A Context-Sensitive, Outlier-Based Static Analysis to Find Kernel Race Conditions

Niels Dossche, Bert Abrath, Bart Coppens

TL;DR

The paper tackles the problem of race conditions in large, concurrent kernel codebases where locking rules are frequently implicit. It introduces LLIF, an outlier-based, context-sensitive static analyzer that first infers field-level locking rules from code and then checks the code against those rules to detect violations, while pruning false positives through context and heuristics. The authors demonstrate effectiveness by evaluating LLIF on Linux kernel v5.14.11, identifying known CVEs and discovering new issues, with 24 patches confirmed by maintainers. Extensions and ethical considerations are discussed, including static validation of Lockdep assertions, reader-writer lock checks, and responsible reporting to kernel developers. The work provides a scalable, open-source tool for improving kernel locking discipline and security, with practical impact demonstrated by real-world patching outcomes.

Abstract

Race conditions are a class of bugs in software where concurrent accesses to shared resources are not protected from each other. Consequences of race conditions include privilege escalation, denial of service, and memory corruption, which can potentially lead to arbitrary code execution. However, in large code bases the exact rules as to which fields should be accessed under which locks are not always clear. We propose a novel static technique that infers rules for how field accesses should be locked, and then checks the code against these rules. Traditional static analysers for detecting race conditions are based on lockset analysis. Instead, we propose an outlier-based technique enhanced with a context-sensitive mechanism that scales well. We have implemented this analysis in LLIF, and evaluated it to find incorrectly protected field accesses in Linux v5.14.11. We thoroughly evaluate its ability to find race conditions, and study the causes for false positive reports. In addition, we reported a subset of the issues and submitted patches. The maintainers confirmed 24 bugs.
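The core idea in the abstract, inferring a field's locking rule from the majority of its accesses and reporting the minority that deviate, can be shown on a small scale. The following is an added illustration written for this page, not LLIF's code: the struct fields, function names and held-lock sets are constructed, the rule is simply the lock most often held at a field's access sites, and an access is an outlier if it does not hold that lock. The reporting threshold defaults to 1/6 because the paper's Figure 2 categorises results at 16.67%; treating the threshold as "report a field only when the deviating share of its accesses is at most this fraction" is an assumption of this example, and the paper's context-sensitivity and pruning heuristics are not modelled.

```python
"""Toy outlier-based inference of field locking rules (added example, not LLIF)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Access:
    field: str              # struct field being read or written, e.g. "dev.refcnt"
    function: str           # function containing the access site (constructed name)
    locks_held: frozenset   # names of locks held at that site (constructed)

@dataclass
class Report:
    field: str
    inferred_lock: Optional[str]   # the lock most often held across all accesses
    outlier_fraction: float        # share of accesses that do not hold it
    outliers: list = field(default_factory=list)

# Constructed sample of access sites, standing in for what a static pass would
# collect while walking the call graph. No real kernel field or function is named.
ACCESSES = [
    # 7 locked accesses and 1 unlocked one: a strong rule with one deviation
    *(Access("dev.refcnt", f"dev_get_{i}", frozenset({"dev->lock"})) for i in range(7)),
    Access("dev.refcnt", "dev_release_fast", frozenset()),
    # 3 under dev->lock, 1 unlocked, 1 under a different lock: too mixed for a rule
    *(Access("dev.stats", f"dev_stats_{i}", frozenset({"dev->lock"})) for i in range(3)),
    Access("dev.stats", "dev_stats_poll", frozenset()),
    Access("dev.stats", "dev_stats_dump", frozenset({"rtnl_lock"})),
    # never accessed under any lock: nothing to infer a rule from
    *(Access("dev.name", f"dev_name_{i}", frozenset()) for i in range(4)),
]

def infer_rules(accesses):
    """Group accesses by field and infer the majority lock for each field."""
    by_field = {}
    for a in accesses:
        by_field.setdefault(a.field, []).append(a)
    reports = []
    for fld, accs in by_field.items():
        held = Counter(lock for a in accs for lock in a.locks_held)
        if not held:
            continue  # the field is never locked anywhere, so there is no rule to check
        lock, _ = held.most_common(1)[0]
        outliers = [a for a in accs if lock not in a.locks_held]
        reports.append(Report(fld, lock, len(outliers) / len(accs), outliers))
    return reports

def find_violations(accesses, threshold=1 / 6):
    """Report fields whose deviating accesses are a small minority (assumed semantics)."""
    return [r for r in infer_rules(accesses) if 0 < r.outlier_fraction <= threshold]

if __name__ == "__main__":
    for r in find_violations(ACCESSES):
        sites = ", ".join(a.function for a in r.outliers)
        print(f"{r.field}: usually under {r.inferred_lock}; "
              f"{r.outlier_fraction:.1%} of accesses without it -> {sites}")
```

Run as a script, this flags only `dev.refcnt`: the single unlocked access in `dev_release_fast` is 12.5% of its sites, under the 16.67% threshold. `dev.stats` gets a rule (`dev->lock`) but 40% of its accesses deviate, so the majority is too weak to call the rest violations, and `dev.name` yields no rule at all. Real analyses have to decide the same two things, what counts as the rule and how small a minority is suspicious, and the paper's evaluation of thresholds and heuristics is about exactly those choices.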

Paper Structure (46 sections, 6 figures, 4 tables)

Figures (6)

  • Figure 1: Example of a diagram illustrating the context distance weighting. Dashed rectangles indicate an unlocked access, full rectangles indicate a locked access.
  • Figure 1: Forward-ported vulnerabilities, with the minimal threshold required to detect them, and the number of locked & unlocked accesses found.
  • Figure 2: Categorised cases at 16.67% threshold, including a comparison of the influence of the heuristics and context-sensitivity. H indicates the heuristics, C indicates context-sensitivity. A plus symbol means the technique is enabled while a minus symbol means it is disabled.
  • Figure 3: Division of reported issues in probable true positives, false positives, and unknowns (relative numbers)
  • Figure 3: Comparison with related static and hybrid analysers for locking bugs in kernels. The RC, DL, SAC and UAF in the Goal field represent race condition, deadlock, sleep-in-atomic context and use-after-free. LS means lockset, SLS means symbolic lockset, RLS means relative lockset, C means custom and O means outlier-based. indicates the whole kernel is analysed, indicates device drivers and filesystems are analysed and indicates only device drivers are analysed.
  • ...and 1 more figure