Thread-sensitive fuzzing for concurrency bug detection

Published: 01 Jan 2025, Last Modified: 06 Apr 2025. Venue: Comput. Secur. 2025. License: CC BY-SA 4.0
Abstract: Fuzzing is a commonly used method for identifying bugs and vulnerabilities in software. However, current methods for improving fuzzing in concurrent environments often lack a detailed analysis of the program's concurrent state space. This leads to wasteful re-execution of concurrent states that have already been verified, and to missed information. We have developed TSAFL, a novel concurrency fuzzing framework that aims to detect the running state of concurrent programs and uncover hard-to-find vulnerabilities. TSAFL builds upon AFL's concurrency vulnerability detection capabilities by incorporating three new techniques. First, we introduce two new coverage metrics to measure concurrency: the concurrent behavior window and CFG prediction. These metrics enhance TSAFL's ability to explore more thread interleavings. Second, we add efficient thread-interleaved scheduling to fuzzing, combined with period scheduling. Several methods are proposed to avoid the problems caused by naively using period scheduling, so that the whole concurrent state space can be detected and verified accurately. Third, we propose a multi-objective optimization mechanism based on the characteristics of concurrent fuzz testing, to make full use of the information in the seed files. Using these three techniques, our concurrency fuzzing approach effectively covers infrequent thread interleavings with concrete context information. We evaluated TSAFL on user-level applications, and experiments show that TSAFL outperforms AFL++ and MOPT in multithreading-related seed generation and concurrent vulnerability detection.
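The abstract's central claim, that ordinary coverage cannot tell thread interleavings apart while an interleaving-sensitive metric can, is easy to see in a small simulation. The Python below is an added example written for this page; it is not code from the TSAFL paper, from AFL or from AFL++. It uses a deterministic cooperative scheduler instead of real threads, a two-thread lost-update program, and a sliding window over the last WINDOW global (thread, event) pairs as a simplified stand-in for a "concurrent behavior window"; the window length, the event model and the AFL-style queue loop are all assumptions made for the illustration, not the paper's definitions.

```python
"""Interleaving-sensitive coverage for concurrency fuzzing (illustrative).

Two simulated threads each perform a non-atomic increment (read, then
write) of a shared counter.  A deterministic scheduler replays whatever
interleaving the fuzzer proposes, so every run is reproducible.

Two coverage metrics are compared:
  * per-thread edge coverage, which is identical for every interleaving
    and therefore gives the fuzzer no reason to keep new schedules;
  * window coverage, a sliding window over the last WINDOW global
    (thread, event) pairs, which distinguishes interleavings and so
    rewards the fuzzer for exploring new thread orderings.
"""
from collections import defaultdict

WINDOW = 3                # window length; an assumed value for this example
THREADS = ("A", "B")
EXPECTED = len(THREADS)   # correct final counter: one increment per thread


def increment_thread(name, shared):
    """Non-atomic read-modify-write with a scheduling point after each access."""
    value = shared["counter"]           # read
    yield (name, "read")
    shared["counter"] = value + 1       # write (lost if the other thread read in between)
    yield (name, "write")


def run_schedule(schedule):
    """Replay one interleaving; return (final counter, edge coverage, window coverage)."""
    shared = {"counter": 0}
    threads = {t: increment_thread(t, shared) for t in THREADS}
    trace = [next(threads[t]) for t in schedule]   # one event per scheduled step

    # Per-thread edge coverage: consecutive events within the same thread.
    per_thread = defaultdict(list)
    for tid, event in trace:
        per_thread[tid].append(event)
    edges = {(tid, a, b) for tid, evs in per_thread.items() for a, b in zip(evs, evs[1:])}

    # Window coverage: every run of WINDOW consecutive global events.
    windows = {tuple(trace[i:i + WINDOW]) for i in range(len(trace) - WINDOW + 1)}
    return shared["counter"], frozenset(edges), frozenset(windows)


def mutate(schedule):
    """Swap adjacent scheduling steps that belong to different threads."""
    seen = set()
    for i in range(len(schedule) - 1):
        if schedule[i] != schedule[i + 1]:
            child = list(schedule)
            child[i], child[i + 1] = child[i + 1], child[i]
            child = tuple(child)
            if child not in seen:
                seen.add(child)
                yield child


def fuzz(metric, initial=("A", "A", "B", "B")):
    """AFL-style queue loop: a child is kept as a seed only if it adds coverage under `metric`."""
    queue = [initial]
    covered = set()
    executed = set()
    bugs = []

    def execute(schedule):
        counter, edges, windows = run_schedule(schedule)
        executed.add(schedule)
        if counter != EXPECTED and schedule not in bugs:   # lost update detected
            bugs.append(schedule)
        return edges if metric == "edges" else windows

    covered |= execute(initial)
    idx = 0
    while idx < len(queue):
        for child in mutate(queue[idx]):
            cov = execute(child)
            if not cov <= covered:       # new coverage -> keep as a seed
                covered |= cov
                queue.append(child)
        idx += 1
    return {"seeds": queue, "executed": executed, "bugs": bugs}


if __name__ == "__main__":
    for metric in ("edges", "windows"):
        r = fuzz(metric)
        print(f"{metric:8s}: seeds={len(r['seeds'])} interleavings={len(r['executed'])} "
              f"lost updates={len(r['bugs'])}")
```

With edge coverage the queue never grows past the initial seed, so only two of the six interleavings are ever executed and one lost update is found; with window coverage every new ordering adds coverage, all six interleavings are reached and all four buggy ones are reported. Real tools must also control the schedule of actual threads, which the simulated scheduler sidesteps here.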
