Mining Windows Kernel API Rules

16
Mining Windows Kernel API Rules Jinlin Yang [email protected] 09/28/2005 CS696

TAGS:

description

Mining Windows Kernel API Rules. Jinlin Yang [email protected] 09/28/2005CS696. My Background. Bounded exhaustive testing, 09/2001-01/2004 - PowerPoint PPT Presentation

Transcript of Mining Windows Kernel API Rules

Page 1: Mining Windows Kernel API Rules

Mining Windows Kernel API Rules

Jinlin Yang

[email protected]

09/28/2005 CS696

mailto:[email protected]
Page 2: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 2

My Background

• Bounded exhaustive testing, 09/2001-01/2004– D. Coppit, J. Yang, S. Khurshid, W. Le, and K. Sullivan. Software Assurance by Bounded

Exhaustive Testing. IEEE Transactions on Software Engineering. April 2005

– K. Sullivan, J. Yang, D. Coppit, S. Khurshid, and D. Jackson. Software Assurance by Bounded Exhaustive Testing. ISSTA ‘04

• Temporal properties inference, 01/2004-present– J. Yang and D. Evans. Dynamically Inferring Temporal Properties. PASTE ’04

– J. Yang and D. Evans. Automatically Inferring Temporal Properties for Program Evolution. ISSRE ’04

– J. Yang and D. Evans. Automatically Discovering Temporal Properties for Program Verification. Submitted to FMSD

– J. Yang, D. Evans, D. Bhardwah, T. Bhat, and M. Das. Terracotta: Mining Temporal API Rules from Imperfect Traces. Submitted to ICSE ‘06

Page 3: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 3

Overview

• Problem: unavailability of specification is a big issue in defect detection

• Solution: automatically inferring specification from execution traces

• Benefits: better understanding of legacy code and opportunity to find more defects– Experiments on finding kernel API rules– Found one previously unknown bug in Windows– Found interesting properties that should have been checked

Page 4: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 4

Problem

• Defect detection technique• Generic properties

– E.g. pointer and buffer usage– PREfix [Bush et al, SP&E00], PREfast– Very effective

• Application specific properties– E.g. lock/unlock, resource creation/deletion– SLAM/SDV [Ball et al, SPIN01], ESP [Das et al, PLDI02]

• Where do we get such properties?

Page 5: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 5

My Approach

ProgramInstrumented

Program

Instrumentation

Test Suite

ExecutionTraces

Running

Inferred Properties

PropertyTemplates

Inference

Post-processing

Report

J. Yang and D. Evans. Dynamically inferring temporal properties. PASTE ‘04.

Page 6: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 6

An Example

• Alternating template

(PS)*, P≠S. P and S are placeholders

Lock::acq Lock::rel Lock::acq Lock::rel

P=Lock::acq and S=Lock::rel

P=Lock::rel and S=Lock::acq

PSPS

SPSP

Lock::acqLock::rel

Lock::relLock::acq

Page 7: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 7

Implementation

• Terracotta– Inference engine– Context-aware trace analysis– Heuristics for prioritizing and presenting

properties

• Performance linear to length of trace and number of distinct events

• More information

http://www.cs.virginia.edu/terracotta

http://www.cs.virginia.edu/terracotta
http://www.cs.virginia.edu/terracotta
http://www.cs.virginia.edu/terracotta
Page 8: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 8

Lessons

• Missing interesting properties– Original algorithm requires 100% satisfaction

• Real world is never perfect – Trace collected by sampling– Object information unavailable – Imperfect programs

• Can we develop better inference to handle this?

• Too many noises in results– Interesting properties are buried in a group of uninteresting ones

• Can we develop heuristics to select interesting ones?

Page 9: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 9

Refinement of Inference

• How to detect interesting properties in face of imperfect traces?

• Example– PS PS PS PS PS PS PS PS PS PPP– The dominant behavior is P and S alternate– 10 subtraces, 90% satisfy Alternating

Page 10: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 10

Refinement of Inference (2)

• How to pick out interesting properties?

• Which one is more likely to be interesting?– Heuristics: CD is often more interesting– Compute call graph for windows binaries– Keep AB if B is not reachable from A

void A(){ ... B(); ...}

Case 1

void x(){ C(); ... D();}

Case 2

void KeSetTimer(){ KeSetTimerEx();}

void x(){ ExAcquireFastMutexUnsafe(&m); ... ExReleaseFastMutexUnsafe(&m);}

Page 11: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 11

Refinement of Inference (3)

• Heuristics: the more similar two events are, the more likely that the properties is interesting

• Relative edit distance between A and B– Partition A and B into words

– A has wA words, B has wB, w common words

• For example:– Ke Acquire In Stack Queued Spin Lock

Ke Release In Stack Queued Spin Lock– Similarity = 85.7%

wwdistBA

AB

w

2

Page 12: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 12

Results: Kernel

• Approximation– PAL threshold = 0.90

– 7611 properties

• Call-graph and edit distance based reduction– Use the call-graph of ntoskrnl.exe, edit dist > 0.5– 142 properties. 53 times reduction!– Small enough for manual inspection

