Similar literature
20 similar documents found (search took 171 ms)
1.
谈心, 杨悉瑜, 曹家俊, 张源. Journal of Software (软件学报), 2022, 33(6): 2030-2046
Reference counting is a common memory-management technique in modern software. Reference-counting errors often lead to serious security problems such as memory leaks and use-after-free. Existing work that aims to improve the safety of reference counting depends on identifying reference-count fields. However, because the code of software systems such as Linux is extremely complex, identifying reference-count fields in the code is very difficult. Traditional identification methods based on code pattern matching have two problems: they require experts to summarize rules from experience, at high manual cost, and the summarized patterns cannot cover all cases, giving low recall. To address these problems, we observe that the code behaviour related to a field, together with the field's name, characterizes the field and helps identify reference-count fields. Based on these two kinds of features, we design a reference-count field identification method based on multimodal deep learning and implement a prototype system for the Linux kernel. Test data show that the prototype achieves a precision of 96.98% and a recall of 93.54%, whereas the traditional code-pattern-matching method identified no reference-count fields at all. In addition, we found 61 reference-count fields in the Linux kernel that use unsafe data types, and submitted data-type conversion patches to the Linux kernel community for 21 of them to improve the safety of reference-count fields; 6 of these have been merged into the mainline Linux kernel.

2.
False-positive and false-negative rates are the key metrics of static defect detection, and improving analysis precision is the main means of reducing both. This paper introduces defect patterns and their finite-state-machine description, and proposes a defect detection method based on traditional data-flow analysis. Abstract variable values are used to approximate the program's dynamic execution information; a path is judged unreachable when the abstract value range of a variable in a state condition becomes empty, which realizes path-sensitive analysis. Defect-related function summaries represent the function-call information needed for defect detection; such a summary consists of three parts, pre-condition constraint information, post-condition constraint information and function feature information, which realizes context-sensitive interprocedural analysis. The method has been implemented in the defect testing system DTS, and experimental results from analysing large open-source software show that it reduces false positives and false negatives.

3.
A path-sensitive static defect detection method   Total citations: 10, self-citations: 0, citations by others: 10
We propose a path-sensitive static defect detection algorithm of polynomial complexity. The method uses the abstract value ranges of variables to represent property state conditions, and judges a path unreachable when the abstract value range of a variable in a property state condition is empty. At join nodes of the control flow graph (CFG), state conditions with the same property state are merged, which avoids the combinatorial explosion of full path-context analysis. The algorithm has been applied in the defect testing system DTS (defect testing system). Real-world test results show that the method reduces false positives.

4.
Because device drivers in Linux run in kernel mode, vulnerabilities caused by device drivers in this particular setting can easily affect the stability and security of the operating system. Resource-operation vulnerabilities currently account for a high proportion of all device-driver vulnerabilities. In response, we propose a device-driver vulnerability detection method based on paired-function call scenarios. First, the concept of paired functions is introduced, and paired functions are automatically extracted and optimized for a given driver; then, combined with manual analysis, the execution paths of the paired functions during resource acquisition and release are constructed; finally, pairing checks are performed on the corresponding function-call scenarios to detect and verify whether the acquisition and release of memory resources in the device driver are completely and hierarchically matched. To validate the method, experiments apply it to different device drivers and record the false-negative rate, false-positive rate and coverage. The results show that the method has high precision and fast detection speed, and does not depend on real-time compilation or hardware devices.

5.
Automatic checking of function execution context in operating system kernel programs   Total citations: 2, self-citations: 0, citations by others: 2
汪黎, 杨学军, 王戟, 罗宇. Journal of Software (软件学报), 2007, 18(4): 1056-1067
Function execution-context correctness is the correctness property that operating system kernel programs violate most easily and that is hardest to check. Applying traditional techniques to check this class of error has difficulties and limitations. We propose PRPF, a framework for verifying function execution-context correctness, and describe its modelling process and related algorithms in detail. Compared with traditional techniques, PRPF has the advantages of checking source code directly, requiring no formal verification specification, low time and space overhead, and good extensibility. The technique has been applied to checking the network device drivers of Linux kernel 2.4.20. The application shows that PRPF can automatically explore all execution paths in a program and effectively check function execution-context correctness. The experiments found 23 programming errors in the Linux kernel, and another

