1 00:00:11,349 --> 00:00:15,340 my name is home of religion attack and 2 00:00:13,690 --> 00:00:16,580 today I'm going to present our work 3 00:00:15,340 --> 00:00:18,950 packs 4 00:00:16,580 --> 00:00:21,860 check analysis framework for Venice 5 00:00:18,950 --> 00:00:23,779 colonel my advisers are dr. Zhang Liang 6 00:00:21,860 --> 00:00:26,570 Chow agent they see the jungle work with 7 00:00:23,779 --> 00:00:32,540 dr. Irwin Borgia and a Hammond adds up 8 00:00:26,570 --> 00:00:34,610 and wrong and so permission check on 9 00:00:32,540 --> 00:00:36,350 trillion in axes are complex and 10 00:00:34,610 --> 00:00:38,809 currently there are three different 11 00:00:36,350 --> 00:00:41,540 cultural models and the first one as we 12 00:00:38,809 --> 00:00:44,419 all know is very common called dak wear 13 00:00:41,540 --> 00:00:47,600 which is a file-based of formation and 14 00:00:44,420 --> 00:00:49,930 the second Y is called capabilities data 15 00:00:47,600 --> 00:00:53,180 y is imitated to break down the route 16 00:00:49,930 --> 00:00:55,820 permission into our currently we have 38 17 00:00:53,180 --> 00:00:58,309 different capabilities and here is one 18 00:00:55,820 --> 00:01:01,670 example so the ping commander used to 19 00:00:58,309 --> 00:01:03,860 have the full group permission but now 20 00:01:01,670 --> 00:01:08,030 it only has the capability of sending 21 00:01:03,860 --> 00:01:08,720 raw network packet so and the third one 22 00:01:08,030 --> 00:01:11,479 is called 23 00:01:08,720 --> 00:01:15,770 LSM and that is short for Linux a secure 24 00:01:11,479 --> 00:01:17,450 module and as well now we have 190 25 00:01:15,770 --> 00:01:20,570 different hooks in the name is Colonel 26 00:01:17,450 --> 00:01:24,860 and they are used to implement selinux 27 00:01:20,570 --> 00:01:28,940 and IPP armor used by lots of defense 28 00:01:24,860 --> 00:01:31,580 mechanisms and because that are those 29 00:01:28,940 --> 00:01:34,880 hooks are actually added into the 30 00:01:31,580 --> 00:01:36,890 English Colonel in ad hoc manner and so 31 00:01:34,880 --> 00:01:38,509 that is hard to guarantee all of them 32 00:01:36,890 --> 00:01:41,870 are placed correctly and this is a 33 00:01:38,510 --> 00:01:45,440 motivation or work let's elect look at 34 00:01:41,870 --> 00:01:49,159 our one example so this example is 35 00:01:45,440 --> 00:01:52,670 showing the method to change a process 36 00:01:49,159 --> 00:01:54,920 name so usually we can have a the first 37 00:01:52,670 --> 00:01:57,530 method is to use the so-called proc file 38 00:01:54,920 --> 00:02:00,650 system there is a one file called comm 39 00:01:57,530 --> 00:02:03,500 as you can see here I draw a path from 40 00:02:00,650 --> 00:02:07,490 the user space the right and we can call 41 00:02:03,500 --> 00:02:11,150 the right to the Superman foul it has to 42 00:02:07,490 --> 00:02:13,970 pass a security file permission check in 43 00:02:11,150 --> 00:02:16,549 order to invoke these that has Kashiwa 44 00:02:13,970 --> 00:02:21,709 now which will eventually change the 45 00:02:16,549 --> 00:02:26,590 process name to a new name and there is 46 00:02:21,709 --> 00:02:29,590 also another way so that is to call the 47 00:02:26,590 --> 00:02:31,540 this so call the process control 48 00:02:29,590 --> 00:02:34,300 a citizen called you actually to change 49 00:02:31,540 --> 00:02:37,090 that name and that season Hall will call 50 00:02:34,300 --> 00:02:40,930 the service Castle amateur actual 51 00:02:37,090 --> 00:02:42,940 results are passing any checks so you 52 00:02:40,930 --> 00:02:46,180 can see here we bypassed the security 53 00:02:42,940 --> 00:02:49,090 file permission check which is actually 54 00:02:46,180 --> 00:02:53,260 a problem so our goal here is to design 55 00:02:49,090 --> 00:02:55,540 a static analysis to to find