• 56 apparently interesting properties (40%)– Locking discipline– Resource allocation and deletion

Page 13: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 13

Result: Kernel (2)

• Found interesting properties that should be checked– Several types of kernel SpinLock– The Static Device Verifier should have checked them

• ESP found one previously unknown bug in ntfs.sys – Double-acquire of FastMutex– Confirmed and fixed by the responsible developers

M. Das, S. Lerner, and M. Seigle. ESP: Path-Sensitive Program Verification in Polynomial Time. PLDI ‘02

Static Driver Verifier: Finding Bugs in Device Drivers at Compile-Time. WinHEC, April 2004.

Page 14: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 14

Summary of Experiments

• We inferred interesting rules about kernel APIs!– SDV already encodes some propertieshttp://download.microsoft.com/download/5/b/5/5b5bec17-ea71-4653-9539-204a672f11cf/SDV-intro.doc

– We inferred undocumented ones too

• Inference scales well to realistic traces• Approximation is effective in tolerating imperfect traces

and detect dominant patterns• Call-graph and edit distance based reduction is very

effective• Check with defect detection tool is promising• Other experiments: Vulcan APIs, Daisy file system

http://download.microsoft.com/download/5/b/5/5b5bec17-ea71-4653-9539-204a672f11cf/SDV-intro.doc
Page 15: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 15

Conclusion

• Constructing interesting properties is important and difficult

• Automatic inference from execution traces is light-weight and effective

• Practical values– Helping developers understand legacy code– Giving us opportunity of leveraging sophisticated static analysis

tools to find application specific defects

Page 16: Mining Windows Kernel API Rules

09/28/2005 Jinlin Yang, CS696 16

Q & A

• For more information

[email protected]

http://www.cs.virginia.edu/terracotta

• Great collaborators– UVa

David Evans, Ed Mitchell

– Microsoft

Stephen Adams,

Deepali Bhardwaj,

Thirumalesh Bhat,

Manuvir Das,

Damian Hasse,

Marne Staples, Rick Vicik,

Jason Yang, Zhe Yang

mailto:[email protected]
http://www.cs.virginia.edu/terracotta

Mining Energy-Greedy API Usage Patterns in Android …denys/pubs/MSR14-Android-energy-CRC.pdf · Mining Energy-Greedy API Usage Patterns in Android Apps: ... 3 510 % of the total

Mining Energy-Greedy API Usage Patterns in Android …denys/pubs/MSR14-Android-energy-CRC.pdf · Mining Energy-Greedy API Usage Patterns in Android Apps: ... 3 510 % of the total

Data mining in genetics - USPvision.ime.usp.br/~jb/lectures/bioinformatics/datamining.pdf · Data mining. P1 P2 Pn Pi : analytical and mining procedures ( kernel parallel ) Objected

Data mining in genetics - USPvision.ime.usp.br/~jb/lectures/bioinformatics/datamining.pdf · Data mining. P1 P2 Pn Pi : analytical and mining procedures ( kernel parallel ) Objected

Graph mining with kernel self-organizing map

Graph mining with kernel self-organizing map

Kernel Crypto API Cryptographic Module version 1.0 FIPS ... · The Ubuntu Kernel Crypto API Cryptographic Module (hereafter referred to as “the module”) is a software module running

Kernel Crypto API Cryptographic Module version 1.0 FIPS ... · The Ubuntu Kernel Crypto API Cryptographic Module (hereafter referred to as “the module”) is a software module running

Mining API mapping for language migration - Presentation

Mining API mapping for language migration - Presentation

Kernel 8.0 and Kernel Toolkit 7.3 Developer's Guide Web viewDeveloper’s Guide. ... Added the following APIs to the “Application Programming Interface (API) ... 572. 31.7.16$$COT^XLFMTH():

Kernel 8.0 and Kernel Toolkit 7.3 Developer's Guide Web viewDeveloper’s Guide. ... Added the following APIs to the “Application Programming Interface (API) ... 572. 31.7.16$$COT^XLFMTH():

Mining Point Cloud Local Structures by Kernel Correlation and …openaccess.thecvf.com/content_cvpr_2018/papers/Shen... · 2018-06-11 · Mining Point Cloud Local Structures by Kernel

Mining Point Cloud Local Structures by Kernel Correlation and …openaccess.thecvf.com/content_cvpr_2018/papers/Shen... · 2018-06-11 · Mining Point Cloud Local Structures by Kernel

ACR89U Handheld Smart Card Readerdownloads.acs.com.hk/drivers/en/API-ACR89U-1.00.pdf · (FreeRTOS) Kernel. FreeRTOS kernel is a scale-able real time kernel designed specifically for

