finding semantic bugs in file systems with an extensible
play

Finding Semantic Bugs in File Systems with an Extensible Fuzzing - PowerPoint PPT Presentation

Feb 28, 2024 •186 likes •943 views

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency

  1. Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market

  2. Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency Result at the end of the talk! 2

  3. Question: Can file systems be bug-free? 3

  4. Can file systems be bug-free? ● Code base is massive 4

  5. Can file systems be bug-free? Not likely ● Code base is massive 39 KLoC 98 KLoC 94 KLoC + common VFS layer (53 KLoC)! 5

  6. Can file systems be bug-free? Not likely ● Code base is massive and evolving 39 KLoC 98 KLoC 94 KLoC 6

  7. Can file systems be bug-free? Not likely ● Code base is massive and evolving 39 KLoC 98 KLoC 94 KLoC 100+ ext4, Btrfs, XFS bugs were reported in 2019 7

  8. File system bugs are devastating ● Bugs and effects Crash consistency bug Data loss / corruption ! Specification violation Unexpected runtime error ! Logic bug Incorrect result ! Memory error DoS / Privilege escalation ! 8

  9. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta kAFL (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 (OSDI’18) 9

  10. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta kAFL (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 (OSDI’18) Only test known cases 10

  11. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta kAFL (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 (OSDI’18) High false positive Only test Limited to known known cases test cases 11

  12. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta kAFL (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 (OSDI’18) High false positive Only test Large unverified parts Limited to known known cases (buggy) test cases 12

  13. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC FiSC (OSDI’04) (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode eXplode (OSDI’06) (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta Juxta kAFL (SOSP’15) (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite Ferrite (ASPLOS’16) (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 B3 (OSDI’18) (OSDI’18) High false positive Only test Large unverified parts Limited to known ? known cases (buggy) test cases 13

  14. Our approach: Fuzzing file systems ● Feedback-driven fuzzing is a complementary solution ○ Produces effective test cases on-the-fly 🙃 ○ Proven to be scalable in practice 🙃 ○ ● Known file system fuzzers ○ VM-based kernel fuzzers ■ kAFL (Security’17), Syzkaller (Google) ○ LibOS-based fuzzer ■ Janus (S&P’19) - our previous work! 14

  15. Our approach: Fuzzing file systems ● Feedback-driven fuzzing is a complementary solution ○ Produces effective test cases on-the-fly 🙃 🙃 Janus discovered 90 memory-safety bugs ○ Proven to be scalable in practice from file systems in 2018 🙃 ○ ● Known file system fuzzers ○ VM-based kernel fuzzers ■ kAFL (Security’17), Syzkaller (Google) ○ LibOS-based fuzzer ■ Janus (S&P’19) - our previous work! 15

  16. Our approach: Fuzzing file systems ● Feedback-driven fuzzing is a complementary solution ○ Produces effective test cases on-the-fly 🙃 🙃 Janus discovered 90 memory-safety bugs ○ Proven to be scalable in practice from file systems in 2018 🙃 ○ ● Known file system fuzzers ○ VM-based kernel fuzzers ■ kAFL (Security’17), Syzkaller (Google) However, existing file system fuzzers ○ LibOS-based fuzzer ■ focus only on memory-safety bugs 🙂 Janus (S&P’19) - our previous work! 16

  17. File system bugs in various flavors ● Memory-safety bugs (focus of existing fuzzers) 12 % (219) 88 % (1786) *Reference: Lu, Lanyue, et al. “A study of Linux file system evolution.” 17 FAST’13

  18. File system bugs in various flavors ● Memory-safety bugs (focus of existing fuzzers) 12 % (219) ● Semantic bugs ○ Crash consistency bug 88 % ○ Specification violation (1786) ○ Logic bug ○ ... *Reference: Lu, Lanyue, et al. “A study of Linux file system evolution.” 18 FAST’13

  19. File system bugs in various flavors ● Memory-safety bugs (focus of existing fuzzers) 12 % (219) ● Semantic bugs ○ Crash consistency bug 88 % We’d like to take advantage of fuzzing ○ Specification violation (1786) ○ Logic bug for finding semantic bugs ○ ... *Reference: Lu, Lanyue, et al. “A study of Linux file system evolution.” 19 FAST’13

  20. Challenge: Semantic bugs are harder to detect ● Key idea in fuzzing: “Crashes” are feedback to fuzzers Fuzzing for memory-safety bugs Target FUZZER program 20

  21. Challenge: Semantic bugs are harder to detect ● Key idea in fuzzing: “Crashes” are feedback to fuzzers Fuzzing for memory-safety bugs input Target FUZZER program 21

  22. Challenge: Semantic bugs are harder to detect ● Key idea in fuzzing: “Crashes” are feedback to fuzzers Fuzzing for memory-safety bugs input Target FUZZER program if BUG, crash 22

  23. Challenge: Semantic bugs are harder to detect ● Key idea in fuzzing: “Crashes” are feedback to fuzzers Fuzzing for memory-safety bugs input Target FUZZER program if BUG, crash feedback (e.g., SIGSEGV) Detected! 23

  24. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input Target Target FUZZER FUZZER program program if BUG, crash feedback (e.g., SIGSEGV) Detected! 24

  25. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, crash feedback (e.g., SIGSEGV) Detected! 25

