As a well-known open-source operating system, Linux has developed rapidly over the past few decades. However, as the scale and complexity of the Linux kernel continue to grow, ensuring the security of the kernel has become a challenge. Using static program analysis to detect vulnerabilities across the entire Linux kernel, guided by the characteristics of specific vulnerability classes, is therefore an important research topic. The Linux kernel uses a large number of security checks to prevent security-sensitive operations from being performed under insecure conditions. If a security-sensitive operation is not protected by the corresponding security check, a missing-check bug occurs. Missing-check vulnerabilities are serious software vulnerabilities, especially in an operating system kernel, where they may cause security problems such as out-of-bounds access, permission bypass, and privilege escalation. Because there are no explicit security specifications, automatically identifying security-sensitive operations and the security checks they require in the Linux kernel has become a challenge for missing-check detection. Early research required tool users to provide mapping specifications between security check functions and security-sensitive operations; however, because the Linux kernel has a huge code base, it is difficult for users to find such specifications manually. Recent work still requires part of the set of security check functions to be supplied by hand, which is limited because the security check functions cannot be identified completely. This paper proposes a new detection method for missing-check vulnerabilities, with the Linux kernel as the detection target. The method automatically identifies the security check functions in the Linux kernel and infers the security-sensitive operations that each security check function protects. When a security-sensitive operation is not protected by its corresponding security check, the method reports a vulnerability. The main contributions and innovations of this paper are as follows: (1) Security check functions are identified based on the Linux kernel's error codes and error-handling functions. The method first identifies security checks, then extracts the security check functions, and finally analyzes the encapsulation relationships among the security check functions. (2) A two-direction analysis method is proposed. It automatically identifies the security-sensitive operations protected by each security check function and automatically detects missing-check vulnerabilities in the Linux kernel based on the mapping between security check functions and security-sensitive operations. (3) Based on the LLVM (Low Level Virtual Machine) framework, a tool named AMCheX was designed and implemented and used to detect vulnerabilities in the Linux kernel. We evaluate the experimental results: AMCheX reported 12 new missing-check vulnerabilities, of which Linux kernel maintainers confirmed 5 and accepted the patches we provided.
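To make the pipeline described in the abstract concrete (identify security check functions from error-code tests, collapse wrapper checks, infer which operations each check protects in two directions, and report unprotected call sites), the following is an added toy implementation. It is not AMCheX's code and does not operate on LLVM IR; the linear statement representation, the sample functions, the set of error codes treated as security-relevant, and the 60% majority threshold for inferring a check/operation mapping are all constructed assumptions for illustration.

```python
"""Toy missing-check detector: an added illustration of the abstract's pipeline
(identify checks -> infer protected operations -> report unprotected sites).
Not AMCheX's code; the IR, sample functions, errno set and threshold are
constructed assumptions."""
from collections import defaultdict

# Each function body is a linear list of statements (assumed toy IR):
#   ("call", f)          call f
#   ("test", f, errcode) the result of the preceding call to f is tested and
#                        the failing branch returns errcode (an error path)
SAMPLE_FUNCS = {
    "priv_ok":       [("call", "capable"), ("test", "capable", "-EPERM")],  # wrapper
    "chardev_write": [("call", "capable"), ("test", "capable", "-EPERM"),
                      ("call", "write_register")],
    "chardev_ioctl": [("call", "capable"), ("test", "capable", "-EPERM"),
                      ("call", "write_register"), ("call", "kfree")],
    "sysfs_store":   [("call", "capable"), ("test", "capable", "-EPERM"),
                      ("call", "write_register")],
    "pci_store":     [("call", "priv_ok"), ("test", "priv_ok", "-EPERM"),
                      ("call", "write_register")],
    "debug_store":   [("call", "kmalloc"), ("test", "kmalloc", "-ENOMEM"),
                      ("call", "write_register")],   # capable() check missing
    "helper_free":   [("call", "kfree")],
}

# Assumed: only failing paths returning these codes mark a *security* check.
SECURITY_ERRNOS = {"-EPERM", "-EACCES"}


def identify_checks(funcs):
    """Step 1: a function is a security check if some caller tests its return
    value and returns a security-related error code on the failing branch."""
    return {st[1] for body in funcs.values() for st in body
            if st[0] == "test" and st[2] in SECURITY_ERRNOS}


def canonical_check(name, funcs, checks, seen=()):
    """Step 1b (encapsulation): if check `name` is defined in the corpus and
    its own body tests another check, treat it as that inner check."""
    if name in funcs and name not in seen:
        for st in funcs[name]:
            if st[0] == "test" and st[1] in checks:
                return canonical_check(st[1], funcs, checks, seen + (name,))
    return name


def forward_analysis(funcs, checks):
    """Direction 1 (check -> ops): walk each function; every non-check call made
    after a passed check is an operation that check protects.
    Returns call sites as (function, op, frozenset of active canonical checks)."""
    sites = []
    for fname, body in funcs.items():
        active = set()
        for st in body:
            if st[0] == "test" and st[1] in checks:
                active.add(canonical_check(st[1], funcs, checks))
            elif st[0] == "call" and st[1] not in checks:
                sites.append((fname, st[1], frozenset(active)))
    return sites


def backward_analysis(sites, threshold):
    """Direction 2 (op -> checks): for each operation, count how often each
    check guards it across all call sites; a required-check mapping is inferred
    when the fraction reaches `threshold` (an assumed majority rule)."""
    uses = defaultdict(int)
    guarded = defaultdict(lambda: defaultdict(int))
    for _, op, active in sites:
        uses[op] += 1
        for chk in active:
            guarded[op][chk] += 1
    return {op: {c for c, n in guarded[op].items() if n / uses[op] >= threshold}
            for op in uses}


def find_missing_checks(funcs, threshold=0.6):
    """Report (function, operation, missing check) for every call site where
    an inferred required check is absent."""
    checks = identify_checks(funcs)
    sites = forward_analysis(funcs, checks)
    required = backward_analysis(sites, threshold)
    return sorted((f, op, chk) for f, op, active in sites
                  for chk in required[op] - active)


if __name__ == "__main__":
    for report in find_missing_checks(SAMPLE_FUNCS):
        print("missing check: %s() calls %s without %s()" % report)
```

On the constructed corpus, `capable` is recognised as a security check because callers test it and return `-EPERM`, `priv_ok` is folded into `capable` through the encapsulation step, and `kmalloc` is not treated as a security check because its failing path returns `-ENOMEM`. `write_register` is guarded by `capable` at four of its five call sites, so the mapping is inferred and the single unguarded site in `debug_store` is reported; `kfree` is guarded at only half of its sites, so no mapping is inferred and no report is produced for it. Raising the threshold above 0.8 suppresses the report, which shows why the majority rule is the main source of both false negatives and false positives in this style of inference.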