• Stars
    star
    329
  • Rank 128,030 (Top 3 %)
  • Language
    C++
  • License
    BSD 2-Clause "Sim...
  • Created over 7 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

DR.CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers

DR.CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers

License

warning

This repo contains all the sources, including setup scripts. Now with an Amazing UI to view the warnings along with corresponding source files.

Tested on

Ubuntu >= 14.04.5 LTS

Announcements

16 Feb 2018:

  • DR.CHECKER has been dockerized. Refer Docker Usage on how to use it.

Frequently Asked Questions

0. Using Dockerized Setup (Recommended)

Refer the Docker Usage document for details on how to use DR.CHECKER in a pre-built docker container.

1. Setup

Our implementation is based on LLVM, specifically LLVM 3.8. We also need tools like c2xml to parse headers.

First, make sure that you have cmake (used by setup/build scripts) and libxml (required for c2xml):

sudo apt-get install cmake libxml2-dev

Next, We have created a single script, which downloads and builds all the required tools.

cd helper_scripts
python setup_drchecker.py --help
usage: setup_drchecker.py [-h] [-b TARGET_BRANCH] [-o OUTPUT_FOLDER]

optional arguments:
  -h, --help        show this help message and exit
  -b TARGET_BRANCH  Branch (i.e. version) of the LLVM to setup. Default:
                    release_38 e.g., release_38
  -o OUTPUT_FOLDER  Folder where everything needs to be setup.

Example:

python setup_drchecker.py -o drchecker_deps

To complete the setup you also need modifications to your local PATH environment variable. The setup script will give you exact changes you need to do.

2. Building

This depends on the successful completion of Setup. We have a single script that builds everything, you are welcome.

cd llvm_analysis
./build.sh

3. Running

This depends on the successful completion of Build. To run DR.CHECKER on kernel drivers, we need to first convert them into llvm bitcode.

3.1 Building kernel

First, we need to have a buildable kernel. Which means you should be able to compile the kernel using regular build setup. i.e., make. We first capture the output of make command, from this output we extract the exact compilation command.

3.1.1 Generating output of make (or makeout.txt)

Just pass V=1 and redirect the output to the file. Example:

make V=1 O=out ARCH=arm64 > makeout.txt 2>&1

NOTE: DO NOT USE MULTIPLE PROCESSES i.e., -j. Running in multi-processing mode will mess up the output file as multiple process try to write to the output file.

That's it. DR.CHECKER will take care from here.

3.2 Running DR.CHECKER analysis

There are several steps to run DR.CHECKER analysis, all these steps are wrapped in a single script helper_scripts/runner_scripts/run_all.py How to run:

python run_all.py --help
usage: run_all.py [-h] [-l LLVM_BC_OUT] [-a CHIPSET_NUM] [-m MAKEOUT] [-g COMPILER_NAME] [-n ARCH_NUM] [-o OUT] [-k KERNEL_SRC_DIR] [-skb] [-skl] [-skp] [-ske] [-ski] [-f SOUNDY_ANALYSIS_OUT]

optional arguments:
  -h, --help            show this help message and exit
  -l LLVM_BC_OUT        Destination directory where all the generated bitcode files should be stored.
  -a CHIPSET_NUM        Chipset number. Valid chipset numbers are:
                        1(mediatek)|2(qualcomm)|3(huawei)|4(samsung)
  -m MAKEOUT            Path to the makeout.txt file.
  -g COMPILER_NAME      Name of the compiler used in the makeout.txt, This is
                        needed to filter out compilation commands. Ex: aarch64-linux-android-gcc
  -n ARCH_NUM           Destination architecture, 32 bit (1) or 64 bit (2).
  -o OUT                Path to the out folder. This is the folder, which
                        could be used as output directory during compiling
                        some kernels. (Note: Not all kernels needs a separate out folder)
  -k KERNEL_SRC_DIR     Base directory of the kernel sources.
  -skb                  Skip LLVM Build (default: not skipped).
  -skl                  Skip Dr Linker (default: not skipped).
  -skp                  Skip Parsing Headers (default: not skipped).
  -ske                  Skip Entry point identification (default: not
                        skipped).
  -ski                  Skip Soundy Analysis (default: not skipped).
  -f SOUNDY_ANALYSIS_OUT    Path to the output folder where the soundy analysis output should be stored.

The script builds, links and runs DR.CHECKER on all the drivers, as such might take considerable time(45 min-90 min). If you want to run DR.CHECKER manually on individual drivers, refer standalone

The above script performs following tasks in a multiprocessor mode to make use of all CPU cores:

3.2.1. LLVM Build

  • Enabled by default.

