Abstract
Open-source kernels have been adopted by massive downstream vendors on billions of devices. However, these vendors often omit or delay the adoption of patches released in the mainstream version. Worse, many vendors do not publicize their patching progress, or even disclose misleading information, even though patching status is critical for groups (e.g., governments and enterprise users) that are sensitive to security threats. Such practice motivates the need for reliable patch presence testing for downstream kernels. Currently, the best means of patch presence testing is to examine the existence of a patch in the target kernel by code signature matching. However, such an approach cannot address the key challenges in practice: downstream vendors widely customize the mainstream code and use non-standard build configurations, which often change the code around the patching sites such that code signatures become ineffective. In this work, we propose PDiff, a system to perform highly reliable patch presence testing on downstream kernel images. Technically speaking, PDiff generates summaries carrying the semantics related to a target patch. Based on the semantic summaries, PDiff compares the target kernel with its mainstream version both before and after the adoption of the patch, and determines the patching status from whichever reference version is closer. Unlike previous research on patch presence testing, our approach examines similarity based on the semantics of patches and therefore provides high tolerance to code-level variations. Our test with 398 kernel images corresponding to 51 patches shows that PDiff achieves high accuracy with an extremely low false-negative rate and zero false positives, significantly outperforming the state-of-the-art tool. More importantly, PDiff demonstrates consistently high effectiveness when code customization and non-standard build configurations occur.
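The two-reference comparison the abstract describes, as an added illustration that is not PDiff's code and does not reproduce the paper's method: PDiff derives its semantic summaries from kernel images by program analysis, whereas the summary below is a hypothetical, deliberately simple textual stand-in (comparisons with local identifiers normalized away, call targets, and return values) applied to constructed C source snippets. The function `cmd_copy`, the bounds-check patch, the constants `DEV_BUF_SIZE` and `EINVAL`, and the vendor's `vendor_trace` customization are all invented for the example. What it shows is only the structural point: a signature match on the patch's added lines fails once the vendor renames a variable and reformats the block, while measuring the target's distance to both the pre-patch and the post-patch reference still classifies it correctly, because customization unrelated to the patch moves the target away from both references by the same amount.

```python
"""Two-reference patch presence check on constructed samples.

Summaries here are a simplified textual stand-in for the semantic
summaries in the paper; they are not PDiff's representation.
"""
import re
from collections import Counter

# Constructed upstream function before and after a hypothetical
# bounds-check patch (all names and constants are invented).
PRE_PATCH = """
int cmd_copy(struct dev *d, const u8 *src, size_t len)
{
    memcpy(d->buf, src, len);
    return 0;
}
"""

POST_PATCH = """
int cmd_copy(struct dev *d, const u8 *src, size_t len)
{
    if (len > DEV_BUF_SIZE)
        return -EINVAL;
    memcpy(d->buf, src, len);
    return 0;
}
"""

# Constructed downstream builds: renamed variables, braces, and vendor
# tracing differ from upstream; one carries the check, one does not.
DOWNSTREAM_PATCHED = """
int cmd_copy(struct dev *dev, const u8 *data, size_t length)
{
    if (length > DEV_BUF_SIZE) {
        vendor_trace("cmd_copy: oversized request");
        return -EINVAL;
    }
    memcpy(dev->buf, data, length);
    vendor_trace("cmd_copy: ok");
    return 0;
}
"""

DOWNSTREAM_UNPATCHED = """
int cmd_copy(struct dev *dev, const u8 *data, size_t length)
{
    memcpy(dev->buf, data, length);
    vendor_trace("cmd_copy: ok");
    return 0;
}
"""

# The lines the patch added, as a code-signature matcher would search for them.
PATCH_SIGNATURE = ["if (len > DEV_BUF_SIZE)", "return -EINVAL;"]

KEYWORDS = {"if", "else", "while", "for", "return", "sizeof", "switch"}
CMP_RE = re.compile(r"(\w+)\s*(==|!=|<=|>=|<|>)\s*(\w+)")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
RET_RE = re.compile(r"\breturn\s+([^;]+);")


def signature_match(code: str, signature) -> bool:
    """Naive signature test: every added line must appear verbatim."""
    lines = [line.strip() for line in code.splitlines()]
    return all(sig in lines for sig in signature)


def _norm(expr: str) -> str:
    """Replace local identifiers with a placeholder; keep numeric literals
    and ALL_CAPS macros, which carry the patch's meaning (e.g. the limit)."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.isupper() or tok.isdigit() else "ID"
    return re.sub(r"[A-Za-z_]\w*|\d+", repl, expr.strip())


def summarize(code: str) -> Counter:
    """Stand-in semantic summary: a multiset of comparison, call and
    return features with vendor-renamed identifiers normalized away."""
    feats = Counter()
    for lhs, op, rhs in CMP_RE.findall(code):
        feats[("cmp", _norm(lhs), op, _norm(rhs))] += 1
    for name in CALL_RE.findall(code):
        if name not in KEYWORDS:
            feats[("call", name)] += 1
    for expr in RET_RE.findall(code):
        feats[("ret", _norm(expr))] += 1
    return feats


def similarity(a: Counter, b: Counter) -> float:
    """Weighted Jaccard similarity of two feature multisets."""
    keys = set(a) | set(b)
    inter = sum(min(a[k], b[k]) for k in keys)
    union = sum(max(a[k], b[k]) for k in keys)
    return inter / union if union else 1.0


def patch_status(target: str, pre: str, post: str) -> str:
    """Classify by whichever reference version the target is closer to."""
    s = summarize(target)
    to_pre = similarity(s, summarize(pre))
    to_post = similarity(s, summarize(post))
    if to_post > to_pre:
        return "patched"
    if to_pre > to_post:
        return "unpatched"
    return "undecided"


if __name__ == "__main__":
    for name, code in [("downstream-patched", DOWNSTREAM_PATCHED),
                       ("downstream-unpatched", DOWNSTREAM_UNPATCHED)]:
        print(name, "signature:", signature_match(code, PATCH_SIGNATURE),
              "two-reference:", patch_status(code, PRE_PATCH, POST_PATCH))
```

On the patched downstream sample the signature test returns False (a false negative: the added line now reads `if (length > DEV_BUF_SIZE) {`), while the two-reference comparison scores it closer to the post-patch reference than to the pre-patch one. The vendor's extra `vendor_trace` calls lower its similarity to both references equally, so they do not flip the decision; the only features that separate the two references are the bounds comparison and the `-EINVAL` return, which is exactly what the patch contributed.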
| Original language | English (US) |
|---|---|
| Title of host publication | CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security |
| Publisher | Association for Computing Machinery |
| Pages | 1149-1163 |
| Number of pages | 15 |
| ISBN (Electronic) | 9781450370899 |
| DOIs | |
| State | Published - Oct 30 2020 |
| Event | 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020 - Virtual, Online, United States; Duration: Nov 9 2020 → Nov 13 2020 |
Publication series
| Name | Proceedings of the ACM Conference on Computer and Communications Security |
|---|---|
| ISSN (Print) | 1543-7221 |
Conference
| Conference | 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020 |
|---|---|
| Country/Territory | United States |
| City | Virtual, Online |
| Period | 11/9/20 → 11/13/20 |
Funding
We would like to thank our shepherd Andrea Continella and the anonymous reviewers for their helpful comments. This work was supported in part by the National Natural Science Foundation of China (U1636204, U1836210, U1836213, U1736208, 61972099), the Natural Science Foundation of Shanghai (19ZR1404800), and the National Program on Key Basic Research (NO. 2015CB358800). Min Yang is the corresponding author, and a faculty member of Shanghai Institute of Intelligent Electronics & Systems, Shanghai Institute for Advanced Communication and Data Science, and Engineering Research Center of CyberSecurity Auditing and Monitoring, Ministry of Education, China.
Keywords
- linux kernel security
- patch presence test
- patch semantics
ASJC Scopus subject areas
- Software
- Computer Networks and Communications