Electrical Engineering
      and Computer Sciences

Electrical Engineering and Computer Sciences

COLLEGE OF ENGINEERING

UC Berkeley

Finding User/Kernel Pointer Bugs With Type Inference

Rob Johnson and David Wagner

EECS Department
University of California, Berkeley
Technical Report No. UCB/CSD-04-1308
March 2004

http://www.eecs.berkeley.edu/Pubs/TechRpts/2004/CSD-04-1308.pdf

Today's operating systems struggle with vulnerabilities from careless handling of user space pointers. User/kernel pointer bugs have serious consequences for security: a malicious user could exploit a user/kernel pointer bug to gain elevated privileges, read sensitive data, or crash the system. We show how to detect user/kernel pointer bugs using type-qualifier inference, and we apply this method to the Linux kernel using CQUAL, a type-qualifier inference tool. We extend the basic type-inference capabilities of CQUAL to support context-sensitivity and greater precision when analyzing structures so that CQUAL requires fewer annotations and generates fewer false positives. With these enhancements, we were able to use CQUAL to find 16 exploitable user/kernel pointer bugs in the Linux kernel. Several of the bugs we found were missed by careful hand audits, other program analysis tools, or both.


BibTeX citation:

@techreport{Johnson:CSD-04-1308,
    Author = {Johnson, Rob and Wagner, David},
    Title = {Finding User/Kernel Pointer Bugs With Type Inference},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2004},
    Month = {Mar},
    URL = {http://www.eecs.berkeley.edu/Pubs/TechRpts/2004/5587.html},
    Number = {UCB/CSD-04-1308},
    Abstract = {Today's operating systems struggle with vulnerabilities from careless handling of user space pointers. User/kernel pointer bugs have serious consequences for security: a malicious user could exploit a user/kernel pointer bug to gain elevated privileges, read sensitive data, or crash the system. We show how to detect user/kernel pointer bugs using type-qualifier inference, and we apply this method to the Linux kernel using CQUAL, a type-qualifier inference tool. We extend the basic type-inference capabilities of CQUAL to support context-sensitivity and greater precision when analyzing structures so that CQUAL requires fewer annotations and generates fewer false positives. With these enhancements, we were able to use CQUAL to find 16 exploitable user/kernel pointer bugs in the Linux kernel. Several of the bugs we found were missed by careful hand audits, other program analysis tools, or both.}
}

EndNote citation:

%0 Report
%A Johnson, Rob
%A Wagner, David
%T Finding User/Kernel Pointer Bugs With Type Inference
%I EECS Department, University of California, Berkeley
%D 2004
%@ UCB/CSD-04-1308
%U http://www.eecs.berkeley.edu/Pubs/TechRpts/2004/5587.html
%F Johnson:CSD-04-1308