All the bitcode files generated will be placed in the folder provided to the argument -l. This step takes considerable time, depending on the number of cores you have. So, if you had already done this step, You can skip this step by passing -skb.

3.2.2. Linking all driver bitcode files in s consolidated bitcode file.

  • Enabled by default

This performs linking, it goes through all the bitcode files and identifies the related bitcode files that need to be linked and links them (using llvm-link) in to a consolidated bitcode file (which will be stored along side corresponding bitcode file).

Similar to the above step, you can skip this step by passing -skl.

3.2.3.Parsing headers to identify entry function fields.

  • Enabled by default.

This step looks for the entry point declarations in the header files and stores their configuration in the file: hdr_file_config.txt under LLVM build directory.

To skip: -skp

3.2.4.Identify entry points in all the consolidated bitcode files.

  • Enabled by default

This step identifies all the entry points across all the driver consolidated bitcode files. The output will be stored in file: entry_point_out.txt under LLVM build directory.

Example of contents in the file entry_point_out.txt:

FileRead:hidraw_read:/home/drchecker/33.2.A.3.123/llvm_bc_out/drivers/hid/llvm_link_final/final_to_check.bc
FileWrite:hidraw_write:/home/drchecker/33.2.A.3.123/llvm_bc_out/drivers/hid/llvm_link_final/final_to_check.bc
IOCTL:hidraw_ioctl:/home/drchecker/33.2.A.3.123/llvm_bc_out/drivers/hid/llvm_link_final/final_to_check.bc

To skip: -ske

3.2.5.Run Soundy Analysis on all the identified entry points.

  • Enabled by default.

This step will run DR.CHECKER on all the entry points in the file entry_point_out.txt. The output for each entry point will be stored in the folder provided for option -f.

To skip: -ski

3.2.6 Example:

Now, we will show an example from the point where you have kernel sources to the point of getting vulnerability warnings.

We have uploaded a mediatek kernel 33.2.A.3.123.tar.bz2. First download and extract the above file.

Lets say you extracted the above file in a folder called: ~/mediatek_kernel

3.2.6.1 Building
cd ~/mediatek_kernel
source ./env.sh
cd kernel-3.18
# the following step may not be needed depending on the kernel
mkdir out
make O=out ARCH=arm64 tubads_defconfig
# this following command copies all the compilation commands to makeout.txt
make V=1 -j8 O=out ARCH=arm64 > makeout.txt 2>&1
3.2.6.2 Running DR.CHECKER
cd <repo_path>/helper_scripts/runner_scripts

python run_all.py -l ~/mediatek_kernel/llvm_bitcode_out -a 1 -m ~/mediatek_kernel/kernel-3.18/makeout.txt -g aarch64-linux-android-gcc -n 2 -o ~/mediatek_kernel/kernel-3.18/out -k ~/mediatek_kernel/kernel-3.18 -f ~/mediatek_kernel/dr_checker_out

The above command takes quite some time (30 min - 1hr).

3.2.6.3 Understanding the output

First, all the analysis results will be in the folder: ~/mediatek_kernel/dr_checker_out (argument given to the option -f), for each entry point a .json file will be created which contains all the warnings in JSON format. These json files contain warnings organized by contexts.

Second, The folder ~/mediatek_kernel/dr_checker_out/instr_warnings (w.r.t argument given to the option -f) contains warnings organized by instruction location.

These warnings could be analyzed using our Visualizer.

Finally, a summary of all the warnings for each entry point organized by the type will be written to the output CSV file: ~/mediatek_kernel/dr_checker_out/warnings_stats.csv (w.r.t argument given to the option -f).

3.2.7 Things to note:

3.2.7.1 Value for option -g

To provide value for option -g you need to know the name of the *-gcc binary used to compile the kernel. An easy way to know this would be to grep for gcc in makeout.txt and you will see compiler commands from which you can know the *-gcc binary name.

For our example above, if you do grep gcc makeout.txt for the example build, you will see lot of lines like below:

aarch64-linux-android-gcc -Wp,-MD,fs/jbd2/.transaction.o.d  -nostdinc -isystem ...

So, the value for -g should be aarch64-linux-android-gcc.

If the kernel to be built is 32-bit then the binary most likely will be arm-eabi-gcc

3.2.7.2 Value for option -a

Depeding on the chipset type, you need to provide corresponding number.

3.2.7.3 Value for option -o

This is the path of the folder provided to the option O= for make command during kernel build.

