Linux Kernel Research Articles

Constructing arbitrary write via puppet objects and delivering gadgets in Linux kernel

Researchers have proposed various methods to perform kernel exploitation, which facilitates vulnerability evaluation and fixing. To sum up, traditional approaches tend to construct ROP chains or perform arbitrary write to escalate privileges. However, the former depends on some unusual ROP gadgets to save the stack frame pointer and demands adequate kernel memory space to hold the ROP chain. Additionally, to construct arbitrary write, existing approaches either rely on the usability of a certain kernel object or have restrictions on the write value. These limitations sometimes hinder the exploitation of the vulnerability.In this paper, to overcome the limitations of existing exploitation strategies, we propose an elegant approach, which uses puppet objects and delivering gadgets to construct arbitrary writes. This approach relies on common ROP gadgets, requires less controllable memory, imposes fewer restrictions, and features a concise exploitation process. We also devise a tool named PODE to automatically identify puppet objects in Linux kernel and select suitable puppet objects and delivering gadgets for a given vulnerability. We evaluate PODE using 22 real-world kernel vulnerabilities and successfully exploit 16 of them using puppet objects, demonstrating that it not only diversifies the ways to perform kernel exploitation but also escalates the exploitability of kernel vulnerabilities.

SPATA: Effective OS Bug Detection with Summary-Based, Alias-Aware, and Path-Sensitive Typestate Analysis

The operating system (OS) is the cornerstone for computer systems. It manages hardware and provides fundamental service for user-level applications. Thus, detecting bugs in OSes is important to improve the reliability of computer systems. Static typestate analysis is a common technique for detecting various types of bugs, but it is often inaccurate or unscalable for large-size OS code, due to imprecision of identifying alias relationships as well as high costs of typestate tracking, path-feasibility validation, and inter-procedural analysis. In this article, 1 we present SPATA, a novel summary-based, alias-aware, and path-sensitive typestate analysis framework to detect OS bugs. To identify precise alias relationships in the OS code, SPATA performs a path-based alias analysis based on control-flow paths and access paths. With these alias relationships, SPATA reduces the costs of typestate tracking and path-feasibility validation, to accelerate path-sensitive typestate analysis for accurate bug detection. Moreover, SPATA uses an alias-summary-based analysis to accelerate inter-procedural bug detection, without time-consuming alias analysis across functions. We have evaluated SPATA on the Linux kernel and three popular IoT OSes, and it finds 651 real bugs with a false-positive rate of 18%. Besides, our alias-summary-based analysis achieves a 6.7x speedup in bug detection compared to non-summary-based analysis.

Sequentialized Virtual File System: A Virtual File System Enabling Address Sequentialization for Flash-Based Solid State Drives

Solid-state drives (SSDs) are widely adopted in mobile devices, desktop PCs, and data centers since they offer higher throughput, lower latency, and lower power consumption to modern computing systems and applications compared with hard disk drives (HDDs). However, the performance of the SSDs can be degraded depending on the I/O access pattern due to the unique characteristics of SSDs. For example, random I/O operation degrades the SSD performance since it reduces the spatial locality and induces garbage collection (GC) overhead. In this paper, we present an address reshaping scheme in a virtual file system (VFS) called sVFS for improving performance and easy deployment. To do this, it first sequentializes a random access pattern in the VFS layer which is an abstract layer on top of a more concrete file system. Thus, our scheme is independent and easily deployed on any concrete file systems, block layer configuration (e.g., RAID), and devices. Second, we adopt a mapping table for managing sequentialized addresses, which guarantees correct read operations. Third, we support transaction processing for updating the mapping table to avoid sacrificing the consistency. We implement our scheme at the VFS layer in Linux kernel 5.15.34. The evaluation results show that our scheme improve the random write throughput by up to 27%, 36%, 34%, and 2.35× using the microbenchmark and 25%, 22%, 20%, and 3.51× using the macrobenchmark compared with the existing scheme in the case of EXT4, F2FS, XFS, and BTRFS, respectively.

