CQUAL type errors can be examined in two ways: source type errors and path type errors. A source type error is a variable that is used in such a way that a type error is generated. That is, the variable is used in an unchecked state in at least one function that expects the variable to be checked. A path type error is a unique call path that leads to a type error. Figure 11 shows an example path type error. Note that for each source type error there may be multiple path type errors.
Table 1 shows both the source and path type error counts for Linux kernel subsystems. For source type errors, we also display the source type error rate, defined to be the percentage of controlled variables that are involved in type errors.
Table 1 shows two interesting facts: (1) over 500 path type errors are present in the kernel and (2) most of the type errors occur on one path. Fortunately for the LSM community, most of the type errors identified by the analysis are false positives. However, examining this many type errors to find a few exploitable errors is not practical. Therefore, we need secondary analyses to remove obvious false positives. Second, since most type errors associate one source with one error path, some of the sinks of the analysis (i.e., the functions with controlled operations) may not really require authorization.
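The following added example (not code from the paper or from CQUAL) applies the definitions above to a small constructed call graph, counting source type errors, path type errors and the source type error rate. The function names, variables and the simplification that every controlled variable flows along every call edge are assumptions made for illustration.

```python
# Simplified model, not CQUAL's inference algorithm: a controlled variable
# starts unchecked at its entry function; an edge flagged True means an
# authorization hook ran before that call, so callees see it checked.
CALLS = {  # constructed call graph; all names are hypothetical
    "entry_read":  [("do_io", True)],
    "entry_write": [("do_io", False)],
    "entry_ioctl": [("dispatch", False)],
    "dispatch":    [("do_io", False), ("set_attr", True)],
    "do_io":       [("sink_rw", False)],
    "set_attr":    [("sink_attr", False)],
}
SINKS = {"sink_rw", "sink_attr"}  # controlled operations: expect checked

# Controlled variable -> functions where it enters unchecked (constructed).
VARIABLES = {
    "file":  ["entry_read", "entry_write", "entry_ioctl"],
    "inode": ["entry_ioctl"],
    "task":  ["entry_read"],
}

def unchecked_paths(func, checked=False, prefix=()):
    """Return every call path from func that reaches a sink while unchecked."""
    path = prefix + (func,)
    if func in SINKS:
        return [] if checked else [path]
    found = []
    for callee, hook in CALLS.get(func, []):
        found += unchecked_paths(callee, checked or hook, path)
    return found

def analyze(variables):
    """Map each source type error (variable) to its unique path type errors."""
    result = {}
    for var, entries in variables.items():
        errs = {p for e in entries for p in unchecked_paths(e)}
        if errs:
            result[var] = sorted(errs)
    return result

def summarize(variables):
    """Return (source errors, path errors, source type error rate in %)."""
    errors = analyze(variables)
    sources = len(errors)
    paths = sum(len(p) for p in errors.values())
    return sources, paths, 100.0 * sources / len(variables)

if __name__ == "__main__":
    print(analyze(VARIABLES))
    print(summarize(VARIABLES))
```

Here `file` is one source type error with two path type errors, which is the one-to-many case the text notes; `task` reaches its sink only after a hook and contributes neither.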