DOCSLIB.ORG

A Randomized Dynamic Program Analysis Technique for Detecting Real Deadlocks

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

A Randomized Dynamic Program Analysis Technique for Detecting Real Deadlocks Pallavi Joshi Chang-Seo Park Mayur Naik Koushik Sen Intel Research, Berkeley, USA EECS Department, UC Berkeley, USA [email protected] {pallavi,parkcs,ksen}@cs.berkeley.edu Abstract large multi-threaded programs due to the exponential increase in We present a novel dynamic analysis technique that finds real dead- the number of thread schedules with execution length. locks in multi-threaded programs. Our technique runs in two stages. Several program analysis techniques, both static [19, 10, 2, 9, In the first stage, we use an imprecise dynamic analysis technique 27, 29, 21] and dynamic [12, 13, 4, 1], have been developed to de- to find potential deadlocks in a multi-threaded program by observ- tect and predict deadlocks in multi-threaded programs. Static tech- ing an execution of the program. In the second stage, we control niques often give no false negatives, but they often report many a random thread scheduler to create the potential deadlocks with false positives. For example, the static deadlock detector developed by Williams et al. [29] reports 100,000 deadlocks in Sun’s JDK high probability. Unlike other dynamic analysis techniques, our ap- 1 proach has the advantage that it does not give any false warnings. 1.4 , out of which only 7 are real deadlocks. Type and annotation We have implemented the technique in a prototype tool for Java, based techniques [5, 10] help to avoid deadlocks during coding, and have experimented on a number of large multi-threaded Java but they impose the burden of annotation on programmers. Predic- programs. We report a number of previously known and unknown tive dynamic techniques such as Goodlock [13] and its improve- real deadlocks that were found in these benchmarks. ments [4, 1] give both false negatives and false positives. For exam- ple, in our experiments we have found that an improved Goodlock Categories and Subject Descriptors D.2.5 [Software Engineer- can report as many as 254 false positives for our Jigsaw web server. ing]: Testing and Debugging; D.2.4 [Software Engineering]: Soft- Being imprecise in nature, most of these tools require manual in- ware/Program Verification spection to see if a deadlock is real or not. Nevertheless, these tech- General Terms Languages, Reliability, Verification niques are effective in finding deadlocks because they can predict deadlocks that could potentially happen during a real execution— Keywords deadlock detection, dynamic program analysis, con- for such a prediction, static analyses do not need to see an actual ex- currency ecution and dynamic analyses need to see only one multi-threaded execution. 1. Introduction Dynamic analysis based deadlock detection can be made precise by taking the happens-before relation [18] into account. However, A common cause for unresponsiveness in software systems is a it has several problems. First, it reduces the predictive power of deadlock situation. In shared-memory multi-threaded systems, a dynamic techniques—it fails to report deadlocks that could happen deadlock is a liveness failure that happens when a set of threads in a significantly different thread schedule. Second, it can perturb blocks forever because each thread in the set is waiting to ac- an execution significantly and can fail to report a deadlock that can quire a lock held by another thread in the set. Deadlock is a happen when no dynamic analysis is performed. common form of bug in today’s software—Sun’s bug database at We propose a new dynamic technique for detecting real dead- http://bugs.sun.com/ shows that 6,500 bug reports out of locks in multi-threaded programs, called DEADLOCKFUZZER, 198,000 contain the keyword ‘deadlock’. There are a few reasons which combines an imprecise dynamic deadlock detection tech- for the existence of deadlock bugs in multi-threaded programs. nique with a randomized thread scheduler to create real dead- First, software systems are often written by many programmers; locks with high probability. The technique works in two phases. therefore, it becomes difficult to follow a lock order discipline that In the first phase, we use an informative and a simple variant could avoid deadlock. Second, programmers often introduce dead- of the Goodlock algorithm, called informative Goodlock, or sim- locks when they fix race conditions by adding new locks. Third, ply iGoodlock, to discover potential deadlock cycles in a multi- software systems can allow incorporation of third-party software threaded program. For example, iGoodlock could report a cycle (e.g. plugins); third-party software may not follow the locking dis- ′ ′ of the form (t1,l1,l2, [c1, c2])(t2,l2,l1, [c , c ]), which says that cipline followed by the parent software and this sometimes results 1 2 there could be a deadlock if thread t1 tries to acquire lock l2 at in deadlock bugs [17]. program location c2 after acquiring lock l1 at program location c1 Deadlocks are often difficult to find during the testing phase ′ and thread t2 tries to acquire lock l1 at program location c2 af- because they happen under very specific thread schedules. Coming ′ ter acquiring lock l2 at program location c . In the second phase, up with these subtle thread schedules through stress testing or 1 DEADLOCKFUZZER executes the program with a random sched- random testing is often difficult. Model checking [15, 11, 7, 14, 6] ule in order to create a real deadlock corresponding to a cycle removes these limitations of testing by systematically exploring reported in the previous phase. For example, consider the cycle all thread schedules. However, model checking fails to scale for 1 They reduce the number of reports to 70 after applying various unsound Permission to make digital or hard copies of all or part of this work for personal or heuristics classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. PLDI’09, June 15–20, 2009, Dublin, Ireland. Copyright c 2009 ACM 978-1-60558-392-1/09/06. $5.00 ′ ′ (t1,l1,l2, [c1, c2])(t2,l2,l1, [c1, c2]) again. At each program state, bugging. This relieves the manual inspection burden associated the random scheduler picks a thread and executes its next statement with other imprecise techniques such as Goodlock. with the following exception. If t1 is about to acquire lock l2 at lo- • We propose two kinds of object abstraction techniques that help cation c2 after acquiring lock l1 at location c1, then the random us correlate thread and lock objects between iGoodlock and the scheduler pauses the execution of thread t1. Similarly, the random randomized scheduling algorithm. scheduler pauses the execution of thread t2 if it is about to acquire ′ ′ • lock l1 at location c2 after acquiring lock l2 at location c1. In this We have implemented DEADLOCKFUZZER in a tool for Java biased random schedule, it is very likely that both the threads will and have discovered subtle previously known and unknown reach a state where t1 is trying to acquire l2 while holding l1 and t2 deadlocks in large applications. To the best of our knowledge, is trying to acquire l1 while holding l2. This results in a real dead- DEADLOCKFUZZER is the first precise dynamic deadlock anal- lock. In summary, DEADLOCKFUZZER actively controls a random- ysis tool for Java that has been applied to large Java applica- ized thread scheduler based on a potential deadlock cycle reported tions. by an imprecise deadlock detection technique. The above technique poses the following key challenge. Phase 2. Algorithm II assumes that Phase I can provide it with precise knowledge about the thread and lock objects involved in the deadlock cycle. Unfor- The DEADLOCKFUZZER algorithm consists of two phases. In the tunately, since thread and lock objects are created dynamically at first phase, we execute a multi-threaded program and find poten- runtime, their addresses cannot be used to identify them across ex- tial deadlocks that could happen in some execution of the program. This phase uses a modified Goodlock algorithm, called informative ecutions, i.e. in the above example, addresses of t1,t2,l1,l2 do not remain the same between Phase I and Phase II executions. There- Goodlock, or simply iGoodlock, which identifies potential dead- fore, we need some mechanism to identify the same objects across locks even if the observed execution does not deadlock. We call executions. Specifically, we need a form of object abstraction such the modified algorithm informative because we provide suitable that if two dynamic objects in different executions are the same, debugging information to identify the cause of the deadlock—this they must have the same abstraction. For example, the label of a debugging information is used by the second phase to create real statement at which an object is created can be used as its abstrac- deadlocks with high probability. A limitation of iGoodlock is that tion. Such an abstraction of an object does not change across execu- it can give false positives because it does not consider the happens- tions. However, an abstraction could be the same for several objects before relation between the transitions in an execution. As a result the user is required to manually inspect such potential deadlocks. (e.g. if both l1 and l2 in the above example are created by the same statement). In this paper, we propose two techniques for comput- The second phase removes this burden from the user. In this phase, ing the abstraction of an object that helps us to distinguish between a random thread scheduler is biased to generate an execution that different objects more precisely—the first technique is motivated creates a real deadlock reported in the previous phase with high by the notion of k-object-sensitivity in static analysis [20] and the probability.
Recommended publications
  • Three Architectural Models for Compiler-Controlled Speculative

