluth, MN.

ALEXANDER MILES INVENTED THE ELEVATOR Kalaya S Alexander Miles was born in Duluth, MN. He got married and his wife's name was Mrs.Candace and they had a kid named Grace. Alexander Miles was born May 18,1838. He died May 7, 1918

357 views • 9 slides
Uniform and Appearance Policy Date: May 2018 To be reviewed May 2021 Signed:

Uniform and Appearance Policy Date: May 2018 To be reviewed May 2021 Signed:

Uniform and Appearance Policy Date: May 2018 To be reviewed May 2021 Signed: ________________________________ Executive Headteacher ________________ Date Signed: ________________________________ Chair of Governors

486 views • 10 slides
O signed into law the Controlling the Sending messages from e-mail accounts or Assault of

O signed into law the Controlling the Sending messages from e-mail accounts or Assault of

G The Tech Group Alert January 2004 The CAN-SPAM Act: Federal Government Regulates Unsolicited Commercial E-mail By David Leit, Esq. n December 16, 2003, President Bush Falsifying header information; O signed into law the Controlling

239 views • 3 slides
Hostes conjecture and roots of the Alexander polynomial Alexander Stoimenow Department of

Hostes conjecture and roots of the Alexander polynomial Alexander Stoimenow Department of

Hostes conjecture and roots of the Alexander polynomial Alexander Stoimenow Department of Mathematics, Keimyung University, Daegu, Korea May 22, 2012 Topology Seminar Pusan National

668 views • 28 slides
N recently signed into law Assembly Bill tax, New Jersey has announced that the AMA will 2501,

N recently signed into law Assembly Bill tax, New Jersey has announced that the AMA will 2501,

G Tax Alert August 2002 New Jerseys Business Tax Reform Act Makes Major Changes to the States Taxation of Business Entities ew Jersey Governor James E. McGreevey are negligible. Because the AMA is not an income N recently signed into

364 views • 3 slides
What is Act 32? Act 32, signed into law in 2008, completely changes the withholding,

What is Act 32? Act 32, signed into law in 2008, completely changes the withholding,

What is Act 32? Act 32, signed into law in 2008, completely changes the withholding, reporting, and collection of local earned income tax (EIT) in Pennsylvania. Goals of Act 32 Establishing uniform withholding, remittance, and

1k views • 48 slides
ALEXANDER CALDER 3 SOURCE: http://www.smith-davidson.com/artists/alexander-calder ALEXANDER

ALEXANDER CALDER 3 SOURCE: http://www.smith-davidson.com/artists/alexander-calder ALEXANDER

ALEXANDER CALDER 3 SOURCE: http://www.smith-davidson.com/artists/alexander-calder ALEXANDER CALDER 3 SOURCE: http://creartart.blogspot.com.es/2013_05_01_archive.html ALEXANDER CALDER 3 SOURCE:

244 views • 13 slides
V. Reiner &quot;Signed Posets&quot; R. Stanley &quot;A Symmetric Generalization of the Chromatic

V. Reiner &quot;Signed Posets&quot; R. Stanley &quot;A Symmetric Generalization of the Chromatic

Resourses V. Reiner &quot;Signed Posets&quot; R. Stanley &quot;A Symmetric Generalization of the Chromatic Polynomial of a Graph&quot; T . Zaslavsky &quot;Signed Graph Coloring&quot; R. Adin et al. &quot;Character Formulas and Descents for

210 views • 9 slides
Learning Virtual Convening Together Adapted from Nobody signed up for this. Not for

Learning Virtual Convening Together Adapted from Nobody signed up for this. Not for

Learning Virtual Convening Together Adapted from Nobody signed up for this. Not for sickness, not for social distancing, not for the additional stress. Not for the sudden halt of our collective lives together in the office, or with

469 views • 14 slides
Protected Areas, Law &amp; Governance Alexander Paterson Alexander.Paterson@uct.ac.za Before we

Protected Areas, Law &amp; Governance Alexander Paterson Alexander.Paterson@uct.ac.za Before we

Protected Areas, Law &amp; Governance Alexander Paterson Alexander.Paterson@uct.ac.za Before we begin Complexity in 60 Minutes! Some Context IUCN ELC PA Law Programme Phase 1 Phase 2 2013 2011 2013-2015 Legal Guidance Capacity Building An

748 views • 44 slides
Literature Review Alexander Radovic College of William and Mary Alexander Radovic 1

Literature Review Alexander Radovic College of William and Mary Alexander Radovic 1

Literature Review Alexander Radovic College of William and Mary Alexander Radovic 1 Where to start? You dont need a formal education in ML to use its tools. But it doesnt hurt to work through a online textbook or course. Here are

593 views • 14 slides

More recommend