One sentence summary
The author proposed PDiff, a reliable patch presence test for downstream kernels, to address the two main challenges faced by existing testing methods (third-party customization and non-standard build configurations).
Background
The OS kernel is the core of computer software, and many downstream vendors choose an open-source kernel as the basis for customized development (for example, the Linux kernel used in mobile phones and IoT devices). Downstream vendors find it hard to provide security at the same level as the mainstream version, which means they cannot apply released patches in a timely way. Current research faces two issues (patch delay and inaccuracy) and two challenges (third-party customization and non-standard build configurations).
Related work
There are two existing technical routes. One is to write a PoC (proof of concept) for penetration testing and determine whether the patch is present by triggering the vulnerability. The other is to generate a signature from the patched mainstream version and search for it in the target version. However, because of the challenges noted above (third-party customization and non-standard build configurations), these two techniques do not work in some cases.
Method
The author proposed PDiff to test for the presence of patches in downstream kernels. The method can be divided into three phases.
- Recognize the area affected by the patch and collect the paths the patch influences. The author then finds anchor blocks in the patch-related functions to narrow the patch-related region at a finer granularity.
- Generate a semantics-based patch summary and construct the path digests.
- Based on the patch summary, perform the patch presence test; the key idea is to compare the distances between path digests.
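The summary only states the key idea of the third phase, so here is an added toy illustration (constructed for this note, not PDiff's own implementation) of how a distance between path digests can decide patch presence. It assumes a function is modelled as a list of execution paths of normalised operations, a digest is the set of operations on a path, and the distance is Jaccard; PDiff's actual semantic summary and digest construction are not shown on this page.

```python
"""Toy patch presence test by path-digest distance (constructed example)."""

# A function is modelled as a list of execution paths; each path is a tuple of
# normalised semantic operations (hypothetical IR-like tokens, constructed).
# The constructed "patch" adds a length check before a copy.
UNPATCHED = [
    ("copy(buf, src, len)", "return 0"),
]
PATCHED = [
    ("cmp(len, MAX)", "return -EINVAL"),
    ("cmp(len, MAX)", "copy(buf, src, len)", "return 0"),
]

def path_digest(path):
    """Digest = set of operations on the path; order is dropped so that
    vendor-reordered or inlined code still compares against the reference."""
    return frozenset(path)

def path_distance(d1, d2):
    """Jaccard distance between two path digests, in [0, 1]."""
    union = d1 | d2
    return 0.0 if not union else 1 - len(d1 & d2) / len(union)

def function_distance(paths_a, paths_b):
    """Symmetrised average best-match distance between two path sets, so that
    both missing paths and extra paths are penalised."""
    da = [path_digest(p) for p in paths_a]
    db = [path_digest(p) for p in paths_b]
    def one_way(x, y):
        return sum(min(path_distance(p, q) for q in y) for p in x) / len(x)
    return (one_way(da, db) + one_way(db, da)) / 2

def patch_present(target_paths, patched=PATCHED, unpatched=UNPATCHED):
    """True when the target's paths sit closer to the patched reference than
    to the unpatched one."""
    return (function_distance(target_paths, patched)
            < function_distance(target_paths, unpatched))

# Constructed downstream targets: both carry a vendor-added log statement
# (third-party customization); only the first also carries the fix.
TARGET_PATCHED = [
    ("cmp(len, MAX)", "log(...)", "return -EINVAL"),
    ("cmp(len, MAX)", "copy(buf, src, len)", "return 0"),
]
TARGET_UNPATCHED = [
    ("log(...)", "copy(buf, src, len)", "return 0"),
]
```

The vendor's extra `log(...)` operation raises the distance to both references equally, so the decision still follows the presence of the `cmp(len, MAX)` check.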
Experiment
The author ran experiments on 51 patches and 398 kernel images, comprising 115111 (image, patch) pairs. The experiments show that PDiff can handle the two main challenges in this field (third-party customization and non-standard build configurations).