6.
Research on kernel-level Rootkit techniques based on Linux system calls   Total citations: 3, self-citations: 2, citations by others: 1
System calls are the interface through which user programs interact with the operating system. Hijacking system calls is a technique commonly used by kernel-level rootkits to keep a backdoor after compromising a system. Studying the Linux system-call mechanism and the use of system-call hijacking in kernel-level rootkits allows better detection of and defence against kernel-level rootkits, making Linux systems more secure. Based on an analysis of the Linux system-call mechanism, this paper studies the principles and implementation of 5 different methods by which kernel-level rootkits hijack Linux system calls, and finally gives 3 effective detection methods for this class of kernel-level rootkit. Combining the detection methods proposed in the paper during detection can improve the security of Linux systems.

7.
Invariant detection is an effective way to improve software quality. Addressing the defects of traditional static detection methods, which may produce invalid invariants or miss invariants, this paper proposes a static detection method for non-function-dependent invariants based on abstract interpretation theory. First, lexical and syntactic analysis yields an abstract syntax tree; the abstract syntax tree is then converted into an abstract-domain graph; the abstract-domain graph is abstractly executed to obtain the executable paths in the program; finally, the executable paths are analysed according to the defined form of non-function-dependent invariants to obtain the potential non-function-dependent invariants in the program. The method is validated and illustrated with a C program as an example.

8.
王曙燕, 权雅菲, 孙家泽. Journal of Computer Applications (计算机应用), 2017, 37(10): 2968-2972
To address the false-positive problem of null-pointer dereference defects in static testing, a classification-based false-positive identification method for null-pointer dereference defects is proposed. Null-pointer dereference defect knowledge is mined and pre-processed to generate a null-pointer dereference defect data set; the data set is classified with an ID3 algorithm based on rough-set attribute importance, dividing the instances into false-positive null-pointer dereference defects and real null-pointer dereference defects; according to the classification result, null-pointer dereference defects reported in static testing are screened for false positives and the real defects are confirmed. Compared with the null-pointer dereference detection method of the mainstream static testing tool FindBugs on ten benchmark programs, the method lowers the false-positive rate of null-pointer dereference defects by 25% on average and reduces the number of defects to be confirmed by 24%. Experimental results show that the method effectively reduces the cost of defect confirmation in static testing and improves the efficiency and stability of null-pointer dereference detection.

9.
To improve the recognition performance of support vector machines (SVM), a method is proposed that constructs a combined kernel function from commonly used kernels and then optimizes its hyperparameters with a quasi-Newton algorithm. The method was successfully applied to an automatic down-feather recognition system. Experimental results show that, after kernel optimization, the combined kernel function gives the automatic down-feather recognition system better recognition performance than any of the common kernels used alone.

10.
Improving detection precision is an urgent problem in defect-pattern-based software testing. Building on interval-arithmetic techniques, the effect a function has on its context after execution is defined as the function's side effect, such as changes to global variables or class member variables, changes to pointer or reference parameters, and the function's return value. A formal description and a generation algorithm for function side effects are given, and they are used in the interval-arithmetic process to demonstrate the effect on static software testing. Experimental results show that with this method the testing tool reports markedly fewer false positives and false negatives and its precision improves significantly.

11.
CP-Miner: finding copy-paste and related bugs in large-scale software code   Total citations: 2, self-citations: 0, citations by others: 2
Recent studies have shown that large software suites contain significant amounts of replicated code. It is assumed that some of this replication is due to copy-and-paste activity and that a significant proportion of bugs in operating systems are due to copy-paste errors. Existing static code analyzers are either not scalable to large software suites or do not perform robustly where replicated code is modified with insertions and deletions. Furthermore, the existing tools do not detect copy-paste related bugs. In this paper, we propose a tool, CP-Miner, that uses data mining techniques to efficiently identify copy-pasted code in large software suites and detects copy-paste bugs. Specifically, it takes less than 20 minutes for CP-Miner to identify 190,000 copy-pasted segments in Linux and 150,000 in FreeBSD. Moreover, CP-Miner has detected many new bugs in popular operating systems, 49 in Linux and 31 in FreeBSD, most of which have since been confirmed by the corresponding developers and have been rectified in the following releases. In addition, we have found some interesting characteristics of copy-paste in operating system code. Specifically, we analyze the distribution of copy-pasted code by size (number of lines of code), granularity (basic blocks and functions), and modification within copy-pasted code. We also analyze copy-paste across different modules and various software versions.

