Checkbochs
Checkbochs is written as an extension to the bochs machine emulator. It runs a machine disk image and checks for violations of common system properties through dynamic type checking. Using Checkbochs, we found a number of previously-unknown bugs of the following types:
- Null dereference errors in applications and kernel (found many, e.g. in grep, fsck, swapon)
- User/kernel pointer errors in kernel (found one in the Linux kernel)
- Format-string vulnerabilities
- Race Conditions (found many in undergraduate coursework)
A big advantage of this approach (as opposed to static-analysis approaches) is that it is possible to find type errors that span layers of different software. For example, many null-dereference bugs found using Checkbochs were cases where the memory allocation point and the memory dereference point were in different software distributions.
Hence, while our approach has the disadvantage that the code being checked must be executed for the bug to show up, it is useful in finding classes of bugs that are otherwise very hard to find through static analysis. Moreover, this approach can find bugs in applications where source code is not available (e.g. a Windows system).
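As an added illustration (this is not Checkbochs code; the trace format, opcode names, register names and module labels are invented here), the following Python models the kind of dynamic "possibly-NULL" type check a whole-system checker can apply to executed instructions. Each value that comes out of an allocator is tagged as possibly NULL; the tag follows the value through register copies and is cleared only when the executed path has compared it against zero. A dereference of a still-tagged value is reported together with the module that produced it, which is what makes a pointer allocated in one software layer and dereferenced unchecked in another visible.

```python
# Added illustration of a dynamic "possibly-NULL" type check over a
# constructed instruction trace. Not Checkbochs code; the trace format,
# opcodes, registers and module names below are invented for this example.

MAYBE_NULL = "maybe_null"   # value came from an allocator that can fail
NONNULL = "nonnull"         # value was compared against 0 and found non-zero
UNKNOWN = "unknown"         # not a tracked pointer (e.g. an immediate)


class NullCheck:
    """Tracks a type tag per *value* rather than per register, so a NULL
    check on one register also clears the tag on every register that
    holds a copy of the same value."""

    def __init__(self):
        self.reg_val = {}     # register name -> value id
        self.val_type = {}    # value id -> type tag
        self.val_origin = {}  # value id -> module that produced the value
        self.next_id = 0
        self.reports = []

    def _new_value(self, tag, origin):
        vid = self.next_id
        self.next_id += 1
        self.val_type[vid] = tag
        self.val_origin[vid] = origin
        return vid

    def step(self, pc, module, op, *args):
        if op == "alloc":             # rd = malloc-like call; may return NULL
            (rd,) = args
            self.reg_val[rd] = self._new_value(MAYBE_NULL, module)
        elif op == "const":           # rd = immediate; not a tracked pointer
            rd, _imm = args
            self.reg_val[rd] = self._new_value(UNKNOWN, module)
        elif op == "mov":             # rd = rs: both registers alias one value
            rd, rs = args
            self.reg_val[rd] = self.reg_val[rs]
        elif op == "branch_nonnull":  # the executed branch proved rs != 0
            (rs,) = args
            vid = self.reg_val[rs]
            if self.val_type[vid] == MAYBE_NULL:
                self.val_type[vid] = NONNULL
        elif op in ("load", "store"):  # memory access through pointer in rs
            rs = args[0]
            vid = self.reg_val[rs]
            if self.val_type[vid] == MAYBE_NULL:
                self.reports.append(
                    f"pc={pc:#x}: {module} dereferences {rs} without a NULL "
                    f"check; value allocated in {self.val_origin[vid]}")
        else:
            raise ValueError(f"unknown op {op}")


# Constructed trace: the C library allocates, the application dereferences
# the result without ever checking it. The allocation and the dereference
# live in different software distributions.
TRACE_CROSS_LAYER = [
    (0x10, "libc", "alloc", "r1"),          # p = malloc(...) inside libc
    (0x20, "grep", "mov", "r2", "r1"),      # application receives the pointer
    (0x24, "grep", "store", "r2", 0),       # *p = ... with no NULL check
]

# Constructed trace: same flow, but the application's NULL check executed
# and the non-NULL path was taken before the store through the alias r2.
TRACE_CHECKED = [
    (0x10, "libc", "alloc", "r1"),
    (0x20, "grep", "mov", "r2", "r1"),
    (0x22, "grep", "branch_nonnull", "r1"),  # if (p == NULL) goto fail;
    (0x24, "grep", "store", "r2", 0),        # alias r2 is now known non-null
]


def run(trace):
    """Replay a trace through the checker and return its reports."""
    checker = NullCheck()
    for pc, module, op, *args in trace:
        checker.step(pc, module, op, *args)
    return checker.reports


if __name__ == "__main__":
    for name, trace in (("cross-layer", TRACE_CROSS_LAYER),
                        ("checked", TRACE_CHECKED)):
        print(name, run(trace) or "no violations")
```

Tagging the value instead of the register is the design choice that matters: a real program checks the pointer in one register and then dereferences it through a copy, a spilled stack slot or a struct field, and a checker that tracked registers alone would either miss the check or report a false positive.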
A preliminary report on our experiments using Checkbochs can be found here.
The source code is distributed as a patch to bochs v2.1.1.
To apply the patch, follow instructions in README.
Source Distribution
People
- Sorav Bansal (graduate student and lead developer)
- Mendel Rosenblum (faculty advisor)