out all of 56 00:02:53,260 --> 00:02:58,690 those kinds of formation check box 57 00:02:55,540 --> 00:03:02,260 including the missing checks like I show 58 00:02:58,690 --> 00:03:06,040 here and inconsistent and the redundant 59 00:03:02,260 --> 00:03:09,329 information checks in order to do this 60 00:03:06,040 --> 00:03:12,400 we need to enumerate all the possible 61 00:03:09,330 --> 00:03:17,500 passes that can be reached by a user and 62 00:03:12,400 --> 00:03:20,230 luckily we can see those possible passes 63 00:03:17,500 --> 00:03:24,370 can be represented at a control flow 64 00:03:20,230 --> 00:03:27,880 graph that I can - over here and the 65 00:03:24,370 --> 00:03:29,250 whole problem becomes a carry numerator 66 00:03:27,880 --> 00:03:31,950 all the passes using these 67 00:03:29,250 --> 00:03:35,650 interprocedural control flow graph to 68 00:03:31,950 --> 00:03:40,380 find out the possible paths and before 69 00:03:35,650 --> 00:03:40,380 we do that and we actually need a 70 00:03:40,620 --> 00:03:47,079 interprocedural control flow graph how 71 00:03:42,970 --> 00:03:49,239 do you get that as we all know this is 72 00:03:47,079 --> 00:03:51,090 the first challenge as we all know in 73 00:03:49,239 --> 00:03:54,549 the Linux kernel there are lots of 74 00:03:51,090 --> 00:03:57,880 indirect function calls so we counted in 75 00:03:54,549 --> 00:04:02,019 the version four point eighteen point 76 00:03:57,880 --> 00:04:07,030 five there are 115,000 indirect costs 77 00:04:02,019 --> 00:04:09,670 ice and kernel frequently used those 78 00:04:07,030 --> 00:04:11,709 function pointer to call the real 79 00:04:09,670 --> 00:04:14,108 implementation or either it's a file 80 00:04:11,709 --> 00:04:16,690 system or the driver so it's so called 81 00:04:14,109 --> 00:04:19,600 the from the abstract layer to call the 82 00:04:16,690 --> 00:04:21,750 concrete implementation so for example 83 00:04:19,600 --> 00:04:25,120 we have way we our first layer it is 84 00:04:21,750 --> 00:04:28,389 calling the F from the file it is 85 00:04:25,120 --> 00:04:30,990 calling fo PS and then write either so 86 00:04:28,389 --> 00:04:35,710 the possible target could be yak see for 87 00:04:30,990 --> 00:04:39,640 btrfs CFS or the NFS similarly we can 88 00:04:35,710 --> 00:04:41,739 help the network layer is calling the 89 00:04:39,640 --> 00:04:47,050 send message according to different 90 00:04:41,740 --> 00:04:50,460 particle data you are using and there 91 00:04:47,050 --> 00:04:54,669 are however there there are no existing 92 00:04:50,460 --> 00:04:57,400 that well or working solutions do well 93 00:04:54,669 --> 00:05:01,810 the solution that used up by prowl work 94 00:04:57,400 --> 00:05:03,580 is to use a type based approach so if 95 00:05:01,810 --> 00:05:07,740 it's also known at the function 96 00:05:03,580 --> 00:05:10,500 signature based approach to resolve the 97 00:05:07,740 --> 00:05:14,830 indirect cause the downside of that is 98 00:05:10,500 --> 00:05:18,160 its imprecise for example the still that 99 00:05:14,830 --> 00:05:21,039 we are fast right example if we look at 100 00:05:18,160 --> 00:05:23,370 the function type or the function 101 00:05:21,039 --> 00:05:26,680 signature we can find out that the right 102 00:05:23,370 --> 00:05:27,970 function is actually the signature it's 103 00:05:26,680 --> 00:05:30,699 actually the same as read 104 00:05:27,970 --> 00:05:34,800 so if we use function signature this 105 00:05:30,699 --> 00:05:37,960 will result in the wrong call graph and 106 00:05:34,800 --> 00:05:40,539 another approach that people have tried 107 00:05:37,960 --> 00:05:44,320 or in the prior work is to use advanced 108 00:05:40,539 --> 00:05:47,800 upon her analysis that does not that 109 00:05:44,320 --> 00:05:52,180 will will also contain the point or 110 