MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs

Hongxu Chen, Shengjian Guo, Yinxing Xue, Yuelei SuiCen Zhang, Yuekang Li, Haijun Wang, Yang Liu

1

Background

Bugs/vulnerabilities in multithreaded programs are subtle to be detected

Many programs rely on specific test inputs to trigger multithreading-relevant bugs

Existing fuzzing techniques cannot effectively generate multithreading-relevant tests

2

Motivation (1) – The problem

o Coverage depends on test inputse.g., the program may or may not execute ④

according to the condition of ③, purely dependent on inputs

o Coverage depends on thread-schedulinge.g., ① :“g_var+=1” ② : “g_var*=2”o T1: ① →T2: ① →T2: ② →T1: ②è

g_var=4o T1: ① →T2: ① →T1: ② →T2: ②è

g_var=4o T1: ① →T1: ② →T2: ① →T2: ②è

g_var=2

3

Motivation (2) – Existing Solutions

o Lacking Feedback to Track Thread-interleavings and Thread-contexte.g., ① → ①

o Lacking Schedule-intervention Across Executionso e.g., SAME interleaving during

fuzzing?

4

MUZZ Overview

Ⓐ: Static Analysis Guided InstrumentationⒷ: Adaptive Dynamic FuzzingⒸ: Vulnerability Detection AnalysisⒹ: ThreadSanitizer Aided Concurrency-bug Revealing

5

Approach (1) – Static Analysis

Identify Suspicious Interleaving Scope (Lm)o The statements should be executed

after one of TFork, while TJoin is not encountered yet

o The statements can only be executed before the invocation of TLock and after the invocation of TUnLock

o The statements should read or write at least one of the shared variables by different threads

6

Approach (2) – Coverage-oriented Instrumentation

Ø Instrument more in Lm, but with certain probabilities

Pe 𝑓 = min𝐸 𝑓 − 𝑁 𝑓 + 2

10 , 1.0

P𝑠 𝑓 = min Pe 𝑓 , Ps0

P𝑚 𝑓, 𝑏 = min Pe 𝑓 2𝑁𝑚 𝑏𝑁 𝑏 , P𝑚0

7

Approach (3) – Two Other Instrumentations

Ø Threading-context Instrumentation• Track thread IDs and TLock,

TUnLock, TJoin• Distinguish different transitions

between threads

Ø Schedule-intervention Instrumentation

• Using pthread_setschedparam to adjust thread priority and apply uniformly distributed random

• Increase thread scheduling diversities

8

Approach (4) – Seed Selection

Prioritize to select those seeds that:o Cover new regular traceso Cover new thread-interleavings

9

Approach (5) – Repeated Execution

10

Statistics of Target Programs

𝑇𝑝𝑝: Preprocessing time𝑁𝑏: Number of basicblocks𝑁𝑖: Number of instructions𝑁𝑖𝑖: Number of MUZZ-instrumented instructions

11

Evaluation (1) – Seed Generation

MUZZ has advantages in increasing the number and percentagesof multithreading-relevant seeds for multithreaded programs

12

Evaluation (2) – Vulnerability Detection

MUZZ demonstrates superiority in exercising more multithreading-relevant crashing states and detecting concurrency-vulnerabilities

13

Evaluation (3) – Concurrency-bug Revealing

MUZZ outperforms competitors in revealing concurrency-bugs with fuzzer-generated seeds

14

Q&AHongxu Chenhongxu.chen@ntu.edu.sg

15