Raspberry Pi based IOT Weather Station

This paper presents a real-time system for monitoring and updating weather conditions online. The system tracks three key parameters: temperature, humidity, and rainfall. These values are displayed on an LCD screen and stored in a database. When the area is dry, the rainfall reading shows zero. If raindrops are detected, the rainfall value updates accordingly. As the temperature changes, it also reflects on the display. Users can check the weather status of a specific area from anywhere. We use an ARM-based Raspberry Pi 3 board, running the Raspbian operating system with a Linux kernel. The programming is done in Python, which is supported by the IDLE environment. This system provides users with a clear understanding of local weather conditions, making it a valuable tool for monitoring the climate in a specific area.

REMaQE: Reverse Engineering Math Equations from Executables

Cybersecurity attacks on embedded devices for industrial control systems and cyber-physical systems may cause catastrophic physical damage as well as economic loss. This could be achieved by infecting device binaries with malware that modifies the physical characteristics of the system operation. Mitigating such attacks benefits from reverse engineering tools that recover sufficient semantic knowledge in terms of mathematical equations of the implemented algorithm. Conventional reverse engineering tools can decompile binaries to low-level code, but offer little semantic insight. This article proposes the REMaQE automated framework for reverse engineering of math equations from binary executables. Improving over state-of-the-art, REMaQE handles equation parameters accessed via registers, the stack, global memory, or pointers, and can reverse engineer equations from object-oriented implementations such as C++ classes. Using REMaQE, we discovered a bug in the Linux kernel thermal monitoring tool “tmon.” To evaluate REMaQE, we generate a dataset of 25,096 binaries with math equations implemented in C and Simulink. REMaQE successfully recovers a semantically matching equation for all 25,096 binaries. REMaQE executes in 0.48 seconds on average and in up to 2 seconds for complex equations. Real-time execution enables integration in an interactive math-oriented reverse engineering workflow.

On the Expressive Power of Languages for Static Variability

Variability permeates software development to satisfy ever-changing requirements and mass-customization needs. A prime example is the Linux kernel, which employs the C preprocessor to specify a set of related but distinct kernel variants. To study, analyze, and verify variational software, several formal languages have been proposed. For example, the choice calculus has been successfully applied for type checking and symbolic execution of configurable software, while other formalisms have been used for variational model checking, change impact analysis, among other use cases. Yet, these languages have not been formally compared, hence, little is known about their relationships. Crucially, it is unclear to what extent one language subsumes another, how research results from one language can be applied to other languages, and which language is suitable for which purpose or domain. In this paper, we propose a formal framework to compare the expressive power of languages for static (i.e., compile-time) variability. By establishing a common semantic domain to capture a widely used intuition of explicit variability, we can formulate the basic, yet to date neglected, properties of soundness, completeness, and expressiveness for variability languages. We then prove the (un)soundness and (in)completeness of a range of existing languages, and relate their ability to express the same variational systems. We implement our framework as an extensible open source Agda library in which proofs act as correct compilers between languages or differencing algorithms. We find different levels of expressiveness as well as complete and incomplete languages w.r.t. our unified semantic domain, with the choice calculus being among the most expressive languages.

A Lightweight, Polarization-Camera Equipped Sensor Rig for the Development of Autonomous Surface Vehicles

