krace data race fuzzing
play

Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya - PowerPoint PPT Presentation

Aug 26, 2023 •202 likes •847 views

Introduction Title Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao, Taesoo Kim May 1, 2020 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems 1 May 1, 2020 Introduction Data

  1. Introduction Title Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao, Taesoo Kim May 1, 2020 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems 1 May 1, 2020

  2. Introduction Data race concept Let’s talk about data race De fi nition: Two memory accesses from di ff erent threads such that 1. They access the same memory location 2. At least one of them is a write operation 3. They may interleave without restrictions (i.e., locks, orderings, etc) Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 2

  3. Introduction A classic data race example The classic race condition example counter = 0 for(i=0; i<50000; i++) { for(i=0; i<50000; i++) { counter++; counter++; } } Thread 1 Thread 2 What is the value of counter when both threads terminate? Any value between 50,000 to 100,000 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 3

  4. Introduction A classic data race example The classic race condition example counter = 0 for(i=0; i<50000; i++) { for(i=0; i<50000; i++) { lock(mutex); lock(mutex); counter++; counter++; unlock(mutex); unlock(mutex); } } Thread 1 Thread 2 What is the value of counter when both threads terminate? 100,000 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 4

  5. Introduction Kernel concurrency High level of concurrency in the Linux kernel 22 threads run in the background! Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 5

  6. Introduction A data race in the kernel A data race in the kernel p is a global pointer initialized to null if (! p ) if (! p ) p = kmalloc(...); p = kmalloc(...); Information lost! Thread 1 Thread 2 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 6

  7. Introduction A data race in the kernel A data race in the kernel p is a global pointer initialized to null This data race can be easily detected… if we drive the execution into these code paths at runtime if (! p ) if (! p ) p = kmalloc(...); p = kmalloc(...); Information lost! Thread 1 Thread 2 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 7

  8. Background Fuzzing in general Fuzzing as a way to explore the program Start 1 2 3 4 5 6 7 8 9 End Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 8

  9. Background Edge coverage Code coverage as an approximation Start 1 open(“some-file”, O_READ, ...) 2 3 4 5 6 7 8 9 End Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 9

  10. Background Edge coverage Code coverage as an approximation Start 1 open(“some-file”, O_READ, ...) 2 3 open(“some-file”, O_WRITE, ...) 4 5 6 7 8 9 End Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 10

  11. Background Edge coverage Code coverage as an approximation Start 1 open(“some-file”, O_READ, ...) 2 3 open(“some-file”, O_WRITE, ...) 4 open(“new-file”, O_READ, ...) 5 6 7 8 9 End Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 11

  12. Background Edge coverage Code coverage as an approximation Start 1 open(“some-file”, O_READ, ...) 2 3 open(“some-file”, O_WRITE, ...) Coverage growth stalled! 4 open(“new-file”, O_READ, ...) 5 ...... 20 trials 6 open(“some-file”, O_RDWR, ...) 7 8 9 End Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 12

  13. Background Edge coverage Code coverage as an approximation Start 1 open(“some-file”, O_READ, ...) 2 3 open(“some-file”, O_WRITE, ...) 10 4 open(“new-file”, O_READ, ...) 11 12 5 ...... 20 trials 13 6 open(“some-file”, O_RDWR, ...) 7 8 14 rename(“new-file”, “old-file”) 9 End Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 13

  14. Background Existing kernel fuzzers The conventional fuzzing process Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 14

  15. Background Existing kernel fuzzers The conventional fuzzing process Syscall Program Crashed? Test case generator executor Memory error The code coverage metric backs all modern kernel fuzzers including Syzkaller, kAFL, and their follow-ups, and is one of the key Feedback reason why over 200 memory errors were found and reported during the past few years! code coverage Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 15

  16. Background Motivation Back to our data race example p is a global pointer initialized to null if (! p ) if (! p ) p = kmalloc(...); p = kmalloc(...); Thread 1 Thread 2 *Assume sequential consistency. Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 16