12.
The Linux kernel adopts a large number of security checks to prevent security-sensitive operations from being executed under unsafe conditions. If a security-sensitive operation is unchecked, a missing-check issue arises. Missing check is a class of severe bugs in software programs, especially in operating system kernels, which may cause a variety of security issues, such as out-of-bound accesses, permission bypasses, and privilege escalations. Due to the lack of security specifications, how to automatically identify security-sensitive operations and their required security checks in the Linux kernel becomes a challenge for missing-check analysis. In this paper, we present an accurate missing-check analysis method for the Linux kernel, which can automatically infer possible security-sensitive operations. Particularly, we first automatically identify all possible security check functions of Linux. Then, according to their callsites, a two-direction analysis method is leveraged to identify possible security-sensitive operations. A missing-check bug is reported when the security-sensitive operation is not protected by its corresponding security check. We have implemented our method as a tool, named AMCheX, on top of the LLVM (Low Level Virtual Machine) framework and evaluated it on the Linux kernel. AMCheX reported 12 new missing-check bugs which can cause security issues. Five of them have been confirmed by Linux maintainers.

13.
This paper considers various aspects of static analysis of C# programs in order to detect the maximum number of software bugs in an acceptable time. A complete cycle of software static analysis is described with the main focus being placed on the specifics of the C# language. Some methods are discussed that take into account popular features of C# at all levels of analysis: call graph and control flow graph construction, dataflow analysis, as well as context- and path-sensitive interprocedural analysis. A symbolic execution method is proposed, which is based on the works devoted to Bounded Model Checking (BMC) and the Saturn Software Analysis Project. A memory model is described that enables an accurate intraprocedural analysis and allows one to create compact representations of error conditions associated with functions, which are essential for interprocedural analysis. Special attention is paid to the optimizations that occur during path-sensitive analysis of error conditions. The conditions need to be optimized in terms of size, because path-sensitive interprocedural analysis requires saving a large number of conditions for each analyzed function. The conditions are resolved using advanced SMT solvers (such as the Microsoft Z3 Prover). This paper also considers various approaches to modeling the behavior of library functions: based on a summary containing a set of properties required for analysis, or based on simplified implementations in C#. All the discussed solutions are implemented in the SharpChecker static analysis tool and are tested on a number of open-source projects from 1.5 thousand to 1.35 million lines of code.

14.
Driver vulnerabilities in Linux systems have been shown to be the main source of kernel vulnerabilities and can be exploited to cause serious security problems. Through the design and implementation of three parts, the system model, the interaction between driver and kernel, and the interaction between driver and device, a symbolic driver environment is built to assist in detecting vulnerabilities in Linux drivers. Using the symbolic driver environment to test two real drivers, two vulnerabilities were successfully detected, confirming the feasibility of the tool. Compared with the SymDrive tool, the symbolic driver environment executes 90% faster and improves coverage by 20%.

15.
Research shows that driver vulnerabilities are one of the main causes of Linux security problems and can lead to high-risk situations such as privilege escalation and denial of service. To address the problem that drivers cannot be checked for vulnerabilities at run time when no concrete device is available, the idea of symbolically executing drivers is put forward, and a driver simulation environment implemented with symbolic execution is proposed that can be used to analyse and detect security vulnerabilities in Linux device drivers. By simulating the service interfaces that the kernel provides to drivers, the environment lets a driver be symbolically executed in user space and thereby checked for vulnerabilities. The environment needs no real hardware support and offers high coverage, fast execution and easy extensibility. Applying the environment to 6 different Linux device drivers detected 6 real vulnerabilities; for three of them patches were submitted to and accepted by the driver maintainers. Experimental results show that the symbolic driver environment has a certain vulnerability-detection capability, with low resource consumption, fast detection and no dependence on hardware devices.