ACR89U Handheld Smart Card Readerdownloads.acs.com.hk/drivers/en/API-ACR89U-1.00.pdf · (FreeRTOS) Kernel. FreeRTOS kernel is a scale-able real time kernel designed specifically for

Kernel 8.0: Patches XU*8.0*608, 607, and 672 Lock Manager ...2.2 Application Programming Interface (API)—Lock Dictionary ..... 45 Kernel 8.0: Patches XU*8.0*608, 607, and 672 Lock

Kernel 8.0: Patches XU*8.0*608, 607, and 672 Lock Manager ...2.2 Application Programming Interface (API)—Lock Dictionary ..... 45 Kernel 8.0: Patches XU*8.0*608, 607, and 672 Lock

Workload Consolidation with ACRNTM Hypervisor · Trusty API vPIC/vLAPIC/ vIOAPIC/vMSI ACRN Device Model (Mediators) VM Manager Linux VM virtio FE Drivers User Kernel User Kernel VM

Workload Consolidation with ACRNTM Hypervisor · Trusty API vPIC/vLAPIC/ vIOAPIC/vMSI ACRN Device Model (Mediators) VM Manager Linux VM virtio FE Drivers User Kernel User Kernel VM

Terracotta: Mining Temporal API Rules from Imperfect Traces · Terracotta: Mining Temporal API Rules from Imperfect Traces Jinlin Yang University of Virginia jinlin@cs.virginia.edu

Terracotta: Mining Temporal API Rules from Imperfect Traces · Terracotta: Mining Temporal API Rules from Imperfect Traces Jinlin Yang University of Virginia [email protected]

Mining Point Cloud Local Structures by Kernel Correlation ... · Mining Point Cloud Local Structures by Kernel Correlation and Graph Pooling Yiru Sheny yirus@g.clemson.edu Chen Fengz

Mining Point Cloud Local Structures by Kernel Correlation ... · Mining Point Cloud Local Structures by Kernel Correlation and Graph Pooling Yiru Sheny [email protected] Chen Fengz

Terracotta: Mining Temporal API Rules from Imperfect Traces · 2005-11-22 · Terracotta: Mining Temporal API Rules from Imperfect Traces Jinlin Yang University of Virginia jinlin@cs.virginia.edu

Terracotta: Mining Temporal API Rules from Imperfect Traces · 2005-11-22 · Terracotta: Mining Temporal API Rules from Imperfect Traces Jinlin Yang University of Virginia [email protected]

Data Mining and Statistical Learning - 2008 1 Kernel methods - overview Kernel smoothers Local regression Kernel density estimation Radial basis.

Data Mining and Statistical Learning - 2008 1 Kernel methods - overview Kernel smoothers Local regression Kernel density estimation Radial basis.

STRING KERNEL TESTING ACCELERATION USING MICRON S … · Motivation 3 • String Kernel (SK) is a widely used kernel in machine learning and text mining • Fast processing is required,

STRING KERNEL TESTING ACCELERATION USING MICRON S … · Motivation 3 • String Kernel (SK) is a widely used kernel in machine learning and text mining • Fast processing is required,

ACRN : A Big Little Hypervisor for IoT Development...Kernel User Kernel VM API Keystore Virtual Firmware Enclaves Enclaves Android World virtio FE Drivers User Kernel ... Dates below

ACRN : A Big Little Hypervisor for IoT Development...Kernel User Kernel VM API Keystore Virtual Firmware Enclaves Enclaves Android World virtio FE Drivers User Kernel ... Dates below

SFO15-200: TEE kernel driver - Amazon S3 · 2015-09-21 · Kernel driver - TEE subsystem Provides a generic API towards user space in Provides an API towards

SFO15-200: TEE kernel driver - Amazon S3 · 2015-09-21 · Kernel driver - TEE subsystem Provides a generic API towards user space in Provides an API towards

FIPS 140-2 Non-Proprietary Security Policy Oracle …...Oracle Linux 6 Kernel Crypto API Cryptographic Module with the version of the RPM file kernel-2.6.32 754.3.5.0.1.el6.x86_64.rpm

FIPS 140-2 Non-Proprietary Security Policy Oracle …...Oracle Linux 6 Kernel Crypto API Cryptographic Module with the version of the RPM file kernel-2.6.32 754.3.5.0.1.el6.x86_64.rpm

Data Mining the Twitter API: 2012 ALAO Annual Conference

Data Mining the Twitter API: 2012 ALAO Annual Conference

The Linux Kernel API - Egloospds14.egloos.com/pds/200902/24/48/kernel-api.pdf · 2009-02-24 · The Linux Kernel API This documentation is free software; you can redistribute it and/or

The Linux Kernel API - Egloospds14.egloos.com/pds/200902/24/48/kernel-api.pdf · 2009-02-24 · The Linux Kernel API This documentation is free software; you can redistribute it and/or