00:05:47,800 --> 00:05:54,909 solution for not only for the the 111 00:05:52,180 --> 00:05:59,680 function pointer as well and also data 112 00:05:54,909 --> 00:06:03,639 pointer as well so the problem all these 113 00:05:59,680 --> 00:06:06,760 are at once the pointer analysis to 114 00:06:03,639 --> 00:06:09,310 either it does not grow well for the 115 00:06:06,760 --> 00:06:12,099 size of Linux kernel so there are like 116 00:06:09,310 --> 00:06:14,770 eight sixteen millions the lines of code 117 00:06:12,099 --> 00:06:17,860 so the existing tools like the SAF does 118 00:06:14,770 --> 00:06:20,258 not scale well and the people how the 119 00:06:17,860 --> 00:06:22,930 people have tried to break down the 120 00:06:20,259 --> 00:06:25,599 kernel code into smaller pieces so that 121 00:06:22,930 --> 00:06:28,479 they can apply the SPF in a more 122 00:06:25,599 --> 00:06:31,389 scalable manner and there that downside 123 00:06:28,479 --> 00:06:34,000 it does it will harm the soundness so 124 00:06:31,389 --> 00:06:37,180 that mean the interprocedural call graph 125 00:06:34,000 --> 00:06:42,400 will be a colorful graph will be not as 126 00:06:37,180 --> 00:06:46,389 soon as the previous one and the 127 00:06:42,400 --> 00:06:50,469 challenge to is actually a result of the 128 00:06:46,389 --> 00:06:53,229 video there is the hot manner or adding 129 00:06:50,469 --> 00:06:56,110 those permission check functions or 130 00:06:53,229 --> 00:06:58,599 hoops so the first thing we don't know 131 00:06:56,110 --> 00:07:02,080 it the security permissions check 132 00:06:58,599 --> 00:07:04,779 function is add is added in ad hoc 133 00:07:02,080 --> 00:07:06,219 manner we don't know that and the second 134 00:07:04,779 --> 00:07:09,219 thing is that we don't know which 135 00:07:06,219 --> 00:07:11,919 function is actually intended to be 136 00:07:09,219 --> 00:07:15,190 protected by those are security 137 00:07:11,919 --> 00:07:16,419 permission check functions and the third 138 00:07:15,190 --> 00:07:19,930 thing is that we don't know their 139 00:07:16,419 --> 00:07:23,560 mapping so those are the three things as 140 00:07:19,930 --> 00:07:25,539 a result of the ads hopefully add it on 141 00:07:23,560 --> 00:07:28,330 the permission check function so we need 142 00:07:25,539 --> 00:07:31,180 to solve that those two challenges all 143 00:07:28,330 --> 00:07:33,310 right and that's look look like let's 144 00:07:31,180 --> 00:07:36,900 take a look at the how they actually the 145 00:07:33,310 --> 00:07:41,010 PAC's works the packs are takes into the 146 00:07:36,900 --> 00:07:44,020 kernel source code compelled as a I are 147 00:07:41,010 --> 00:07:46,529 they all we mi are and we first around 148 00:07:44,020 --> 00:07:52,930 the keyring which is responsible for 149 00:07:46,529 --> 00:07:55,440 resuming the indirect or and draw a 150 00:07:52,930 --> 00:07:58,630 interprocedural control flow graph and 151 00:07:55,440 --> 00:08:01,449 we use that intra procedural control 152 00:07:58,630 --> 00:08:04,150 flow graph to do to so the second 153 00:08:01,449 --> 00:08:07,750 challenge which will allow us to detect 154 00:08:04,150 --> 00:08:12,190 all the function permission function 155 00:08:07,750 --> 00:08:15,159 wrappers and the privilege functions 156 00:08:12,190 --> 00:08:17,349 which is actually intended to protect to 157 00:08:15,159 --> 00:08:20,229 be protected by permission check 158 00:08:17,349 --> 00:08:24,070 functions and finally we will use the 159 00:08:20,229 --> 00:08:27,820 ICF G and also the those mappings we 160 00:08:24,070 --> 00:08:30,099 generated to detect the error so let's 161 00:08:27,820 --> 00:08:33,218 let's take a look at how the keyring 162 00:08:30,099 --> 00:08:36,429 works and how to actually resolve those 163 00:08:33,219 --> 00:08:38,770 indirect calls