OWL: Understanding and Detecting Concurrency Attacks

Just like bugs in single-threaded programs can lead to vulnerabilities, bugs in multithreaded programs can also lead to concurrency attacks. We studied 31 real-world concurrency attacks, including privilege escalations, hijacking code executions, and bypassing security checks. We found that compared to concurrency bugs' traditional consequences (e.g., program crashes), concurrency attacks' consequences are often implicit, extremely hard to be observed and diagnosed by program developers. Moreover, in addition to bug-inducing inputs, extra subtle inputs are often needed to trigger the attacks. These subtle features make existing tools ineffective to detect concurrency attacks. To tackle this problem, we present OWL, the first practical tool that models general concurrency attacks' implicit consequences and automatically detects them. We implemented OWL in Linux and successfully detected five new concurrency attacks, including three confirmed and fixed by developers, and two exploited from previously known and well-studied concurrency bugs. OWL has also detected seven known concurrency attacks. Our evaluation shows that OWL eliminates 94.1% of the reports generated by existing concurrency bug detectors as false positive, greatly reducing developers' efforts on diagnosis. All OWL source code, concurrency attack exploit scripts, and results are available on github.com/hku-systems/owl.

[1]  Alastair F. Donaldson,et al.  Software Model Checking , 2014, Computing Handbook, 3rd ed..

[2]  Junfeng Yang,et al.  Stable Deterministic Multithreading through Schedule Memoization , 2010, OSDI.

[3]  Mattia Monga,et al.  On Race Vulnerabilities in Web Applications , 2008, DIMVA.

[4]  George Candea,et al.  RaceMob: crowdsourced data race detection , 2013, SOSP.

[5]  Vikram S. Adve,et al.  Making context-sensitive points-to analysis with heap cloning practical for the real world , 2007, PLDI '07.

[6]  Junfeng Yang,et al.  Automatically generating malicious disks using symbolic execution , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[7]  Margaret Martonosi,et al.  Concurrent predicates: a debugging technique for every parallel programmer , 2013, PACT 2013.

[8]  Sudheendra Hangal,et al.  Tracking down software bugs using automatic anomaly detection , 2002, ICSE '02.

[9]  Yuanyuan Zhou,et al.  PRES: probabilistic replay with execution sketching on multiprocessors , 2009, SOSP '09.

[10]  Dawson R. Engler,et al.  Practical, Low-Effort Equivalence Verification of Real Code , 2011, CAV.

[11]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[12]  Salvatore J. Stolfo,et al.  Concurrency attacks , 2012, HotPar'12.

[13]  Calton Pu,et al.  TOCTTOU vulnerabilities in UNIX-style file systems: an anatomical study , 2005, FAST'05.

[14]  Scott A. Mahlke,et al.  Gadara: Dynamic Deadlock Avoidance for Multithreaded Programs , 2008, OSDI.

[15]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[16]  Vitaly Chipounov,et al.  Selective Symbolic Execution , 2009 .

[17]  Donald Yeung,et al.  Application-Level Correctness and its Impact on Fault Tolerance , 2007, 2007 IEEE 13th International Symposium on High Performance Computer Architecture.

[18]  Alexander G. Vidergar,et al.  Concurrency Attacks in Web Applications , 2008 .

[19]  Koushik Sen,et al.  Concurrent breakpoints , 2012, PPoPP '12.

[20]  Junfeng Yang,et al.  Pervasive detection of process races in deployed systems , 2011, SOSP.

[21]  Xu Zhou,et al.  Collaborative Technique for Concurrency Bug Detection , 2014, International Journal of Parallel Programming.

[22]  V. Rich Personal communication , 1989, Nature.

[23]  Rodrigo Rodrigues,et al.  SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration , 2014, OSDI.

[24]  Christopher Krügel,et al.  Toward Automated Detection of Logic Vulnerabilities in Web Applications , 2010, USENIX Security Symposium.

[25]  Edith Schonberg,et al.  An empirical comparison of monitoring algorithms for access anomaly detection , 2011, PPOPP '90.

[26]  Shan Lu,et al.  ConSeq: detecting concurrency bugs through sequential errors , 2011, ASPLOS XVI.

[27]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[28]  Yuanyuan Zhou,et al.  AVIO: Detecting Atomicity Violations via Access-Interleaving Invariants , 2007, IEEE Micro.

[29]  Nancy G. Leveson,et al.  An investigation of the Therac-25 accidents , 1993, Computer.

