Abstract

OS kernels rely on a variety of allocation functions to obtain memory, and memory in kernel space must be handled with care, e.g., what is allocated with kmalloc() must be freed with kfree(). In practice, however, memory is sometimes allocated or freed with mismatched functions, dereferenced without being checked, or never freed once it is no longer in use. We call these cases Memory Life-cycle (MLC) bugs; to the best of our knowledge, this class of bugs has not been studied in depth. In this paper we examine the full life-cycle of kernel memory, comprising allocation, dereference and free, present the first systematic study of MLC bugs, and build an automated and scalable detection framework, the MLC bug sanitizer (MLCSan). MLCSan identifies memory allocation and free functions in OS kernels, and it automatically locates allocation, dereference and free sites, which are the places where MLC bugs can arise. Evaluating MLCSan on the latest mainline kernels shows that it detects MLC bugs effectively and scales across platforms: it identified 41 new bugs in Linux and FreeBSD. We will open-source the MLCSan prototype to support further security research in this area.
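The three MLC bug classes named above, as an added illustration that is not MLCSan's code or the paper's method: a user-space shadow allocator that mimics kmalloc/kfree and vmalloc/vfree, records each allocation's site and allocator family, and flags a free through the wrong function, a double free, and memory still tracked at teardown (a leak). Failure injection shows why the result of an allocation must be checked before it is dereferenced: the fixed probe returns -ENOMEM, whereas the buggy one would oops. All names (shadow_alloc, kmalloc_sim, probe_buggy, probe_fixed, fail_at) are invented for this example.

```c
/* Added example (not MLCSan's code): shadow allocator that tracks the
 * allocator family behind every pointer and reports MLC bug patterns.
 * kmalloc_sim/vmalloc_sim/kfree_sim/vfree_sim stand in for the kernel
 * API; fail_at injects an allocation failure for the N-th allocation. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum alloc_kind { KIND_KMALLOC = 1, KIND_VMALLOC = 2 };
static const char *kind_name[] = { "?", "kmalloc", "vmalloc" };
struct tracked { void *ptr; enum alloc_kind kind; const char *site; };

#define MAX_TRACKED 64
static struct tracked table[MAX_TRACKED];
static int n_tracked, mismatched_frees, double_frees;
static int alloc_seq, fail_at;          /* fail_at = N: N-th allocation returns NULL */

/* Clear all state; fail_at_alloc = 0 disables failure injection. */
static void shadow_reset(int fail_at_alloc)
{
    for (int i = 0; i < n_tracked; i++) free(table[i].ptr);
    n_tracked = mismatched_frees = double_frees = alloc_seq = 0;
    fail_at = fail_at_alloc;
}
static int mlc_mismatched_frees(void) { return mismatched_frees; }
static int mlc_double_frees(void)     { return double_frees; }
static int mlc_leaks(void)            { return n_tracked; } /* still tracked = never freed */

static void *shadow_alloc(size_t sz, enum alloc_kind kind, const char *site)
{
    if (++alloc_seq == fail_at) return NULL;    /* kernel allocators can fail */
    void *p = malloc(sz);
    if (p && n_tracked < MAX_TRACKED)
        table[n_tracked++] = (struct tracked){ p, kind, site };
    return p;
}

static void shadow_free(void *p, enum alloc_kind kind, const char *site)
{
    if (!p) return;                              /* kfree(NULL)/vfree(NULL) are no-ops */
    for (int i = 0; i < n_tracked; i++) {
        if (table[i].ptr != p) continue;
        if (table[i].kind != kind) {             /* freed through the wrong family */
            mismatched_frees++;
            printf("MLC: %s uses %s on %s memory allocated in %s\n",
                   site, kind_name[kind], kind_name[table[i].kind], table[i].site);
        }
        table[i] = table[--n_tracked];           /* drop the record, then release */
        free(p);
        return;
    }
    double_frees++;                              /* untracked pointer: double/invalid free */
    printf("MLC: %s frees untracked pointer %p\n", site, p);
}

#define kmalloc_sim(sz) shadow_alloc((sz), KIND_KMALLOC, __func__)
#define vmalloc_sim(sz) shadow_alloc((sz), KIND_VMALLOC, __func__)
#define kfree_sim(p)    shadow_free((p), KIND_KMALLOC, __func__)
#define vfree_sim(p)    shadow_free((p), KIND_VMALLOC, __func__)

struct dev_state { char *name; char *big; };

/* Buggy probe: st->name is dereferenced without a NULL check, vmalloc'ed
 * memory is released with kfree, and st->name leaks when vmalloc fails. */
static int probe_buggy(struct dev_state *st)
{
    st->name = kmalloc_sim(16);
    strcpy(st->name, "dev0");                    /* NULL deref if alloc #1 failed */
    st->big = vmalloc_sim(1 << 16);
    if (!st->big)
        return -ENOMEM;                          /* error path forgets st->name */
    kfree_sim(st->big);                          /* wrong free function */
    st->big = NULL;
    return 0;
}

/* Fixed probe: every allocation is checked and the error path unwinds. */
static int probe_fixed(struct dev_state *st)
{
    st->name = kmalloc_sim(16);
    if (!st->name) return -ENOMEM;
    strcpy(st->name, "dev0");
    st->big = vmalloc_sim(1 << 16);
    if (!st->big) {
        kfree_sim(st->name); st->name = NULL;    /* undo the earlier allocation */
        return -ENOMEM;
    }
    return 0;
}

/* Teardown pairs each pointer with the allocator family that produced it. */
static void release(struct dev_state *st)
{
    vfree_sim(st->big);  st->big = NULL;
    kfree_sim(st->name); st->name = NULL;
}

int main(void)
{
    struct dev_state st = {0};
    shadow_reset(0); probe_buggy(&st); release(&st);
    printf("buggy, all allocs succeed: mismatched=%d leaks=%d\n", mlc_mismatched_frees(), mlc_leaks());
    shadow_reset(2); probe_buggy(&st);
    printf("buggy, alloc #2 fails: leaks=%d\n", mlc_leaks());
    shadow_reset(1);                             /* buggy probe would oops here */
    printf("fixed, alloc #1 fails: rc=%d leaks=%d\n", probe_fixed(&st), mlc_leaks());
    return 0;
}
```

The shadow table plays the role that a sanitizer's knowledge of allocator and free functions plays at scale: once every allocation site is paired with its allocator family, a free through another family, a second free of the same pointer, and an allocation that is never released all become mechanical checks, while the unchecked dereference is only exposed by making the allocation fail.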

Full Text
Published version (Free)
