MUZZ: Thread-aware grey-box fuzzing for effective bug hunting in multithreaded programs

Chen, H; Guo, S; Xue, Y; Sui, Y; Zhang, C; Li, Y; Wang, H; Liu, Y

MUZZ: Thread-aware grey-box fuzzing for effective bug hunting in multithreaded programs

Chen, H Guo, S Xue, Y Sui, Y

Zhang, C Li, Y Wang, H Liu, Y

Permalink

Publication Type:: Conference Proceeding
Citation:: Proceedings of the 29th USENIX Security Symposium, 2020, pp. 2325-2342
Issue Date:: 2020-01-01

Open Access

Copyright Clearance Process

Recently Added
In Progress
Open Access

This item is open access.

Adobe PDF

Download Published versionAdobe PDF (541.4 kB)

View statistics

Full metadata record

Field	Value	Language
dc.contributor.author	Chen, H
dc.contributor.author	Guo, S
dc.contributor.author	Xue, Y
dc.contributor.author	Sui, Y https://orcid.org/0000-0002-9510-6574
dc.contributor.author	Zhang, C
dc.contributor.author	Li, Y
dc.contributor.author	Wang, H
dc.contributor.author	Liu, Y
dc.date.accessioned	2021-04-26T03:06:07Z
dc.date.available	2021-04-26T03:06:07Z
dc.date.issued	2020-01-01
dc.identifier.citation	Proceedings of the 29th USENIX Security Symposium, 2020, pp. 2325-2342
dc.identifier.isbn	9781939133175
dc.identifier.uri	http://hdl.handle.net/10453/148363
dc.description.abstract	Grey-box fuzz testing has revealed thousands of vulnerabilities in real-world software owing to its lightweight instrumentation, fast coverage feedback, and dynamic adjusting strategies. However, directly applying grey-box fuzzing to input-dependent multithreaded programs can be extremely inefficient. In practice, multithreading-relevant bugs are usually buried in the sophisticated program flows. Meanwhile, existing grey-box fuzzing techniques do not stress thread-interleavings that affect execution states in multithreaded programs. Therefore, mainstream grey-box fuzzers cannot adequately test problematic segments in multithreaded software, although they might obtain high code coverage statistics. To this end, we propose MUZZ, a new grey-box fuzzing technique that hunts for bugs in multithreaded programs. MUZZ owns three novel thread-aware instrumentations, namely coverage-oriented instrumentation, thread-context instrumentation, and schedule-intervention instrumentation. During fuzzing, these instrumentations engender runtime feedback to accentuate execution states caused by thread interleavings. By leveraging such feedback in the dynamic seed selection and execution strategies, MUZZ preserves more valuable seeds that expose bugs under a multithreading context. We evaluate MUZZ on twelve real-world multithreaded programs. Experiments show that MUZZ outperforms AFL in both multithreading-relevant seed generation and concurrency-vulnerability detection. Further, by replaying the target programs against the generated seeds, MUZZ also reveals more concurrency-bugs (e.g., data-races, thread-leaks) than AFL. In total, MUZZ detected eight new concurrency-vulnerabilities and nineteen new concurrency-bugs. At the time of writing, four reported issues have received CVE IDs.
dc.language	en
dc.relation.ispartof	Proceedings of the 29th USENIX Security Symposium
dc.rights	info:eu-repo/semantics/openAccess
dc.title	MUZZ: Thread-aware grey-box fuzzing for effective bug hunting in multithreaded programs
dc.type	Conference Proceeding
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Strength - AAII - Australian Artificial Intelligence Institute
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	open_access	*
dc.date.updated	2021-04-26T03:06:06Z
pubs.publication-status	Published

Abstract:

Grey-box fuzz testing has revealed thousands of vulnerabilities in real-world software owing to its lightweight instrumentation, fast coverage feedback, and dynamic adjusting strategies. However, directly applying grey-box fuzzing to input-dependent multithreaded programs can be extremely inefficient. In practice, multithreading-relevant bugs are usually buried in the sophisticated program flows. Meanwhile, existing grey-box fuzzing techniques do not stress thread-interleavings that affect execution states in multithreaded programs. Therefore, mainstream grey-box fuzzers cannot adequately test problematic segments in multithreaded software, although they might obtain high code coverage statistics. To this end, we propose MUZZ, a new grey-box fuzzing technique that hunts for bugs in multithreaded programs. MUZZ owns three novel thread-aware instrumentations, namely coverage-oriented instrumentation, thread-context instrumentation, and schedule-intervention instrumentation. During fuzzing, these instrumentations engender runtime feedback to accentuate execution states caused by thread interleavings. By leveraging such feedback in the dynamic seed selection and execution strategies, MUZZ preserves more valuable seeds that expose bugs under a multithreading context. We evaluate MUZZ on twelve real-world multithreaded programs. Experiments show that MUZZ outperforms AFL in both multithreading-relevant seed generation and concurrency-vulnerability detection. Further, by replaying the target programs against the generated seeds, MUZZ also reveals more concurrency-bugs (e.g., data-races, thread-leaks) than AFL. In total, MUZZ detected eight new concurrency-vulnerabilities and nineteen new concurrency-bugs. At the time of writing, four reported issues have received CVE IDs.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/148363