the human is actually 164 00:08:36,429 --> 00:08:41,468 designed based on the observation that 165 00:08:38,770 --> 00:08:45,579 most of the in doubt cause we count in 166 00:08:41,469 --> 00:08:48,400 the number about 90% in the Linux kernel 167 00:08:45,579 --> 00:08:50,279 is actually using a well defined at the 168 00:08:48,400 --> 00:08:54,939 interface data also talked about and 169 00:08:50,279 --> 00:08:56,320 that means so give you example so the 170 00:08:54,940 --> 00:08:58,680 for the filesystem we can have the 171 00:08:56,320 --> 00:09:01,000 instructor file operations and the 172 00:08:58,680 --> 00:09:03,160 kernel developer so for example the 173 00:09:01,000 --> 00:09:05,610 filesystem but you are poor only need to 174 00:09:03,160 --> 00:09:08,620 worry about those 175 00:09:05,610 --> 00:09:11,350 those functions in order to I mean 176 00:09:08,620 --> 00:09:14,649 integral to their own of the file system 177 00:09:11,350 --> 00:09:18,550 into the kernel we end without worrying 178 00:09:14,649 --> 00:09:21,040 about other parting the whole thousand 179 00:09:18,550 --> 00:09:23,349 stack similarly for the network protocol 180 00:09:21,040 --> 00:09:25,449 we only need to worry about how to 181 00:09:23,350 --> 00:09:32,380 implement and the messages receive 182 00:09:25,450 --> 00:09:34,839 message and so on so and so so the 183 00:09:32,380 --> 00:09:37,810 queuing is actually designed in to take 184 00:09:34,839 --> 00:09:41,050 one he wrote this and it can be 185 00:09:37,810 --> 00:09:42,369 implemented in the two steps and the 186 00:09:41,050 --> 00:09:44,500 step one 187 00:09:42,370 --> 00:09:47,440 like I just add the kernel how a 188 00:09:44,500 --> 00:09:49,510 well-defined such interface the thing we 189 00:09:47,440 --> 00:09:53,320 need to do in the step one is to collect 190 00:09:49,510 --> 00:09:56,529 all possible target for those function 191 00:09:53,320 --> 00:09:58,990 pointers in the such interface so we can 192 00:09:56,529 --> 00:10:02,350 see for the profile system we can how 193 00:09:58,990 --> 00:10:05,380 the sill amorite being assigned to the 194 00:10:02,350 --> 00:10:08,890 right function pointer there so 195 00:10:05,380 --> 00:10:13,540 similarly we can have LC 4 and we FTE 196 00:10:08,890 --> 00:10:15,670 and other system and so keyring 197 00:10:13,540 --> 00:10:17,980 basically keep track of all those 198 00:10:15,670 --> 00:10:20,620 basically you can see here it's 199 00:10:17,980 --> 00:10:22,510 aesthetically neutralized and we can 200 00:10:20,620 --> 00:10:25,390 also have a dynamic we initialize the 201 00:10:22,510 --> 00:10:28,510 structure as well and curiam basically 202 00:10:25,390 --> 00:10:30,310 keep track of all those and once we have 203 00:10:28,510 --> 00:10:33,760 all those information with this thing 204 00:10:30,310 --> 00:10:35,739 will be become much simpler though the 205 00:10:33,760 --> 00:10:38,829 thing we need only need to do is to look 206 00:10:35,740 --> 00:10:41,890 at the call side first thing is for this 207 00:10:38,829 --> 00:10:44,859 step two we need to identify such 208 00:10:41,890 --> 00:10:47,620 interface and so you can see this we 209 00:10:44,860 --> 00:10:49,990 have a foul right example we are 210 00:10:47,620 --> 00:10:52,870 actually using these file operations 211 00:10:49,990 --> 00:10:56,380 that are interface and we are calling 212 00:10:52,870 --> 00:10:59,680 the right using the right function 213 00:10:56,380 --> 00:11:02,380 pointer inside the interface and then we 214 00:10:59,680 --> 00:11:06,880 can draw a conclusion that this line is 215 00:11:02,380 --> 00:11:09,339 actually trying to call a a function 216 00:11:06,880 --> 00:11:14,380 that a function pointer that assigned to 217 00:11:09,339 --> 00:11:17,470 that right field and based on our 218 00:11:14,380 --> 00:11:18,279 digital step one we can see the possible 219 00:11:17,470 --> 00:11:22,269 Holly 220 00:11:18,279 --> 00:11:27,490 for this FOP right is still mmm right so 221 00:11:22,269 --> 00:11:29,529 this is how the keyring works and it can 222 00:11:27,490 --> 00:11:33,370 help us to so many personal the in our 223 00:11:29,529 --> 00:11:35,970 cost which is pretty good so the 224 00:11:33,370 --> 00:11:38,800 advantage of this approach is that its 225 00:11:35,970 --> 00:11:41,439 precision is better than the type based 226 00:11:38,800 --> 00:11:43,529 method as I just showed in the previous 227 00:11:41,439 --> 00:11:47,339 example the type is the one will 228 00:11:43,529 --> 00:11:49,990 possibly point the right to some read 229 00:11:47,339 --> 00:11:52,449 function which is actually incorrect and 230 00:11:49,990 --> 00:11:55,720 if we compare our hearing approach to 231 00:11:52,449 --> 00:11:59,709 the existing as we have based approach 232 00:11:55,720 --> 00:12:02,399 we can find out that or our approach is 233 00:11:59,709 --> 00:12:05,979 much more simpler and more scalable than 234 00:12:02,399 --> 00:12:08,649 the as we have based the approach so 235 00:12:05,980 --> 00:12:12,100 necessarily let's took a take a look at 236 00:12:08,649 --> 00:12:13,930 the rest of the packs workflow so next 237 00:12:12,100 --> 00:12:17,769 I'm going to talk about how we saw 238 00:12:13,930 --> 00:12:21,069 channel 2 so we actually require the 239 00:12:17,769 --> 00:12:23,230 user to give us some CD input for the 240 00:12:21,069 --> 00:12:26,829 permission check function and then we 241 00:12:23,230 --> 00:12:29,170 will run the analysis on the I CFG we 242 00:12:26,829 --> 00:12:30,939 generated to detect all the function 243 00:12:29,170 --> 00:12:34,889 wrappers to that permission check 244 00:12:30,939 --> 00:12:39,099 functions and we'll you that detected 245 00:12:34,889 --> 00:12:41,439 permission check functions that you did 246 00:12:39,100 --> 00:12:43,920 have all the privilege function so we 247 00:12:41,439 --> 00:12:46,920 want to know which function is actually 248 00:12:43,920 --> 00:12:49,360 protected by those permission charts and 249 00:12:46,920 --> 00:12:51,459 in the next couple slides I will focus 250 00:12:49,360 --> 00:12:57,600 on how we actually detect the privilege 251 00:12:51,459 --> 00:13:00,699 functions so in order to detect the 252 00:12:57,600 --> 00:13:03,189 privileged functions we run the analysis 253 00:13:00,699 --> 00:13:07,359 on the interprocedural the control flow 254 00:13:03,189 --> 00:13:11,019 graph and the first requirement for that 255 00:13:07,360 --> 00:13:13,029 is the Deb has had to be user reachable 256 00:13:11,019 --> 00:13:14,980 all right that's no doubt right 257 00:13:13,029 --> 00:13:20,170 otherwise there is no way to trigger 258 00:13:14,980 --> 00:13:26,339 that so the second thing is that the 259 00:13:20,170 --> 00:13:28,269 call site all a are protected a 260 00:13:26,339 --> 00:13:31,490 permission check function should 261 00:13:28,269 --> 00:13:34,519 dominate another call side 262 00:13:31,490 --> 00:13:37,249 that actually in the green box right 263 00:13:34,519 --> 00:13:39,079 here so you can see without going 264 00:13:37,249 --> 00:13:41,689 through the security file permission 265 00:13:39,079 --> 00:13:45,040 that is a permission check function call 266 00:13:41,689 --> 00:13:48,860 we cannot reach another cosine which is 267 00:13:45,040 --> 00:13:50,929 FOP right so that means the FOP right is 268 00:13:48,860 --> 00:13:54,410 actually protected by the security 269 00:13:50,929 --> 00:13:59,629 profile permissions and then we will 270 00:13:54,410 --> 00:14:04,100 mark the Kali oh such the green box at 271 00:13:59,629 --> 00:14:07,790 the the privileged function and however 272 00:14:04,100 --> 00:14:09,920 if we have another outgoing edge from 273 00:14:07,790 --> 00:14:13,420 the security file permission let's see 274 00:14:09,920 --> 00:14:16,069 it can call some function called bar and 275 00:14:13,420 --> 00:14:19,910 there is another incoming edge from 276 00:14:16,069 --> 00:14:22,069 somewhere we don't know and then so that 277 00:14:19,910 --> 00:14:24,079 means without you going through this 278 00:14:22,069 --> 00:14:26,149 permission check we can still call the 279 00:14:24,079 --> 00:14:29,868 function bar then we cannot draw the 280 00:14:26,149 --> 00:14:35,569 conclusion that the power is the 281 00:14:29,869 --> 00:14:39,970 previous function so that's the result 282 00:14:35,569 --> 00:14:45,679 of the the privilege function detection 283 00:14:39,970 --> 00:14:48,350 and then we can use those information 284 00:14:45,679 --> 00:14:50,240 that we collected and run the analysis 285 00:14:48,350 --> 00:14:54,709 on the inter procedural control flow 286 00:14:50,240 --> 00:14:58,129 that we generated using keyring and you 287 00:14:54,709 --> 00:14:59,959 can see in the first step we use your 288 00:14:58,129 --> 00:15:02,720 permission check function and we got the 289 00:14:59,959 --> 00:15:05,209 privilege function in the bar but they 290 00:15:02,720 --> 00:15:07,220 were bottom and once we've got that 291 00:15:05,209 --> 00:15:11,849 information we will run a backward 292 00:15:07,220 --> 00:15:13,480 analysis to see whether we can reach a 293 00:15:11,850 --> 00:15:17,089 [Music] 294 00:15:13,480 --> 00:15:19,759 system query point and for that exactly 295 00:15:17,089 --> 00:15:21,740 in the past if we found out that there 296 00:15:19,759 --> 00:15:26,559 is no permission check function called 297 00:15:21,740 --> 00:15:29,209 then we will the taxi will reason alarm 298 00:15:26,559 --> 00:15:33,410 for implementation and the evaluation we 299 00:15:29,209 --> 00:15:37,670 we implemented our packs using our VM 300 00:15:33,410 --> 00:15:42,569 and generated a single VM Linux dot BC 301 00:15:37,670 --> 00:15:44,520 file using Java VM and we evaluated the 302 00:15:42,570 --> 00:15:46,650 it is stable in the sky at the time we 303 00:15:44,520 --> 00:15:49,829 write a paper and we use two different 304 00:15:46,650 --> 00:15:52,050 configurations for the for testing so 305 00:15:49,830 --> 00:15:54,450 it's a default configuration that 306 00:15:52,050 --> 00:15:56,660 contains two font for millions of lines 307 00:15:54,450 --> 00:15:59,730 of code and all yes config which 308 00:15:56,660 --> 00:16:03,089 contains almost 16 million lines of code 309 00:15:59,730 --> 00:16:04,980 and next let me show the detection 310 00:16:03,090 --> 00:16:08,310 capability which is the most interesting 311 00:16:04,980 --> 00:16:11,010 one as we can see the packs keyring 312 00:16:08,310 --> 00:16:15,479 which is the are all work will detach 313 00:16:11,010 --> 00:16:18,840 any one bugs for the packs with type 314 00:16:15,480 --> 00:16:23,670 based in the Oracle resolution we will 315 00:16:18,840 --> 00:16:27,990 also detect any one but but for the key 316 00:16:23,670 --> 00:16:30,240 minor plus the plus the SPF based 317 00:16:27,990 --> 00:16:33,510 approach we only did have the sixth of 318 00:16:30,240 --> 00:16:37,590 them that is because the way that how 319 00:16:33,510 --> 00:16:41,910 the the after we Fe is actually applied 320 00:16:37,590 --> 00:16:44,430 can generally a unsound interpersonal 321 00:16:41,910 --> 00:16:46,740 control flow graph and although we can 322 00:16:44,430 --> 00:16:53,760 see here we have the same amount about 323 00:16:46,740 --> 00:16:57,630 the detected the PAX type based one for 324 00:16:53,760 --> 00:17:00,390 the next slide are here we if we compare 325 00:16:57,630 --> 00:17:04,560 the number of warnings that