Finding User/Kernel Pointer Bugs With Type Inference

Rob Johnson and David Wagner

EECS Department
University of California, Berkeley
Technical Report No. UCB/CSD-04-1308
March 2004

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2004/CSD-04-1308.pdf

Today's operating systems struggle with vulnerabilities from careless handling of user space pointers. User/kernel pointer bugs have serious consequences for security: a malicious user could exploit a user/kernel pointer bug to gain elevated privileges, read sensitive data, or crash the system. We show how to detect user/kernel pointer bugs using type-qualifier inference, and we apply this method to the Linux kernel using CQUAL, a type-qualifier inference tool. We extend the basic type-inference capabilities of CQUAL to support context-sensitivity and greater precision when analyzing structures so that CQUAL requires fewer annotations and generates fewer false positives. With these enhancements, we were able to use CQUAL to find 16 exploitable user/kernel pointer bugs in the Linux kernel. Several of the bugs we found were missed by careful hand audits, other program analysis tools, or both.
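The qualifier inference the abstract describes, shown as an added illustration that is not the paper's or CQUAL's code: a toy, context-insensitive analysis over a constructed three-address IR, assuming the lattice kernel < user (a kernel pointer may be used where a user pointer is expected, never the reverse), where assignments generate flow constraints and dereferences require the kernel qualifier. The IR tuple shapes, the function name and the sample handler are all constructed for this example.

```python
from collections import defaultdict, deque

# Assumed two-point lattice: kernel < user. A kernel pointer may flow where a
# user pointer is expected, but a user pointer must never reach a dereference.
KERNEL, USER = "kernel", "user"

def infer_user_kernel_bugs(stmts, user_params):
    """Flow-insensitive, context-insensitive qualifier inference (a toy).

    stmts is a list of constructed IR tuples:
      ("assign", dst, src)          -> constraint qual(src) <= qual(dst)
      ("copy_from_user", dst, src)  -> qual(dst) <= kernel; src may be user
      ("deref", var)                -> qual(var) <= kernel
    user_params are pointer names that arrive from user space (qual = user).
    Returns (bugs, qual): bugs is a list of (stmt_index, var) where the
    constraints would require user <= kernel, which the lattice forbids.
    """
    flows = defaultdict(set)  # src -> {dst}: qual(src) <= qual(dst)
    for kind, *ops in stmts:
        if kind == "assign":
            dst, src = ops
            flows[src].add(dst)
    # Least solution: every variable starts at kernel; push `user` forward
    # along flow edges until a fixpoint is reached.
    qual = defaultdict(lambda: KERNEL)
    work = deque(user_params)
    for p in user_params:
        qual[p] = USER
    while work:
        v = work.popleft()
        for dst in flows[v]:
            if qual[dst] != USER:
                qual[dst] = USER
                work.append(dst)
    bugs = []
    for i, (kind, *ops) in enumerate(stmts):
        if kind in ("deref", "copy_from_user") and qual[ops[0]] == USER:
            bugs.append((i, ops[0]))  # user-qualified pointer used as kernel
    return bugs, dict(qual)

# Constructed sample: an ioctl-style handler stores the user pointer `arg` in
# a struct field, and a helper later dereferences that field directly.
SAMPLE = [
    ("assign", "req.buf", "arg"),       # req.buf = (char __user *)arg
    ("copy_from_user", "kbuf", "arg"),  # safe: goes through the accessor
    ("assign", "p", "req.buf"),         # p = req->buf, inside a helper
    ("deref", "p"),                     # *p: bug, p is user-qualified
    ("deref", "kbuf"),                  # fine: kbuf is a kernel buffer
]
```

Because the analysis is monomorphic, a helper that is called with both user and kernel pointers would report every one of its dereferences; the paper's context-sensitivity extension is what removes that class of false positive.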
BibTeX citation:

@techreport{Johnson:CSD-04-1308,
    Author = {Johnson, Rob and Wagner, David},
    Title = {Finding User/Kernel Pointer Bugs With Type Inference},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2004},
    Month = {Mar},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2004/5587.html},
    Number = {UCB/CSD-04-1308},
}

EndNote citation:

%0 Report
%A Johnson, Rob
%A Wagner, David
%T Finding User/Kernel Pointer Bugs With Type Inference
%I EECS Department, University of California, Berkeley
%D 2004
%@ UCB/CSD-04-1308
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2004/5587.html
%F Johnson:CSD-04-1308