Detecting concurrency vulnerabilities based on partial orders of memory and thread events

Memory vulnerabilities are the main causes of software security problems. However, detecting vulnerabilities in multi-threaded programs is challenging because many vulnerabilities occur under specific executions, and it is hard to explore all possible executions of a multi-threaded program. Existing approaches are either computationally intensive or likely to miss some vulnerabilities due to the complex thread interleaving. This paper introduces a novel approach to detect concurrency memory vulnerabilities based on partial orders of events. A partial order on a set of events represents the definite execution orders of events. It allows constructing feasible traces exposing specific vulnerabilities by exchanging the execution orders of vulnerability-potential events. It also reduces the search space of possible executions and thus improves computational efficiency. We propose new algorithms to extract vulnerability-potential event pairs for three kinds of memory vulnerabilities. We also design a novel algorithm to compute a potential event pair's feasible set, which contains the relevant events required by a feasible trace. Our method extends existing approaches for data race detection by considering that two events are protected by the same lock. We implement a prototype of our approach and conduct experiments to evaluate its performance. Experimental results show that our tool exhibits superiority over state-of-the-art algorithms in both effectiveness and efficiency.

[1]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[2]  Choongwoo Han,et al.  The Art, Science, and Engineering of Fuzzing: A Survey , 2018, IEEE Transactions on Software Engineering.

[3]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[4]  Konstantin Serebryany,et al.  MemorySanitizer: Fast detector of uninitialized memory use in C++ , 2015, 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[5]  Grigore Rosu,et al.  Maximal sound predictive race detection with control flow abstraction , 2014, PLDI.

[6]  Insik Shin,et al.  Razzer: Finding Kernel Race Bugs through Fuzzing , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[7]  Edith Schonberg,et al.  On-the-fly detection of access anomalies , 2018, PLDI '89.

[8]  Michael D. Bond,et al.  High-coverage, unbounded sound predictive race detection , 2018, PLDI.

[9]  Koen De Bosschere,et al.  TRaDe: Data Race Detection for Java , 2001, International Conference on Computational Science.

[10]  ANDREAS PAVLOGIANNIS Fast, sound, and effectively complete dynamic race prediction , 2020, Proc. ACM Program. Lang..

[11]  Cen Zhang,et al.  MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs , 2020, USENIX Security Symposium.

[12]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[13]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[14]  Bin Liang,et al.  Detecting concurrency memory corruption vulnerabilities , 2019, ESEC/SIGSOFT FSE.

[15]  Taesoo Kim,et al.  Krace: Data Race Fuzzing for Kernel File Systems , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[16]  Mahesh Viswanathan,et al.  Dynamic race prediction in linear time , 2017, PLDI.

[17]  Cristiano Giuffrida,et al.  ConFuzz—A Concurrency Fuzzer , 2019, First International Conference on Sustainable Technologies for Computational Intelligence.

[18]  Madan Musuvathi,et al.  Iterative context bounding for systematic testing of multithreaded programs , 2007, PLDI '07.

[19]  Konstantin Serebryany,et al.  ThreadSanitizer: data race detection in practice , 2009, WBIA '09.

[20]  Leslie Lamport,et al.  How to Make a Multiprocessor Computer That Correctly Executes Multiprocess Programs , 2016, IEEE Transactions on Computers.

[21]  Michael D. Bond,et al.  PACER: proportional detection of data races , 2010, PLDI '10.

[22]  Juan Caballero,et al.  Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities , 2012, ISSTA 2012.

[23]  Jeff Huang,et al.  UFO: Predictive Concurrency Use-After-Free Detection , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE).

[24]  Anna Philippou,et al.  Tools and Algorithms for the Construction and Analysis of Systems , 2018, Lecture Notes in Computer Science.

[25]  Leslie Lamport,et al.  Time, clocks, and the ordering of events in a distributed system , 1978, CACM.

[26]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[27]  Hai Jin,et al.  A Heuristic Framework to Detect Concurrency Vulnerabilities , 2018, ACSAC.

[28]  Yannis Smaragdakis,et al.  Sound predictive race detection in polynomial time , 2012, POPL '12.

[29]  Francesco Sorrentino,et al.  Predicting null-pointer dereferences in concurrent programs , 2012, SIGSOFT FSE.

[30]  Assaf Schuster,et al.  Efficient on-the-fly data race detection in multithreaded C++ programs , 2003, PPoPP '03.

[31]  Stephen N. Freund,et al.  FastTrack: efficient and precise dynamic race detection , 2009, PLDI '09.