
Leaking pointers from the kernel can be useful to an attacker. Normally, pointers are printed using a special identifier, %pK, which will sanitize them. However, there are times when a kernel pointer is unintentionally revealed, for example because a kernel developer is lazy and uses a different identifier, or because a value is computed indirectly from a pointer in such a way that the pointer is revealed.

When I thought about it, this seemed to be the perfect candidate for static analysis! Unfortunately, my knowledge of the theory behind static analysis is limited. I would like to know if there is any research into using automated static analysis to identify candidates for pointer information leakage in the Linux kernel, and whether or not it is a plausible technique in general. If it is not, then why?

forest
  • I would try writing a few variations of bugs which result in leaking kernel pointers, and then running Smatch against the code. I know a lot of work went into detecting kernel bugs around 2015 with that tool. Admittedly I haven't done any kernel work personally. – Daisetsu Nov 17 '18 at 18:44
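To make the approach in the question concrete, here is an added example of the kind of syntactic rule a tool such as Smatch or Coccinelle would implement for this bug class. It is not the asker's code and not part of Smatch: it is a small Python checker that scans C text for calls to the printk/seq_printf family, pairs each format conversion with its argument, and flags the two leak patterns the question names, a raw pointer conversion (`%p`, or `%px`, which is the explicit never-hashed form on kernels since 4.15) and a pointer that was first cast to an integer and then printed with `%lx` or similar. `%pK` is accepted as sanitized. The C snippet it runs on is constructed for the example; the list of call names and cast types is an assumption chosen for illustration. Because it works on raw text with no type information, it cannot tell whether `(unsigned long)x` casts a pointer or an integer, nor follow a value across functions; that is exactly the gap an AST-based tool with type data closes.

```python
"""Toy pattern-based checker for kernel pointer leaks through format strings.
Added example, not the asker's code and not Smatch: it shows the kind of
syntactic rule such tools implement. Works on raw C text, with no type info."""
import re

# Calls whose format string is scanned; the list is an assumption for the example.
CALL_RE = re.compile(
    r"\b(printk|pr_info|pr_err|pr_warn|pr_debug|seq_printf|sprintf|snprintf|"
    r"dev_info|dev_err)\s*\(")
STR_RE = re.compile(r'"(?:[^"\\]|\\.)*"')
# %[flags][width][.prec][length]conv; 'ext' holds the %p modifier (K, x, S ...).
FMT_RE = re.compile(
    r"%[-+ #0]*(?P<w>\d*|\*)(?:\.(?P<prec>\d*|\*))?(?:hh|h|ll|l|z|t)?"
    r"(?P<conv>[diouxXpsc%])(?P<ext>(?<=p)[A-Za-z]*)?")
# Integer casts that commonly launder a pointer: (unsigned long)ptr, (u64)ptr.
PTR_CAST_RE = re.compile(
    r"\(\s*(?:unsigned\s+)?(?:long\s+long|long|int|u64|u32|uintptr_t|size_t)\s*\)")


def skip_literal(src, i):
    """Return the index just past the string or char literal starting at src[i]."""
    q, i = src[i], i + 1
    while i < len(src) and src[i] != q:
        i += 2 if src[i] == '\\' else 1
    return i + 1


def split_args(src, start):
    """Split the argument list whose '(' is at src[start] at top-level commas."""
    args, cur, depth, i = [], [], 0, start + 1
    while i < len(src):
        c = src[i]
        if c in '"\'':                       # copy literals whole (commas inside)
            j = skip_literal(src, i)
            cur.append(src[i:j]); i = j
            continue
        if c in '([{':
            depth += 1
        elif c in ')]}':
            if depth == 0:                   # closing paren of the call itself
                args.append(''.join(cur).strip())
                return [a for a in args if a]
            depth -= 1
        if c == ',' and depth == 0:
            args.append(''.join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    return args


def classify(m, arg):
    """Return why conversion m applied to arg leaks an address, or None."""
    conv, ext = m.group('conv'), m.group('ext') or ''
    if conv == 'p':
        if ext.startswith('K'):
            return None                      # %pK: hashed or zeroed per kptr_restrict
        if ext == '' or ext.startswith('x'):
            return 'raw pointer conversion'  # plain %p (pre-4.15) or %px: not hashed
        return None                          # %pS, %pM, %pI4 ...: not an address
    if conv in 'diouxX' and (PTR_CAST_RE.search(arg) or arg.startswith('&')):
        return 'pointer cast to integer'     # the "computed indirectly" case
    return None


def check_source(src):
    """Return [(line, call, conversion, argument, reason)] for suspect prints."""
    findings = []
    for call in CALL_RE.finditer(src):
        args = split_args(src, call.end() - 1)
        fmt_idx = next((i for i, a in enumerate(args) if STR_RE.search(a)), None)
        if fmt_idx is None:
            continue                         # format is not a literal: out of scope
        fmt = ''.join(s[1:-1] for s in STR_RE.findall(args[fmt_idx]))  # KERN_x "..."
        vargs, ai = args[fmt_idx + 1:], 0
        line = src.count('\n', 0, call.start()) + 1
        for m in FMT_RE.finditer(fmt):
            if m.group('conv') == '%':
                continue
            ai += (m.group('w') == '*') + (m.group('prec') == '*')  # '*' eats an arg
            arg = vargs[ai] if ai < len(vargs) else '<missing>'
            ai += 1
            reason = classify(m, arg)
            if reason:
                findings.append((line, call.group(1), m.group(0), arg, reason))
    return findings


SAMPLE_C = r'''/* constructed sample for the checker, not real kernel code */
static void dump(struct seq_file *m, struct foo *f, char *buf)
{
    pr_info("foo at %pK, size %zu\n", f, sizeof(*f));            /* ok */
    pr_err("raw foo %p\n", f);                                    /* leak */
    printk(KERN_DEBUG "page %px\n", f->page);                     /* leak */
    seq_printf(m, "id=%d addr=0x%lx\n", f->id, (unsigned long)f); /* leak */
    seq_printf(m, "ratio %d%%\n", f->ratio);                      /* ok */
    snprintf(buf, 64, "%*d %s\n", 8, f->id, f->name);             /* ok */
    dev_info(f->dev, "sym %pS\n", f->callback);                   /* ok */
}
'''

if __name__ == '__main__':
    for line, call, conv, arg, why in check_source(SAMPLE_C):
        print(f"line {line}: {call}(... {conv} <- {arg}): {why}")
```

Run against the constructed sample it reports the `%p`, `%px` and cast-then-`%lx` lines and stays quiet on `%pK`, `%pS`, `%%` and `*`-width conversions. A real checker would add what this one lacks: the argument's declared type (so a cast of an integer is not flagged and a cast of a pointer hidden behind a macro is), and dataflow, so that a value derived from a pointer several statements earlier is still caught.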

0 Answers