UniSan: Uninitialized Data Leak Sanitizer

Overview

UniSan aims to eliminate all information leaks caused by uninitialized data reads in OS kernels. OS kernels employ security mechanisms, kASLR and StackGuard, to prevent code-reuse and privilege escalation attacks. However, the common information leaks in OS kernels render these security mechanisms ineffective. Clearly, information leaks may also directly leak sensitive data such as cryptographic keys in OS kernels. According to a previous study and our study, most kernel information leaks are caused by uninitialized data reads.

UniSan is a novel, compiler-based approach that uses byte-level, flow-sensitive, context-sensitive, and field-sensitive initialization analysis and reachability analysis to check whether an allocation has been fully initialized when it leaves kernel space; if not, it automatically instruments the kernel to zero-initialize this allocation. UniSan is robust because its zero-initialization to allocations would not break original semantics. Also, UniSan is conservative to eliminate false negatives. We implemented UniSan as passes of LLVM. By applying it to the latest Linux kernel and Android kernel, we confirmed that UniSan can successfully prevent known and many new uninitialized data leak vulnerabilities, with a negligible performance overhead.

Publications

  • UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages (ACM CCS 2016) [paper]

Discovered Vulnerabilities

  • CVE-2016-5243: stack object link_info in tipc_nl_compat_link_dump() is discloseed without being initialized, causing kernel infoleak of up to 60 bytes.
  • CVE-2016-4569: stack object dte_facilities in x25_negotiate_facilities() is disclosed without being initialized, causing kernel infoleak of up to 8 bytes.
  • CVE-2016-4578: ASLA: Two Linux kernel information leak vulnerabilities in timer
  • CVE-2016-4569: ASLA: a Linux kernel information leak vulnerability in timer (stack object tread)
  • CVE-2016-4486: netlink: an uninitialized data leak in linux kernel (stack object map in net/core/rtnetlink.c)
  • CVE-2016-4482: usb: an uninitialized data leak in linux kernel (stack object ci in devio.c)
  • CVE-2016-4485: llc: an uninitialized data leak in linux kernel (stack object info in file net/llc/af_llc.c)
  • CVE-2016-5244: rds: stack object minfo in net/rds/recv.c is disclosed without being fully initialized, causing 1 byte kernel infoleak.
  • Many more...