  26. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, function returns ? if BUG, crash feedback a wrong value internally (e.g., SIGSEGV) Detected! 26

  27. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, function returns ? if BUG, crash feedback a wrong value internally (e.g., SIGSEGV) Not detected 🙂 Detected! 27

  28. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, function returns ! if BUG, crash feedback a wrong value internally (e.g., SIGSEGV) Detected! Checker feedback Detected 🙃 28

  29. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, function returns ! if BUG, crash feedback a wrong value internally (e.g., SIGSEGV) Accurate checker for each bug type Retval Detected! checker signal needs to be integrated to fuzzing! Detected :) 29

  30. Proposed solution: Hydra A turnkey solution for file system fuzzing 30

  31. HYDRA overview (high-level) LibOS-based Test case BUG! Input generator Checker Test Executor Feedback 31

  32. HYDRA overview - Input generator AFL variant* LibOS-based Test case BUG! Input generator Checker Test Executor Feedback 32 * Fuzzing File Systems via Two-Dimensional Input Space Exploration - IEEE S&P 2019

  33. HYDRA overview - Test case FS image + AFL variant* System calls LibOS-based Test case BUG! Input generator Checker Test Executor Feedback 33 * Fuzzing File Systems via Two-Dimensional Input Space Exploration - IEEE S&P 2019

Recommend

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science Two promising approaches to make

1.25k views • 85 slides
Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang, Jian Huang, and Marc Snir University of Illinois at Urbana-Champaign Contact: Jinghan Sun (js39@illinois.edu) PFS failures are frequent and

912 views • 17 slides
FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee,

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee,

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee, Sooel Son KAIST Upload Functionality Sharing user-provided content has become a de facto standard feature of modern web applications 2 File

995 views • 61 slides
Construction of a Semantic Model Construction of a Semantic Model for a Typed Assembly Language

Construction of a Semantic Model Construction of a Semantic Model for a Typed Assembly Language

Construction of a Semantic Model Construction of a Semantic Model for a Typed Assembly Language Gang Tan, Andrew Appel, Kedar Swadi and Dinghao Wu Princeton University Jan 11, 2004 Extensible systems Extensible systems code extensions host

228 views • 22 slides
Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems

Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems

Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems Cameron Macdonell Macdonell Cameron Overview Overview The The Scruf Scruf Framework Framework Examples of Extended File Systems

470 views • 18 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

878 views • 87 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
EMMA Extensible Multimodal Annotation markup language Canonical structure semantic

EMMA Extensible Multimodal Annotation markup language Canonical structure semantic

EMMA Extensible Multimodal Annotation markup language Canonical structure semantic interpretations for a variety of inputs including: Speech Natural language text GUI Ink 1 James A. Larson EMMA EMMA Extensible Multimodal

376 views • 15 slides
Building an Extensible File System via Policy-based Data

Building an Extensible File System via Policy-based Data

Building an Extensible File System via Policy-based Data Management Hao Xu Jewel H. Ward Mike Conway Arcot Rajasekar Reagan W. Moore (iRODS

985 views • 38 slides
Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds of file formats are supported in Windows, Office, et al. Many written in C/C++ Programming errors security bugs! Random choice of x: one

493 views • 35 slides
Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system implementation n Example file systems Chapter 6 CS 1550, cs.pitt.edu 2 (originaly modified by Ethan Long-term information storage n Must store large amounts

1.01k views • 66 slides
Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system implementation Example file systems Chapter 6 CMPS 111, UC Santa Cruz 2 Long-term information storage Must store large amounts of data

829 views • 57 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 1 File systems are complex and have bugs File systems are complex (e.g.,

765 views • 52 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 27 File systems are complex and have bugs File systems are complex (e.g.,

1.18k views • 50 slides
Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with

Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with

Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with Andrzej Wsowski and Claus Brabrand FOSD Meeting 2014 1 / 28 Agenda 40 variability bugs in Linux: A Qualitative Study (10m) Method Example

540 views • 36 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
An Extensible Natural-Language Query Interface to an Event-Based Semantic Web Triplestore Richard

An Extensible Natural-Language Query Interface to an Event-Based Semantic Web Triplestore Richard

An Extensible Natural-Language Query Interface to an Event-Based Semantic Web Triplestore Richard Frost (Professor Emeritus) Shane Peelar (Doctoral Candidate) { richard , peelar}@uwindsor.ca School of Computer Science University of Windsor

384 views • 34 slides
File Systems: All data structures are cached for better performance Create a new file

File Systems: All data structures are cached for better performance Create a new file

File Systems: Consistency Issues What about Multiple Updates? File systems maintain many data structures Several file system operations update multiple data structures Free list/bit vector Directories Examples: File headers and inode

257 views • 3 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
File Systems: Semantics & Structure What is a File a file is a named collection of

File Systems: Semantics & Structure What is a File a file is a named collection of

5/15/2017 File Systems: Semantics & Structure What is a File a file is a named collection of information 11A. File Semantics primary roles of file system: 11B. Namespace Semantics to store and retrieve data 11C. File

352 views • 16 slides
File Systems: Semantics & Structure What is a File a file is a named collection of

File Systems: Semantics & Structure What is a File a file is a named collection of

5/16/2018 File Systems: Semantics & Structure What is a File a file is a named collection of information 11A. File Semantics primary roles of file system: 11B. Namespace Semantics to store and retrieve data 11C. File

373 views • 13 slides

More recommend