Abstract Situational Awareness (SITAW) of Autonomous Surface Vessels (ASV) is critical for safe and efficient maritime operations, enabling these vehicles to understand their environment better and make informed decisions. High-quality data sets from relevant maritime environments are needed to advance the development of SITAW, as it is both the backbone of any learning-based method and the development and validation of classical methods. Research vessels such as the full-scale ferry milliAmpere2 provide such data, but there tends to be a considerable labor cost associated with their operation. With this in mind, we have developed a portable sensor rig that makes collecting sensor data significantly easier. The sensor rig is designed for easy transport and operation by a single individual. It can also be temporarily attached to an existing vessel, making it versatile for a wide range of data collection scenarios. The sensor rig is equipped with a Jetson Orin AGX computer, two dual-band GNSS receivers, a high-quality IMU, and two color polarization cameras. Accurate synchronization of all sensors and the computer to UTC is achieved using a microcontroller for triggering and a custom Pulse Per Second (PPS)-enabled Linux kernel on the Jetson. The sensor rig is controlled and monitored by connecting a smartphone to its hosted web app, which provides a live stream from the cameras and information about the sensors. We present a new dataset from the river Nidelva in Trondheim, Norway, to demonstrate the sensor rig’s potential and the benefit of color polarization cameras in the maritime domain. We show how the data from color polarization cameras can be used directly to make the water surface more visibly distinct and remove reflections and sun glare. This new data set consists of synchronized stereo color polarization video, raw IMU data, and raw GNSS data, and it is made publically available to the research community.

Toward Linux-based safety-critical systems—Execution time variability analysis of Linux system calls

Modern transportation and industrial domain safety-critical applications, such as autonomous vehicles and collaborative robots, exhibit a combination of escalating software complexity and the need to integrate diverse software stacks and machine learning algorithms, consequently demanding complex high-performance hardware. Linux’s extensive platform support and library ecosystem make it a valuable general-purpose operating system for developing complex software systems. However, because the Linux kernel has not been designed to comply with safety standards, it has a high execution path variability and does not provide execution time guarantees. In this context, several research initiatives have studied the usage of Linux for developing complex safety-related systems, focusing on topics that include its development process, isolation architectures, or test coverage estimation. Nonetheless, execution-time analysis and providing temporal guarantees is still a challenge. This work extends the novel statistical analysis of Linux system call execution paths with the analysis of execution-time variability and proposes a method for estimating the worst-case execution time, forming a sound approach for an in-depth analysis of the Linux kernel execution paths and execution times for safety-related systems. The proposed method is applied to a representative use case that implements an Autonomous Emergency Brake application in an NVIDIA Jetson Nano board connected to the CARLA autonomous driving simulator.

Program context-assisted address translation for high-capacity SSDs

As the capacity of NAND flash-based SSDs keeps increasing, it becomes crucial to design a memory-efficient address translation algorithm that offers high performance when a translation table cannot be entirely loaded in a controller DRAM. Existing flash translation layers (FTL) employ demand-based address translation which caches popular mapping information in DRAM by leveraging locality of I/O references. Owing to the lack of information about detailed behaviors of applications, however, existing demand-based FTLs often suffer from many translation-table misses and thus result in sub-optimal performance. In this paper, we propose a new Program context-AssisteDFlash Translation Layer, called PADFTL. Unlike existing FTLs which are implemented as the form of firmware, PADFTL is vertically integrated with a host-level I/O classifier which provides useful hints for an FTL in an SSD to make a better decision in managing a translation table. The host-level I/O classifier monitors unique behaviors of applications by analyzing their program contexts and categorizes I/O patterns into four types, (1) Loop, (2) Hot, (3) Sequential, and (4) Random, which are then delivered to an SSD through extended interfaces. The SSD-side module of PADFTL partitions a controller DRAM into four zones and isolates mapping information associated with different I/O patterns into separate zones. By employing cache management strategies optimized for individual zones, PADFTL can lower the overall translation-table miss ratio. To evaluate the effectiveness of PADFTL, we implement the host-level classifier in the Linux kernel and PADFTL’s FTL in a trace-driven FTL simulator. In our experimental results, compared to the state-of-the-art FTL, PADFTL increases the overall table hit ratio by 16% while reducing the address translation time by up to 20% on average.

