{"606333":{"#nid":"606333","#data":{"type":"news","title":"Georgia Tech Researchers Find New Way to Detect Logic Bugs","body":[{"value":"\u003Cp\u003EResearchers in Georgia Tech\u0026rsquo;s School of Computer Science have modeled and detected a unique type of logic bug, a nefarious brand of malware that causes a system to operate incorrectly without crashing and creates vulnerabilities.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe double-fetch bug, presented in a paper at the \u003Ca href=\u0022https:\/\/www.ieee-security.org\/TC\/SP2018\/\u0022\u003E2018 IEEE Symposium on Security and Privacy\u003C\/a\u003E on May 21-23 in San Francisco, is a special type of logic bug that can cause data inconsistencies in the program\u0026rsquo;s execution path and compromise security.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;We think we can find a systematic way to model and detect the double-fetch bug,\u0026rdquo; said SCS Ph.D. student \u003Ca href=\u0022https:\/\/www.cc.gatech.edu\/~mxu80\/\u0022\u003E\u003Cstrong\u003EMeng Xu\u003C\/strong\u003E\u003C\/a\u003E\u003Cstrong\u003E,\u003C\/strong\u003E one of the researchers on the project. \u0026ldquo;We hope we can apply this experience to detect other types of logic bugs in kernels.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EDefining the double-fetch bug\u003C\/strong\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe kernel is the core of an operating system. One bug in the kernel can take down the entire application. Yet this type of bug is inherently hard to detect.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EA double-fetch bug operates when a kernel reads the userspace memory (i.e. random access memory calls) more than once while simultaneously a user thread scrambles the information in the region. 
This causes data inconsistencies that open the kernel up to security vulnerabilities.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe researchers created a tool called Deadline to identify and cull double-fetch bugs in three steps.\u003C\/p\u003E\r\n\r\n\u003Col\u003E\r\n\t\u003Cli\u003EThey formally define the conditions that two consecutive userspace fetches have to satisfy before the pair is considered a double-fetch bug.\u003C\/li\u003E\r\n\t\u003Cli\u003EThey use a static analysis (a way to examine the code without running the program) to collect as many fetch pairs as possible based on the kernel source code.\u003C\/li\u003E\r\n\t\u003Cli\u003EThey apply symbolic checking (converting the code into symbolic representations tested against the double-fetch criteria) on each of the fetch pairs to determine whether they are double-fetch bugs.\u003C\/li\u003E\r\n\u003C\/ol\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EThinking outside the kernel\u003C\/strong\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003EUsing this method, the researchers tested Deadline on Linux and FreeBSD kernels, finding 23 new bugs in Linux and one in FreeBSD.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EDouble-fetch bugs may lurk not only in kernels but in any memory region divided into subregions or any system that is read multiple times. This means double-fetch bugs could be in hypervisors (Xen, KVM), trusted execution environments (SGX, TrustZone), and even OS-like userspace programs like Chrome.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EYet this research could go beyond double-fetch bugs. 
They believe this method \u0026mdash; creating a formal definition for a systematic approach, using static analysis for scalability and coverage, and verifying with symbolic checking for precision \u0026mdash; can be used to create more bug-finding tools.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThis research was presented in a paper, titled \u003Ca href=\u0022https:\/\/www.computer.org\/csdl\/proceedings\/sp\/2018\/4353\/00\/435301a270-abs.html\u0022\u003E\u003Cem\u003EPrecise and Scalable Detection of Double-Fetch Bugs in Kernels\u003C\/em\u003E\u003C\/a\u003E, at \u003Ca href=\u0022https:\/\/www.ieee-security.org\/TC\/SP2018\/\u0022\u003E2018 IEEE Symposium on Security and Privacy\u003C\/a\u003E. The research is the work of SCS Ph.D. students Meng Xu and \u003Ca href=\u0022http:\/\/0-14n.github.io\/\u0022\u003E\u003Cstrong\u003EChenxiong Qian\u003C\/strong\u003E\u003C\/a\u003E, University of Minnesota Assistant Professor \u003Cstrong\u003EKangjie Lu\u003C\/strong\u003E, Chairman and Scientific Director of the CISPA Helmholtz Center i.G. 
\u003Cstrong\u003EMichael Backes\u003C\/strong\u003E, and SCS Assistant Professor \u003Ca href=\u0022https:\/\/taesoo.kim\/\u0022\u003E\u003Cstrong\u003ETaesoo Kim\u003C\/strong\u003E\u003C\/a\u003E.\u003C\/p\u003E\r\n","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"Georgia Tech researchers created Deadline, a new tool to find double-fetch bugs."}],"uid":"34541","created_gmt":"2018-05-21 15:53:39","changed_gmt":"2018-05-21 16:13:12","author":"Tess Malone","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2018-05-21T00:00:00-04:00","iso_date":"2018-05-21T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"606334":{"id":"606334","type":"image","title":"Double-fetch bug","body":null,"created":"1526919164","gmt_created":"2018-05-21 16:12:44","changed":"1526919164","gmt_changed":"2018-05-21 16:12:44","alt":"Two dogs fetch","file":{"fid":"231255","name":"2786948178_fa220ddd6f_b.jpg","image_path":"\/sites\/default\/files\/images\/2786948178_fa220ddd6f_b.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/2786948178_fa220ddd6f_b.jpg","mime":"image\/jpeg","size":326945,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/2786948178_fa220ddd6f_b.jpg?itok=zjkOgw45"}}},"media_ids":["606334"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"50875","name":"School of Computer Science"}],"categories":[],"keywords":[],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003ETess Malone, Communications Officer\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Ca 
href=\u0022mailto:tess.malone@cc.gatech.edu\u0022\u003Etess.malone@cc.gatech.edu\u003C\/a\u003E\u003C\/p\u003E\r\n","format":"limited_html"}],"email":["tess.malone@cc.gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}