Fuzzing with automatically controlled interleavings to detect concurrency bugs

Ko, Youngjoo; Zhu, Bin; Kim, Jong

doi:10.1016/j.jss.2022.111379

Cited by 7 publications

(7 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Multiple attempts have been made to detect security vulnerabilities in concurrent programs with fuzzing [23], [34], [42]- [44]. Here, we organize these past efforts according to five categories in the taxonomy of Table 1.…”

Section: Gray-box Fuzzingmentioning

confidence: 99%

“…First and foremost, a mechanism to force the execution of a large number of different interleaving is required (Interleaving Control). Existing fuzzers like MUZZ [23] and ConAFL [34] manipulate the thread priorities at assembly level, others like Krace [44] inject sleep instruction to force a context switch, while AutoInterfuzzing [42] and Conzzer [45] instrument the code with explicit synchronization barriers or thread locks. Alternatively, the interleaving exploration can be left to the natural nondeterminism of the operating system like in ConFuzz [43].…”

Section: Gray-box Fuzzingmentioning

confidence: 99%

“…Recently, another concurrency-aware gray-box fuzzer has been proposed in [42]. This tool, called AutoInter-fuzzing, uses static analysis to identify instruction pairs that access the same memory location but are executed by different threads.…”

Section: B Fuzzingmentioning

confidence: 99%

See 2 more Smart Citations

Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs

et al. 2022

View full text Add to dashboard Cite

Finding software vulnerabilities in concurrent programs is a challenging task due to the size of the state-space exploration, as the number of interleavings grows exponentially with the number of program threads and statements. We propose and evaluate EBF (Ensembles of Bounded Model Checking with Fuzzing) -a technique that combines Bounded Model Checking (BMC) and Gray-Box Fuzzing (GBF) to find software vulnerabilities in concurrent programs. Since there are no publicly-available GBF tools for concurrent code, we first propose OpenGBF -a new open-source concurrency-aware gray-box fuzzer that explores different thread schedules by instrumenting the code under test with random delays. Then, we build an ensemble of a BMC tool and OpenGBF in the following way. On the one hand, when the BMC tool in the ensemble returns a counterexample, we use it as a seed for OpenGBF, thus increasing the likelihood of executing paths guarded by complex mathematical expressions. On the other hand, we aggregate the outcomes of the BMC and GBF tools in the ensemble using a decision matrix, thus improving the accuracy of EBF. We evaluate EBF against state-of-the-art pure BMC tools and show that it can generate up to 14.9% more correct verification witnesses than the corresponding BMC tools alone. Furthermore, we demonstrate the efficacy of OpenGBF, by showing that it can find 24.2% of the vulnerabilities in our evaluation suite, while non-concurrency-aware GBF tools can only find 0.55%. Finally, thanks to our concurrency-aware OpenGBF, EBF detects a data race in the open-source wolfMqtt library and reproduces known bugs in several other real-world programs, which demonstrates its effectiveness in finding vulnerabilities in realworld software.

show abstract

Section: Gray-box Fuzzingmentioning

confidence: 99%

Section: Gray-box Fuzzingmentioning

confidence: 99%

See 1 more Smart Citation

Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Unfortunately, the static analysis tool utilized by ConAFL is not available [37]. AutoInter-fuzzing [38] is a very recent thread-aware GBF that also employs static analysis to locate sensitive operations. Specifically, it isolates pairs of instructions that access the same memory location across different threads.…”

Section: Gray-box Fuzzingmentioning

confidence: 99%

“…However, a discussion on the advantage of this technique over random scheduling is missing. Recently, another concurrencyaware fuzzer has been proposed in [38]. This gray-box fuzzer, called AutoInter-fuzzing, uses static analysis to narrow the search space and identify pairs of instructions that access the same memory location but are executed by different threads.…”

Section: B Fuzzingmentioning

confidence: 99%

Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs

Fatimah¹,

Menezes²,

Manino³

et al. 2022

Preprint

View full text Add to dashboard Cite

Finding software vulnerabilities in concurrent programs is a challenging task due to the size of the state-space exploration, as the number of interleavings grows exponentially with the number of program threads and statements. We propose and evaluate EBF (Ensembles of Bounded Model Checking with Fuzzing) -a technique that combines Bounded Model Checking (BMC) and Gray-Box Fuzzing (GBF) to find software vulnerabilities in concurrent programs. Since there are no publiclyavailable GBF tools for concurrent code, we first propose a novel concurrency-aware gray-box fuzzer that explores different thread schedules by instrumenting the code under test with random delays controlled by the fuzzing engine. Then, we build an ensemble of one BMC and one GBF tool in the following way. On the one hand, when the BMC tool in the ensemble returns a counterexample, we use it as a seed for our GBF tool, thus increasing the likelihood of executing paths guarded by complex mathematical expressions. On the other hand, we aggregate the outcomes of the BMC and GBF tools in the ensemble using a decision matrix, thus improving the accuracy of EBF. We evaluate EBF against state-of-the-art pure BMC tools and show that it can generate up to 14.9% more correct verification witnesses than BMC alone. Furthermore, we demonstrate the efficacy of our concurrency-aware GBF, by showing that it can find 21.4% of the vulnerabilities in our evaluation suite, while non-concurrency-aware GBF tools can only find 0.55%. Finally, thanks to our concurrency-aware GBF tool, EBF detects a data race in the open-source wolfMqtt library, which demonstrates its effectiveness in finding vulnerabilities in real-world software.

show abstract

When Memory Corruption Met Concurrency: Vulnerabilities in Concurrent Programs

2023

View full text Add to dashboard Cite

Concurrent programs are widespread in modern systems. They make better use of processor resources but inevitably introduce a new set of problems in terms of reliability and security. Concurrency bugs usually lead to program crashes and unexpected behavior, and are an active research topic. From a security perspective, concurrency vulnerabilities are those that exhibit harmful behavior exclusively in concurrent executions. They can take place in a diverse range of environments, such as in operating system kernels, file system operations, or general-purpose multithreaded programs. A particular characteristic of concurrency is that it not only introduces new problems, but also enables traditional vulnerabilities to be triggered in concurrent-specific ways. Those that lead to dangerous security vulnerabilities usually cause memory corruption, a strong and flexible primitive for exploitation, and are known as concurrency memory corruption vulnerabilities. In this paper, we systematically analyze concurrency vulnerabilities in C and C++ programs, their exploitation and their detection, focusing on concurrency memory corruption vulnerabilities. We organize previous work on concurrency bug characteristics and detection, and highlight the differences in relation to vulnerabilities. Then, we examine the existence of concurrency vulnerabilities in real-world programs by searching the CVE database and point out a growing trend. Further, we analyze and compare existing detection approaches towards concurrency memory corruption.

show abstract

Fuzzing with automatically controlled interleavings to detect concurrency bugs

Cited by 7 publications

References 17 publications

Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs

Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs

Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs

When Memory Corruption Met Concurrency: Vulnerabilities in Concurrent Programs

Contact Info

Product

Resources

About