UniSan aims to eliminate all information leaks caused by uninitialized data reads in OS kernels. OS kernels employ security mechanisms, kASLR and StackGuard, to prevent code-reuse and privilege escalation attacks. However, the common information leaks in OS kernels render these security mechanisms ineffective. Clearly, information leaks may also directly leak sensitive data such as cryptographic keys in OS kernels. According to a previous study and our study, most kernel information leaks are caused by uninitialized data reads.
UniSan is a novel, compiler-based approach that uses byte-level, flow-sensitive, context-sensitive, and field-sensitive initialization analysis and reachability analysis to check whether an allocation has been fully initialized when it leaves kernel space; if not, it automatically instruments the kernel to zero-initialize this allocation. UniSan is robust because its zero-initialization to allocations would not break original semantics. Also, UniSan is conservative to eliminate false negatives. We implemented UniSan as passes of LLVM. By applying it to the latest Linux kernel and Android kernel, we confirmed that UniSan can successfully prevent known and many new uninitialized data leak vulnerabilities, with a negligible performance overhead.
This repository has analysis tool and LLVM. LLVM related files follow their own license(LICENSE.LLVM), and analysis tool is provided under the terms of the MIT license.
$ cd unisan
# Build LLVM that contains the instrumentation pass of UniSan
$ cd llvm-3.7.1
$ ./build-llvm.sh
# Build the analysis pass of UniSan
$ cd ../analysis
$ make
# Now, the UniSan binary is located at analysis/build/unisan
# If you want to analyze a list of bitcode file, put the paths of the bitcode files in a list file, e.g., "bitcode.list". Then run:
$ ./unisan -safe-alloc @bitcode.list
# If you want to analyze a single bitcode file, say "test.bc", run:
$ ./unisan -safe-alloc test.bc
# The statistics are printed out on stdout, while the info of unsafe allocations is saved in a temporary file: /tmp/UnsafeAllocs.txt.
- Use the "clang" of UniSan, i.e., the one you just built in llvm-3.7.1. If you use the LLVMLinux project, this step can be done by editing "CLANG" and "LLC" in file "llvmlinux/toolchain/clang/clang-native.mk".
- Enable the instrumentation pass of UniSan: use option "-fsanitize=alloc"
- Make sure you have run UniSan's analysis pass. Once you run clang to compile your code, UniSan will secure the unsafe allocations based on /tmp/UnsafeAllocs.txt.
- Analysis pass: unisan/analysis/src/lib/
- Instrumentation pass: llvm-3.7.1/llvm/lib/Transforms/Instrumentation/AllocSanitizer.cpp
- UniSan paper (ACM CCS'16): https://dl.acm.org/doi/abs/10.1145/2976749.2978366
- Webpage for UniSan: https://sslab.gtisc.gatech.edu/pages/unisan.html
@inproceedings{lu2016unisan,
title={Unisan: Proactive kernel memory initialization to eliminate data leakages},
author={Lu, Kangjie and Song, Chengyu and Kim, Taesoo and Lee, Wenke},
booktitle={Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security},
pages={920--932},
year={2016}
}