Paper Reading 2 - Semantic-Based Patch Presence Testing for Downstream Kernels

One-Sentence Summary

The authors proposed PDiff, a reliable patch-presence testing technique for downstream kernels that addresses two major challenges in existing methods: third-party customization and non-standard build configurations.

Background

The OS kernel is the core of computer software, and many downstream vendors build customized systems on an open-source kernel, such as the Linux kernels used in mobile phones and IoT devices. It is difficult for downstream vendors to provide the same level of security as the upstream version, which prevents them from applying released patches in a timely manner. Existing work suffers from two issues, patch delay and inaccuracy, and faces two challenges, third-party customization and non-standard build configurations.

There are two existing technical approaches. One writes a PoC (proof of concept) to perform a penetration test and determine whether a patch exists by triggering the vulnerability. The other generates a signature from the patched upstream version and searches for it in the target version. However, because of the challenges mentioned above (third-party customization and non-standard build configurations), these two techniques do not work in some cases.

Method

The authors proposed PDiff to test whether patches are present in downstream kernels. The method can be divided into three phases.

  • Identify the area affected by a patch and collect the paths it influences. Then the authors find the anchor block in the patch-related function to refine the patch-related region.
  • Generate the semantic-based patch summary and construct the path digest.
  • Conduct the patch-presence test based on the patch summary. The key idea is to compare the distance between path digests.
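The nearest-reference decision of the third phase, as an added toy illustration rather than the authors' code or PDiff's real digest format: here a path digest is assumed to be a multiset of semantic features observed along one path (calls, comparisons, return values), the distance is weighted Jaccard, and all feature names and the downstream targets are constructed.

```python
from collections import Counter

# Constructed reference digests for one patch-related function (assumed format,
# not PDiff's). The patch adds an upper-bound check and an error return.
UNPATCHED = Counter({"call:copy_from_user": 1, "cmp:len>0": 1, "ret:0": 1})
PATCHED = UNPATCHED + Counter({"cmp:len<=MAX": 1, "ret:-EINVAL": 1})

# Constructed downstream targets: a vendor hook is added on top of each
# reference, standing in for third-party customization of the same path.
VENDOR_HOOK = Counter({"call:vendor_trace_hook": 1})
CUSTOMIZED_PATCHED = PATCHED + VENDOR_HOOK
CUSTOMIZED_UNPATCHED = UNPATCHED + VENDOR_HOOK


def digest_distance(a: Counter, b: Counter) -> float:
    """Weighted Jaccard distance over feature multisets: 0.0 identical, 1.0 disjoint."""
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return 1.0 - inter / union if union else 0.0


def patch_present(target: Counter,
                  patched: Counter = PATCHED,
                  unpatched: Counter = UNPATCHED) -> tuple[bool, float, float]:
    """Decide by which reference digest the target path lies closer to.

    Returns (is_patched, distance_to_patched, distance_to_unpatched).
    Features the vendor added shift both distances by the same amount, so the
    decision still hinges on the patch's own semantic features.
    """
    d_patched = digest_distance(target, patched)
    d_unpatched = digest_distance(target, unpatched)
    return d_patched < d_unpatched, d_patched, d_unpatched


if __name__ == "__main__":
    for name, target in (("customized+patched", CUSTOMIZED_PATCHED),
                         ("customized+unpatched", CUSTOMIZED_UNPATCHED)):
        present, dp, du = patch_present(target)
        print(f"{name}: patched={present} d_patched={dp:.3f} d_unpatched={du:.3f}")
```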

Experiment

The authors evaluated PDiff on 51 patches and 398 kernel images, covering 115,111 image-patch pairs. The experiments show that PDiff can handle the two main challenges in this field: third-party customization and non-standard build configurations.