Automatic fault injection for driver robustness testing

Cong, Kai; Li, Lei; Yang, Zhenkun; Xie, Fei

doi:10.1145/2771783.2771811

Cited by 19 publications

(8 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some approaches [20,44,60,71] use coverage-guided fuzzing to test infrequently-executed code, by automatically mutating and generating system calls according to code coverage. Some approaches [6,18,41,62] perform software fault injection to test error handling code, by deliberately corrupting the return values of kernel-interface calls. By using exact runtime information about OS execution, dynamic analysis can effectively reduce false positives in bug detection.…”

Section: Dynamic Analysismentioning

confidence: 99%

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

Bai

Sui

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

Operating system (OS) is the cornerstone for modern computer systems. It manages devices and provides fundamental service for user-level applications. Thus, detecting bugs in OSes is important to improve reliability and security of computer systems. Static typestate analysis is a common technique for detecting different types of bugs, but it is often inaccurate or unscalable for large-size OS code, due to imprecision of identifying alias relationships as well as high costs of typestate tracking and path-feasibility validation.In this paper, we present PATA, a novel path-sensitive and aliasaware typestate analysis framework to detect OS bugs. To improve the precision of identifying alias relationships in OS code, PATA performs a path-based alias analysis based on control-flow paths and access paths. With these alias relationships, PATA reduces the costs of typestate tracking and path-feasibility validation, to boost the efficiency of path-sensitive typestate analysis for bug detection. We have evaluated PATA on the Linux kernel and three popular IoT OSes (Zephyr, RIOT and TencentOS-tiny) to detect three common types of bugs (null-pointer dereferences, uninitializedvariable accesses and memory leaks). PATA finds 574 real bugs with a false positive rate of 28%. 206 of these bugs have been confirmed by the developers of the four OSes. We also compare PATA to seven state-of-the-art static approaches (Cppcheck, Coccinelle, Smatch, CSA, Infer, Saber and SVF). PATA finds many real bugs missed by them, with a lower false positive rate. CCS CONCEPTS• Software and its engineering → Software defect analysis; • Security and privacy → Operating systems security.

show abstract

Section: Dynamic Analysismentioning

confidence: 99%

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

Bai

Sui

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

show abstract

“…Some SFI-based approaches [14]- [16], [21], [50], [51] can test kernel-level device drivers. Mendona et al [21] propose a robustness-testing approach for Windows device drivers.…”

Section: B Software Fault Injectionmentioning

confidence: 99%

“…This approach injects random faults on the arguments of frequently called kernel interfaces in device drivers. ADFI [14] performs a bounded trace-based iterative generation strategy to relieve the problem of fault scenario explosion, and exploits a permutation-based replay mechanism to guarantee the fidelity of runtime fault injection. EH-Test [16] uses a pattern-based strategy to analyze driver code and extract possibly realistic injected faults, and uses single fault injection to cover error handling code in drivers.…”

Section: B Software Fault Injectionmentioning

confidence: 99%

Fuzzing Error Handling Code in Device Drivers Based on Software Fault Injection

Jiang

Bai

Lawall

et al. 2019

2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE)

View full text Add to dashboard Cite

Device drivers remain a main source of runtime failures in operating systems. To detect bugs in device drivers, fuzzing has been commonly used in practice. However, a main limitation of existing fuzzing approaches is that they cannot effectively test error handling code. Indeed, these fuzzing approaches require effective inputs to cover target code, but much error handling code in drivers is triggered by occasional errors (such as insufficient memory and hardware malfunctions) that are not related to inputs. In this paper, based on software fault injection, we propose a new fuzzing approach named FIZZER, to test error handling code in device drivers. At compile time, FIZZER uses static analysis to recommend possible error sites that can trigger error handling code. During driver execution, by analyzing runtime information, it automatically fuzzes error-site sequences for fault injection to improve code coverage. We evaluate FIZZER on 18 device drivers in Linux 4.19, and in total find 22 real bugs. The code coverage is increased by over 15% compared to normal execution without fuzzing.

show abstract

“…Several are only able to inject faults into intermediate representations, and not into executable binaries [29], [23], [30], thus being unable to simulate faults that appear only at the executable binary level. Others have different limitations, such as: specific hardware platforms [22], [31], specific source code languages [32], [9], [30], or requiring simulating drivers [33]. Despite these limitations, many include useful techniques or developments that could be incorporated into future development of a general fault injection tool for executable binaries.…”

Section: A Future Workmentioning

confidence: 99%

An Automated Formal Process for Detecting Fault Injection Vulnerabilities in Binaries and Case Study on PRESENT

Given-Wilson

Jafri

Lanet

et al. 2017

2017 IEEE Trustcom/BigDataSE/Icess

View full text Add to dashboard Cite

Recently fault injection has increasingly been used both to attack software applications, and to test system robustness. Detecting fault injection vulnerabilities has been approached with a variety of different but limited methods. This paper proposes a general process without these limitations that uses model checking to detect fault injection vulnerabilities in binaries. The efficacy of this process is demonstrated by detecting vulnerabilities in the PRESENT binary.

show abstract

Automatic fault injection for driver robustness testing

Cited by 19 publications

References 31 publications

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

Path-sensitive and alias-aware typestate analysis for detecting OS bugs

Fuzzing Error Handling Code in Device Drivers Based on Software Fault Injection

An Automated Formal Process for Detecting Fault Injection Vulnerabilities in Binaries and Case Study on PRESENT

Contact Info

Product

Resources

About