Core Concepts
A novel static analysis technique that infers field-based locking rules and checks the code against these rules to detect potential race conditions in complex software like the Linux kernel.
Abstract
The paper presents a new static analysis technique called LLIF (Linux Lock Issue Finder) to detect potential race conditions in the Linux kernel. The key aspects of the approach are:
Inferring Locking Rules:
LLIF infers field-based locking rules by tracking which locks cover which field accesses in the code.
This is done in a scalable, outlier-based manner, without relying on lockset analysis.
The inferred rules capture which locks are required to protect each field.
Detecting Violations:
LLIF checks the code against the inferred locking rules to detect potential race conditions.
It uses a context-sensitive mechanism to reduce false positives by considering the context of similar field accesses.
LLIF also applies several heuristics to filter out intentionally unprotected accesses, such as initialization/cleanup code, unlocked check-locked recheck patterns, and concurrency-safe functions.
Evaluation:
LLIF was evaluated on Linux kernel version 5.14.11.
It was able to detect 11 out of 14 known security vulnerabilities related to race conditions.
For new issues, LLIF reported 1214 potential race conditions, which were manually categorized into 257 true positives, 169 false positives, and 185 unknowns.
The context-sensitivity and heuristics were shown to be effective in reducing the false positive rate from 75.44% to 39.67%.
LLIF found and reported 24 new bugs in Linux 5.14.11, 23 of which have been fixed.