Automatic Detection of Reference Counting Bugs in Linux Kernel Drivers
Joe Hattori, Naoki Kobayashi, Ken Sakayori

TL;DR
This paper presents DrvHorn, an automated tool that detects reference counting bugs in Linux kernel drivers by reducing the problem to assertion checking. Running it over the Linux kernel's platform drivers uncovered hundreds of new bugs, and patches for their root causes were merged upstream.
Contribution
The introduction of DrvHorn, a novel automated detection tool that models the Linux kernel and uses program slicing to find reference counting bugs effectively.
Findings
Discovered 545 bugs in Linux kernel drivers, 424 of which were previously unknown.
Lower false positive rate of 29.9% compared to prior methods.
Submitted patches for root cause fixes, with 45 merged into the Linux kernel.
Abstract
Reference counting bugs in Linux kernel drivers can lead to severe resource mismanagement and security vulnerabilities. We introduce DrvHorn, a novel automated tool that detects these bugs by reducing reference counting verification to an assertion checking problem that leverages the Linux driver interface. Through efficient modeling of the Linux kernel and aggressive program slicing, DrvHorn discovered 545 bugs, of which 424 were previously unknown, across all platform drivers in the v6.6 Linux kernel, with a lower false positive rate (29.9%) than prior studies. To address the root causes of these newly discovered bugs, we submitted patches to the Linux kernel, 45 of which were merged.
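To make the "reference counting as assertion checking" idea concrete, here is an added example that is not code from the paper or from DrvHorn. It uses a hypothetical `struct dev` with `dev_get`/`dev_put` as a stand-in for a kernel refcounted object (think `get_device`/`put_device` or `of_node_get`/`of_node_put`), a typical buggy driver probe that leaks the reference on its error path, the fixed version, and a check that encodes the property DrvHorn-style tools verify: after the driver callback returns, the object's reference count must equal what it was on entry. The kernel model and the checker are deliberately simplified assumptions for illustration; DrvHorn's actual kernel model, slicing, and verification engine are not shown.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for a refcounted kernel object (modeled loosely on
 * struct kref). Constructed for this example; not kernel code. */
struct dev {
    int refcount;
    int ready;
};

/* Take a reference, like get_device() / of_node_get(). */
static struct dev *dev_get(struct dev *d)
{
    d->refcount++;
    return d;
}

/* Drop a reference, like put_device() / of_node_put(). In the real
 * kernel, dropping to zero frees the object, so an extra put is a
 * use-after-free and a missing put is a leak. */
static void dev_put(struct dev *d)
{
    assert(d->refcount > 0);   /* an underflow here would be a UAF in real code */
    d->refcount--;
}

/* Buggy probe: the reference taken by dev_get() is never released on the
 * error path. This is the classic shape of the bugs the paper targets. */
static int probe_buggy(struct dev *d)
{
    struct dev *ref = dev_get(d);

    if (!ref->ready)
        return -1;          /* BUG: missing dev_put(ref) before returning */

    /* ... use ref ... */
    dev_put(ref);
    return 0;
}

/* Fixed probe: every path that acquired the reference releases it. */
static int probe_fixed(struct dev *d)
{
    struct dev *ref = dev_get(d);
    int ret = 0;

    if (!ref->ready)
        ret = -1;

    dev_put(ref);           /* released on both the success and error paths */
    return ret;
}

/* Assertion-style check: invoke a driver callback on an object with a known
 * reference count and verify the count is unchanged afterwards. Returns 1 if
 * the callback is balanced, 0 if it leaked (or dropped) a reference. A static
 * verifier checks this same property over all paths rather than one input. */
static int check_balanced(int (*fn)(struct dev *), int ready)
{
    struct dev d = { .refcount = 1, .ready = ready };
    int before = d.refcount;

    fn(&d);
    return d.refcount == before;
}

int main(void)
{
    printf("buggy probe, success path: %s\n",
           check_balanced(probe_buggy, 1) ? "balanced" : "LEAK");
    printf("buggy probe, error path:   %s\n",
           check_balanced(probe_buggy, 0) ? "balanced" : "LEAK");
    printf("fixed probe, error path:   %s\n",
           check_balanced(probe_fixed, 0) ? "balanced" : "LEAK");
    return 0;
}
```

The buggy probe passes the check on the success path and fails only on the error path, which is why such bugs survive ordinary testing: the leaking path is rarely exercised at runtime, whereas an assertion checker explores it symbolically. The opposite bug (a `dev_put` without a matching `dev_get`, or a double put) trips the underflow assertion instead, and in a real driver is the more dangerous case because the object is freed while still referenced.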