A Formal Verification Approach for Linux Kernel Designing

Although the Linux kernel is widely used, its complexity makes errors common and potentially serious. Traditional formal verification methods often have high overhead and rely heavily on manual coding. They typically verify only specific functionalities of the kernel or target microkernels and do not support continuous verification of the entire kernel. To address these limitations, we introduce LMVM (Linux Kernel Modeling and Verification Method), a formal method based on type theory that ensures the correct design of the Linux architecture. In the model, the kernel is treated as a top-level type, subdivided into the following sublevels: subsystem, dentry, file, struct, function, and base. These types are defined in the structure and relationships. The verification process includes checking the design specifications for both type relationships and the presence of each type. Our contribution lies primarily in the following two points: 1. This is a lightweight verification. As long as the modeling is complete, architectural errors in the design phase can be identified promptly. 2. The designed “model refactor” module supports kernel updating, and the kernel can be continuously verified by extending the kernel model. To test its usefulness, we develop a set of security communication mechanisms in the kernel, which are verified using our method.

Docker Performance Evaluation across Operating Systems

Docker has gained significant popularity in recent years. With the introduction of Docker Desktop for Windows and macOS, there is a need to determine the impact of the operating system on the performance of the Docker platform. This paper aims to investigate the performance of Docker containers based on the operating system. One of the fundamental goals of this study is to conduct a comprehensive analysis of the Docker architecture. This technology utilizes Linux kernel virtualization mechanisms such as namespaces and cgroups. Upon analyzing the distribution of Docker Desktop for Windows and Docker Desktop for macOS, it was discovered that running the Docker environment on these requires a lightweight virtual machine that emulates the Linux system. This information suggests that the additional virtualization layer may hinder the performance of non-Linux operating systems hosting Docker containers. The paper presents a performance test of the Docker runtime on Linux, Microsoft Windows, and macOS. The test evaluated specific aspects of operating system performance on a MacBook computer with an ×86/64 processor architecture. The experiment carried out examined the performance in terms of CPU speed, I/O speed, and network throughput. This test measured the efficiency of software that utilizes various system resources.

IKern: Advanced Intrusion Detection and Prevention at the Kernel Level Using eBPF

The development of new technologies has significantly enhanced the monitoring and analysis of network traffic. Modern solutions like the Extended Berkeley Packet Filter (eBPF) demonstrate a clear advancement over traditional techniques, allowing for more customized and efficient filtering. These technologies are crucial for influencing system performance as they operate at the lowest layer of the operating system, such as the kernel. Network-based Intrusion Detection/Prevention Systems (IDPS), including Snort, Suricata, and Bro, passively monitor network traffic from terminal access points. However, most IDPS are signature-based and face challenges on large networks, where the drop rate increases due to limitations in capturing and processing packets. High throughput leads to overheads, causing IDPS buffers to drop packets, which can pose serious threats to network security. Typically, IDPS are targeted by volumetric and multi-vector attacks that overload the network beyond the reception and processing capacity of IDPS, resulting in packet loss due to buffer overflows. To address this issue, the proposed solution, iKern, utilizes eBPF and Virtual Network Functions (VNF) to examine and filter packets at the kernel level before forwarding them to user space. Packet stream inspection is performed within the iKern Engine at the kernel level to detect and mitigate volumetric floods and multi-vector attacks. The iKern detection engine, operating within the Linux kernel, is powered by eBPF bytecode injected from user space. This system effectively handles volumetric Distributed Denial of Service (DDoS) attacks. Real-time implementation of this scheme has been tested on a 1Gbps network and shows significant detection and reduction capabilities against volumetric and multi-vector floods.

