MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs
Hongxu Chen, Shengjian Guo, Yinxing Xue, Yuelei SuiCen Zhang, Yuekang Li, Haijun Wang, Yang Liu
1
Background
Bugs/vulnerabilities in multithreaded programs are subtle to be detected
Many programs rely on specific test inputs to trigger multithreading-relevant bugs
Existing fuzzing techniques cannot effectively generate multithreading-relevant tests
2
Motivation (1) – The problem
o Coverage depends on test inputse.g., the program may or may not execute ④
according to the condition of ③, purely dependent on inputs
o Coverage depends on thread-schedulinge.g., ① :“g_var+=1” ② : “g_var*=2”o T1: ① →T2: ① →T2: ② →T1: ②è
g_var=4o T1: ① →T2: ① →T1: ② →T2: ②è
g_var=4o T1: ① →T1: ② →T2: ① →T2: ②è
g_var=2
3
Motivation (2) – Existing Solutions
o Lacking Feedback to Track Thread-interleavings and Thread-contexte.g., ① → ①
o Lacking Schedule-intervention Across Executionso e.g., SAME interleaving during
fuzzing?
4
MUZZ Overview
Ⓐ: Static Analysis Guided InstrumentationⒷ: Adaptive Dynamic FuzzingⒸ: Vulnerability Detection AnalysisⒹ: ThreadSanitizer Aided Concurrency-bug Revealing
5
Approach (1) – Static Analysis
Identify Suspicious Interleaving Scope (Lm)o The statements should be executed
after one of TFork, while TJoin is not encountered yet
o The statements can only be executed before the invocation of TLock and after the invocation of TUnLock
o The statements should read or write at least one of the shared variables by different threads
6
Approach (2) – Coverage-oriented Instrumentation
Ø Instrument more in Lm, but with certain probabilities
Pe 𝑓 = min𝐸 𝑓 − 𝑁 𝑓 + 2
10 , 1.0
P𝑠 𝑓 = min Pe 𝑓 , Ps0
P𝑚 𝑓, 𝑏 = min Pe 𝑓 2𝑁𝑚 𝑏𝑁 𝑏 , P𝑚0
7
Approach (3) – Two Other Instrumentations
Ø Threading-context Instrumentation• Track thread IDs and TLock,
TUnLock, TJoin• Distinguish different transitions
between threads
Ø Schedule-intervention Instrumentation
• Using pthread_setschedparam to adjust thread priority and apply uniformly distributed random
• Increase thread scheduling diversities
8
Approach (4) – Seed Selection
Prioritize to select those seeds that:o Cover new regular traceso Cover new thread-interleavings
9
Approach (5) – Repeated Execution
10
Statistics of Target Programs
𝑇𝑝𝑝: Preprocessing time𝑁𝑏: Number of basicblocks𝑁𝑖: Number of instructions𝑁𝑖𝑖: Number of MUZZ-instrumented instructions
11
Evaluation (1) – Seed Generation
MUZZ has advantages in increasing the number and percentagesof multithreading-relevant seeds for multithreaded programs
12
Evaluation (2) – Vulnerability Detection
MUZZ demonstrates superiority in exercising more multithreading-relevant crashing states and detecting concurrency-vulnerabilities
13
Evaluation (3) – Concurrency-bug Revealing
MUZZ outperforms competitors in revealing concurrency-bugs with fuzzer-generated seeds
14
Top Related