Not all kernels need a separate out path. You may build kernel by not providing an option O, in which case you SHOULD NOT provide value for that option while running run_all.py.

3.3 Visualizing DR.CHECKER results ❄️

We provide a web-based UI to view all the warnings. Please refer Visualization.

3.6 Disabling Vulnerability checkers

You can disable one or more vulnerability checkers by uncommenting the corresponding #define DISABLE_* lines in BugDetectorDriver.cpp

3.5 Post-processing DR.CHECKER results

To your liking, we also provide a script to post-process the results. Check it out.

Have fun!!

4. Contact

More Repositories

1

karonte

Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware
Python
390
star
2

BootStomp

BootStomp: a bootloader vulnerability finder
Python
378
star
3

difuze

Fuzzer for Linux Kernel Drivers
C++
369
star
4

leakless

Function redirection via ELF tricks.
Python
156
star
5

hal-fuzz

Source code of HAL-fuzz
137
star
6

baredroid

Python
90
star
7

packware

Effects of packers on machine-learning-based malware classifiers that use only static analysis
Python
83
star
8

pretender

Automatic modeling of hardware to enable the rehosting of embedded firmware
C
80
star
9

greed

A symbolic execution engine for EVM smart contract binaries.
Python
74
star
10

agrigento

Agrigento is a tool to identify privacy leaks in Android apps by performing black-box differential analysis on the network traffic.
Python
69
star
11

monolithic-firmware-collection

Repository for monolithic firmware blobs
Python
68
star
12

goldphish

Arbitrage bot for the Ethereum blockchain
Python
58
star
13

popkorn-artifact

Python
57
star
14

boomerang

Exploiting the Semantic Gap in Trusted Execution Environments
C
54
star
15

sailfish

Data and code for the IEEE S&P'22 paper SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds
Python
50
star
16

heapster

Identify and test the security of dynamic memory allocators in monolithic firmware images
C
41
star
17

diane

DiAne is a smart fuzzer for IoT devices
Python
39
star
18

sasi

Signedness-Agnostic Strided-Interval
C++
34
star
19

actor

Source code for ACTOR, an action-guided kernel fuzzer (USENIX 2023 paper)
Go
27
star
20

android_ui_deception

Source code for our "What the App is That? Deception and Countermeasures in the Android User Interface" paper
Java
19
star
21

android_broken_fingers

Java
16
star
22

BullseyePoison

Bullseye Polytope Clean-Label Poisoning Attack
Python
14
star
23

autofacts

Towards Automatically Generating a Sound and Complete Dataset for Evaluating Static Analysis Tools
C++
14
star
24

symbexcel

Python
13
star
25

syml

Python
12
star
26

Neurlux

Code from the paper: Neurlux: Dynamic Malware Analysis Without Feature Engineering
Python
12
star
27

nft-security-study

Code and data of the CCS '22 paper titled "Understanding Security Issues in the NFT Ecosystem"
10
star
28

LoopMC

All code related to the LoopMC paper
Python
8
star
29

chainreactor

PDDL
8
star
30

ictf-service-samples

Sample services for the 2015 iCTF
Python
7
star
31

regulator-dynamic

C++
6
star
32

shimware

Python
6
star
33

turi

Python
5
star
34

DeepCASE-Dataset

5
star
35

bran

C
4
star
36

trust.io

A method for automatically protecting the physical interfaces on cyber-physical systems using TrustZone.
VHDL
4
star
37

hacrs

The human-assisted cyber reasoning system
JavaScript
4
star
38

jackal

Confusum Contractum: Confused Deputy Vulnerabilities in Ethereum Smart Contracts
Python
4
star
39

DeepCASE

Python
3
star
40

iCTF23

An educational CTF centered about the concept of AI and Cybersecurity
HTML
3
star
41

conware

Framework for automatically modeling hardware peripherals.
C
3
star
42

android_device_public

Java
3
star
43

columbus

Source code for Columbus (ICSE 2023 paper)
3
star
44

VenoMave

2
star
45

crush

Python
2
star
46

SECrow

Sources ad Guide for Secure Crowdsourced Location Tracking System paper.
Python
2
star
47

slither-sailfish

Modified Slither for Sailfish
Python
1
star
48

glitch_resistor

C++
1
star
49

cs177-ctfd-oracle-challenges

Plugin for CTFd to manage oracle challenges
Python
1
star
50

invisible-code

C
1
star
51

heapster-dataset-metadata

Collection of metadata for the firmware images used in Heapster
C
1
star
52

GUIDE-ENRICHER

Python
1
star