Gui-Dong Han, Jia-Ju Bai, Qiu-Ji Chen, and Jiqiang Lu, Beihang University
The TOCTOU (Time Of Check to Time Of Use) bug is a well-known security issue in kernel code: it bypasses security checks and leads to unexpected behaviors that can cause serious problems such as system crashes and privilege escalation. According to our study of Linux kernel patches, kernel races are the most common root cause of kernel TOCTOU bugs. However, due to the complexity of kernel concurrency logic and the non-determinism of thread scheduling, there is still no systematic approach that focuses on detecting TOCTOU bugs caused by kernel races.
In this paper, we design KERAT, the first systematic static approach for detecting TOCTOU bugs caused by kernel races. Such TOCTOU bugs are introduced by atomicity violations of the check-use operations on specific shared variables, so KERAT performs bug detection by statically mining atomicity rules about shared variables from kernel code and checking the code against them. Specifically, KERAT has two key techniques: (1) an atomicity-rule mining method that effectively identifies which lock should protect the check-use operations of which shared variable; and (2) a state-based validation strategy that detects TOCTOU bugs violating the mined atomicity rules, based on state-machine encodings of common bug patterns. We have evaluated KERAT on Linux-6.8 and FreeBSD-14.1 and found 351 real bugs. Among these bugs, 287 are identified as harmful, 65 of them have been confirmed by kernel developers, and 10 bugs have received CVE IDs.
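As an added illustration of the validation idea (this is not code from the paper and is a deliberately simplified model, not KERAT's own analysis), the following state machine checks one atomicity rule of the kind described: the check of a shared variable and the use that depends on it must lie inside the same critical section of the lock that protects the variable. The event sequences, operation names and line numbers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Operations on one shared variable, in program order.
 * Constructed model of the check-use pattern, not KERAT's representation. */
enum op { LOCK, UNLOCK, CHECK, USE };
struct event { enum op op; int line; };

/* Rule validated: a CHECK of the variable and the USE depending on it must
 * both sit inside one critical section of the protecting lock.
 * Returns the line of the first violating USE, or 0 if the rule holds. */
int find_toctou(const struct event *ev, size_t n) {
    bool lock_held = false;     /* protecting lock currently held */
    bool check_pending = false; /* a CHECK seen whose USE has not been reached */
    bool check_atomic = false;  /* pending CHECK ran under the lock, still held */
    for (size_t i = 0; i < n; i++) {
        switch (ev[i].op) {
        case LOCK:   lock_held = true; break;
        case UNLOCK: lock_held = false; check_atomic = false; break; /* check is now stale */
        case CHECK:  check_pending = true; check_atomic = lock_held; break;
        case USE:
            if (check_pending && !check_atomic) return ev[i].line;
            check_pending = false; /* check-use pair completed atomically */
            break;
        }
    }
    return 0;
}

/* Constructed traces; line numbers are illustrative only. */
/* Check under the lock, lock dropped, then use: another thread may change the value in between. */
static const struct event trace_unlock_between[] = {
    { LOCK, 10 }, { CHECK, 11 }, { UNLOCK, 12 }, { USE, 14 },
};
/* Check taken without the lock, use inside a later critical section: check was never protected. */
static const struct event trace_unlocked_check[] = {
    { CHECK, 20 }, { LOCK, 21 }, { USE, 22 }, { UNLOCK, 23 },
};
/* Check and use inside the same critical section: rule satisfied. */
static const struct event trace_fixed[] = {
    { LOCK, 30 }, { CHECK, 31 }, { USE, 32 }, { UNLOCK, 33 },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

int main(void) {
    printf("%d %d %d\n", find_toctou(trace_unlock_between, N(trace_unlock_between)),
           find_toctou(trace_unlocked_check, N(trace_unlocked_check)),
           find_toctou(trace_fixed, N(trace_fixed))); /* prints 14 22 0 */
    return 0;
}
```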