  17. Background Motivation Back to our data race example p is a global pointer initialized to null No CRASH when the data race is triggered! if (! p ) if (! p ) p = kmalloc(...); p = kmalloc(...); Thread 1 Thread 2 *Assume sequential consistency. Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 17

  18. Design Data race checker Bring out data races explicitly with a checker Signaled? Data race checker Data race Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 18

  19. Design Data race checker Checking data races - locking Syscall Workqueue Fork-style - Work queues - Kernel threads - RCU callbacks - Timer functions lock - Software-based interrupts - Inter-processor interrupts W lock Join-style unlock R - Wait_* (e.g., wait_event) - Semaphores unlock Publisher-subscriber - RCU pointer operations Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 19

  20. Design Data race checker Checking data races - ordering (causality) Syscall Timer Workqueue Fork-style - Work queues - Kernel threads W - RCU callbacks - Timer functions delayed_work - Software-based interrupts <timer start> - Inter-processor interrupts Join-style - Wait_* (e.g., wait_event) <timer end> - Semaphores queue_work <work start> Publisher-subscriber R - RCU pointer operations Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 20

  21. Design Data race checker Bring out data races explicitly with a checker Signaled? Data race checker Data race Syscall Program Crashed? Test case generator executor Memory error Feedback code coverage Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 21

  22. Design Interactions between threads A slightly complicated data race G[ … ] is all null at initialization sys_readlink (path, ...): sys_truncate (size, ...): global A = 1; global A = 0; local y; local x; if (size > 4096) { if (IS_DIR(path)) { x = A + 1; y = A * 2; if (! G[ x ] ) if (! G[ y ] ) G[ x ] = kmalloc(...); G[ y ] = kmalloc(...); } } Thread 1 Thread 2 *Assume sequential consistency. Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 22

  23. Design Interactions between threads A slightly complicated data race G[ … ] is all null at initialization sys_readlink (path, ...): sys_truncate (size, ...): global A = 1; global A = 0; local y; local x; if (size > 4096) { if (IS_DIR(path)) { x = A + 1; y = A * 2; if (! G[ x ] ) if (! G[ y ] ) G[ x ] = kmalloc(...); G[ y ] = kmalloc(...); } } Thread 1 Thread 2 *Assume sequential consistency. Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 23

  24. Design Interactions between threads Case simpli fi ed A = 1; A = 0; x = A + 1; y = A * 2; Thread 1 Thread 2 Can we reach x == y? Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 24

  25. Design Interactions between threads Case simpli fi ed A = 1; A = 1; A = 1; x = A + 1; A = 0; A = 0; A = 0; x = A + 1; y = A * 2; y = A * 2; y = A * 2; x = A + 1; A = 1; A = 0; x = A + 1; x = 2, y = 0 x = 1, y = 0 x = 1, y = 0 y = A * 2; Thread 1 Thread 2 A = 0; A = 0; A = 0; Can we reach x == y? y = A * 2; A = 1; A = 1; x = A + 1; A = 1; y = A * 2; x = A + 1; x = A + 1; y = A * 2; x = 2, y = 0 x = 2, y = 2 x = 2, y = 2 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 25

  26. Design Interactions between threads All interleavings yield to the same code coverage! A = 1; A = 1; A = 1; global A = 1; local x; x = A + 1; A = 0; A = 0; if (IS_DIR(path)) A = 0; x = A + 1; y = A * 2; x = A + 1; y = A * 2; y = A * 2; x = A + 1; if (! G[ x ] ) x = 2, y = 0 x = 1, y = 0 x = 1, y = 0 G[ x ] = kmalloc(...); ... A = 0; A = 0; A = 0; global A = 0; local y; y = A * 2; A = 1; A = 1; if (size > 4096) x = A + 1; A = 1; y = A * 2; y = A * 2; x = A + 1; x = A + 1; y = A * 2; if (! G[ y ] ) G[ y ] = kmalloc(...); x = 2, y = 0 x = 2, y = 2 x = 2, y = 2 ... Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 26

  27. Design Missing information in edge coverage Incompleteness of CFG edge coverage Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems May 1, 2020 27