[30]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[31]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[32]  Adam Kiezun,et al.  Grammar-based whitebox fuzzing , 2008, PLDI '08.

[33]  George Candea,et al.  Automated software testing as a service , 2010, SoCC '10.

[34]  Thomas Ball,et al.  Finding and Reproducing Heisenbugs in Concurrent Programs , 2008, OSDI.

[35]  Wei Zhang,et al.  Automated Concurrency-Bug Fixing , 2012, OSDI.

[36]  Baris Kasikci,et al.  Techniques for Detection, Root Cause Diagnosis, and Classification of In-Production Concurrency Bugs , 2015 .

[37]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multithreaded programs , 1997, TOCS.

[38]  George Candea,et al.  Failure sketching: a technique for automated root cause diagnosis of in-production failures , 2015, SOSP.

[39]  Sorin Lerner,et al.  RELAY: static race detection on millions of lines of code , 2007, ESEC-FSE '07.

[40]  Satish Narayanasamy,et al.  Parallelizing data race detection , 2013, ASPLOS '13.

[41]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[42]  Zhiqiang Ma,et al.  Ad Hoc Synchronization Considered Harmful , 2010, OSDI.

[43]  Ravishankar K. Iyer,et al.  Characterization of linux kernel behavior under errors , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[44]  Dawson R. Engler,et al.  A few billion lines of code later , 2010, Commun. ACM.

[45]  Miguel Castro,et al.  Bouncer: securing software by blocking bad input , 2007, SOSP.

[46]  Konrad Rieck,et al.  Modeling and Discovering Vulnerabilities with Code Property Graphs , 2014, 2014 IEEE Symposium on Security and Privacy.

[47]  Horatiu Jula,et al.  Deadlock Immunity: Enabling Systems to Defend Against Deadlocks , 2008, OSDI.

[48]  Peter Bailis,et al.  ACIDRain: Concurrency-Related Attacks on Database-Backed Web Applications , 2017, SIGMOD Conference.

[49]  Junfeng Yang,et al.  Verifying systems rules using rule-directed symbolic execution , 2013, ASPLOS '13.

[50]  Vitaly Shmatikov,et al.  A security policy oracle: detecting security holes using multiple API implementations , 2011, PLDI '11.

[51]  Trent Jaeger,et al.  Using CQUAL for Static Analysis of Authorization Hook Placement , 2002, USENIX Security Symposium.

[52]  Koushik Sen,et al.  Randomized active atomicity violation detection in concurrent programs , 2008, SIGSOFT '08/FSE-16.

[53]  Koushik Sen,et al.  Race directed random testing of concurrent programs , 2008, PLDI '08.

[54]  Mona Attariyan,et al.  X-ray: Automating Root-Cause Diagnosis of Performance Anomalies in Production Software , 2012, OSDI.

[55]  Yuanyuan Zhou,et al.  CTrigger: exposing atomicity violation bugs from their hiding places , 2009, ASPLOS.

[56]  Dawson R. Engler,et al.  RacerX: effective, static detection of race conditions and deadlocks , 2003, SOSP '03.

[57]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[58]  Yuanyuan Zhou,et al.  Learning from mistakes: a comprehensive study on real world concurrency bug characteristics , 2008, ASPLOS.

[59]  Stephanie Forrest,et al.  Intrusion Detection Using Sequences of System Calls , 1998, J. Comput. Secur..

[60]  Miguel Castro,et al.  Better bug reporting with better privacy , 2008, ASPLOS 2008.

[61]  Dawson R. Engler,et al.  Under-Constrained Symbolic Execution: Correctness Checking for Real Code , 2015, USENIX Annual Technical Conference.

[62]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[63]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[64]  Junfeng Yang,et al.  Bypassing Races in Live Applications with Execution Filters , 2010, OSDI.

[65]  Konstantin Serebryany,et al.  ThreadSanitizer: data race detection in practice , 2009, WBIA '09.

[66]  Ion Stoica,et al.  ODR: output-deterministic replay for multicore debugging , 2009, SOSP '09.

[67]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[68]  Shan Lu,et al.  ConMem: detecting severe concurrency bugs through an effect-oriented approach , 2010, ASPLOS XV.

[69]  Xiao Ma,et al.  MUVI: automatically inferring multi-variable access correlations and detecting related semantic and concurrency bugs , 2007, SOSP.