Statically Discovering High-Order Taint Style Vulnerabilities in OS Kernels

“…For this reason, we need the ability to track data flow across syscalls. SUTURE [51] is a static analysis framework for pointsto analysis and data-flow analysis for the Linux kernel. It solves the multi-interaction problem using a summary-based approach.…”

“…Intended cross-syscall data-flows result from the multiinteraction characteristic of the kernel, as has been described in §II-B. Without the ability to model them, some memory errors may not be exploitable [51]. We address this challenge by leveraging the cross-syscall point-to analysis from [51], as well as our DFG-based cross-syscall data-flow analysis.…”

“…Without the ability to model them, some memory errors may not be exploitable [51]. We address this challenge by leveraging the cross-syscall point-to analysis from [51], as well as our DFG-based cross-syscall data-flow analysis. Unintended cross-syscall data-flows occur when a syscall unintendedly writes to or reads from memory that is used by other syscalls through memory errors.…”

“…As shown in Figure 1, M-DFG is constructed based on two inputs: (1) the Linux kernel in LLVM's partial static single assignment (SSA) form, and (2) the point-to information generated by a flow-, context-, and field-sensitive inter-procedural static analysis [51]. We consider most LLVM instructions when constructing M-DFG, including:…”

“…We connect the M-DFG of each syscall using cross-syscall RAW edges. Using the cross-syscall points-to information generated by SUTURE [51], we look at all pairs of syscall entries and try to apply RAW rule to connect the store node of one syscall entry to the load node of another.…”

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

“…For this reason, we need the ability to track data flow across syscalls. SUTURE [51] is a static analysis framework for pointsto analysis and data-flow analysis for the Linux kernel. It solves the multi-interaction problem using a summary-based approach.…”

“…Intended cross-syscall data-flows result from the multiinteraction characteristic of the kernel, as has been described in §II-B. Without the ability to model them, some memory errors may not be exploitable [51]. We address this challenge by leveraging the cross-syscall point-to analysis from [51], as well as our DFG-based cross-syscall data-flow analysis.…”

“…Without the ability to model them, some memory errors may not be exploitable [51]. We address this challenge by leveraging the cross-syscall point-to analysis from [51], as well as our DFG-based cross-syscall data-flow analysis. Unintended cross-syscall data-flows occur when a syscall unintendedly writes to or reads from memory that is used by other syscalls through memory errors.…”

“…As shown in Figure 1, M-DFG is constructed based on two inputs: (1) the Linux kernel in LLVM's partial static single assignment (SSA) form, and (2) the point-to information generated by a flow-, context-, and field-sensitive inter-procedural static analysis [51]. We consider most LLVM instructions when constructing M-DFG, including:…”

“…We connect the M-DFG of each syscall using cross-syscall RAW edges. Using the cross-syscall points-to information generated by SUTURE [51], we look at all pairs of syscall entries and try to apply RAW rule to connect the store node of one syscall entry to the load node of another.…”

K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

Multi-view Pre-trained Model for Code Vulnerability Identification

Constructing arbitrary write via puppet objects and delivering gadgets in Linux kernel