PeX: A Permission Check Analysis Framework for Linux Kernel

Academic talk via Zoom, Tsinghua University, Beijing

Speaker: Wenbo Shen (申文博), Zhejiang University

Date:

Abstract:

Permission checks play an essential role in operating system security by providing access control to privileged functionalities. However, it is particularly challenging for kernel developers to correctly apply new permission checks and to scalably verify the soundness of existing checks, due to the large code base and complexity of the kernel. In fact, the Linux kernel contains millions of lines of code with hundreds of permission checks, and its complexity is growing fast.

This paper presents PeX, a static Permission check error detector for LinuX, which takes kernel source code as input and reports any missing, inconsistent, and redundant permission checks. PeX uses KIRIN (Kernel InteRface based Indirect call aNalysis), a novel, precise, and scalable indirect call analysis technique that leverages the common programming paradigm used in kernel abstraction interfaces. Over the inter-procedural control flow graph built by KIRIN, PeX automatically identifies all permission checks and infers the mappings between permission checks and privileged functions. For each privileged function, PeX examines all possible paths to the function to check whether the necessary permission checks are correctly enforced before it is called.

We evaluated PeX on the latest stable Linux kernel v4.18.5 for three types of permission checks: Discretionary Access Controls (DAC), Capabilities, and Linux Security Modules (LSM). PeX reported 36 new permission check errors, 14 of which have been confirmed by the kernel developers.
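The path check described in the abstract, as an added toy illustration rather than PeX's own code: every path through a small constructed inter-procedural CFG is enumerated, a check-to-function mapping is inferred (here simplified to "called after the check on some path", standing in for PeX's dominance-based inference), and each path is then classified as correctly checked, missing the check, or applying it redundantly. All node, check and function names (`capable_check`, `priv_op`, the `ICFG` layout) are made up for this example.

```python
from collections import defaultdict

# Constructed inter-procedural CFG: node -> (function called there or None, successors).
# capable_check stands in for a check such as capable(); all names here are made up.
ICFG = {
    "entry": (None,            ["a1", "b1", "c1"]),  # three ways into the syscall
    "a1":    ("capable_check", ["a2"]),
    "a2":    ("priv_op",       []),
    "b1":    ("priv_op",       []),                  # priv_op reached unchecked
    "c1":    ("capable_check", ["c2"]),
    "c2":    ("capable_check", ["c3"]),              # same check applied twice
    "c3":    ("priv_op",       []),
}
CHECKS = {"capable_check"}

def all_paths(graph, node="entry", visited=frozenset()):
    """Yield every acyclic entry-to-exit path as the list of functions called on it."""
    call, succs = graph[node]
    here = [call] if call else []
    if not succs:
        yield here
    for nxt in succs:
        if nxt not in visited:  # cut back edges so enumeration terminates
            for rest in all_paths(graph, nxt, visited | {node}):
                yield here + rest

def infer_privileged(paths, checks):
    """check -> functions called after it on some path (simplified mapping inference)."""
    mapping = defaultdict(set)
    for path in paths:
        seen_checks = set()
        for fn in path:
            if fn in checks:
                seen_checks.add(fn)
            else:
                for chk in seen_checks:
                    mapping[chk].add(fn)
    return mapping

def analyze(graph, checks):
    """Per (check, privileged fn): paths with the check missing / applied more than once."""
    paths = list(all_paths(graph))
    report = {}
    for chk, fns in infer_privileged(paths, checks).items():
        for fn in fns:
            # number of times the check occurs before the first call to fn on each path
            before = [p[:p.index(fn)].count(chk) for p in paths if fn in p]
            report[(chk, fn)] = {"missing": before.count(0),
                                 "redundant": sum(n > 1 for n in before)}
    return report
```

On the constructed graph, `analyze(ICFG, CHECKS)` flags one path where `priv_op` is reached without `capable_check` (the missing-check case) and one where the check is applied twice (the redundant case).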


Bio:

Wenbo Shen (申文博) is a ZJU 100 Young Professor (百人计划研究员) and doctoral supervisor at Zhejiang University. He received his Ph.D. in Computer Science from North Carolina State University in 2015 and in the same year joined Samsung Research America in Silicon Valley as the technical lead for operating system kernel security. In 2019 he joined the Center for Cyber Security Research and the College of Computer Science and Technology at Zhejiang University.

His research output comprises more than 30 papers and patents, including publications at IEEE S&P, ACM CCS, USENIX Security, NDSS, TDSC, ACM MobiCom and TMC, and has received two distinguished paper awards, including the Distinguished Paper Award at NDSS, one of the four top-tier security conferences. He has long been active on the front line of mobile system security offense and defense, analysing real-world attacks and designing corresponding operating system protection schemes, and brings both academic and industrial research experience and perspective. Over many years he has designed, implemented and led the deployment of multiple operating system kernel security mechanisms, protecting the kernels of more than 100 million devices.