Regular Paper

Untrusted Hardware Causes Double-Fetch Problems in the I/O Memory

College of Computer, National University of Defense Technology, Changsha 410073, China
Science and Technology on Parallel and Distributed Processing Laboratory, National University of Defense Technology, Changsha 410073, China
Collaborative Innovation Center of High-Performance Computing, National University of Defense Technology, Changsha 410073, China

Abstract

The double-fetch problem occurs when data is maliciously changed between two kernel reads of supposedly the same data, which can cause serious security problems in the kernel. Previous research focused on double fetches between the kernel and user applications. In this paper, we present the first dedicated study of the double-fetch problem between the kernel and peripheral devices (the hardware double fetch). Operating systems communicate with peripheral devices by reading from and writing to device-mapped I/O (input/output) memory. Owing to the lack of effective validation of attached hardware, compromised hardware could flip the data between two reads of the same I/O memory address, causing a double-fetch problem. We propose a static pattern-matching approach to identify hardware double fetches in the Linux kernel. Our approach can analyze the entire kernel without relying on the corresponding hardware. The results are categorized, and each category is analyzed through case studies to discuss the possibility of its causing bugs. We also find four previously unknown double-fetch vulnerabilities, which have been confirmed and fixed after we reported them to the maintainers.
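The following is an added example, not code from the paper or from the Linux kernel, that models the hardware double-fetch pattern the abstract describes: a driver reads a length register once to validate it and a second time to use it, and a hostile device returns a different value on the second read. The device, its register, the handler names and the buffer size are all hypothetical; memory-mapped I/O is simulated with a plain struct so the example runs in user space.

```c
/* Added example (hypothetical device and driver); not from the paper or Linux. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_LEN_REG 0   /* hypothetical register index: length of the next frame */
#define MAX_FRAME     64  /* hypothetical size of the driver's receive buffer     */

/* Simulated device. A malicious device answers honestly for the first
 * reads_until_flip reads of FRAME_LEN_REG and then reports flipped_len. */
struct sim_dev {
    uint32_t regs[4];
    int      reads_until_flip;  /* -1: honest device; n: flip after n reads */
    uint32_t flipped_len;       /* value reported after the flip */
    int      reads;
};

/* Stand-in for readl()/ioread32(): every call goes to the device, so the
 * compiler cannot merge the two reads and the device sees both of them. */
static uint32_t mmio_read32(struct sim_dev *dev, int reg)
{
    uint32_t v = dev->regs[reg];
    dev->reads++;
    if (reg == FRAME_LEN_REG && dev->reads_until_flip >= 0 &&
        dev->reads > dev->reads_until_flip)
        v = dev->flipped_len;
    return v;
}

/* Vulnerable pattern: the length is validated on one fetch and used on a
 * second fetch. A real driver would memcpy() 'len' bytes into a MAX_FRAME
 * buffer here; the model only reports what it would have copied. */
static int handle_frame_vulnerable(struct sim_dev *dev, size_t *copied)
{
    if (mmio_read32(dev, FRAME_LEN_REG) > MAX_FRAME)   /* first fetch: check */
        return -1;
    *copied = mmio_read32(dev, FRAME_LEN_REG);         /* second fetch: use  */
    return 0;
}

/* Hardened pattern: fetch once into a local, validate that copy, use that copy. */
static int handle_frame_fixed(struct sim_dev *dev, size_t *copied)
{
    uint32_t len = mmio_read32(dev, FRAME_LEN_REG);    /* single fetch */
    if (len > MAX_FRAME)
        return -1;
    *copied = len;
    return 0;
}

/* Constructed device: honest length 16, hostile length 4096 after the first read. */
static struct sim_dev make_dev(int malicious)
{
    struct sim_dev d = {{0}, -1, 4096, 0};
    d.regs[FRAME_LEN_REG] = 16;
    d.reads_until_flip = malicious ? 1 : -1;
    return d;
}

/* Bytes the handler would copy into its MAX_FRAME buffer (0 if it rejected the frame). */
size_t bytes_copied(int (*handler)(struct sim_dev *, size_t *), int malicious)
{
    struct sim_dev dev = make_dev(malicious);
    size_t copied = 0;
    if (handler(&dev, &copied) != 0)
        return 0;
    return copied;
}

int main(void)
{
    printf("honest device:    vulnerable=%zu fixed=%zu\n",
           bytes_copied(handle_frame_vulnerable, 0), bytes_copied(handle_frame_fixed, 0));
    printf("malicious device: vulnerable=%zu fixed=%zu (buffer is %d)\n",
           bytes_copied(handle_frame_vulnerable, 1), bytes_copied(handle_frame_fixed, 1),
           MAX_FRAME);
    return 0;
}
```

Against the honest device both handlers behave identically, which is why the bug survives testing with real hardware; only the hostile device exposes the 4096-byte copy into a 64-byte buffer. The fix is the one the pattern suggests: read the register once, keep the value in a kernel-owned local, and validate and use that local. If a driver genuinely has to re-read a register (for example, a status word that the device is expected to update), every re-read needs its own validation, because nothing in the I/O memory path prevents the device from changing the value between reads.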

Electronic Supplementary Material

jcst-33-3-587-Highlights.pdf (5.8 MB)

Journal of Computer Science and Technology
Pages 587-602
Cite this article:
Lu K, Wang P-F, Li G, et al. Untrusted Hardware Causes Double-Fetch Problems in the I/O Memory. Journal of Computer Science and Technology, 2018, 33(3): 587-602. https://doi.org/10.1007/s11390-018-1842-3
Received: 01 July 2017
Revised: 13 February 2018
Published: 11 May 2018
©2018 LLC & Science Press, China