Recommend

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

2.82k views • 173 slides
through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee

through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee

Razzer: Finding Kernel Race Bugs through Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

1.17k views • 47 slides
Looking Inside a Race Detector kavya @kavya719 data race detection data races when two+

Looking Inside a Race Detector kavya @kavya719 data race detection data races when two+

Looking Inside a Race Detector kavya @kavya719 data race detection data races when two+ threads concurrently access a shared memory location, at least one access is a write. data race // Shared variable R R R var count = 0 W R

695 views • 57 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging &amp; Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

650 views • 16 slides
Data Race-Free and Speculative Models Zach Pomper Maxwell Johnson DeNovo: Data Race-Free Model

Data Race-Free and Speculative Models Zach Pomper Maxwell Johnson DeNovo: Data Race-Free Model

Data Race-Free and Speculative Models Zach Pomper Maxwell Johnson DeNovo: Data Race-Free Model Modern consistency provides the programmer too much freedom Wild shared memory behaviors Requires sophisticated, complicated,

184 views • 15 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Race and Ethnicity Covariates Race and ethnicity are a good illustratjon of the trade-ofgs

Race and Ethnicity Covariates Race and ethnicity are a good illustratjon of the trade-ofgs

Race and Ethnicity Covariates Race and ethnicity are a good illustratjon of the trade-ofgs between clinical and research data Race and ethnicity data in prospectjvely collected research datasets are usually reliable and valid Questjon:

203 views • 6 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&amp;D firstname dot lastname at orange-ftgroup dot com research &amp; development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
Race Race In D&amp;D, race refers to any intelligent humanoid species Dwarf Elf

Race Race In D&amp;D, race refers to any intelligent humanoid species Dwarf Elf

Race Race In D&amp;D, race refers to any intelligent humanoid species Dwarf Elf Halfling Human Gnome Half-Elf Half-Orc Tiefling Race Select a race now and record it near the top Rock gnome of your character sheet

713 views • 43 slides
So You Want to Race to Bermuda Marion Bermuda Race Starts June 19, 2015 So You Want to Race to

So You Want to Race to Bermuda Marion Bermuda Race Starts June 19, 2015 So You Want to Race to

So You Want to Race to Bermuda Marion Bermuda Race Starts June 19, 2015 So You Want to Race to Bermuda Why You Should Go The History The Race Preparing for The Race The Boat The Crew Post Race Where to begin 2

881 views • 66 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
INTRODUCTION THE WORLD CUP OF AIR RACING P 1 AIR RACE 1 WORLD CUP AIR RACE 1 WORLD CUP THE

INTRODUCTION THE WORLD CUP OF AIR RACING P 1 AIR RACE 1 WORLD CUP AIR RACE 1 WORLD CUP THE

INTRODUCTION THE WORLD CUP OF AIR RACING P 1 AIR RACE 1 WORLD CUP AIR RACE 1 WORLD CUP THE FUTURE OF FAST 127 1.35 Billion Cumulative Audience Reach Countries TV cover The Air Race 1 World Cup Air Race 1 is the fastest motorsport in the

364 views • 10 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
Race 1 Peer Teaching What role do you think race plays in international relations? 2 Race

Race 1 Peer Teaching What role do you think race plays in international relations? 2 Race

Race 1 Peer Teaching What role do you think race plays in international relations? 2 Race in IR In 1925, W.E.B. DuBois argued that WWI traced its origins to competition between (white) Europeans for (black) African labor. Tension

448 views • 13 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
Marion to Bermuda Race 2021 Race Starts: June 18, 2021 So You Want to Race to Bermuda Why

Marion to Bermuda Race 2021 Race Starts: June 18, 2021 So You Want to Race to Bermuda Why

Marion to Bermuda Race 2021 Race Starts: June 18, 2021 So You Want to Race to Bermuda Why You Should Go The History The Race Preparing for The Race The Boat The Crew Post Race Where to begin 2 Why Marion to

1.14k views • 71 slides

More recommend