Authors: Xiong Xin; Tan Xin; Zhang Yuan (College of Computer Science and Technology, Fudan University, Shanghai 200438)
Affiliation: [1] College of Computer Science and Technology, Fudan University, Shanghai 200438
Source: Journal of Computer Research and Development (《计算机研究与发展》), 2023, No. 7, pp. 1489-1500 (12 pages)
Funding: National Natural Science Foundation of China (U1836210, 62172105); Shanghai Rising-Star Program (21QA1400700); Shanghai Pilot Program for Basic Research (21TQ1400100:21TQ012).
Abstract: Reference counting (refcount) bugs in the kernel could cause critical security problems, including memory leaks and use-after-free vulnerabilities. To detect such defects, we propose a refcount bug detection system based on consistency analysis of error path behavior. Compared with existing work, our method introduces semantic information about the error paths to infer the appropriate refcount behavior on these paths, thus detecting refcount defects that cannot be covered by existing work. First, the system identifies all the error paths in the target function based on the function return value and fault handling code. Second, path-sensitive analysis is performed to collect the specific refcount behavior on each error path within the target function, which is aggregated to infer the dominant tendency of refcount behavior on the error paths of the target function. Finally, based on the idea of consistency checking, the error paths whose refcount behavior is inconsistent with the dominant tendency are identified as potential refcount bugs. In the evaluation, the proposed system finds 21 and 9 bugs on Linux kernel version 5.6-rc2 and version 5.17, respectively, most of which have been confirmed by the kernel developers. In addition, on kernel version 5.6-rc2, the system detects 9 new refcount bugs that could not be identified by existing work.
Keywords: bug detection; kernel refcount bugs; static program analysis; consistency analysis; error path analysis
Classification number: TP311 [Automation and Computer Technology: Computer Software and Theory]