Automatic Detection of Reference Counting Bugs in Linux Kernel Drivers
Joe Hattori, Naoki Kobayashi, Ken Sakayori
TLDR
DrvHorn automatically detects reference counting bugs in Linux kernel drivers, finding 545 bugs (424 new) with a 29.9% false positive rate, lower than prior studies.
Key contributions
- Introduces DrvHorn, an automated tool for detecting reference counting bugs in Linux kernel drivers.
- Reduces bug verification to an assertion checking problem using the Linux driver interface.
- Discovered 545 bugs (424 new) in the v6.6 Linux kernel, with a 29.9% false positive rate.
- Submitted patches for new bugs, with 45 already merged into the Linux kernel.
Why it matters
Reference counting bugs are critical for Linux kernel stability and security. DrvHorn provides an effective automated solution, discovering hundreds of new bugs with a lower false positive rate (29.9%) than prior studies. Its practical impact is shown by 45 merged patches, enhancing kernel robustness.
Original Abstract
Reference counting bugs in Linux kernel drivers can lead to severe resource mismanagement and security vulnerabilities. We introduce DrvHorn, a novel automated tool to detect these bugs by reducing reference counting verification to an assertion checking problem leveraging the Linux driver interface. Through efficient modeling of the Linux kernel and aggressive program slicing, DrvHorn discovered 545 bugs, of which 424 were previously unknown, across all platform drivers in the v6.6 Linux kernel, with a lower false positive rate of 29.9% compared to prior studies. To address the root causes of these newly discovered bugs, we submitted patches to the Linux kernel, and 45 of them were merged.
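The reduction the abstract describes, as an added illustrative example in C that is not from the paper or from DrvHorn: a toy refcount, a driver probe() with a leaking error path beside its fixed form, and an assertion on the count at the driver-interface boundary (probe's return). The device model, lookup_child() and all names are assumptions.

```c
/* Added example (not the paper's or DrvHorn's code). Models how reference
 * counting verification reduces to assertion checking: every path out of a
 * driver entry point must leave the reference count balanced. */
#include <stddef.h>

struct dev { int refcount; int has_child; };   /* toy stand-in for a kobject */

static void dev_get(struct dev *d) { d->refcount++; }
static void dev_put(struct dev *d) { d->refcount--; }

/* Hypothetical helper: on success returns a reference the caller must release. */
static struct dev *lookup_child(struct dev *parent)
{
    if (!parent->has_child)
        return NULL;
    dev_get(parent);
    return parent;
}

/* Buggy probe: the init-failure return skips dev_put(), leaking one reference. */
static int probe_buggy(struct dev *d, int init_fails)
{
    struct dev *child = lookup_child(d);
    if (!child)
        return -1;
    if (init_fails)
        return -2;              /* bug: missing dev_put(child) */
    dev_put(child);
    return 0;
}

/* Fixed probe: every exit path after the get releases the reference. */
static int probe_fixed(struct dev *d, int init_fails)
{
    struct dev *child = lookup_child(d);
    if (!child)
        return -1;
    if (init_fails) {
        dev_put(child);
        return -2;
    }
    dev_put(child);
    return 0;
}

/* Assertion-checking harness: drive the entry point from a known initial state
 * and check the refcount invariant when it returns. 1 = balanced, 0 = bug. */
static int check_balanced(int (*probe)(struct dev *, int), int init_fails)
{
    struct dev d = { .refcount = 1, .has_child = 1 };
    probe(&d, init_fails);
    return d.refcount == 1;
}
```

The harness only exercises the paths a caller can reach through the interface, which is why a missing put on an error path shows up as a failed assertion without any knowledge of the driver's internals.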