Presentation Material
Abstract
While kernel drivers have long been known to pose huge security risks, due to their privileged access and lower code quality, bug-finding tools for drivers are still greatly lacking both in quantity and effectiveness. This is because the pointer-heavy code in these drivers presents some of the hardest challenges to static analysis, and their tight coupling with the hardware makes dynamic analysis infeasible in most cases. In this work, we present DR. CHECKER, a soundy (i.e., mostly sound) bug-finding tool for Linux kernel drivers that is based on well-known program analysis techniques. We are able to overcome many of the inherent limitations of static analysis by scoping our analysis to only the most bug-prone parts of the kernel (i.e., the drivers), and by only sacrificing soundness in very few cases to ensure that our technique is both scalable and precise. DR. CHECKER is a fully-automated static analysis tool capable of performing general bug finding using both pointer and taint analyses that are flow-sensitive, context-sensitive, and field-sensitive on kernel drivers. To demonstrate the scalability and efficacy of DR. CHECKER, we analyzed the drivers of nine production Linux kernels (3.1 million LOC), where it correctly identified 158 critical zero-day bugs with an overall precision of 78%.
AI Generated Summary
Dr. Checker is a static analysis framework designed to find security vulnerabilities in third-party Linux kernel drivers. The research was motivated by historical trends showing a disproportionate number of bugs in driver code, a pattern observed in both desktop and mobile kernels. The tool’s core relies on two fundamental analyses: points-to analysis to track pointer targets and taint analysis to trace untrusted data propagation. These analyses serve as a foundation for implementing various vulnerability detectors, such as those for improper taint use, tainted loop boundaries, and uninitialized memory leaks.
To make analysis of complex kernel code tractable, the tool intentionally sacrifices theoretical soundness through three key optimizations: assuming core kernel code is correct, limiting loop iteration analysis, and traversing each function call only once. This approach prioritizes practical scalability over exhaustive coverage. The framework is modular and context-sensitive, field-sensitive, and flow-sensitive, which improves precision and provides detailed, actionable warnings.
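To make the taint-tracking and detector idea from the two paragraphs above concrete, here is a small added illustration (not DR. CHECKER's own code, which works on LLVM bitcode): a single forward pass over a constructed straight-line mini-IR that propagates taint from a `copy_from_user`-style source, kills it on redefinition (flow-sensitive), tracks `base.field` keys separately (field-sensitive), and flags a tainted loop bound and a tainted copy length. The instruction forms, variable names and the `IOCTL_HANDLER` program are all constructed for this example.

```python
def set_taint(tainted, var, flag):
    # Flow-sensitive: a fresh definition either taints or cleans its target.
    if flag:
        tainted.add(var)
    else:
        tainted.discard(var)

def is_tainted(tainted, var):
    # Field-sensitive: "base.field" is tainted if that field was tainted on
    # its own or the whole base object was (e.g. copied in from user space).
    return var in tainted or var.split(".", 1)[0] in tainted

def analyze(insns):
    """One forward pass over a constructed straight-line mini-IR, propagating
    taint and running two detector kinds. Returns (pc, detector, var) warnings."""
    tainted, warnings = set(), []
    for pc, (op, *args) in enumerate(insns):
        if op == "copy_from_user":      # ("copy_from_user", dst): untrusted source
            set_taint(tainted, args[0], True)
        elif op == "const":             # ("const", dst): constant definition kills taint
            set_taint(tainted, args[0], False)
        elif op == "assign":            # ("assign", dst, src): dst inherits src's taint
            set_taint(tainted, args[0], is_tainted(tainted, args[1]))
        elif op == "loop":              # ("loop", bound): tainted loop bound detector
            if is_tainted(tainted, args[0]):
                warnings.append((pc, "TaintedLoopBound", args[0]))
        elif op == "memcpy":            # ("memcpy", dst, src, n): tainted size detector
            if is_tainted(tainted, args[2]):
                warnings.append((pc, "TaintedSizeInCopy", args[2]))
        else:
            raise ValueError(f"unknown op {op!r} at pc {pc}")
    return warnings

# Constructed ioctl-style handler, not taken from any real driver: a request
# struct arrives from user space, one field becomes a loop bound and another
# is copied into a kernel-owned descriptor before being used as a copy length.
IOCTL_HANDLER = [
    ("copy_from_user", "req"),            # req = user-supplied struct
    ("assign", "n", "req.count"),         # n = req->count
    ("loop", "n"),                        # for (i = 0; i < n; i++)  -> warning
    ("const", "desc"),                    # desc = kzalloc(...)
    ("assign", "desc.len", "req.len"),    # desc->len = req->len
    ("memcpy", "buf", "src", "desc.len"), # memcpy(buf, src, desc->len) -> warning
    ("const", "fixed"),                   # fixed = 64
    ("assign", "desc.id", "fixed"),       # desc->id = fixed (this field stays clean)
    ("memcpy", "buf", "src", "desc.id"),  # no warning: only desc->len is tainted
    ("const", "n"),                       # n = 16 redefines n, killing its taint
    ("loop", "n"),                        # no warning
]
```

Running `analyze(IOCTL_HANDLER)` yields exactly two warnings, at pc 2 and pc 5; the real tool additionally reasons about pointers, calling contexts and multiple functions, which this toy pass omits.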
In an evaluation across 3.1 million lines of code from four major mobile kernels, Dr. Checker produced 5,071 warnings, with 73 true positives (78% precision) and 158 previously undisclosed zero-day vulnerabilities. Compared to existing tools like Flawfinder, RATS, Sparse, and Cppcheck, it generated significantly fewer total warnings while identifying bugs the others missed. The tool is open-source, and its design allows for easy integration of new detectors. The work demonstrates that targeted, pragmatic static analysis can effectively uncover critical flaws in poorly audited, high-privilege driver code, providing a valuable resource for vendors and researchers.