Early mitigation of CPU-optimized ransomware using monitoring encryption instructions

Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure as a service, are prime targets for ransomware developers. To address this, security mechanisms, such as antivirus software, have proven effective. Moreover, research on ransomware detection advocates for behavior-based finding mechanisms while ransomware is in operation. In response to evolving detections, ransomware developers are now adapting an optimized design tailored for CPU architecture (CPU-optimized ransomware). This variant can rapidly encrypt files, potentially evading detection by traditional antivirus methods that rely on fixed time intervals for file scans. In ransomware detection research, numerous files can be encrypted by CPU-optimized ransomware until malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, which is designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer focuses on the misuse of CPU architecture-specific encryption instructions for swift file encryption by CPU-optimized ransomware. This can be achieved by capturing the ciphertext in user processes and thwarting file encryption by scrutinizing the content intended for writing. To demonstrate the efficacy of CryptoSniffer, the mechanism was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, and the performance overhead is well-suited for practical applications.

Optimizing Storage Efficiency Through Pipelining and Parallelization for Enhanced Data Deduplication

Nowadays, huge devices are connected to the internet to deal with many cloud environments for storing data efficiently. Also, it is used to store big data determined in business activities. However, the data storage in the cloud avoids duplicate copies of files and reduces complexity issues. However, this platform is utilized by many users for storing the file in cloud and this creates a data redundancy problem. Also, fingerprint indexing is a major issue in data storage in the cloud. So in order to overcome this issue a novel Enhanced Arithmetic Optimization Algorithm with Mixed-Kernel-based Extreme Learning Machine-based Random Forest (EAOA-MKELM-RF) method is proposed that overcome the deduplication issues. In spite, the scalability issues are solved, and the limitations determined in fingerprint indexing. Further, the pipelining and parallelizing hash function values are utilized to address the scalability issue in the deduplication process. The data storage container organizes the programs and files into data blocks, metadata files and nonduplicate blocks. However, the proposed methods determine the similarity issues and accelerate the fingerprint queries for better scalability. The datasets employed to evaluate the proposed approach are CorrAL-100 dataset, Madelon dataset, XOR-100 dataset, Infocom’05 dataset and Linux kernel dataset. The experimentation results demonstrated that the proposed method attained a superior accuracy by 96.8% in terms of restoration accuracy, robustness and delivery ratio. Additionally, the proposed approach reduces buffer time, improving overall system performance. This validation optimized the storage resources, diminished storage costs and improved overall data management.

IPOD2: an irrecoverable and verifiable deletion scheme for outsourced data

Abstract To alleviate the burden of data storage and management, there is a growing trend of outsourcing data to the cloud that enables users to remotely manage their data flexibly. However, this shift also raises concerns regarding outsourced data deletion, as users lose physical control over their outsourced data and are unable to verify its proper eradication. To address this issue, cloud service providers are required to provide a scheme that guarantees the effective deletion of outsourced data. Existing schemes, including key management-based and overwriting-based schemes, fail to ensure both the irrecoverability of deleted data and the verifiability of the deletion process. In this paper, we propose IPOD2, an irrecoverable and verifiable deletion scheme for outsourced data. Specifically, IPOD2 utilizes the overwriting-based deletion method to implement outsourced data deletion and extends the Integrity Measurement Architecture to measure the operations in the deletion process. The measurement results are protected by the Trusted Platform Module and verifiable for users. To demonstrate the viability of IPOD2, we implement a prototype of IPOD2 on the Linux kernel 5.4.120. Experimental results show that, compared with the three existing schemes, IPOD2 has the minimum overhead in both deletion and verification processes.

Understanding Vulnerability Inducing Commits of the Linux Kernel

Understanding Vulnerability Inducing Commits of the Linux Kernel

CEIU: Consistent and Efficient Incremental Update mechanism for mobile systems on flash storage

The ever-growing sizes and frequent updating of mobile applications cause high network and storage cost for updating. Hence, emerging mobile systems often employ incremental update algorithms, typically HDiffPatch, to upgrade mobile applications. However, we find that existing incremental update algorithms not only generate a significant amount of redundant data accesses, but also lacks of consistency guarantees for the whole package of application. In this paper, we present a novel Consistent and Efficient Incremental Update (CEIU) mechanism for upgrading mobile applications. Firstly, CEIU reduces the memory consumption and file access of incremental updates by reusing the indexes of blocks in the old image rather than copying the blocks. Secondly, CEIU employs a two-level journaling mechanism to ensure the consistency of the whole package and subfiles of the new image. We implement the proposed mechanism in Linux kernel based on TI-LFAT file system and evaluate it with real-world applications. The experimental results show that the proposed mechanism can reduce 30%–80% memory footprints in comparison with HDiffPatch, the state-of-the-art incremental update algorithm. It also significantly reduces the recovery time when power failure or system crash occurs.

