【USENIX Security2020论文分享】百度研究院高级安全研究员郭生健——MUZZ:Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs

8月13日,来自百度研究院的高级安全研究员郭生健分享了他们发表在USENIX Security2020的 《MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs》,在这篇论文中,作者提出了一个专用的灰盒模糊测试框架Muzz,其通过探索程序输入与线程交错相关的多线程程序执行状态来检测并发错误文中将多线程相关的目标并发错误分为:1.并发漏洞;2.并发错误,Muzz通过重放生成的模糊测试种子并使用例如TSan的并发错误检测工具来检测这些错误。

演讲主题:MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs


Grey-box fuzz testing has revealed thousands of vulnerabilities in real-world software owing to its lightweight instrumentation, fast coverage feedback, and dynamic adjusting strategies. However, directly applying grey-box fuzzing to input-dependent multithreaded programs can be extremely inefficient. In practice, multithreading-relevant bugs are usually buried in the sophisticated program flows. Meanwhile, existing grey-box fuzzing techniques do not stress thread-interleavings that affect execution states in multithreaded programs. Therefore, mainstream grey-box fuzzers cannot adequately test problematic segments in multithreaded software, although they might obtain high code coverage statistics.

To this end, we propose Muzz, a new grey-box fuzzing technique that hunts for bugs in multithreaded programs. Muzz owns three novel thread-aware instrumentations, namely coverage-oriented instrumentation, thread-context instrumentation, and schedule-intervention instrumentation. During fuzzing, these instrumentations engender runtime feedback to accentuate execution states caused by thread interleavings. By leveraging such feedback in the dynamic seed selection and execution strategies, Muzz preserves more valuable seeds that expose bugs under a multithreading context.

We evaluate Muzz on twelve real-world multithreaded programs. Experiments show that Muzz outperforms AFL in both multithreading-relevant seed generation and concurrency-vulnerability detection. Further, by replaying the target programs against the generated seeds, Muzz also reveals more concurrency-bugs (e.g., data-races, thread-leaks) than AFL. In total, Muzz detected eight new concurrency-vulnerabilities and nineteen new concurrency-bugs. At the time of writing, four reported issues have received CVE IDs.


郭生健  百度研究院(美国硅谷)安全组

郭生健博士系百度研究院(美国硅谷)安全组高级安全研究员,其主要研究方向为功能特性驱动的多线程/多任务软件的状态空间规约及剪枝,面向工业级无人驾驶软件系统的安全分析,基于符号执行的CPU缓存侧信道泄露的分析和检测,以及基于Fuzzing的混合测试及漏洞检测。郭博士近年来在软件工程以及安全领域A类会议发表研究长文十余篇,是软工顶会FSE 2018的 Distinguished Paper Award以及百度2019年度TPG TC技术创新奖获得者。

Bookmark the permalink.

Comments are closed.