School of Cyber Science and Technology, Beihang University, Beijing 100191, China
Received: 10 September 2025; Accepted: 20 October 2025; Published: 25 October 2025
ZHENG Hao-ran, BAI Jia-ju, ZHANG Cen, et al. A Kernel Data Race Detection Method Based on Inference-Verification Mode[J]. Acta Electronica Sinica, 2025, 53(10): 3593-3607. DOI: 10.12263/DZXB.20250792
Abstract: Data races are among the most critical concurrency issues in operating system kernels. A data race occurs when two or more kernel execution threads concurrently access the same shared memory location without proper synchronization and at least one of the accesses is a write. Data races can cause data corruption, logical errors and kernel crashes, and can even be exploited by attackers to construct privilege escalation or denial-of-service attacks. Thus, designing efficient and precise data race detection mechanisms for the operating system development and testing phases is crucial for ensuring system stability and security. However, the complexity and non-determinism of the kernel's concurrent environment pose significant challenges to data race detection. Existing dynamic detection methods suffer from high runtime overhead and a weak capability to find complex races, because they need to track locksets or happens-before relationships and rely heavily on thread interleavings that the kernel happens to produce on its own. These issues severely impact the efficiency and accuracy of data race detection. To address them, this paper proposes RIV (Racepair Inference-Validator), a kernel data race detection method based on an "inference-verification" model. RIV first infers potential racy variable pairs by analyzing thread execution traces and memory access information, and then performs directed verification of these candidate pairs through memory watchpoints and delay injection, achieving precise detection and reliable reproduction of data races. In addition, RIV uses static taint analysis to identify potentially shared variables, which reduces the amount of instrumented code and lowers runtime overhead, and it records the memory address and time of each variable access to keep detection accuracy high. To validate the effectiveness of RIV, we conducted experimental evaluations on 6 widely used Linux kernel modules and discovered 31 real data races with no false positives, 12 of which have been confirmed by Linux kernel developers. In performance comparisons, RIV achieved performance improvements of 1.5, 6.7 and 1.8 times over the existing kernel data race detection methods KCSAN, DILP and SDILP respectively, and, owing to its inference-verification model, discovered more real data races, demonstrating a breakthrough on the core problem of weak ability to find complex races. In conclusion, RIV provides an efficient, precise and practical automated detection solution for the concurrency security of operating system kernels.
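The two-phase detection pattern the abstract describes, as an added toy model: this is not the RIV authors' code, and the thread programs, the addresses 0x100 and 0x200, the lock name dev_lock and the 10-step time window are all constructed for the example. The inference phase uses only what the abstract says RIV records for each access, its address and its time, so it does no lockset or happens-before tracking and over-approximates; the verification phase stands in for kernel watchpoints and delay injection with a deterministic scheduler that arms a watchpoint just before the suspect access, delays that thread, and runs the others.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Access:
    tid: int    # thread that performed the access
    addr: int   # memory address (constructed value)
    op: str     # "r" or "w"
    ts: int     # logical timestamp assigned by the interpreter


def execute(programs, pick, on_access):
    """Interpret per-thread instruction lists. Instructions are ("lock", name),
    ("unlock", name), ("r", addr) or ("w", addr). pick(runnable, peek) chooses the
    next thread; on_access(tid, addr, op, ts) is called for every memory access."""
    pcs = {t: 0 for t in programs}
    owner = {}                                  # lock name -> owning thread
    ts = 0
    peek = lambda t: programs[t][pcs[t]] if pcs[t] < len(programs[t]) else None
    while True:
        runnable = []
        for t in programs:
            ins = peek(t)
            # a finished thread, or one waiting on a lock held elsewhere, cannot run
            if ins is None or (ins[0] == "lock" and owner.get(ins[1], t) != t):
                continue
            runnable.append(t)
        if not runnable:
            break                               # all done (or deadlocked)
        t = pick(runnable, peek)
        if t is None:
            break
        kind, arg = peek(t)
        if kind == "lock":
            owner[arg] = t
        elif kind == "unlock":
            owner.pop(arg, None)
        else:
            on_access(t, arg, kind, ts)
        pcs[t] += 1
        ts += 1


def record_trace(programs):
    """Run the threads round-robin and collect the (addr, time) access trace."""
    trace, steps = [], count()
    execute(programs,
            lambda runnable, peek: runnable[next(steps) % len(runnable)],
            lambda tid, addr, op, ts: trace.append(Access(tid, addr, op, ts)))
    return trace


def infer_racepairs(trace, window=10):
    """Inference phase: different threads, same address, at least one write,
    accesses within `window` time steps -> candidate (addr, {tid_a, tid_b})."""
    by_addr = defaultdict(list)
    for a in trace:
        by_addr[a.addr].append(a)
    candidates = set()
    for addr, accs in by_addr.items():
        for i, x in enumerate(accs):
            for y in accs[i + 1:]:
                if x.tid != y.tid and "w" in (x.op, y.op) and abs(x.ts - y.ts) <= window:
                    candidates.add((addr, frozenset({x.tid, y.tid})))
    return candidates


def verify_racepair(programs, addr, tids):
    """Verification phase: watchpoint plus delay injection on each suspect thread."""
    for delayed in tids:
        watch, hits = {}, []                    # watch["op"] is set while armed

        def pick(runnable, peek):
            nxt = peek(delayed)
            others = [t for t in runnable if t != delayed]
            at_wp = nxt is not None and nxt[0] in ("r", "w") and nxt[1] == addr
            if at_wp and not watch.get("fired"):
                watch["op"] = nxt[0]            # arm watchpoint on the pending access
                if others:
                    return others[0]            # inject delay: run someone else first
                watch["fired"] = True           # nobody else can run: delay expires
                watch.pop("op")
                return delayed
            return delayed if delayed in runnable else (others[0] if others else None)

        def on_access(tid, a, op, ts):
            # a conflicting access to the watched address during the delay
            if tid != delayed and a == addr and "op" in watch and "w" in (op, watch["op"]):
                hits.append((tid, op))

        execute(programs, pick, on_access)
        if hits:
            return True
    return False


def detect(programs):
    """Whole pipeline: record, infer, verify; returns confirmed racy addresses."""
    candidates = infer_racepairs(record_trace(programs))
    return sorted(addr for addr, tids in candidates if verify_racepair(programs, addr, tids))


# Constructed example: an ioctl-style path (thread 1) and a timer-style callback
# (thread 2) sharing two fields of a hypothetical device structure.
PROGRAMS = {
    1: [("lock", "dev_lock"), ("w", 0x100), ("unlock", "dev_lock"), ("w", 0x200)],
    2: [("lock", "dev_lock"), ("r", 0x100), ("unlock", "dev_lock"), ("r", 0x200)],
}

if __name__ == "__main__":
    cands = infer_racepairs(record_trace(PROGRAMS))
    print("inferred:", sorted(hex(a) for a, _ in cands))     # 0x100 and 0x200
    print("confirmed:", [hex(a) for a in detect(PROGRAMS)])  # only 0x200
```

On the constructed input the inference phase flags both fields, because both are touched by both threads close in time and it never looks at locks. Verification then separates them: when thread 1 is delayed just before its write to 0x100 it still holds dev_lock, so thread 2 blocks on its lock acquisition and never reaches the watched address, and the candidate is dropped; before the unlocked write to 0x200 nothing stops thread 2 from reading the same field during the delay, so that pair is confirmed. This is the division of labour the abstract credits for the overhead reduction: the cheap, over-approximating inference only selects which pairs deserve the expensive directed verification.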