Evaluating the Effectiveness of Deep Learning Models for Foundational Program Analysis Tasks

While deep neural networks provide state-of-the-art solutions to a wide range of programming language tasks, their effectiveness in dealing with foundational program analysis tasks remains under explored. In this paper, we present an empirical study that evaluates four prominent models of code (i.e., CuBERT, CodeBERT, GGNN, and Graph Sandwiches) in two such foundational tasks: (1) alias prediction, in which models predict whether two pointers must alias, may alias or must not alias; and (2) equivalence prediction, in which models predict whether or not two programs are semantically equivalent. At the core of this study is CodeSem, a dataset built upon the source code of real-world flagship software (e.g., Linux Kernel, GCC, MySQL) and manually validated for the two prediction tasks. Results show that all models are accurate in both prediction tasks, especially CuBERT with an accuracy of 89% and 84% in alias prediction and equivalence prediction, respectively. We also conduct a comprehensive, in-depth analysis of the results of all models in both tasks, concluding that deep learning models are generally capable of performing foundational tasks in program analysis even though in specific cases their weaknesses are also evident. Our code and evaluation data are publicly available at https://github.com/CodeSemDataset/CodeSem.

Accurate Data Race Prediction in the Linux Kernel through Sparse Fourier Learning

Testing for data races in the Linux OS kernel is challenging because there is an exponentially large space of system calls and thread interleavings that can potentially lead to concurrent executions with races. In this work, we introduce a new approach for modeling execution trace feasibility and apply it to Linux OS Kernel race prediction. To address the fundamental scalability challenge posed by the exponentially large domain of possible execution traces, we decompose the task of predicting trace feasibility into independent prediction subtasks encoded as learning Boolean indicator functions for specific memory accesses, and apply a sparse fourier learning approach to learning each feasibility subtask. Boolean functions that are sparse in their fourier domain can be efficiently learned by estimating the coefficients of their fourier expansion. Since the feasibility of each memory access depends on only a few other relevant memory accesses or system calls (e.g., relevant inter-thread communications), we observe that trace feasibility functions often have this sparsity property and can be learned efficiently. We use learned trace feasibility functions in conjunction with conservative alias analysis to implement a kernel race-testing system, HBFourier, that uses sparse fourier learning to efficiently model feasibility when making predictions. We evaluate our approach on a recent Linux development kernel and show it finds 44 more races with 15.7% more accurate race predictions than the next best performing system in our evaluation, in addition to identifying 5 new race bugs confirmed by kernel developers.

Enhancing Static Analysis for Practical Bug Detection: An LLM-Integrated Approach

While static analysis is instrumental in uncovering software bugs, its precision in analyzing large and intricate codebases remains challenging. The emerging prowess of Large Language Models (LLMs) offers a promising avenue to address these complexities. In this paper, we present LLift, a pioneering framework that synergizes static analysis and LLMs, with a spotlight on identifying use-before-initialization (UBI) bugs within the Linux kernel. Drawing from our insights into variable usage conventions in Linux, we enhance path analysis using post-constraint guidance. This approach, combined with our methodically crafted procedures, empowers LLift to adeptly handle the challenges of bug-specific modeling, extensive codebases, and the unpredictable nature of LLMs. Our real-world evaluations identified four previously undiscovered UBI bugs in the mainstream Linux kernel, which the Linux community has acknowledged. This study reaffirms the potential of marrying static analysis with LLMs, setting a compelling direction for future research in this area.