Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing

Discover how to deterministically detect and debug race conditions in operating systems, device drivers, and embedded systems using fuzzing and cooperative scheduling.

Key takeaways
  • Deterministic discovery of race conditions with fuzzing involves creating a mock scheduler to control the scheduling of threads and simulate preemptions.
  • Fuzzing can effectively surface race condition bugs by combining deterministic scheduling with coverage-guided fuzzing.
  • Cooperative scheduling is a key concept in deterministic scheduling, where threads voluntarily yield control to the scheduler, allowing for more predictable behavior.
  • The proposed approach involves creating a fuzzer that can handle cooperative scheduling, allowing for the discovery of race condition bugs.
  • The fuzzer uses libFuzzer as the fuzzing engine and generates test cases that describe sequences of sub-primitive operations for creating, deleting, and switching between threads or contexts.
  • The fuzzer collects coverage and mutates test cases, allowing it to find bugs that are triggered by race conditions.
  • The approach has been successfully applied to the iOS kernel, Android, and other systems.
  • The benefits of deterministic discovery of race conditions with fuzzing include the ability to find bugs that are difficult to detect with traditional methods, such as static analysis and auditing.
  • The approach can also be used to identify areas where race conditions are likely to occur, allowing for more effective testing and bug fixing.
  • Deterministic scheduling can be used in a variety of systems, including those that use preemptive scheduling, cooperative scheduling, or a combination of both.
  • The proposed approach can be used to find race condition bugs in a variety of areas, including operating systems, device drivers, and embedded systems.
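The following is an added example, not code from the talk or its authors, showing the core idea in miniature: a mock cooperative scheduler in which the fuzzer's input bytes decide which thread runs up to its next yield point, so that the same input always reproduces the same interleaving. The two "threads", the unprotected counter, the `run_schedule` function and the two sample schedules are all constructed here for illustration; `LLVMFuzzerTestOneInput` is the standard libFuzzer entry point (its signature is assumed from the LLVM documentation, and the harness is optional for running the block stand-alone).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NTHREADS 2

/* Each "thread" is a small state machine with explicit yield points between
 * steps. This mimics cooperative scheduling: a thread only loses the CPU
 * when it returns from step_thread(), never in the middle of a step. */
enum { STEP_LOAD = 0, STEP_STORE = 1, STEP_DONE = 2 };

struct thread {
    int pc;     /* which step runs next */
    int local;  /* the thread's private copy of the shared counter */
};

static int shared_counter;  /* unprotected shared state: the race target */

/* Runs one step of a thread; returns 0 once the thread has finished.
 * The non-atomic read-modify-write is the constructed bug under test. */
static int step_thread(struct thread *t) {
    switch (t->pc) {
    case STEP_LOAD:
        t->local = shared_counter;       /* read */
        t->pc = STEP_STORE;
        return 1;
    case STEP_STORE:
        shared_counter = t->local + 1;   /* write back, possibly stale */
        t->pc = STEP_DONE;
        return 1;
    default:
        return 0;
    }
}

/* Mock scheduler: every input byte picks the thread that runs until its next
 * yield point. Identical bytes always produce the identical interleaving, so a
 * crashing schedule found by the fuzzer replays deterministically.
 * Returns the final counter value (NTHREADS when no update was lost). */
int run_schedule(const uint8_t *data, size_t len) {
    struct thread th[NTHREADS] = {{STEP_LOAD, 0}, {STEP_LOAD, 0}};
    shared_counter = 0;
    for (size_t i = 0; i < len; i++) {
        int id = data[i] % NTHREADS;     /* byte -> thread to resume */
        step_thread(&th[id]);            /* finished threads are a no-op */
    }
    /* Drain: let every thread run to completion in a fixed order so the
     * result depends only on the interleaving the input chose. */
    for (int id = 0; id < NTHREADS; id++)
        while (step_thread(&th[id]))
            ;
    return shared_counter;
}

/* Constructed sample schedules: the first interleaves the loads before either
 * store (lost update), the second runs the threads back to back. */
const uint8_t lost_update_schedule[] = {0, 1, 0, 1};
const uint8_t serial_schedule[]      = {0, 0, 1, 1};

/* libFuzzer harness (assumed signature). A lost update is turned into a crash
 * so the engine saves the offending schedule as a reproducer; coverage feedback
 * then steers mutation toward interleavings that reach new states. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (run_schedule(data, size) != NTHREADS)
        __builtin_trap();
    return 0;
}

int main(void) {
    printf("interleaved schedule -> counter = %d (expected %d)\n",
           run_schedule(lost_update_schedule, sizeof lost_update_schedule),
           NTHREADS);
    printf("serial schedule      -> counter = %d (expected %d)\n",
           run_schedule(serial_schedule, sizeof serial_schedule), NTHREADS);
    return 0;
}
```

Run stand-alone it prints the lost update for the interleaved schedule and the correct total for the serial one; built with `clang -fsanitize=fuzzer` (omit `main`), libFuzzer mutates the schedule bytes and reports the four-byte reproducer within moments. The talk's real scheduler additionally encodes thread creation and deletion operations in the input, but the principle is the same: once the interleaving is data rather than timing, a race becomes an ordinary, replayable test case.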