johnson-usenix2004 - Finding User/Kernel Pointer Bugs With...

Finding User/Kernel Pointer Bugs With Type Inference

Rob Johnson and David Wagner
University of California at Berkeley

Abstract

Today's operating systems struggle with vulnerabilities from careless handling of user space pointers. User/kernel pointer bugs have serious consequences for security: a malicious user could exploit a user/kernel pointer bug to gain elevated privileges, read sensitive data, or crash the system. We show how to detect user/kernel pointer bugs using type-qualifier inference, and we apply this method to the Linux kernel using CQUAL, a type-qualifier inference tool. We extend the basic type-inference capabilities of CQUAL to support context-sensitivity and greater precision when analyzing structures so that CQUAL requires fewer annotations and generates fewer false positives. With these enhancements, we were able to use CQUAL to find 17 exploitable user/kernel pointer bugs in the Linux kernel. Several of the bugs we found were missed by careful hand audits, other program analysis tools, or both.

1 Introduction

Security critical programs must handle data from untrusted sources, and mishandling of this data can lead to security vulnerabilities. Safe data management is particularly crucial in operating systems, where a single bug can expose the entire system to attack. Pointers passed as arguments to system calls are a common type of untrusted data in OS kernels and have been the cause of many security vulnerabilities. Such user pointers occur in many system calls, including, for example, read, write, ioctl, and statfs. These user pointers must be handled very carefully: since the user program and operating system kernel reside in conceptually different address spaces, the kernel must not directly dereference pointers passed from user space, otherwise security holes can result. By exploiting a user/kernel bug, a malicious user could take control of the operating system by overwriting kernel data structures, read sensitive data out of kernel memory, or simply crash the machine by corrupting kernel data.

Table 1: User/kernel bugs found by CQUAL. Each of these bugs represents an exploitable security vulnerability. Four bugs were common to both 2.4.20 and 2.4.23, for a total of 17 unique bugs. Eight of the bugs in Linux 2.4.23 were also in Linux 2.5.63.

  Kernel version   Bugs found
  Linux 2.4.20     11
  Linux 2.4.23     10

User/kernel pointer bugs are unfortunately all too common. In an attempt to avoid these bugs, the Linux programmers have created several easy-to-use functions for accessing user pointers. As long as programmers use these functions correctly, the kernel is safe. Unfortunately, almost every device driver must use these functions, creating thousands of opportunities for error, and as a result, user/kernel pointer bugs are endemic. This class of bugs is not unique to Linux. Every version of Unix and Windows must deal with user pointers inside the OS kernel, so a method for automatically checking an OS kernel for correct user pointer handling would be
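The discipline described above (the kernel copies system-call arguments through checked helper functions instead of dereferencing user pointers directly), as an added user-space model that is not code from the paper: the simulated "user" and "kernel" regions, the `access_ok`/`copy_from_user` stand-ins (assumed to mirror the Linux helpers the paper alludes to), and both ioctl-style handlers are constructed here for illustration.

```c
/* Added example, not from the paper: a user-space model of the
 * user/kernel pointer discipline.  Two static arrays simulate the two
 * address spaces; access_ok and copy_from_user are stand-ins for the
 * Linux helpers, not the real kernel implementations. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USER_SIZE 4096
static _Alignas(8) unsigned char user_mem[USER_SIZE];  /* simulated user space */
static _Alignas(8) unsigned char kernel_mem[256];      /* simulated kernel data */

/* Is the whole range [ptr, ptr+len) inside the simulated user region? */
static int access_ok(const void *ptr, size_t len) {
    uintptr_t p = (uintptr_t)ptr, lo = (uintptr_t)user_mem;
    return p >= lo && len <= USER_SIZE && p - lo <= USER_SIZE - len;
}

/* Stand-in for copy_from_user: returns the number of bytes NOT copied,
 * so a nonzero result means the user pointer was rejected. */
static size_t copy_from_user(void *to, const void *from, size_t n) {
    if (!access_ok(from, n))
        return n;
    memcpy(to, from, n);
    return 0;
}

struct req { uint32_t off; uint32_t val; };

/* Buggy handler: dereferences the user-supplied pointer directly.  If the
 * caller passes an address inside kernel memory, kernel data is read as
 * if it were a trusted argument (the bug class the paper detects). */
int ioctl_buggy(const struct req *uarg) {
    const struct req *r = uarg;               /* bug: no copy_from_user */
    if (r->off >= sizeof kernel_mem)
        return -EFAULT;
    kernel_mem[r->off] = (unsigned char)r->val;
    return 0;
}

/* Fixed handler: copy the argument into a kernel-owned buffer first, and
 * refuse any pointer that does not lie entirely in user space. */
int ioctl_fixed(const struct req *uarg) {
    struct req r;
    if (copy_from_user(&r, uarg, sizeof r))
        return -EFAULT;
    if (r.off >= sizeof kernel_mem)
        return -EFAULT;
    kernel_mem[r.off] = (unsigned char)r.val;
    return 0;
}
```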