K-Miner: Uncovering Memory Corruption in Linux

Memory-corruption vulnerabilities in kernel code remain a continuing problem for system security. For this reason, many techniques have been proposed and implemented over time to automatically find and prevent exploitation of such bugs at run time. Dynamic techniques, such as random testing (or fuzzing), have gained increasing interest due to their success in uncovering real-world vulnerabilities in kernel code.

However, random testing is fundamentally limited: (1) it requires real-world input to test code meaningfully, and (2) achieving full coverage would require scanning the entire input domain, which is infeasible. In contrast to dynamic approaches, which operate at run time, static analysis reasons about abstract program representations at compile time. Data-flow analysis in particular has long been used, with considerable success, to eliminate bugs fully automatically in complex user-space programs.

K-Miner is a data-flow analysis framework that applies existing analysis methods to kernel code and builds on top of the popular LLVM compiler suite. We patch the kernel build files to create an LLVM-IR kernel bitcode image, which serves as the main input to our framework. Existing user-space checkers, however, require a top-level entry point from which to start the analysis, and a kernel has no single main function. By partitioning the kernel along its system call interface, we treat each system call as such an entry point, which lets us conduct meaningful data-flow analysis in the kernel context while keeping complex analyses scalable to the large kernel code base.
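The following is an added toy illustration of the partitioning idea described above; it is not K-Miner's code. Each system call becomes the entry point of its own analysis, and a simple flow-sensitive check then runs over only the functions reachable from that entry point. The call graph, the straight-line function bodies and the object names (`name`, `nd`, `iov`, `file`) are constructed data; in K-Miner the graph comes from the LLVM-IR bitcode image and the analysis is far more involved.

```python
"""Toy model of K-Miner's partitioning: one analysis per system call entry
point, over only the code reachable from it.  Constructed data, not K-Miner."""
from typing import Dict, List, Set, Tuple

# Constructed call graph: function -> callees.  In K-Miner this comes from
# the LLVM-IR bitcode image of the whole kernel.
CALL_GRAPH: Dict[str, List[str]] = {
    "sys_open":        ["do_sys_open"],
    "do_sys_open":     ["getname", "do_filp_open", "putname", "audit_name"],
    "getname":         ["kmalloc"],
    "putname":         ["kfree"],
    "audit_name":      [],
    "do_filp_open":    ["path_openat"],
    "path_openat":     ["kmalloc", "kfree"],
    "sys_read":        ["vfs_read"],
    "vfs_read":        ["rw_verify_area", "copy_to_user", "kmalloc", "kfree"],
    "rw_verify_area":  [],
    "copy_to_user":    [],
    "sys_close":       ["filp_close"],
    "filp_close":      ["fput", "kfree"],
    "fput":            ["kfree"],
    "kmalloc":         [],
    "kfree":           [],
    "late_initcall_x": ["kmalloc"],   # boot-time code: no syscall reaches it
}

# Constructed straight-line bodies.  Ops act on abstract heap objects named by
# allocation site; kmalloc/kfree calls are modelled as "alloc"/"free" ops.
Op = Tuple[str, str]
BODIES: Dict[str, List[Op]] = {
    "sys_open":     [("call", "do_sys_open")],
    "do_sys_open":  [("call", "getname"), ("call", "do_filp_open"),
                     ("call", "putname"), ("call", "audit_name")],
    "getname":      [("alloc", "name")],
    "putname":      [("free", "name")],
    "audit_name":   [("use", "name")],        # reads name after putname freed it
    "do_filp_open": [("call", "path_openat")],
    "path_openat":  [("alloc", "nd"), ("use", "nd"), ("free", "nd")],
    "sys_read":     [("call", "vfs_read")],
    "vfs_read":     [("alloc", "iov"), ("use", "iov"), ("free", "iov")],
    "sys_close":    [("call", "filp_close")],
    "filp_close":   [("call", "fput"), ("free", "file")],  # fput already freed file
    "fput":         [("free", "file")],
}


def syscall_entry_points(graph: Dict[str, List[str]]) -> List[str]:
    """Analysis entry points: the system call interface, as K-Miner uses it."""
    return sorted(f for f in graph if f.startswith("sys_"))


def partition(graph: Dict[str, List[str]], entry: str) -> Set[str]:
    """All functions reachable from one syscall: the unit that gets analysed."""
    seen: Set[str] = set()
    stack = [entry]
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        stack.extend(graph.get(fn, []))
    return seen


def check_partition(entry: str) -> List[str]:
    """Flow-sensitive, path-insensitive walk of one syscall's partition.

    Tracks each abstract object as 'live' or 'freed' and reports a use or a
    second free of a freed object, two classic memory-corruption bugs.
    """
    state: Dict[str, str] = {}
    findings: List[str] = []

    def walk(fn: str, depth: int = 0) -> None:
        if depth > 64:            # recursion guard for the toy walker
            return
        for op, arg in BODIES.get(fn, []):
            if op == "call":
                walk(arg, depth + 1)
            elif op == "alloc":
                state[arg] = "live"
            elif op == "free":
                if state.get(arg) == "freed":
                    findings.append(f"{entry}: double free of {arg} in {fn}")
                state[arg] = "freed"
            elif op == "use" and state.get(arg) == "freed":
                findings.append(f"{entry}: use-after-free of {arg} in {fn}")

    walk(entry)
    return findings


def analyze_kernel(graph: Dict[str, List[str]] = CALL_GRAPH) -> Dict[str, List[str]]:
    """Run the check once per syscall partition, never over the whole graph."""
    return {e: check_partition(e) for e in syscall_entry_points(graph)}


if __name__ == "__main__":
    for entry in syscall_entry_points(CALL_GRAPH):
        part = partition(CALL_GRAPH, entry)
        print(f"{entry}: {len(part)}/{len(CALL_GRAPH)} functions in partition")
        for finding in check_partition(entry):
            print("  ", finding)
```

Two things the toy makes visible: each partition is a fraction of the whole graph (the `late_initcall_x` function is reached by no syscall and is never analysed), and the checker's state is reset per partition, so an object freed in `sys_close` cannot pollute the verdict for `sys_open`. A real analysis must additionally handle branches, loops, aliasing and indirect calls, none of which this walker models.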

For more details, see our paper and our code.

UPDATE: Since GitHub does not allow files larger than 100 MB, we provide our pre-built kernel bitcode images here for reference and ease of use:
File                     Checksum (SHA-512)
vmlinux_v3.19.bc (282M)  e83cf098f8500d5bda320381ab991f5c2800f5829b71ad5aaa2291dfcb8287156d20419bd0c8f78f1e153aba4b7b4ca19f91ad46caff90ff3a01fb94ec27840b
vmlinux_v4.2.bc  (298M)  3219dd6403051301b04301306bee1146a589539329e09014db649e4e447f73464378af3ba83aad20d05a76fd3f79953ed1c4973196f3b30af39af67a093c3a7c
vmlinux_v4.6.bc  (300M)  be6b770afbeb92a20a43e93d40d7a60e3c641943effb162d90872bde241cedd572d4f96e047b99b2ec2367f426c98a426663b3456fe9cde83bd0e13ec72d0b2d
vmlinux_v4.10.bc (353M)  1ecb5348fbe80ab5fa83eb765acd211eafcb9fd18bb6e4b5af7567bd34ea3b7d05812fad53970af4fe9a95d2c4379cfa5c2c7009ad5b476becc25334828d70bf
vmlinux_v4.12.bc (364M)  b29cda5d6b2225e119e1114cba1c54301f5e6d4fbc9898441b69a6b357aeda9df8baef69fc5355f40405dc051df1641f87cf35d128676097b74403a4d35f4b9d
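Because the images are hosted outside the repository, a downloaded copy should be checked against the published SHA-512 values before it is fed to the framework. The helper below is an added example, not part of K-Miner; the checksums are copied from the table above, and the image path is assumed to be whatever you downloaded into the current directory.

```python
"""Verify downloaded K-Miner bitcode images against the published SHA-512
checksums.  Added helper, not part of K-Miner."""
import hashlib
import hmac
import os
from typing import Dict

# SHA-512 checksums as published on the K-Miner page (copied, not computed here).
PUBLISHED_SHA512: Dict[str, str] = {
    "vmlinux_v3.19.bc": "e83cf098f8500d5bda320381ab991f5c2800f5829b71ad5aaa2291dfcb8287156d20419bd0c8f78f1e153aba4b7b4ca19f91ad46caff90ff3a01fb94ec27840b",
    "vmlinux_v4.2.bc":  "3219dd6403051301b04301306bee1146a589539329e09014db649e4e447f73464378af3ba83aad20d05a76fd3f79953ed1c4973196f3b30af39af67a093c3a7c",
    "vmlinux_v4.6.bc":  "be6b770afbeb92a20a43e93d40d7a60e3c641943effb162d90872bde241cedd572d4f96e047b99b2ec2367f426c98a426663b3456fe9cde83bd0e13ec72d0b2d",
    "vmlinux_v4.10.bc": "1ecb5348fbe80ab5fa83eb765acd211eafcb9fd18bb6e4b5af7567bd34ea3b7d05812fad53970af4fe9a95d2c4379cfa5c2c7009ad5b476becc25334828d70bf",
    "vmlinux_v4.12.bc": "b29cda5d6b2225e119e1114cba1c54301f5e6d4fbc9898441b69a6b357aeda9df8baef69fc5355f40405dc051df1641f87cf35d128676097b74403a4d35f4b9d",
}


def sha512_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-512; the images are ~300 MB, so never read them whole."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path: str, expected_hex: str) -> bool:
    """Compare the computed digest with the published one in constant time."""
    return hmac.compare_digest(sha512_file(path), expected_hex.lower())


def verify_downloads(directory: str = ".") -> Dict[str, bool]:
    """Check every published image present in `directory`; missing files are skipped."""
    results: Dict[str, bool] = {}
    for name, expected in PUBLISHED_SHA512.items():
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = verify_image(path, expected)
    return results


if __name__ == "__main__":
    for name, ok in verify_downloads().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH - do not use this image'}")
```

Run it from the directory holding the downloaded `.bc` files; any image reporting a mismatch should be discarded and re-downloaded, since a truncated or tampered bitcode image would silently produce a meaningless analysis.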