Progressive Scrutiny: Incremental Detection of UBI bugs in the Linux Kernel

“…Given the time-intensive and complex nature of the cases, manual analysis usually focuses on a sample of cases. When the total number of cases is substantial, state-of-the-art practices [4,12,15,30,43,48,49,55] typically sample and manually analyze 40-400 cases. According to the previous study [7], such sampling ratios would result in a margin of error between ±5% to ±15%.…”

“…Indirect-call analysis is critical for these tools, but false positives can impede bug detection. For example, as the claims from INCRELUX [55] and DiffCVSS [49], using traditional techniques, such as type analysis, to identify indirect calls will introduce high false positives into their results and sometimes even make the tool unusable. Our study found that imprecise indirect call analysis is a major contributor to the results of Crix, accounting for 59% of the total warnings.…”

“…For example, the Linux kernel 5.7 and Android kernel 5.10 have more than 55K and 62K indirect call sites. Accurately identifying these indirect calls is critical for building precise call graphs and control flow graphs, which are the basis of modern program analysis and security analysis, including bug detection [55], program debloating [1,39], directed fuzzing [5,35], vulnerability assessment [49], model checking [3], and many others [13,37,38,47].…”

GNNIC: Finding Long-Lost Sibling Functions with Abstract Similarity

“…Given the time-intensive and complex nature of the cases, manual analysis usually focuses on a sample of cases. When the total number of cases is substantial, state-of-the-art practices [4,12,15,30,43,48,49,55] typically sample and manually analyze 40-400 cases. According to the previous study [7], such sampling ratios would result in a margin of error between ±5% to ±15%.…”

“…Indirect-call analysis is critical for these tools, but false positives can impede bug detection. For example, as the claims from INCRELUX [55] and DiffCVSS [49], using traditional techniques, such as type analysis, to identify indirect calls will introduce high false positives into their results and sometimes even make the tool unusable. Our study found that imprecise indirect call analysis is a major contributor to the results of Crix, accounting for 59% of the total warnings.…”

“…For example, the Linux kernel 5.7 and Android kernel 5.10 have more than 55K and 62K indirect call sites. Accurately identifying these indirect calls is critical for building precise call graphs and control flow graphs, which are the basis of modern program analysis and security analysis, including bug detection [55], program debloating [1,39], directed fuzzing [5,35], vulnerability assessment [49], model checking [3], and many others [13,37,38,47].…”

GNNIC: Finding Long-Lost Sibling Functions with Abstract Similarity

SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers

Non-Distinguishable Inconsistencies as a Deterministic Oracle for Detecting Security Bugs