
Linux Kernel Taint Analyzer

This analyzer finds sites where data from userspace is used in an unsafe manner in the Linux kernel.

Example:

unsigned int i;

copy_from_user( &i, from, sizeof(unsigned int) );   /* i now holds a user-controlled value */

/* ...skipping lines... */

copy_to_user( to, from, i ); /* 1 */
s[i];                        /* 2 */
vmalloc( i, GFP_KERNEL );    /* 3 */

In 1) we see i used as a length argument when its upper bound has not been established. This would allow a malicious user to gain unauthorized access to kernel memory.

In 2) i is used as an array subscript.

In 3) i is used as the size parameter to a kernel memory allocation function.

The analyzer is able to determine when tainted values are made safe via a bounds check such as the following:

if ( i > UPPER_LIMIT ) return -EINVAL;
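Added example, not code from CQSAT or from the page: a user-space model of a request handler that applies the bounds check above before the three uses flagged in the example, so the tainted count is safe at each of them. copy_from_user, copy_to_user and the allocator are replaced by stand-ins (model_copy_from_user, memcpy, malloc) so it compiles outside the kernel; UPPER_LIMIT, the table s, init_table and handle_request are assumed names.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define UPPER_LIMIT 64u   /* assumed bound on the user-supplied count */

/* Table the handler reads. Sized UPPER_LIMIT + 1: the check rejects only
 * i > UPPER_LIMIT, so i == UPPER_LIMIT still reaches s[i]. */
static unsigned char s[UPPER_LIMIT + 1];

/* Stand-in for copy_from_user(): copies from a constructed "user" buffer and
 * returns 0 on success like the kernel helper. */
static int model_copy_from_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* Fills the table with a known pattern so results can be checked. */
void init_table(void)
{
    for (unsigned int k = 0; k <= UPPER_LIMIT; k++)
        s[k] = (unsigned char)(k * 3);
}

/* Request handler: the user supplies a count i; the handler returns s[i] and
 * copies the first i table bytes into `to`, which the caller guarantees holds
 * at least UPPER_LIMIT bytes. i is tainted on arrival; the one check below
 * makes all three later uses (copy length, subscript, allocation size) safe.
 * Returns s[i] (0..255) or a negative errno. */
long handle_request(const void *user_count, unsigned char *to)
{
    unsigned int i;
    unsigned char *buf;
    long ret;

    if (model_copy_from_user(&i, user_count, sizeof i))
        return -EINVAL;
    if (i > UPPER_LIMIT)            /* the sanitizing check: i <= UPPER_LIMIT past here */
        return -EINVAL;
    buf = malloc(i + 1);            /* 3: allocation size now bounded (kmalloc stand-in) */
    if (!buf)
        return -ENOMEM;
    memcpy(buf, s, i);
    ret = s[i];                     /* 2: subscript stays inside the table */
    memcpy(to, buf, i);             /* 1: copy length bounded (copy_to_user stand-in) */
    free(buf);
    return ret;
}
```

Note the off-by-one the check's form implies: `i > UPPER_LIMIT` admits i == UPPER_LIMIT, so a table of exactly UPPER_LIMIT entries would need `>=` instead.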

Results:

To install:

~ This is release 0.9b of the CQSAT kernel taint analyzer for Intel x86 platforms.

~ Download the tarball cqsat-lk-0.9b.tar.gz

~ As root, unroll the tarball in /usr/share:

# cd /usr/share && gzip -cd /tmp/cqsat-lk-0.9b.tar.gz | tar xf -

~ As root, run /usr/share/cqsat/bin/install.sh. This script only copies the main binary and manpage:

# /usr/share/cqsat/bin/install.sh

~ Depending on your system configuration you may need to configure CQSAT to use a different compiler. Review the information on the externals page.

~ NOTE: This is experimental beta-level software. You may encounter bugs and/or incompatibilities based on your specific environment and build configuration. Additionally, please note that this package is provided as a sample only without fee and as such many components and features have been omitted. Feedback is appreciated: feedback@cqsat.com.