DFTracker: detecting double-fetch bugs by multi-taint parallel tracking

A race condition is a common trigger for concurrency bugs. As a special case, a race condition can also occur across the kernel and user space, causing a double-fetch bug, a class of bug that has received little research attention. In our work, we first analyzed real-world double-fetch bug cases and extracted two specific patterns for double-fetch bugs. Based on these patterns, we proposed an approach of multi-taint parallel tracking to detect double-fetch bugs. We also implemented a prototype called DFTracker (double-fetch bug tracker) and evaluated it with our test suite. Our experiments demonstrated that it could effectively find all the double-fetch bugs in the test suite, including eight real-world cases, with no false negatives and few false positives. In addition, we tested it on the Linux kernel and found a new double-fetch bug. The execution overhead is approximately 2x for single-file cases and approximately 9x for the whole-kernel test, which is acceptable. To the best of the authors' knowledge, this work is the first to introduce multi-taint parallel tracking to double-fetch bug detection, an innovative method that is specific to double-fetch bug features, and it has better path coverage as well as lower runtime overhead than the widely used dynamic approaches.
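The following is an added illustration of the bug class the abstract describes, not code from the paper or from DFTracker: a kernel-style handler that fetches a user-controlled length twice (once to check, once to use) next to a single-fetch version, with a mock `copy_from_user` that records fetched user ranges and counts a second overlapping fetch in the same call. The range-overlap check is a deliberate simplification standing in for the paper's multi-taint tracking; the struct layout, handler names and user input are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simulated per-syscall fetch log used by the mock copy_from_user below. */
#define MAX_FETCHES 16
static struct { uintptr_t start; size_t len; } fetch_log[MAX_FETCHES];
static int fetch_count, overlap_count;

static void begin_syscall(void) { fetch_count = 0; overlap_count = 0; }

/* Mock of copy_from_user: copies the bytes, records the user range, and counts
 * any fetch that overlaps an earlier fetch of the same call (a double fetch). */
static int copy_from_user_mock(void *dst, const void *usrc, size_t len) {
    uintptr_t s = (uintptr_t)usrc;
    for (int i = 0; i < fetch_count; i++)
        if (s < fetch_log[i].start + fetch_log[i].len && fetch_log[i].start < s + len)
            overlap_count++;
    if (fetch_count < MAX_FETCHES) {
        fetch_log[fetch_count].start = s;
        fetch_log[fetch_count++].len = len;
    }
    memcpy(dst, usrc, len);
    return 0;
}

struct msg { uint32_t len; char data[16]; };   /* constructed user-facing layout */

/* Double-fetch handler: len is read from user memory for the check and again,
 * inside the whole struct, for the copy; a concurrent user thread could change
 * it between the two reads, so the checked value is not the used value. */
static int handle_msg_double_fetch(const struct msg *umsg, char *out, size_t outsz) {
    uint32_t len;
    struct msg k;
    copy_from_user_mock(&len, &umsg->len, sizeof len);   /* first fetch: check */
    if (len > outsz) return -1;
    copy_from_user_mock(&k, umsg, sizeof k);              /* second fetch: use */
    memcpy(out, k.data, k.len);                           /* trusts re-fetched len */
    return (int)k.len;
}

/* Single-fetch handler: copy the struct once and validate the kernel copy. */
static int handle_msg_single_fetch(const struct msg *umsg, char *out, size_t outsz) {
    struct msg k;
    copy_from_user_mock(&k, umsg, sizeof k);
    if (k.len > outsz) return -1;
    memcpy(out, k.data, k.len);
    return (int)k.len;
}

/* Runs a handler on constructed user input; returns overlapping fetches seen. */
static int count_double_fetches(int (*h)(const struct msg *, char *, size_t)) {
    struct msg user = { 4, "abcd" };
    char out[16];
    begin_syscall();
    h(&user, out, sizeof out);
    return overlap_count;
}
```

The overlap counter reports 1 for the double-fetch handler and 0 for the single-fetch one, which is the observable difference a detector in this style keys on.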