16.
Various mechanisms for hardening the Linux kernel (for example, enforcing system call policies, device driver failure recovery, protection against exploitation of bugs in code) are proposed in the literature. The main problem with these mechanisms is that they require changes in the kernel code, leading to the possibility of introducing new bugs and hence increasing the testing time. We propose a message filter model as an extension to object-oriented wrappers for the Linux kernel, to dynamically provide various filtering capabilities to the kernel. This model works as a comprehensive framework for specifying system call policies, handling device driver faults, protecting the kernel against exploits of bugs in code, etc., without modifying the existing kernel code. This considerably reduces the possibility of creating new bugs in the kernel code. We have integrated policies for system call interception and device driver failure handling into the Linux kernel (2.6.9), using the message filter model. Our experiments show that the overhead due to our filter objects is very low, making it a useful mechanism for providing filtering capabilities to the Linux kernel. Copyright © 2010 John Wiley & Sons, Ltd.

17.
Efforts to improve application reliability can be irrelevant if the reliability of the underlying operating system on which the application resides is not seriously considered. An important first step in improving the reliability of an operating system is to gain insights into why and how the bugs originate, contributions of the different modules to the bugs, their distribution across severities, the different ways in which the bugs may be resolved and the impact of bug severities on their resolution times. To acquire this insight, we conducted an extensive analysis of the publicly available bug data on the Linux kernel over a period of seven years. We also justify and explain the statistical bug occurrence trends observed from the data, using the architecture of the Linux kernel as an anchor. The statistical analysis of the Linux bug data suggests that the Linux kernel may draw significant benefits from the continual reliability improvement efforts of its developers. These efforts, however, are disproportionately targeted towards popular configurations and hardware platforms, due to which the reliability of these configurations may be better than those that are not commonly used. Thus, a key finding of our study is that it may be prudent to restrict to using common configurations and platforms when using open source systems such as Linux in applications with stringent reliability expectations. Finally, our study of the architectural properties of the bugs suggests that the dependence among the modules rather than the unreliabilities of the individual modules is the primary cause of the bugs and their impact on system reliability.

18.
Security checks are the most common security-hardening mechanism in operating systems and an important foundation for vulnerability detection. Detecting security checks necessarily involves error-handling functions; this paper starts from the detection of error-handling functions and implements a security-check detection method based on them. The paper proposes a semantics-aware security-check detection method, Sased, which statically analyses the function control flow of the Linux system using error-handling function detection based on natural-language semantics and program semantics. Sased can also back-trace and filter error-handling functions and security checks to reduce its false-positive rate. In experiments, Sased reported 795 error-handling functions and 41,519 security checks, both with detection accuracy above 90%. Among these, 208 error-handling functions had never been found by previous work. Combining Sased with existing vulnerability-detection methods, we found 9 new vulnerabilities in the Linux kernel. The experiments show that Sased can detect error-handling functions and security checks in operating systems very efficiently and thus provides a useful reference for operating-system vulnerability detection.

19.
Allocation, dereferencing, and freeing of memory data in kernels are coherently linked. There widely exist real cases where the correctness of memory is compromised. This incorrectness in kernel memory brings about significant security issues, e.g., information leaking. Though memory allocation, dereferencing, and freeing are closely related, previous work failed to realize they are closely related. In this paper, we study the life-cycle of kernel memory, which consists of allocation, dereferencing, and freeing. Errors in them are called memory life-cycle (MLC) bugs. We propose an in-depth study of MLC bugs and implement a memory life-cycle bug sanitizer (MEBS) for MLC bug detection. Utilizing an inter-procedural global call graph and novel identification approaches, MEBS can reveal memory allocation, dereferencing, and freeing sites in kernels. By constructing a modified define-use chain and examining the errors in the life-cycle, MLC bugs can be identified. Moreover, the experimental results on the latest kernels demonstrate that MEBS can effectively detect MLC bugs, and MEBS can be scaled to different kernels. More than 100 new bugs are exposed in Linux and FreeBSD, and 12 common vulnerabilities and exposures (CVE) are assigned.

20.
Fixing defects in an operating system without rebooting is important for the performance, security and availability of server systems. Because traditional operating systems were not implemented with online updating in mind, existing online-update techniques cannot handle well the case where the code to be updated is "in use", so that online updating is impossible in some scenarios. To address this problem, this paper designs a dynamic code-usage-counting monitoring technique for traditional operating systems: the original function's binary code is replaced with an equivalent counting copy, and the return addresses on the kernel stacks of the relevant threads are modified, so that the execution status of the code to be updated can be monitored and a moment at which online updating is possible can be found. Finally, the paper validates the effectiveness of this work using the open-source dynamic upgrade software ksplice.