he that 326 00:17:00,390 --> 00:17:07,530 generated by type based on one and packs 327 00:17:04,560 --> 00:17:09,720 keyring we can see the packs carrying 328 00:17:07,530 --> 00:17:13,649 actually generates here way less number 329 00:17:09,720 --> 00:17:15,420 of warnings then the the perhaps the 330 00:17:13,650 --> 00:17:18,030 type based on that means the programmer 331 00:17:15,420 --> 00:17:19,890 need to spend less amount of time 332 00:17:18,030 --> 00:17:23,369 parsing all those warning to find out 333 00:17:19,890 --> 00:17:27,510 the real bugs and there is no surprise 334 00:17:23,369 --> 00:17:29,489 that the packs K minor based approach 335 00:17:27,510 --> 00:17:33,950 generally some nasa number of warning 336 00:17:29,490 --> 00:17:39,030 because the sound i CFG generally hit by 337 00:17:33,950 --> 00:17:41,100 Dom so to conclude pack C is a static 338 00:17:39,030 --> 00:17:43,680 permission check analysis framework for 339 00:17:41,100 --> 00:17:46,800 Linux kernel and queuing is a very 340 00:17:43,680 --> 00:17:48,810 effective way to beauty interpersonal 341 00:17:46,800 --> 00:17:53,570 control flow graph for kernel analysis 342 00:17:48,810 --> 00:17:55,629 and we also produced a list of 343 00:17:53,570 --> 00:17:58,629 permission check functions and 344 00:17:55,630 --> 00:18:02,470 related functions for developers to use 345 00:17:58,630 --> 00:18:05,230 and we evaluated the latest of all a 346 00:18:02,470 --> 00:18:07,930 stable Linux kernel with packs and 347 00:18:05,230 --> 00:18:18,370 phones all the 36 permission check box 348 00:18:07,930 --> 00:18:20,710 and that's it thank you we attempt for 349 00:18:18,370 --> 00:18:24,010 about one maybe two questions well I 350 00:18:20,710 --> 00:18:25,990 know get sets up alright general 351 00:18:24,010 --> 00:18:28,600 chrismal University of Rochester nice 352 00:18:25,990 --> 00:18:32,050 talk one question I have to ask I have 353 00:18:28,600 --> 00:18:33,399 about Kieran is the call graph analysis 354 00:18:32,050 --> 00:18:35,649 that it's performing is it taking 355 00:18:33,400 --> 00:18:36,880 advantage of Linux isms so for example 356 00:18:35,650 --> 00:18:40,090 the fact that these global data 357 00:18:36,880 --> 00:18:42,010 structures are initialized once it's not 358 00:18:40,090 --> 00:18:43,629 modified mmm 359 00:18:42,010 --> 00:18:45,970 yeah most of them are actually 360 00:18:43,630 --> 00:18:49,150 initialize and this out to the read-only 361 00:18:45,970 --> 00:18:51,070 and there are cases that the you know 362 00:18:49,150 --> 00:18:53,740 the URL war can be dynamically 363 00:18:51,070 --> 00:18:55,810 configured so there are also cases those 364 00:18:53,740 --> 00:19:02,950 fields are dynamically neutralized so we 365 00:18:55,810 --> 00:19:05,350 also keep track of that yeah yeah that's 366 00:19:02,950 --> 00:19:17,260 possible yeah it could also be modified 367 00:19:05,350 --> 00:19:19,419 but that's rare okay from UC Irvine when 368 00:19:17,260 --> 00:19:22,180 there are multiple candidates for 369 00:19:19,420 --> 00:19:24,370 function points are in building your 370 00:19:22,180 --> 00:19:28,750 control flow graph how do you choose 371 00:19:24,370 --> 00:19:30,699 among them because the data structure 372 00:19:28,750 --> 00:19:34,840 that you show maybe in some modules 373 00:19:30,700 --> 00:19:37,300 there are a couple of them and you you 374 00:19:34,840 --> 00:19:39,760 can't know which one which one to choose 375 00:19:37,300 --> 00:19:41,919 for this oh I think probably we're all 376 00:19:39,760 --> 00:19:43,240 out how we had to be off yeah 377 00:19:41,920 --> 00:19:44,560 yes thank you take it offline all right 378 00:19:43,240 --> 00:19:46,490 thanks let's thank our speaker once 379 00:19:44,560 --> 00:19:48,550 again 380 00:19:46,490 --> 00:19:48,550 you