
ConFuzz—A Concurrency Fuzzer

  • Nischai Vinesh (corresponding author)
  • Sanjay Rawat
  • Herbert Bos
  • Cristiano Giuffrida
  • M Sethumadhavan
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 1045)

Abstract

Concurrency bugs are as exploitable as the bugs found in single-threaded programs, and they can be triggered through concurrency attacks. Unfortunately, little literature exists on detecting the various kinds of concurrency issues in a multi-threaded program, owing to their complexity and non-determinism. In this paper, we aim to detect concurrency bugs by directed evolutionary fuzzing guided by static analysis of the source code. Concurrency bug detection involves two main entities: an input and a particular thread execution order. The evolutionary part of the fuzzer prefers inputs that involve memory access patterns across threads (data-flow interleaving) and thread orderings that disturb the data dependence more, and directs them towards triggering concurrency bugs. This paper proposes the idea of a concurrency fuzzer, which is the first of its kind. We use a combination of LLVM, ThreadSanitizer and fuzzing techniques to detect various concurrency issues in an application. The source code of the application is statically analyzed for the paths from the different thread-related function calls to the main function. Every basic block on these paths is assigned a unique ID and a weight based on the distance of the basic block from the thread function calls. These basic blocks are instrumented to print their ID and weight upon execution. The knowledge of which basic blocks on the sliced paths were covered is used to generate new inputs from the old ones, thus covering more basic blocks on the path and thereby increasing the chances of hitting a concurrency warning. We use ThreadSanitizer, present in the LLVM compiler infrastructure, to detect concurrency bug warnings while executing each input. The inputs are directed to discover new address locations with possible concurrency issues. The system was tested on three simple multi-threaded applications: pigz, pbzip2, and pixz. The results show a quicker detection of unique addresses in the application with possible concurrency issues.
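As an added illustration (this is not the paper's code and not ConFuzz's implementation), the Python sketch below models the two mechanisms the abstract describes: a static pass that walks a control-flow graph backwards from the basic blocks containing thread-related calls and gives every block on a path from main a weight that grows as the block gets closer to such a call, and a fitness function that scores one fuzzing input from the "ID weight" lines the instrumented binary prints, with a bonus for ThreadSanitizer warnings at addresses the campaign has not seen before. The control-flow graph, the block names, the `BB <id> <weight>` trace format, the weight formula 1/(1+distance), the bonus value and the ThreadSanitizer-style report text are all constructed assumptions for this example.

```python
"""Toy model of distance-weighted, TSan-guided input scoring (added example)."""
from collections import deque
import re

# Constructed CFG: block -> successor blocks (main's blocks plus the worker's).
CFG = {
    "main.entry": ["main.parse_args"],
    "main.parse_args": ["main.open_input", "main.usage"],
    "main.usage": [],
    "main.open_input": ["main.spawn_workers"],
    "main.spawn_workers": ["worker.entry", "main.join"],
    "worker.entry": ["worker.lock_queue"],
    "worker.lock_queue": ["worker.compress"],
    "worker.compress": ["worker.unlock_queue"],
    "worker.unlock_queue": ["worker.entry", "worker.exit"],
    "worker.exit": [],
    "main.join": ["main.exit"],
    "main.exit": [],
}

# Blocks that contain a thread-related call (constructed).
THREAD_CALL_SITES = {
    "main.spawn_workers": "pthread_create",
    "worker.lock_queue": "pthread_mutex_lock",
    "worker.unlock_queue": "pthread_mutex_unlock",
    "main.join": "pthread_join",
}


def reachable_from(cfg, start):
    """Blocks reachable from `start` by following CFG edges forward."""
    seen, stack = set(), [start]
    while stack:
        b = stack.pop()
        if b not in seen:
            seen.add(b)
            stack.extend(cfg.get(b, []))
    return seen


def assign_weights(cfg, thread_sites, entry="main.entry"):
    """Return {block: (id, weight)} for blocks lying on a path entry -> thread call.

    distance = fewest CFG edges from the block to the nearest thread call site,
    found by a multi-source backward BFS; weight = 1 / (1 + distance), so a
    call site itself scores 1.0 and blocks far from any call site score less.
    Blocks that cannot reach a call site (e.g. the usage/exit blocks) are not
    in the slice and are not instrumented."""
    rev = {}
    for b, succs in cfg.items():
        for s in succs:
            rev.setdefault(s, []).append(b)
    dist = {b: 0 for b in thread_sites}
    q = deque(thread_sites)
    while q:
        b = q.popleft()
        for p in rev.get(b, []):
            if p not in dist:
                dist[p] = dist[b] + 1
                q.append(p)
    forward = reachable_from(cfg, entry)
    sliced = sorted(b for b in dist if b in forward)
    return {b: (i, 1.0 / (1 + dist[b])) for i, b in enumerate(sliced)}


def emit_trace(executed_blocks, table):
    """Stand-in for the instrumented binary: one 'BB <id> <weight>' line per
    executed block that is part of the slice (constructed format)."""
    return [f"BB {table[b][0]} {table[b][1]:.4f}" for b in executed_blocks if b in table]


def fitness(trace_lines):
    """Sum the printed weights of the *unique* blocks an input reached, so the
    score rewards covering more of the sliced path, not looping in one block."""
    covered = {}
    for line in trace_lines:
        m = re.fullmatch(r"BB (\d+) ([0-9.]+)", line.strip())
        if m:
            covered[int(m.group(1))] = float(m.group(2))
    return sum(covered.values()), set(covered)


# Matches the access lines of a ThreadSanitizer data-race report, e.g.
# "  Write of size 4 at 0x7b0400000010 by thread T1:".
TSAN_ACCESS = re.compile(r"\b(?:write|read) of size \d+ at (0x[0-9a-f]+)", re.IGNORECASE)


def racy_addresses(tsan_output):
    """Unique addresses ThreadSanitizer flagged in a run's stderr."""
    return {m.group(1) for m in TSAN_ACCESS.finditer(tsan_output)}


def score_input(trace_lines, tsan_output, known_addrs, new_addr_bonus=2.0):
    """Coverage fitness plus a bonus per racy address not seen in earlier runs."""
    base, covered = fitness(trace_lines)
    new = racy_addresses(tsan_output) - known_addrs
    return base + new_addr_bonus * len(new), covered, new


# Constructed executions: one input that hits the usage path, one that runs a worker.
PATH_USAGE = ["main.entry", "main.parse_args", "main.usage"]
PATH_FULL = ["main.entry", "main.parse_args", "main.open_input", "main.spawn_workers",
             "worker.entry", "worker.lock_queue", "worker.compress", "worker.unlock_queue",
             "worker.exit", "main.join", "main.exit"]

# Constructed sample in the style of a ThreadSanitizer report.
TSAN_SAMPLE = """\
WARNING: ThreadSanitizer: data race (pid=4242)
  Write of size 4 at 0x7b0400000010 by thread T1:
    #0 worker_compress example.c:57 (example+0x4a2c)
  Previous read of size 4 at 0x7b0400000010 by main thread:
    #0 main example.c:91 (example+0x4f10)
"""

if __name__ == "__main__":
    table = assign_weights(CFG, THREAD_CALL_SITES)
    known = set()
    for name, path, tsan in (("usage", PATH_USAGE, ""), ("full", PATH_FULL, TSAN_SAMPLE)):
        score, covered, new = score_input(emit_trace(path, table), tsan, known)
        known |= new
        print(f"{name}: score={score:.3f} blocks={sorted(covered)} new_addrs={sorted(new)}")
```

The ordering the scores produce is the point: the input that only reaches the usage path covers two low-weight blocks, while the one that spawns and joins a worker covers the whole slice and, on its first sighting of a racy address, earns the new-address bonus; on a later run reporting the same address the bonus disappears, so the fuzzer's preference moves on to inputs that reach addresses it has not seen.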

Keywords

Concurrency fuzzing, Concurrency bugs, LLVM, Fuzzing, Static analysis, Source code analysis


Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Nischai Vinesh (1, corresponding author)
  • Sanjay Rawat (2)
  • Herbert Bos (2)
  • Cristiano Giuffrida (2)
  • M Sethumadhavan (1)

  1. TIFAC-CORE in Cyber Security, Amrita School of Engineering, Amrita Vishwa Vidyapeetham, Coimbatore, India
  2. Department of Computer Science, Vrije Universiteit, Amsterdam, The Netherlands
