Static analysis based invariant detection for commodity operating systems

• Published in: 7th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom) pp. 287 - 296
• Main Authors: Jinpeng Wei, Feng Zhu, Shinjo, Y.
• Format: Conference Proceeding
• Language: English
• Published: ICST 01.10.2011
• Subjects: Analytical models; Hardware; integrity modeling; invariants detection; Software; static analysis
• ISBN: 1467306835; 9781467306836

The recent interest in runtime attestation requires modeling of a program's runtime behavior to formulate its integrity properties. In this paper, we study the possibility of employing static source code analysis to derive integrity models of a commodity operating systems kernel. We develop a precise and static analysis-based global invariant detection tool that overcomes several technical challenges: field-sensitivity, array-sensitivity, pointer analysis, and handling of assembly code. We apply our tool to Linux kernel 2.4.32 and identify 141,279 global invariants that are critical to its runtime integrity. Furthermore, comparison with the result of a dynamic invariant detector reveals 17,182 variables that can cause false alarms for the dynamic detector. Our experience suggests that static analysis is a viable option for automated integrity property derivation, and it can have very low false positive rate (1 out of 141,280 in our Linux kernel case study) and very low false negative rate (about 0.013%).