Author: Admin | 2025-04-28
K-Miner: Data-Flow Analysis for the Linux Kernel

Requirements:

Install LLVM/Clang (Version 3.8.1):
http://linuxdeveloper.blogspot.de/2012/12/building-llvm-32-from-source.html
http://llvm.org/docs/CMake.html

Build KMiner:

LLVM_DIR must point at the LLVM 3.8.1 build that CMake should use (the path placeholder did not survive in this copy).

```sh
cd KMiner
mkdir build
cd build
export LLVM_DIR=
cmake ..
make -j4
ln -s /path_to_kminer_build/bin/kminer ~/.local/bin/kminer
```

Test KMiner:

Build the Kernel:

In order to analyze the kernel's source code it is necessary to convert the code into LLVM bitcode. This entire process can be skipped for kernel versions 3.19, 4.2, 4.6, 4.10 and 4.12, as their LLVM bitcodes are already compiled.

Clone the Linux kernel and apply the patches that enable compilation with LLVM/Clang. Follow the README in clang-kernel-build. Afterwards, the file "scripts/Makefile.build" has to be modified. To patch the kernel Makefiles, do:

```sh
patch kernel/scripts/Makefile.build clang-kernel-build/Makefile.build.patch
```

Because the Makefiles might differ between kernel versions, it might be necessary to change the rules manually (in scripts/Makefile.build):

Disable module versioning in .config ("CONFIG_MODVERSIONS=n").

Add below "ifndef CONFIG_MODVERSIONS" (top .o.c rule, line 201):

```make
cmd_cc_o_c = \
	if [ $(@) != "scripts/mod/empty.o" ]; then \
		$(CC) $(c_flags) -save-temps=obj -o $@ -c $<
```

(The remainder of this recipe is missing from this copy.)

Add the LLVM-IR bitcode target rule for C source files (line 280):

```make
...
$(obj)/%.bc: $(src)/%.c
	$(call if_changed_rule,cc_o_c)
```

Add the LLVM-IR bitcode target rule for ASM source files (line 320):

```make
quiet_cmd_as_bc_S = $(CC) -emit-llvm $(quiet_modtag) $@
      cmd_as_bc_S = $(CC) $(a_flags) -emit-llvm -c -o $@ $<
```

(The remainder of this rule is missing from this copy.)

If we have bitcode files that can be linked together, create a command; otherwise create an empty target file (line 358):

```make
tmp = $(patsubst %.o, %.bc, $(obj-y))
bc-y = $(filter-out $(asm_ign), $(tmp))
#$(foreach ign, $(asm_ign), $(eval link_bc-y = $(filter-out $ign, $(link_bc-y))))
#quiet_cmd_link_o_target_bc = llvm-link $@
ifneq ($(bc-y),"")
cmd_link_bc_target = $(if $(strip $(bc-y)),\
		      llvm-link -o $@ $(filter $(bc-y), $^) \
		      $(cmd_secanalysis),\
		      echo "" > $@)
#rm -f $@; $(AR) rcs$(KBUILD_ARFLAGS) $@)
else
cmd_link_bc_target = echo "" > $@
endif
```

Add the rule to link bitcode files (line 382):

```make
$(builtin-target_bc): $(bc-y) FORCE
	$(call if_changed,link_bc_target)
```

Link library bc objects (line 410):

```make
lib_bc-y := $(patsubst %.o, %.bc, $(lib-y))
cmd_link_bc_l_target = llvm-link -o $@.bc $(lib_bc-y)

$(lib-target): $(lib-y) FORCE
	$(call if_changed,link_l_target)
	$(call if_changed,link_bc_l_target)
```

Add the rule to link multiple bitcode files (line 429):

```make
quiet_cmd_link_bc_multi-y = llvm-link $@
      cmd_link_bc_multi-y = llvm-link -o $(patsubst %.o, %.bc, $@) \
                            $(patsubst %.o, %.bc, $(link_multi_deps))
```

Add the previously created rule to the original dependencies (line 442):

```make
$(multi-used-y): FORCE
	$(call if_changed,link_multi-y)
	$(call if_changed,link_bc_multi-y)
```

Now compile the kernel:

```sh
make defconfig
make HOSTCC=clang CC=clang SHELL=/bin/bash
```

You should see many .bc files being created (in addition to the default build artifacts). Now you should be able to link the vmlinux.bc image. If the linking process fails for some reason, try another linker, or link the bitcode yourself (e.g., obtain the file list from the command used to link vmlinux during the build):

```sh
llvm-link -o vmlinux.bc
```

Manual:

```
kminer [options] [checker]
```

Options (the argument placeholders following "=" did not survive in this copy, nor did the name of the system-call option):

```
                      Select a system call that should be analyzed.
  -driver=            Select a driver that should be analyzed.
  -initcall-contexts= File used for import and export of the pre-analysis.
  -report=            Output file.
  -cg_ignore=         Filter functions that should be ignored.
  -export-bugs=       File to store the bugs that were found.
  -import-bugs=       File of bugs that should be imported.
  -uarl-sinks=        Contains the functions that will be interpreted as delete
                      functions within the use-after-return checker.
  -uar-timeout=       Timeout of a single variable check within the
                      use-after-return checker.
  -num-threads=       Number of threads the analysis should use. (At the moment
                      mainly the use-after-return check uses multithreading.)
  -rm-deref           Ignore
```
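For the manual vmlinux.bc link step in the "Build the Kernel" section, here is an added helper that is not part of K-Miner or the kernel tree: it takes the vmlinux link command line as printed during the build (a constructed sample is embedded), maps each .o/.a input to the .bc sibling the patched Makefile.build rules write (`.a.bc` for lib targets, since cmd_link_bc_l_target uses `$@.bc`), skips the one-byte placeholder files that the `echo "" > $@` fallback produces, and prints the llvm-link command. The sample link line, the KERNEL_SRC variable and the function names are assumptions.

```shell
#!/bin/sh
# Added helper (not part of K-Miner or the kernel tree): rebuild the vmlinux.bc
# link command from the vmlinux link line printed during the kernel build.
# Assumptions: every built-in .o has a sibling .bc produced by the patched
# Makefile.build rules; lib-y archives get "<archive>.a.bc" (cmd_link_bc_l_target
# uses $@.bc); a target without linkable bitcode holds only the newline that the
# 'echo "" > $@' fallback wrote, and must not be passed to llvm-link.

# bc_from_link_cmd LINK_CMD [SRCROOT]
# Prints the usable .bc counterparts of the .o/.a inputs in LINK_CMD, one per line.
bc_from_link_cmd() {
    cmd=$1
    root=${2:-.}
    for tok in $cmd; do
        case "$tok" in
            *.a) bc="$root/$tok.bc" ;;        # lib.a -> lib.a.bc
            *.o) bc="$root/${tok%.o}.bc" ;;   # built-in.o -> built-in.bc
            *)   continue ;;                  # linker name, flags, -o vmlinux, .lds
        esac
        if [ ! -f "$bc" ]; then
            echo "warning: no bitcode for $tok ($bc)" >&2
            continue
        fi
        # placeholder from 'echo "" > $@' is exactly one byte (a newline): skip it
        size=$(wc -c < "$bc" | tr -d ' ')
        [ "$size" -gt 1 ] || continue
        printf '%s\n' "$bc"
    done
}

# link_vmlinux_bc LINK_CMD [SRCROOT]
# Prints the llvm-link command line that produces vmlinux.bc from those files.
link_vmlinux_bc() {
    files=$(bc_from_link_cmd "$1" "${2:-.}" | tr '\n' ' ')
    printf 'llvm-link -o vmlinux.bc %s\n' "${files% }"
}

# Constructed sample of a vmlinux link line (shape only; copy the real one from
# the build output). KERNEL_SRC selects the kernel tree (defaults to ".").
SAMPLE_LINK_CMD='ld -m elf_x86_64 -o vmlinux -T arch/x86/kernel/vmlinux.lds init/built-in.o usr/built-in.o --start-group drivers/built-in.o lib/lib.a --end-group'
link_vmlinux_bc "$SAMPLE_LINK_CMD" "${KERNEL_SRC:-.}"
```

Run it with KERNEL_SRC set to the kernel tree; the printed line can be pasted back into the shell once the warnings about missing bitcode files have been resolved.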