Check out the new USENIX Web site. next up previous
Next: Reducing False Positives Up: Results Previous: Category 3: Kernel-Initiated Operations

Type Error Rates

CQUAL type errors can be examined in two ways: source type errors and path type errors. A source type error is a variable that is used in such a way that a type error is generated. That is, the variable is used in an unchecked state in at least one function that expects the variable to be checked. A path type error is a unique call path that leads to a type error. Figure 11 shows an example path type error. Note that for each source type error there may be multiple path type errors.


Table 1: Path and source type errors.
Subsystems Path Type Error Counts Source Type Error Counts Source Type Error Rate (%)
File System 73 57 10%
Memory Management 18 17 9%
Networking 431 308 22%
IPC 2 2 3%


Table 1 shows both the source and path type error counts for Linux kernel subsystems. For source type errors, we also display the source type error rate, defined to be the percentage of controlled variables that are involved in type errors.

Table 1 shows two interesting facts: (1) over 500 path type errors are present in the kernel and (2) most of the type errors occur on one path. Fortunately for the LSM community, most the type errors identified by the analysis are false positives. However, examining this many type errors to find a few exploitable errors is not practical. Therefore, we need secondary analyses to remove obvious false positives. Second, since most types errors associate one source with one error path, so it may be that some of the sinks of the analysis (i.e., the functions with controlled operations) may not really require authorization.


next up previous
Next: Reducing False Positives Up: Results Previous: Category 3: Kernel-Initiated Operations
Catherine Zhang 2002-05-13