Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers


Jia-Ju Bai, Tsinghua University; Julia Lawall, Sorbonne Université/Inria/LIP6; Qiu-Liang Chen and Shi-Min Hu, Tsinghua University


In Linux device drivers, use-after-free (UAF) bugs can cause system crashes and serious security problems. According to our study of Linux kernel commits, 42% of the driver commits fixing use-after-free bugs involve driver concurrency. We refer to these use-after-free bugs as concurrency use-after-free bugs. Due to the non-determinism of concurrent execution, concurrency use-after-free bugs are often more difficult to reproduce and detect than sequential use-after-free bugs.

In this paper, we propose a practical static analysis approach named DCUAF, to effectively detect concurrency use-after-free bugs in Linux device drivers. DCUAF combines a local analysis analyzing the source code of each driver with a global analysis statistically analyzing the local results of all drivers, forming a local-global analysis, to extract the pairs of driver interface functions that may be concurrently executed. Then, with these pairs, DCUAF performs a summary-based lockset analysis to detect concurrency use-after-free bugs. We have evaluated DCUAF on the driver code of Linux 4.19, and found 640 real concurrency use-after-free bugs. We have randomly selected 130 of the real bugs and reported them to Linux kernel developers, and 95 have been confirmed.
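The lockset check at the core of the approach described above can be illustrated with a toy model. This is an added example, not DCUAF's implementation or code from the paper: the driver, its function and lock names, and the list of concurrent pairs are constructed, and the model ignores aliasing, interprocedural summaries and the local-global pair extraction.

```python
from itertools import product

# Constructed sample driver: each interface function is a list of
# (op, target) events, where op is "lock", "unlock", "use" or "free".
DRIVER = {
    "foo_remove": [("lock", "dev_lock"), ("unlock", "dev_lock"),
                   ("free", "dev->buf")],            # freed with no lock held
    "foo_ioctl":  [("lock", "dev_lock"), ("use", "dev->buf"),
                   ("unlock", "dev_lock")],
    "foo_read":   [("lock", "dev_lock"), ("use", "dev->stats"),
                   ("unlock", "dev_lock")],
}
# Assumed input: pairs of interface functions that may execute concurrently.
PAIRS = [("foo_remove", "foo_ioctl"), ("foo_remove", "foo_read")]


def accesses(events):
    """Return (op, variable, locks held) for every use/free event."""
    held, out = set(), []
    for op, target in events:
        if op == "lock":
            held.add(target)
        elif op == "unlock":
            held.discard(target)
        else:
            out.append((op, target, frozenset(held)))
    return out


def find_concurrency_uaf(driver, pairs):
    """Report (freeing fn, using fn, variable) when no common lock is held."""
    reports = []
    for f, g in pairs:
        for freer, user in ((f, g), (g, f)):
            for (op1, v1, l1), (op2, v2, l2) in product(
                    accesses(driver[freer]), accesses(driver[user])):
                if (op1, op2) == ("free", "use") and v1 == v2 and not l1 & l2:
                    reports.append((freer, user, v1))
    return reports


# Variant where the free happens while dev_lock is still held.
FIXED = dict(DRIVER, foo_remove=[("lock", "dev_lock"), ("free", "dev->buf"),
                                 ("unlock", "dev_lock")])

if __name__ == "__main__":
    print(find_concurrency_uaf(DRIVER, PAIRS))
    print(find_concurrency_uaf(FIXED, PAIRS))
```

A shared lock is treated here as serialising the free and the use, which is the lockset criterion; it says nothing about whether the using function revalidates the pointer after acquiring the lock.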


@inproceedings {234866,
author = {Jia-Ju Bai and Julia Lawall and Qiu-Liang Chen and Shi-Min Hu},
title = {Effective Static Analysis of Concurrency {Use-After-Free} Bugs in Linux Device Drivers},
booktitle = {2019 USENIX Annual Technical Conference (USENIX ATC 19)},
year = {2019},
isbn = {978-1-939133-03-8},
address = {Renton, WA},
pages = {255-268},
url = {https://www.usenix.org/conference/atc19/presentation/bai},
publisher = {USENIX Association},
month = jul,
}
