AMCheX: Accurate Analysis of Missing-Check Bugs for Linux Kernel

作     者：Ying-Jie Wang Liang-Ze Yin Wei Dong Ying-Jie Wang;Liang-Ze Yin;Wei Dong

作者机构：Key Laboratory of Software Engineering for Complex SystemsCollege of Computer Science National University of Defense TechnologyChangsha 410073China 

出 版 物：《Journal of Computer Science & Technology》 (计算机科学技术学报（英文版）)

年 卷 期：2021年第36卷第6期

页      面：1325-1341页

核心收录：

学科分类：0839[工学-网络空间安全] 08[工学] 

基　　金：supported by the National Nature Science Foundation of China under Grant Nos.61802415 62032019 and 62032024.PDF(PC)23 

主　　题：security check function security-sensitive operation program analysis missing-check 

摘      要：The Linux kernel adopts a large number of security checks to prevent security-sensitive operations from being executed under unsafe *** a security-sensitive operation is unchecked,a missing-check issue *** check is a class of severe bugs in software programs especially in operating system kernels,which may cause a variety of security issues,such as out-of-bound accesses,permission bypasses,and privilege *** to the lack of security specifications,how to automatically identify security-sensitive operations and their required security checks in the Linux kernel becomes a challenge for missing-check *** this paper,we present an accurate missing-check analysis method for Linux kernel,which can automatically infer possible security-sensitive ***,we first automatically identify all possible security check functions of *** according to their callsites,a two-direction analysis method is leveraged to identify possible security-sensitive operations.A missing-check bug is reported when the security-sensitive operation is not protected by its corresponding security *** have implemented our method as a tool,named AMCheX,on top of the LLVM(Low Level Virtual Machine)framework and evaluated it on the Linux *** reported 12 new missing-check bugs which can cause security *** of them have been confirmed by Linux maintainers.