UBITect: a precise and scalable method to detect use-before-initialization bugs in Linux kernel

Zhai, Yizhuo; Yu, Hao; Zhang, Hang; Wang, Daimeng; Song, Chengyu; Qian, Zhiyun; Lesani, Mohsen; Krishnamurthy, Srikanth V.; Yu, Paul

doi:10.1145/3368089.3409686

Cited by 15 publications

(1 citation statement)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Besides the above seven open-source approaches, there are some other OS-bug detection approaches that detect specific bug types or are closed-source. For example, UBITect [87] targets use-before-initialization bugs in OS code, and it performs source-sink analysis and searches for a feasible path between the source (allocation site) and the sink (use site) using symbolic execution; while PATA first performs alias-aware typestate analysis without checking code-path feasibility, and then it uses alias relationships to efficiently check the code-path feasibility of each possible bug. MLEE [75] focuses on early-exit paths and detects memory leaks by comparing these paths to normal paths in OS code; while PATA considers more code paths and can detect memory leaks via typestate tracking.…”

Section: Comparison To Existing Approachesmentioning

confidence: 99%

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

Bai

Sui

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

Operating system (OS) is the cornerstone for modern computer systems. It manages devices and provides fundamental service for user-level applications. Thus, detecting bugs in OSes is important to improve reliability and security of computer systems. Static typestate analysis is a common technique for detecting different types of bugs, but it is often inaccurate or unscalable for large-size OS code, due to imprecision of identifying alias relationships as well as high costs of typestate tracking and path-feasibility validation.In this paper, we present PATA, a novel path-sensitive and aliasaware typestate analysis framework to detect OS bugs. To improve the precision of identifying alias relationships in OS code, PATA performs a path-based alias analysis based on control-flow paths and access paths. With these alias relationships, PATA reduces the costs of typestate tracking and path-feasibility validation, to boost the efficiency of path-sensitive typestate analysis for bug detection. We have evaluated PATA on the Linux kernel and three popular IoT OSes (Zephyr, RIOT and TencentOS-tiny) to detect three common types of bugs (null-pointer dereferences, uninitializedvariable accesses and memory leaks). PATA finds 574 real bugs with a false positive rate of 28%. 206 of these bugs have been confirmed by the developers of the four OSes. We also compare PATA to seven state-of-the-art static approaches (Cppcheck, Coccinelle, Smatch, CSA, Infer, Saber and SVF). PATA finds many real bugs missed by them, with a lower false positive rate. CCS CONCEPTS• Software and its engineering → Software defect analysis; • Security and privacy → Operating systems security.

show abstract

Section: Comparison To Existing Approachesmentioning

confidence: 99%

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

Bai

Sui

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

show abstract

SparrowHawk: Memory Safety Flaw Detection via Data-Driven Source Code Annotation

Lyu

Gao

et al. 2021

Information Security and Cryptology

View full text Add to dashboard Cite

Enchanting Program Specification Synthesis by Large Language Models Using Static Analysis and Program Verification

Wen,

Cao,

et al. 2024

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Formal verification provides a rigorous and systematic approach to ensure the correctness and reliability of software systems. Yet, constructing specifications for the full proof relies on domain expertise and non-trivial manpower. In view of such needs, an automated approach for specification synthesis is desired. While existing automated approaches are limited in their versatility, i.e., they either focus only on synthesizing loop invariants for numerical programs, or are tailored for specific types of programs or invariants. Programs involving multiple complicated data types (e.g., arrays, pointers) and code structures (e.g., nested loops, function calls) are often beyond their capabilities. To help bridge this gap, we present AutoSpec, an automated approach to synthesize specifications for automated program verification. It overcomes the shortcomings of existing work in specification versatility, synthesizing satisfiable and adequate specifications for full proof. It is driven by static analysis and program verification, and is empowered by large language models (LLMs). AutoSpec addresses the practical challenges in three ways: (1) driving AutoSpec by static analysis and program verification, LLMs serve as generators to generate candidate specifications, (2) programs are decomposed to direct the attention of LLMs, and (3) candidate specifications are validated in each round to avoid error accumulation during the interaction with LLMs. In this way, AutoSpec can incrementally and iteratively generate satisfiable and adequate specifications. The evaluation shows its effectiveness and usefulness, as it outperforms existing works by successfully verifying 79% of programs through automatic specification synthesis, a significant improvement of 1.592x. It can also be successfully applied to verify the programs in a real-world X509-parser project.

show abstract

UBITect: a precise and scalable method to detect use-before-initialization bugs in Linux kernel

Cited by 15 publications

References 13 publications

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

SparrowHawk: Memory Safety Flaw Detection via Data-Driven Source Code Annotation

Enchanting Program Specification Synthesis by Large Language Models Using Static Analysis and Program Verification

Contact Info

Product

Resources

About