user_kernel_slides - Finding User/Kernel Bugs with Type...


Finding User/Kernel Bugs with Type Inference
Rob Johnson and David Wagner, UC Berkeley

User/Kernel Pointer Bugs

- buf might point to unmapped memory: page fault
- buf might point to kernel region
  - first set then get can override kernel memory
  - attacker could read arbitrary kernel memory locations

    int x;
    void sys_setint(int *p) {
        memcpy(&x, p, sizeof(x)); // BAD!
    }
    void sys_getint(int *p) {
        memcpy(p, &x, sizeof(x)); // BAD!
    }

    getint(buf);

The solution: Different pointer types

- User pointers: A pointer whose value is under user control and hence untrustworthy.
- Kernel pointers: A pointer variable whose value is under kernel control and guaranteed by the kernel to always point into the kernel's memory space, and hence is trustworthy.
- Relation to ADT: kernel int is a different type than user int, so the type checker can check them.

[Diagram slides: Pointer, Kernel, User]

The solution: Different pointer types

    int copy_from_user(void * kernel to, void * user from, int len);
    int memcpy(void * kernel to, void * kernel from, int len);

    int x;
    void sys_setint(int * user p) {
        copy_from_user(&x, p, sizeof(x));
    }
    void sys_getint(int * user p) {
        memcpy(p, &x, sizeof(x)); // TYPE-CHECK ERROR
    }

Qualifier inference

- Want to find bugs in the Linux kernel, which is huge (2.3 Mloc)
- Manually annotating every pointer with a...
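
The user/kernel pointer split from the slides, as an added example that is not code from the slides or from the Linux kernel: it emulates the user qualifier in plain C by making a user pointer a distinct struct type, so passing one to memcpy() fails to compile, and every access goes through range-checked copy helpers. The flat mem[] address space, USER_LIMIT, user_ptr, access_ok(), the simplified copy_from_user()/copy_to_user() and set_then_get() are assumptions made for this simulation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simulated address space: low half user, high half kernel. */
#define MEM_SIZE   256u
#define USER_LIMIT 128u                 /* first kernel address */
static unsigned char mem[MEM_SIZE];

/* A user pointer is its own struct type (hypothetical name), so it cannot
   be handed to memcpy() by accident; the compiler rejects it. */
typedef struct { size_t addr; } user_ptr;

/* Whole range must lie below USER_LIMIT; written so addr + len cannot wrap. */
static int access_ok(user_ptr p, size_t len) {
    return len <= USER_LIMIT && p.addr <= USER_LIMIT - len;
}

static int copy_from_user(void *to, user_ptr from, size_t len) {
    if (!access_ok(from, len)) return -1;   /* kernel or unmapped source */
    memcpy(to, &mem[from.addr], len);
    return 0;
}

static int copy_to_user(user_ptr to, const void *from, size_t len) {
    if (!access_ok(to, len)) return -1;     /* kernel or unmapped target */
    memcpy(&mem[to.addr], from, len);
    return 0;
}

static int x;                               /* kernel-owned state, as in the slides */

int sys_setint(user_ptr p) { return copy_from_user(&x, p, sizeof(x)); }
int sys_getint(user_ptr p) { return copy_to_user(p, &x, sizeof(x)); }

/* Demo helper: set from src, then get into dst; first failure wins. */
int set_then_get(size_t src, size_t dst) {
    user_ptr s = { src }, d = { dst };
    int r = sys_setint(s);
    return r ? r : sys_getint(d);
}

int main(void) {
    int v = 42;
    memcpy(&mem[0], &v, sizeof v);          /* constructed user buffer at 0 */
    printf("user -> user: %d\n", set_then_get(0, 16));
    printf("get into kernel address: %d\n", sys_getint((user_ptr){ 200 }));
    return 0;
}
```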

This note was uploaded on 02/24/2012 for the course CSE 503 taught by Professor Davidnotikin during the Winter '11 term at University of Washington.
