Researchers in Georgia Tech’s School of Computer Science have modeled and detected a unique type of logic bug, a nefarious brand of malware that causes a system to operate incorrectly without crashing and creates vulnerabilities.

The double-fetch bug, presented in a paper at the 2018 IEEE Symposium on Security and Privacy on May 21-23 in San Francisco, is a special type of logic bug that can cause data inconsistencies in the program’s execution path and compromise security.

“We think we can find a systematic way to model and detect the double-fetch bug,” said SCS Ph.D. student Meng Xu, one of the researchers on the project. “We hope we can apply this experience to detect other types of logic bugs in kernels.”

Defining the double-fetch bug

The kernel is the core of an operating system. One bug in the kernel can take down the entire application. Yet this type of bug is inherently hard to detect.

A double-fetch bug operates when a kernel reads the userspace memory (i.e. random access memory calls) more than once while simultaneously a user thread scrambles the information in the region. This causes data inconsistences that open the kernel up to security vulnerabilities.

The researchers created a tool called Deadline to identify and cull double-fetch bugs in three steps.

1. They formally define the conditions that two consecutive userspace fetches have to satisfy before it’s a considered a double-fetch bug.
2. They use a static analysis (a way to examine the code without running the program) to collect as many fetch pairs as possible based on the kernel source code.
3. They apply symbolic checking (converting the code into symbolic representations tested against the double-fetch criteria) on each of the fetch pairs to determine whether they are double-fetch bugs.

Thinking outside the kernel

Using this method, the researchers tested Deadline on Linux and FreeBSD kernels, finding 23 new bugs in Linux and one in FreeBSD.

Double-fetch bugs may lurk in more than just kernels, but any memory region divided into subregions or reading a system multiple times. This means double-fetch bugs could be in hypervisors (Xen, KVM), trusted execution environments (SGX, TrustZone), and even OS-like userspace programs like Chrome.

Yet this research could go beyond double-fetch bugs. They believe this method — creating a formal definition for a systematic approach, using static analysis for scalability and coverage, and verifying with symbolic checking for precision — can be used to create more bug-finding tools.

This research was presented in a paper, titled Precise and Scalable Detection of Double-Fetch Bugs in Kernels, at 2018 IEEE Symposium on Security and Privacy. The research is the work of SCS Ph.D. students Meng Xu and Chenxiong Qian, University of Minnesota Assistant Professor Kangjie Lu, Chairman and Scientific Director of the CISPA Helmholtz Center i.G. Michael Backes, and SCS Assistant Professor Taesoo Kim.