A static detection method for time-of-check-to-time-of-use (TOCTOU) vulnerabilities of an operating system kernel

By compiling and analyzing the operating system kernel source code to generate intermediate bytecode, identifying and verifying lock consistency protection, and using finite state machines and constraint solvers to verify vulnerability paths, the problem of detecting TOCTOU vulnerabilities in the operating system kernel is solved, achieving efficient and accurate vulnerability detection.

CN122241718A · Pending · Publication date: 2026-06-19 · BEIHANG UNIV

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: BEIHANG UNIV
Filing Date: 2026-03-25
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing technologies are insufficient to effectively detect TOCTOU vulnerabilities in operating system kernels, especially due to the lack of systematic detection methods targeting the characteristics of TOCTOU vulnerabilities, resulting in low detection accuracy and a high false alarm rate.

Method used

By compiling the operating system kernel source code to generate intermediate bytecode, performing field sensitivity analysis to identify the fields to be checked and verifying their lock consistency protection, generating atomic rules, using a finite state machine to trace the operation sequence, combining a constraint solver to verify the vulnerability path, eliminating unreachable paths, and generating a TOCTOU vulnerability detection report.

Benefits of technology

It enables effective and automated detection of TOCTOU vulnerabilities in the operating system kernel, improves the accuracy of detection results and reduces the false positive rate, and provides detailed basis for vulnerability remediation.

Generated by Eureka AI based on patent content.


Abstract

This invention relates to the field of operating system vulnerability detection, and provides a static detection method for TOCTOU vulnerabilities in operating system kernels. The method includes: compiling the operating system kernel source code to generate intermediate bytecode; performing field-sensitive analysis on the intermediate bytecode to identify the fields to be checked, and verifying whether the checked fields are protected by lock consistency; generating atomic rules based on the verification results; performing state tracking on the intermediate bytecode based on the atomic rules to identify operation sequences that violate the atomic rules; determining the vulnerability path based on the operation sequences that violate the atomic rules, verifying the reachability of the vulnerability path, and filtering false positives indicating unreachable paths; and generating a TOCTOU vulnerability detection report based on the verified vulnerability paths. This invention solves the problem of the lack of systematic detection of TOCTOU vulnerability characteristics in existing technologies, and achieves effective and automated static detection of TOCTOU vulnerabilities in operating system kernels.

Description

Technical Field

[0001] This invention relates to the field of operating system vulnerability detection, and in particular to a static detection method for TOCTOU vulnerabilities in operating system kernels.

Background Technology

[0002] As a core component of a computer system, the security of the operating system kernel directly impacts the reliable operation of the entire system. The Time-of-Check to Time-of-Use (TOCTOU) vulnerability is a typical concurrency flaw. Its essence lies in the failure to maintain state consistency between checks and uses of shared resources. Attackers can exploit this time window to tamper with shared resources, causing the kernel to behave unexpectedly. Due to the large size of the operating system kernel code, its high degree of concurrency, and the lack of explicit concurrency rule documentation, detecting TOCTOU vulnerabilities faces significant challenges.

[0003] Existing kernel vulnerability detection methods mainly include data race detection techniques based on lock rule mining and concurrency defect analysis techniques based on model detection. The former detects data races by analyzing the relationship between variable access and lock protection, but it only focuses on whether a single variable access is protected by a lock, failing to establish a correlation between the checking operation and the usage operation, making it difficult to identify TOCTOU vulnerabilities caused by atomicity violations. The latter uses model detection methods to analyze concurrent behavior, but faces the problem of state space explosion. Overly approximate assumptions used to mitigate this problem lead to decreased analysis accuracy and a high false positive rate. None of the above methods are systematically designed to address the atomicity violation characteristics of TOCTOU vulnerabilities, making it difficult to effectively detect such vulnerabilities in the kernel.

[0004] Therefore, how to achieve effective and automated detection of TOCTOU vulnerabilities in operating system kernels is a technical problem that urgently needs to be solved in this field.

Summary of the Invention

[0005] This invention provides a static detection method for TOCTOU vulnerabilities in operating system kernels, which solves the problem of the lack of systematic detection of TOCTOU vulnerability characteristics in the prior art, and realizes effective and automated static detection of TOCTOU vulnerabilities in operating system kernels.

[0006] This invention provides a static detection method for the TOCTOU vulnerability in an operating system kernel, comprising the following steps: compiling the operating system kernel source code to generate intermediate bytecode; performing field-sensitive analysis on the intermediate bytecode to identify the fields to be checked and verifying whether those fields are protected by lock consistency, then generating atomic rules based on the verification results; performing state tracking on the intermediate bytecode based on the atomic rules to identify operation sequences that violate the atomic rules; determining the vulnerability path from the operation sequences that violate the atomic rules, verifying the reachability of the vulnerability path, and filtering out false alarms whose path is unreachable; and generating a TOCTOU vulnerability detection report based on the verified vulnerability paths.

[0007] According to a static detection method for a TOCTOU vulnerability in an operating system kernel provided by the present invention, field-sensitive analysis is performed on the intermediate bytecode to identify the fields to be checked in the intermediate bytecode and verify whether the fields to be checked are protected by lock consistency. Based on the verification results, atomic rules are generated. The method includes: parsing the intermediate bytecode, dynamically constructing a field-sensitive alias graph, parsing the alias relationships of structure member accesses through the alias graph, identifying the fields to be checked involved in conditional statements in the intermediate bytecode; traversing all modification paths of the fields to be checked, tracking the lock fields protecting the fields to be checked on each modification path; if the fields to be checked are protected by the same lock field on all modification paths, generating atomic rules containing the correspondence between the fields to be checked and the lock fields.

[0008] According to the present invention, a static detection method for a TOCTOU vulnerability in an operating system kernel is provided. Based on the atomic rules, the intermediate bytecode is state-tracked to identify operation sequences that violate the atomic rules. The method includes: initializing a finite state machine according to the correspondence between lock fields and checked fields in the atomic rules, wherein the finite state machine is used to track lock acquisition, lock release, variable checking, and variable usage operations; traversing the code paths in the intermediate bytecode and driving the finite state machine to perform state transitions according to the operation sequences; if the finite state machine enters a preset defective state, it is determined that there is an operation sequence that violates the atomic rules.

[0009] According to the present invention, a static detection method for a TOCTOU vulnerability in an operating system kernel is provided, wherein the reachability verification of the vulnerability path is performed, including: collecting path constraints on the vulnerability path, mapping the path constraints to constraint expressions of a constraint solver; mapping variables that are aliases to each other to the same symbol in the constraint solver; calling the constraint solver to solve the satisfiability of the constraint expressions; if they are not satisfiable, the vulnerability path is determined to be unreachable and the corresponding detection result is removed.

[0010] According to the present invention, a static detection method for TOCTOU vulnerabilities in an operating system kernel generates a TOCTOU vulnerability detection report based on verified vulnerability paths. The method includes: deduplicating the verified vulnerability paths according to the source code file names and line numbers where the vulnerabilities occur, merging duplicate vulnerability reports; and generating a TOCTOU vulnerability detection report, wherein the TOCTOU vulnerability detection report includes the vulnerability location, the shared variable fields involved, the lock fields, and the code triggering path.

[0011] According to the static detection method for the TOCTOU vulnerability in the operating system kernel provided by the present invention, after generating intermediate bytecode, the method further includes: traversing all intermediate bytecode files and collecting function information of kernel functions; the function information includes name, definition location and file information; and storing the collected function information in a preset function database.

[0012] This invention also provides a static detection device for the TOCTOU vulnerability in an operating system kernel, comprising the following modules: a code preprocessing module, used to compile the operating system kernel source code to generate intermediate bytecode; a rule mining module, used to perform field-sensitive analysis on the intermediate bytecode, identify the fields to be checked, verify whether the fields to be checked are protected by lock consistency, and generate atomic rules based on the verification results; a vulnerability detection module, used to perform state tracking on the intermediate bytecode based on the atomic rules and identify operation sequences that violate the atomic rules; a false alarm filtering module, used to determine the vulnerability path from the operation sequence that violates the atomic rule, perform reachability verification on the vulnerability path, and filter out false alarms whose path is unreachable; and a results reporting module, used to generate a TOCTOU vulnerability detection report based on the verified vulnerability paths.

[0013] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement a static detection method for the TOCTOU vulnerability in the operating system kernel as described above.

[0014] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements a static detection method for the TOCTOU vulnerability in the operating system kernel as described above.

[0015] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements a static detection method for the TOCTOU vulnerability in the operating system kernel as described above.

[0016] This invention provides a static detection method for TOCTOU vulnerabilities in operating system kernels, offering the following advantages: First, by compiling the operating system kernel source code to generate intermediate bytecode, a unified intermediate representation foundation is provided for subsequent analysis. Second, by performing field-sensitive analysis on the intermediate bytecode, the inspected fields are identified and their consistency protection by locks is verified, thereby generating atomic rules. This automatically extracts implicit atomic constraints from complex kernel code, overcoming the difficulty of lacking explicit concurrency rule documentation in the kernel. Third, by performing state tracking on the intermediate bytecode based on atomic rules, operation sequences violating atomic rules are identified, achieving systematic detection of atomicity violation characteristics of TOCTOU vulnerabilities. Fourth, by verifying the reachability of vulnerability paths, invalid detection results caused by unreachable paths are eliminated, improving the accuracy of detection results. Finally, a detection report is generated based on the verified vulnerability paths, providing effective support for kernel security analysis. Therefore, this invention can achieve effective and automated detection of TOCTOU vulnerabilities in operating system kernels.

Attached Figure Description

[0017] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.

[0018] Figure 1 is a flowchart of the static detection method for the TOCTOU vulnerability in the operating system kernel provided by this invention.

[0019] Figure 2 is a schematic diagram of the overall structure provided by the present invention.

[0020] Figure 3 is an example diagram of the identification of the fields being inspected, provided by the present invention.

[0021] Figure 4 is a pseudocode diagram of the atomic rule mining algorithm provided by this invention.

[0022] Figure 5 is an example diagram, provided by the present invention, of mining atomic rules by tracking the lock protection situation when variables are modified.

[0023] Figure 6 is an example diagram of the different atomicity violation modes whose detection is supported by the present invention.

[0024] Figure 7 is an example diagram of the finite state machines used for vulnerability detection, provided by the present invention.

[0025] Figure 8 is an example diagram of using a finite state machine to detect vulnerabilities, provided by the present invention.

[0026] Figure 9 is a schematic diagram of the static detection device for the TOCTOU vulnerability in the operating system kernel provided by the present invention.

[0027] Figure 10 is a schematic diagram of the structure of the electronic device provided by the present invention.

Detailed Implementation

[0028] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.

[0029] The embodiments of the present invention are described in detail below with reference to Figures 1-10.

[0030] The static detection method for the TOCTOU vulnerability in the operating system kernel provided in this embodiment of the invention is executed by a static detection device for the TOCTOU vulnerability in the operating system kernel. This device can be configured in a computer, which can be a local computer or a cloud computer. The local computer can be a computer, tablet, etc., and no specific limitation is made here.

[0031] Figure 1 is a flowchart of the static detection method for the TOCTOU vulnerability in the operating system kernel provided by this invention. As shown in Figure 1, the method includes the following steps:

S110. Compile the operating system kernel source code to generate intermediate bytecode.

[0032] S120. Perform field sensitivity analysis on the intermediate bytecode, identify the fields to be checked in the intermediate bytecode, verify whether the fields to be checked are protected by the consistency of the lock, and generate atomic rules based on the verification results.

[0033] S130. Based on atomic rules, perform state tracking on intermediate bytecode to identify operation sequences that violate atomic rules.

[0034] S140. Determine the vulnerability path based on the operation sequence that violates the atomic rule, verify the reachability of the vulnerability path, and filter out false alarms that the path is unreachable.

[0035] S150. Generate a TOCTOU vulnerability detection report based on the verified vulnerability paths.

[0036] Specifically, the technical solution of the present invention is as follows, comprising the following five steps: Step S1. The code preprocessing module uses a compiler to compile the operating system kernel source code into intermediate bytecode and extracts function information to build a function database.

[0037] Step S2. The rule mining module uses field sensitivity analysis technology to identify the fields to be inspected in the code and verify whether their modification operations are protected by lock consistency, thereby mining atomic rules.

[0038] Step S3. Based on the discovered atomic rules, the vulnerability detection module uses a finite state machine to track the state of the kernel code and identify operation sequences that violate the atomic rules.

[0039] Step S4. The false alarm filtering module uses the constraint solver to verify the reachability of the detected vulnerability paths and filters out false alarms that the paths are unreachable.

[0040] Step S5. The result reporting module performs deduplication on the verified vulnerabilities and generates a final detection report containing the vulnerability location and code path.

[0041] This method uses static code analysis and requires the operating system kernel source code. Users only need to provide the kernel source code to be tested and configure the compilation environment to automatically complete rule discovery and vulnerability detection, without actually running the kernel.

[0042] Figure 2 is a schematic diagram of the overall structure of the invention. The static detection technology for TOCTOU vulnerabilities in the operating system kernel mainly consists of a Clang compiler, a function information collection module, an atomic rule mining module, and a TOCTOU vulnerability detection module. The Clang compiler is responsible for compiling the operating system source code into LLVM intermediate bytecode files, providing a unified intermediate representation for subsequent analysis; the function information collection module is responsible for traversing the LLVM bytecode, collecting information such as the name, definition location, and file to which each kernel function belongs, and building a function information database to support inter-procedural analysis; the atomic rule mining module is responsible for identifying the fields to be checked using field-sensitive analysis, and for mining hidden atomic rules by tracking the lock protection situation when variables are modified; the TOCTOU vulnerability detection module is responsible for using a finite state machine to track the state of each code path based on the mined atomic rules, identifying dangerous operation sequences that violate atomic rules, and outputting a vulnerability detection report.

[0043] According to the static detection method for the TOCTOU vulnerability in the operating system kernel provided by the present invention, after generating intermediate bytecode, all intermediate bytecode files are traversed to collect function information of kernel functions; the function information includes name, definition location and file information; the collected function information is stored in a preset function database.

[0044] Specifically, the Clang compiler is invoked to compile the kernel source code written in C into LLVM Intermediate Representation files, providing a unified intermediate representation foundation for subsequent analysis. Simultaneously, a function analyzer traverses all bytecode files, collecting the names, definition locations, and file information of all functions in the kernel, and storing this information in a function database for subsequent inter-procedural analysis and function summary generation.

[0045] By compiling and converting the kernel source code and establishing a function information database, this invention lays a data foundation for subsequent atomic rule mining and vulnerability detection, and improves the systematic nature of the analysis process.

[0046] According to the present invention, a static detection method for TOCTOU vulnerabilities in operating system kernels performs field-sensitive analysis on intermediate bytecode, identifies the fields to be checked in the intermediate bytecode, verifies whether the fields to be checked are protected by lock consistency, and generates atomic rules based on the verification results. The method includes: parsing the intermediate bytecode, dynamically constructing a field-sensitive alias graph, resolving the alias relationships of structure member access through the alias graph, identifying the fields to be checked involved in conditional statements in the intermediate bytecode; traversing all modification paths of the fields to be checked, tracing the lock fields protecting the fields to be checked on each modification path; and generating atomic rules containing the correspondence between the fields to be checked and the lock fields if the fields to be checked are protected by the same lock field on all modification paths.

[0047] Specifically, firstly, by analyzing code paths and dynamically constructing a field-sensitive alias graph, the alias relationships between structure members are analyzed to identify the fields being checked in conditional statements. Then, for each checked field, its lock protection across all modification paths is tracked. If a modification operation on a checked field is protected by the same lock field across all modification paths, a protected relationship is established between the checked field and the lock field, generating atomic rules containing the "checked field - lock field" correspondence.

[0048] This embodiment dynamically constructs a field-sensitive alias graph and tracks the lock protection status of the inspected field on all modification paths, which can automatically mine hidden atomic rules from complex kernel code, improving the accuracy and automation of rule mining.

[0049] Figure 3 This is an example diagram illustrating step S2 of this invention, which identifies the fields to be inspected. The left side (a) shows a portion of the source code in the Linux kernel's mxser driver, highlighting variables read and inspected in conditional statements, such as xmit_cnt and stopped. The right side (b) shows a field-sensitive alias graph dynamically constructed for this code snippet. In the alias graph, nodes represent data structures or fields, and directed edges represent access relationships between structure members. The shaded nodes (n4, n6, n7) are the fields identified by the algorithm, corresponding to the fields inspected in the code on the left.

[0050] Figure 4 This is a pseudocode diagram of the atomic rule mining algorithm used in step S2 of this invention. The algorithm mainly consists of two core stages: the first stage is the candidate rule generation stage, which identifies the set of locks held by the field being checked during modification operations by traversing the code path, and adds variables and locks with a common root node as candidate atomic rules to the set; the second stage is the consistency verification stage, which traverses the code path again to check whether the variables in the candidate rules are modified without locks under certain paths. If so, the candidate rule is removed from the set, and finally, a set of atomic rules that has passed consistency verification is output.

[0051] Figure 5 This is an example diagram illustrating step S2 of this invention, which mines atomic rules by tracking lock protection during variable modifications. The diagram illustrates the mining logic of atomic rules by comparing two different scenarios: the upper part shows the situation where inconsistent lock protection prevents rule mining, i.e., the modification operation of the same shared variable in one execution path is protected by a lock, while the modification operation in another path is not protected by the same lock, thus determining that no atomic rule exists; the lower part shows the situation where consistent lock protection leads to rule mining, i.e., the write operation of another shared variable is always protected by a specific lock in all execution paths involving modification. Based on this consistency, the algorithm successfully mines an atomic rule containing the variable and the lock, indicating that the checking and use of the variable must be protected by the lock.
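The candidate-generation and consistency-verification stages of step S2 (Figures 4 and 5), as an added illustration written for this page rather than code from the patent. It works on code paths already lowered to lock/unlock/check/write events with alias-resolved field names (the patent's alias graph is assumed to have done that), and the sample paths are constructed to mirror the two scenarios of Figure 5.

```python
"""Toy model of the atomic-rule mining stage (step S2).

A "path" is one code path lowered to events in program order, with structure
fields resolved to canonical names (the real method does that with a
field-sensitive alias graph over LLVM IR):
    ("lock", "dev.lock")  ("unlock", "dev.lock")
    ("check", "dev.b")    ("write", "dev.b")
"""


def checked_fields(paths):
    """Fields that are read inside a conditional ("check") on some path."""
    return {opnd for path in paths for op, opnd in path if op == "check"}


def locks_held_at_writes(paths, field):
    """Yield the set of locks held at every modification of `field`."""
    for path in paths:
        held = set()
        for op, opnd in path:
            if op == "lock":
                held.add(opnd)
            elif op == "unlock":
                held.discard(opnd)
            elif op == "write" and opnd == field:
                yield frozenset(held)


def same_root(field, lock):
    """Candidate locks must hang off the same root structure as the field."""
    return field.split(".", 1)[0] == lock.split(".", 1)[0]


def mine_atomic_rules(paths):
    """Return {checked_field: {lock_field, ...}} for every checked field whose
    modifications are protected by the same lock on all modification paths."""
    rules = {}
    for field in checked_fields(paths):
        writes = list(locks_held_at_writes(paths, field))
        if not writes:                      # never modified: nothing to protect
            continue
        # Stage 1, candidate generation: locks with a common root held at any write
        candidates = {l for held in writes for l in held if same_root(field, l)}
        # Stage 2, consistency verification: a candidate survives only if it is
        # held at every modification; one unprotected write removes it
        for held in writes:
            candidates &= held
        if candidates:
            rules[field] = candidates
    return rules


# Constructed sample paths (not from the patent), modelled on Figure 5.
SAMPLE_PATHS = [
    # dev.a and dev.b both modified under dev.lock; dev.c is never checked
    [("lock", "dev.lock"), ("write", "dev.a"), ("write", "dev.b"),
     ("write", "dev.c"), ("unlock", "dev.lock")],
    # upper part of Figure 5: dev.a modified without dev.lock on another path
    [("write", "dev.a"), ("lock", "dev.lock"), ("write", "dev.b"),
     ("unlock", "dev.lock")],
    # both fields appear in conditionals, so both are "checked fields"
    [("lock", "dev.lock"), ("check", "dev.a"), ("check", "dev.b"),
     ("unlock", "dev.lock")],
    # lower part of Figure 5: dev.b is always written under dev.lock, even when
    # an unrelated lock (different root) is also held
    [("lock", "other.mutex"), ("lock", "dev.lock"), ("write", "dev.b"),
     ("unlock", "dev.lock"), ("unlock", "other.mutex")],
]

if __name__ == "__main__":
    print(mine_atomic_rules(SAMPLE_PATHS))   # {'dev.b': {'dev.lock'}}
```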

[0052] According to the present invention, a static detection method for TOCTOU vulnerabilities in operating system kernels is provided. Based on atomic rules, the method performs state tracking on intermediate bytecode and identifies operation sequences that violate atomic rules. The method includes: initializing a finite state machine according to the correspondence between lock fields and checked fields in the atomic rules; the finite state machine is used to track lock acquisition, lock release, variable checking, and variable usage operations; traversing the code paths in the intermediate bytecode and driving the finite state machine to perform state transitions according to the operation sequences; if the finite state machine enters a preset defective state, it is determined that there is an operation sequence that violates atomic rules.

[0053] In one embodiment of the present invention, inter-procedural analysis is performed using function summaries in a function database to trace lock operations and variable accesses in function calls based on the function summaries.

[0054] Specifically, based on atomic rules, corresponding finite state machines are initialized for different types of TOCTOU vulnerability patterns, such as a checking operation performed without holding the lock, or checking and using operations that are not in the same critical section. During code path traversal, the system tracks key operations such as lock acquisition and release, variable checking and usage in real time, driving the finite state machine to perform state transitions. Simultaneously, a field-sensitive alias graph is used to handle alias relationships, and function summaries are used for inter-procedural analysis. When the finite state machine enters a predefined defective state, the current path is marked as a potential TOCTOU vulnerability.

[0055] This embodiment, by initializing a finite state machine and tracing key operation sequences, combined with alias analysis and function summary techniques, can effectively identify operation sequences that violate atomic rules, thereby improving the detection capability for TOCTOU vulnerabilities and the efficiency of inter-procedural analysis.

[0056] Figure 6 This is an example diagram illustrating different atomicity violation modes supported for detection in step S3 of this embodiment of the invention. The diagram shows five possible combination modes of lock operations with variable checks and usage operations. The first mode on the left is a safe mode that complies with atomic rules, while the other four modes are dangerous modes that violate atomic rules, leading to atomicity violations and potential vulnerabilities.

[0057] Figure 7 is an example diagram of the finite state machines used in step S3 of this embodiment to detect vulnerabilities. The diagram defines two finite state machines, FSM1 and FSM2, for tracking the program execution state, which between them cover the different atomicity violation modes of Figure 6. FSM1 primarily addresses situations where the check operation is not protected by a lock or where lock acquisition occurs after the check; FSM2 primarily addresses situations where the check and use operations are not in the same critical section.

[0058] Figure 8 is an example diagram illustrating step S3 of this embodiment of the invention, which uses a finite state machine to detect vulnerabilities. The diagram, combined with a Linux kernel code snippet, illustrates the detection process: the code performs a lock-free check on the shared variable at line 979, then acquires a spinlock at line 982, and uses the variable at line 985. During the detection process, FSM1's state transitions from its initial state to a lock-free check state due to the check operation, then to a lock-acquired-after-check state due to the lock acquisition operation, and finally to a defect-triggered state due to the use operation, thus successfully identifying and reporting the vulnerability. Simultaneously, FSM2 does not enter its defined defective state when processing this sequence, indicating that the vulnerability belongs to the pattern category covered by FSM1.
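The two machines of Figure 7 driven over the Figure 8 sequence, as an added example written for this page (not the patent's code). The transition tables are an assumed concrete reading of the text: FSM1 traps an unlocked check followed by a use, with or without a lock acquired in between, and FSM2 traps a check and a use that fall in different critical sections; both reset when the field is re-checked under the lock. The field and lock names and the extra sample paths are constructed.

```python
"""Toy model of the FSM-driven detection stage (step S3).

An atomic rule pairs a checked field with the lock that must protect it.
A code path is a list of (op, operand, source_line) events in program order,
already alias-resolved, e.g. ("check", "port.xmit_cnt", 979).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AtomicRule:
    var: str    # checked field
    lock: str   # lock field that must protect both check and use


# Events seen by a machine: "check_locked", "check_unlocked", "lock",
# "unlock", "use".  A missing (state, event) pair keeps the current state.
# FSM1: the check is unprotected, or the lock is only taken after the check.
FSM1 = {
    ("INIT", "check_unlocked"): "CHECKED_UNLOCKED",
    ("CHECKED_UNLOCKED", "lock"): "LOCKED_AFTER_CHECK",
    ("CHECKED_UNLOCKED", "use"): "DEFECT",
    ("LOCKED_AFTER_CHECK", "use"): "DEFECT",
    # re-checking the field under the lock repairs the sequence
    ("CHECKED_UNLOCKED", "check_locked"): "INIT",
    ("LOCKED_AFTER_CHECK", "check_locked"): "INIT",
}
# FSM2: check and use are not in the same critical section.
FSM2 = {
    ("INIT", "check_locked"): "CHECKED_IN_CS",
    ("CHECKED_IN_CS", "use"): "INIT",      # used inside the same critical section
    ("CHECKED_IN_CS", "unlock"): "LEFT_CS",
    ("LEFT_CS", "use"): "DEFECT",          # used after leaving it (relocked or not)
    ("LEFT_CS", "check_locked"): "CHECKED_IN_CS",
}


def classify(rule, held, op, opnd):
    """Map a raw path event to an FSM event for `rule`, or None if unrelated."""
    if op in ("lock", "unlock"):
        return op if opnd == rule.lock else None
    if opnd != rule.var:
        return None
    if op == "check":
        return "check_locked" if held else "check_unlocked"
    return "use" if op == "use" else None


def run_fsm(table, rule, path):
    """Drive one machine along a path; return (final_state, defect_line)."""
    state, held = "INIT", False
    for op, opnd, line in path:
        event = classify(rule, held, op, opnd)
        if event is None:
            continue
        if event == "lock":
            held = True
        elif event == "unlock":
            held = False
        state = table.get((state, event), state)
        if state == "DEFECT":
            return state, line
    return state, None


def detect(rule, path):
    """Run both machines; return [(machine_name, line)] for each defect found."""
    found = []
    for name, table in (("FSM1", FSM1), ("FSM2", FSM2)):
        state, line = run_fsm(table, rule, path)
        if state == "DEFECT":
            found.append((name, line))
    return found


RULE = AtomicRule(var="port.xmit_cnt", lock="port.lock")   # constructed names

# Constructed path modelled on the Figure 8 sequence: lock-free check at
# line 979, spinlock acquired at 982, use at 985.
FIG8_PATH = [("check", RULE.var, 979), ("lock", RULE.lock, 982),
             ("use", RULE.var, 985), ("unlock", RULE.lock, 986)]
# Check and use in two different critical sections (FSM2 territory).
SPLIT_CS_PATH = [("lock", RULE.lock, 10), ("check", RULE.var, 11),
                 ("unlock", RULE.lock, 12), ("lock", RULE.lock, 20),
                 ("use", RULE.var, 21), ("unlock", RULE.lock, 22)]
# Safe mode of Figure 6: check and use inside one critical section.
SAFE_PATH = [("lock", RULE.lock, 30), ("check", RULE.var, 31),
             ("use", RULE.var, 32), ("unlock", RULE.lock, 33)]
# Common kernel fix: optimistic unlocked check, then re-check under the lock.
RECHECK_PATH = [("check", RULE.var, 40), ("lock", RULE.lock, 41),
                ("check", RULE.var, 42), ("use", RULE.var, 43),
                ("unlock", RULE.lock, 44)]

if __name__ == "__main__":
    for name, p in [("fig8", FIG8_PATH), ("split", SPLIT_CS_PATH),
                    ("safe", SAFE_PATH), ("recheck", RECHECK_PATH)]:
        print(name, detect(RULE, p))
```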

[0059] According to the present invention, a static detection method for TOCTOU vulnerability in operating system kernel is provided, which verifies the reachability of the vulnerability path, including: collecting path constraints on the vulnerability path, mapping the path constraints to constraint expressions of the constraint solver; mapping variables that are aliases to each other to the same symbol in the constraint solver; calling the constraint solver to solve the satisfiability of the constraint expressions, and if they are not satisfiable, determining that the vulnerability path is unreachable and removing the corresponding detection result.

[0060] In one embodiment of the present invention, the initialization and unloading functions of the kernel module are identified. Since such functions usually do not involve concurrent execution, the vulnerability paths corresponding to the initialization and unloading functions are excluded from the detection results.

[0061] Specifically, the Z3 constraint solver is integrated to verify the reachability of marked potential vulnerability paths. The system first collects the path constraints on potential defective paths, converts them into constraint expressions, and solves for path satisfiability, thereby eliminating false positives caused by unreachable paths. Simultaneously, keyword matching, such as on insertion and unregistration keywords, is used to identify kernel module initialization and unloading functions. Since these functions typically do not involve concurrent execution, they are excluded from the detection scope, further reducing the false positive rate and improving the accuracy of the detection results.

[0062] This embodiment uses an integrated constraint solver to verify path reachability and combines keyword matching to exclude non-concurrent functions, which can effectively eliminate potential false alarms and improve the accuracy of detection results.

[0063] Table 1 is an example diagram of step S4 in this embodiment of the invention, which filters false alarms caused by unreachable paths through path reachability verification. For detected vulnerabilities, the instructions in their code paths are mapped to constraints in the constraint solver. By checking whether the constraints can be satisfied, the reachability of the path where the vulnerability is located is checked. Reports of unreachable paths are discarded as false alarms, thereby reducing the false alarm rate. In particular, in order to reduce the number of constraints and the complexity of constraint solving, this embodiment of the invention maps variables that are aliases to the same symbol in the constraint solver. Assuming that the constraint solver symbol corresponding to the set where variable a is located is S(a), for the arithmetic operation a = b op c, the constraint S(a) == S(b) op S(c) is established, where op can be +, -, ... For branch jump statements, assuming the condition is cond, when the control flow jumps to true, add the constraint S(cond) != 0, and when the control flow jumps to false, add the constraint S(cond) == 0.

[0064] In Table 1, for x = 1, add the constraint S(x) == 1. For y = x, alias analysis shows that x and y are aliases of each other and are located in the same alias set. They map to the same symbol in the constraint solver, so no constraint needs to be added. For the branch jump statement, assuming the branch jumps to the branch where the condition is true (i.e., line 4), add the constraint S(y) == 0. At this time, the constraints are S(x) == 1 and S(y) == 0. Since x and y are aliases of each other, S(x) and S(y) correspond to the same symbol in the constraint solver. This symbol cannot be both 1 and 0. Therefore, the constraint cannot be satisfied, and the path is unreachable.

[0065] Table 1
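The constraint mapping of [0063] and the Table 1 walk-through of [0064], as an added example that is not the patent's own code: alias sets share one solver symbol S(.) via union-find, assignments and branch outcomes become constraints, and a constant-propagation check stands in for the Z3 solver the patent integrates, reporting "unreachable" only when the constraints provably clash.

```python
# Added example (not the patent's code). Constant propagation is used here in
# place of Z3: it only returns False when the constraints are provably
# unsatisfiable, so a report is never dropped because of an unknown value.
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}
CMP = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b}


class PathConstraints:
    def __init__(self):
        self.parent = {}     # union-find over variable names
        self.consts = []     # (a, k): S(a) == k
        self.ariths = []     # (a, b, op, c): S(a) == S(b) op S(c)
        self.branches = []   # (l, cmp, r, taken): S(cond) != 0 or S(cond) == 0
        self.value = {}      # symbol -> constant derived so far

    def S(self, v):
        """Solver symbol of v's alias set (union-find representative)."""
        self.parent.setdefault(v, v)
        while self.parent[v] != v:
            self.parent[v] = self.parent[self.parent[v]]
            v = self.parent[v]
        return v

    def assign_const(self, a, k):          # a = k
        self.consts.append((a, k))

    def assign_alias(self, a, b):          # a = b: merge alias sets, no constraint
        ra, rb = self.S(a), self.S(b)
        if ra != rb:
            self.parent[ra] = rb

    def assign_arith(self, a, b, op, c):   # a = b op c (b, c: name or int literal)
        self.ariths.append((a, b, op, c))

    def branch(self, l, cmp, r, taken):    # condition (l cmp r); was the edge taken?
        self.branches.append((l, cmp, r, taken))

    def _val(self, x):                     # literal, known symbol value, or None
        return x if isinstance(x, int) else self.value.get(self.S(x))

    def _bind(self, sym, k):
        """Record S(sym) == k: True = new fact, None = already known, False = clash."""
        if sym in self.value:
            return None if self.value[sym] == k else False
        self.value[sym] = k
        return True

    def reachable(self):
        """False only when the collected constraints are provably unsatisfiable."""
        self.value = {}
        for a, k in self.consts:
            if self._bind(self.S(a), k) is False:
                return False                 # one symbol bound to two constants
        changed = True
        while changed:                       # propagate a = b op c to a fixpoint
            changed = False
            for a, b, op, c in self.ariths:
                vb, vc = self._val(b), self._val(c)
                if vb is None or vc is None:
                    continue
                res = self._bind(self.S(a), OPS[op](vb, vc))
                if res is False:
                    return False
                changed = changed or res is True
        for l, cmp, r, taken in self.branches:
            vl, vr = self._val(l), self._val(r)
            if vl is not None and vr is not None and CMP[cmp](vl, vr) != taken:
                return False                 # required edge contradicts the values
        return True


def table1_path():
    """[0064]: x = 1; y = x; branch (y == 0) taken -> S(x)==1 and S(y)==0 clash."""
    p = PathConstraints()
    p.assign_const("x", 1)
    p.assign_alias("y", "x")
    p.branch("y", "==", 0, True)
    return p.reachable()
```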

[0066] According to the present invention, a static detection method for TOCTOU vulnerabilities in an operating system kernel generates a TOCTOU vulnerability detection report based on verified vulnerability paths. The method includes: deduplicating the verified vulnerability paths according to the source code file names and line numbers where the vulnerabilities occur, merging duplicate vulnerability reports; and generating a TOCTOU vulnerability detection report, which includes the vulnerability location, the shared variable fields involved, the lock fields, and the code triggering path.

[0067] Specifically, the system organizes and deduplicates vulnerability reports that have passed the false positive filtering. Duplicate reports are merged based on the source code filename and line number where the vulnerability occurred, ensuring that each vulnerability is output only once. The final detection report includes key information such as the vulnerability location, involved shared variable fields, lock fields, and the specific code trigger path, providing developers with detailed references for understanding and fixing vulnerabilities.

[0068] This embodiment deduplicates vulnerability reports and outputs detailed vulnerability information, providing developers with clear and accurate remediation guidelines and improving the readability and usability of vulnerability reports.

[0069] In summary, the key points of this invention include: (I) To address the issues of unclear concurrency rules and a lack of explicit documentation and comments in operating system kernels, a field-sensitive atomic rule mining method is proposed. During static code analysis, this method dynamically constructs a field-sensitive alias graph to accurately identify the fields being checked in conditional statements. Subsequently, by analyzing the LLVM intermediate bytecode of the kernel source code, it tracks the lock protection during variable modifications, uncovering the fields being checked that are consistently protected by specific lock fields during modification operations. This allows for the extraction of atomic rules that require "check-use" operations to be protected by specific locks. This method overcomes the limitation of traditional lock rule mining, which only focuses on single variable accesses, and can automatically and accurately extract implicit atomic rules from complex kernel data structures.

[0070] (II) To address the complex atomic violation patterns of Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities, an atomic rule verification method based on finite state machines is proposed. This method designs two finite state machines based on the mined atomic rules, targeting different atomic violation patterns. By tracing the operation sequences of lock acquisition, lock release, variable checking, and variable usage, it detects dangerous operation sequences that violate atomic rules. During verification, field-sensitive alias analysis is introduced to handle complex alias relationships in the kernel, and function summaries are used to reduce redundant analysis, thereby improving detection accuracy and interprocedural analysis efficiency. This method can effectively identify TOCTOU vulnerabilities caused by a lack of lock protection or improper lock usage between check and use operations, achieving systematic detection of such vulnerabilities.

[0071] This invention provides a static detection method and system for TOCTOU vulnerabilities in operating system kernels, enabling effective and automated detection of TOCTOU vulnerabilities in the operating system kernel. This invention uses a field-sensitive atomic rule mining method to automatically extract implicit atomic rules from complex kernel code, overcoming the difficulties caused by the lack of concurrency rule documentation and comments. It further combines a finite state machine-based verification strategy, employing finite state machines designed for different violation patterns to trace operation sequences, and introduces alias analysis and function summary techniques to handle alias relationships effectively while improving interprocedural analysis efficiency. This invention can help improve the security and robustness of operating system kernels, providing strong support for the discovery and remediation of related vulnerabilities.

[0072] The static detection device for the TOCTOU vulnerability in the operating system kernel provided by the present invention will be described below. The static detection device for the TOCTOU vulnerability in the operating system kernel described below can be referred to in correspondence with the static detection method for the TOCTOU vulnerability in the operating system kernel described above.

[0073] As shown in Figure 9, the static detection device for the TOCTOU vulnerability in an operating system kernel provided by the present invention comprises: a code preprocessing module 910, used to compile the operating system kernel source code to generate intermediate bytecode; a rule mining module 920, used to perform field sensitivity analysis on the intermediate bytecode, identify the fields to be checked in the intermediate bytecode, verify whether the fields to be checked are protected by lock consistency, and generate atomic rules based on the verification results; a vulnerability detection module 930, used to perform state tracking on the intermediate bytecode based on the atomic rules and identify operation sequences that violate the atomic rules; a false alarm filtering module 940, used to determine the vulnerability path based on the operation sequence that violates the atomic rule, perform reachability verification on the vulnerability path, and filter false alarms indicating that the path is unreachable; and a results reporting module 950, used to generate a TOCTOU vulnerability detection report based on the verified vulnerability paths.

[0074] Specifically, the functions of each module in the static detection device for the TOCTOU vulnerability in the operating system kernel provided in this embodiment of the invention correspond one-to-one with the operation flow of each step in the above method embodiments, and the achieved effects are also the same. For details, please refer to the above embodiments; they will not be repeated in this embodiment of the invention.

[0075] Figure 10 is a schematic diagram of the physical structure of an electronic device. As shown in Figure 10, the electronic device may include: a processor 1010, a communications interface 1020, a memory 1030, and a communication bus 1040. The processor 1010, communications interface 1020, and memory 1030 communicate with each other via the communication bus 1040. The processor 1010 can call logical instructions in the memory 1030 to execute a static detection method for the TOCTOU vulnerability in the operating system kernel. This method includes: compiling the operating system kernel source code to generate intermediate bytecode; performing field-sensitive analysis on the intermediate bytecode to identify the fields to be checked and verifying whether the checked fields are protected by lock consistency, generating atomic rules based on the verification results; performing state tracking on the intermediate bytecode based on the atomic rules to identify operation sequences that violate the atomic rules; determining the vulnerability path based on the operation sequences that violate the atomic rules, verifying the reachability of the vulnerability path, and filtering false alarms indicating unreachable paths; and generating a TOCTOU vulnerability detection report based on the verified vulnerability paths.

[0076] Furthermore, the logical instructions in the aforementioned memory 1030 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0077] On the other hand, the present invention also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can execute the static detection method for the TOCTOU vulnerability in the operating system kernel provided by the above methods. The method includes: compiling the operating system kernel source code to generate intermediate bytecode; performing field-sensitive analysis on the intermediate bytecode to identify the fields to be checked in the intermediate bytecode and verifying whether the fields to be checked are protected by lock consistency, and generating atomic rules based on the verification results; performing state tracking on the intermediate bytecode based on the atomic rules to identify operation sequences that violate the atomic rules; determining the vulnerability path based on the operation sequences that violate the atomic rules, performing reachability verification on the vulnerability path, and filtering false alarms of unreachable paths; and generating a TOCTOU vulnerability detection report based on the verified vulnerability paths.

[0078] In another aspect, the present invention also provides a non-transitory computer-readable storage medium storing a computer program thereon. When executed by a processor, the computer program implements a static detection method for the TOCTOU vulnerability in the operating system kernel provided by the methods described above. This method includes: compiling the operating system kernel source code to generate intermediate bytecode; performing field-sensitive analysis on the intermediate bytecode to identify the fields to be checked and verifying whether the checked fields are protected by lock consistency; generating atomic rules based on the verification results; performing state tracking on the intermediate bytecode based on the atomic rules to identify operation sequences that violate the atomic rules; determining the vulnerability path based on the operation sequences that violate the atomic rules; performing reachability verification on the vulnerability path and filtering false alarms indicating unreachable paths; and generating a TOCTOU vulnerability detection report based on the verified vulnerability paths.

[0079] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0080] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods of various embodiments or some parts of embodiments.

[0081] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A static detection method for the TOCTOU vulnerability in an operating system kernel, characterized in that it comprises: compiling the operating system kernel source code to generate intermediate bytecode; performing field sensitivity analysis on the intermediate bytecode to identify the fields to be checked in the intermediate bytecode, verifying whether the fields to be checked are protected by lock consistency, and generating atomic rules based on the verification results; performing state tracking on the intermediate bytecode based on the atomic rules to identify operation sequences that violate the atomic rules; determining the vulnerability path based on the operation sequences that violate the atomic rules, verifying the reachability of the vulnerability path, and filtering out false alarms indicating that the path is unreachable; and generating a TOCTOU vulnerability detection report based on the verified vulnerability paths.

2. The static detection method for the TOCTOU vulnerability in the operating system kernel according to claim 1, characterized in that performing field-sensitive analysis on the intermediate bytecode to identify the fields to be checked, verifying whether the fields to be checked are protected by lock consistency, and generating atomic rules based on the verification results comprises: parsing the intermediate bytecode to dynamically construct a field-sensitive alias graph; using the alias graph to resolve the alias relationships of structure member accesses and identify the fields being checked in the conditional statements of the intermediate bytecode; traversing all modification paths of the field being checked and tracking the lock field protecting the field being checked on each modification path; and, if the field being checked is protected by the same lock field on all modification paths, generating an atomic rule containing the correspondence between the field being checked and the lock field.

3. The static detection method for the TOCTOU vulnerability in the operating system kernel according to claim 1, characterized in that performing state tracking on the intermediate bytecode based on the atomic rules to identify operation sequences that violate the atomic rules comprises: initializing a finite state machine based on the correspondence between the lock field and the checked field in the atomic rules, the finite state machine being used to track lock acquisition, lock release, variable checking, and variable usage operations; traversing the code paths in the intermediate bytecode and driving the finite state machine to perform state transitions according to the operation sequence; and, if the finite state machine enters a preset defective state, determining that there is an operation sequence that violates the atomic rules.

4. The static detection method for the TOCTOU vulnerability in the operating system kernel according to claim 1, characterized in that verifying the reachability of the vulnerability path comprises: collecting the path constraints on the vulnerability path and mapping the path constraints to constraint expressions of the constraint solver; mapping variables that are aliases of each other to the same symbol in the constraint solver; and invoking the constraint solver to determine the satisfiability of the constraint expressions, and, if the constraints are not satisfiable, determining that the vulnerability path is unreachable and removing the corresponding detection result.

5. The static detection method for the TOCTOU vulnerability in the operating system kernel according to claim 1, characterized in that generating a TOCTOU vulnerability detection report based on the verified vulnerability paths comprises: deduplicating the verified vulnerability paths based on the filename and line number of the source code where the vulnerability occurred, and merging duplicate vulnerability reports; and generating a TOCTOU vulnerability detection report, which includes the vulnerability location, the shared variable fields involved, the lock fields, and the code triggering path.

6. The static detection method for the TOCTOU vulnerability in the operating system kernel according to claim 1, characterized in that, after generating the intermediate bytecode, the method further comprises: traversing all intermediate bytecode files and collecting function information of kernel functions, the function information including the name, definition location, and file information; and storing the collected function information in a pre-defined function database.

7. A static detection device for the TOCTOU vulnerability in an operating system kernel, characterized in that it comprises: a code preprocessing module, used to compile the operating system kernel source code to generate intermediate bytecode; a rule mining module, used to perform field sensitivity analysis on the intermediate bytecode, identify the fields to be checked in the intermediate bytecode, verify whether the fields to be checked are protected by lock consistency, and generate atomic rules based on the verification results; a vulnerability detection module, used to perform state tracking on the intermediate bytecode based on the atomic rules and identify operation sequences that violate the atomic rules; a false alarm filtering module, used to determine the vulnerability path based on the operation sequence that violates the atomic rule, perform reachability verification on the vulnerability path, and filter false alarms indicating that the path is unreachable; and a results reporting module, used to generate a TOCTOU vulnerability detection report based on the verified vulnerability paths.

8. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the computer program, it implements the static detection method for the TOCTOU vulnerability in the operating system kernel as described in any one of claims 1 to 6.

9. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the static detection method for the TOCTOU vulnerability in the operating system kernel as described in any one of claims 1 to 6.

10. A computer program product comprising a computer program, characterized in that, when the computer program is executed by a processor, it implements the static detection method for the TOCTOU vulnerability in the operating system kernel as described in any one of claims 1 to 6.