    Three Architectural Models for Compiler-Controlled Speculative

    Three Architectural Mo dels for Compiler-Controlled Sp eculative Execution Pohua P. Chang Nancy J. Warter Scott A. Mahlke Wil liam Y. Chen Wen-mei W. Hwu Abstract To e ectively exploit instruction level parallelism, the compiler must move instructions across branches. When an instruction is moved ab ove a branch that it is control dep endent on, it is considered to b e sp eculatively executed since it is executed b efore it is known whether or not its result is needed. There are p otential hazards when sp eculatively executing instructions. If these hazards can b e eliminated, the compiler can more aggressively schedule the co de. The hazards of sp eculative execution are outlined in this pap er. Three architectural mo dels: re- stricted, general and b o osting, whichhave increasing amounts of supp ort for removing these hazards are discussed. The p erformance gained by each level of additional hardware supp ort is analyzed using the IMPACT C compiler which p erforms sup erblo ckscheduling for sup erscalar and sup erpip elined pro cessors. Index terms - Conditional branches, exception handling, sp eculative execution, static co de scheduling, sup erblo ck, sup erpip elining, sup erscalar. The authors are with the Center for Reliable and High-Performance Computing, University of Illinois, Urbana- Champaign, Illinoi s, 61801. 1 1 Intro duction For non-numeric programs, there is insucient instruction level parallelism available within a basic blo ck to exploit sup erscalar and sup erpip eli ned pro cessors [1][2][3]. Toschedule instructions b eyond the basic blo ck b oundary, instructions havetobemoved across conditional branches.
  • Advanced Systems Security: Symbolic Execution

    Advanced Systems Security: Symbolic Execution

    Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:! Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Problem • Programs have flaws ‣ Can we find (and fix) them before adversaries can reach and exploit them? • Then, they become “vulnerabilities” Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2 Vulnerabilities • A program vulnerability consists of three elements: ‣ A flaw ‣ Accessible to an adversary ‣ Adversary has the capability to exploit the flaw • Which one should we focus on to find and fix vulnerabilities? ‣ Different methods are used for each Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3 Is It a Flaw? • Problem: Are these flaws? ‣ Failing to check the bounds on a buffer write? ‣ printf(char *n); ‣ strcpy(char *ptr, char *user_data); ‣ gets(char *ptr) • From man page: “Never use gets().” ‣ sprintf(char *s, const char *template, ...) • From gnu.org: “Warning: The sprintf function can be dangerous because it can potentially output more characters than can fit in the allocation size of the string s.” • Should you fix all of these? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4 Is It a Flaw? • Problem: Are these flaws? ‣ open( filename, O_CREAT );
  • Opportunities and Open Problems for Static and Dynamic Program Analysis Mark Harman∗, Peter O’Hearn∗ ∗Facebook London and University College London, UK

    Opportunities and Open Problems for Static and Dynamic Program Analysis Mark Harman∗, Peter O’Hearn∗ ∗Facebook London and University College London, UK

    1 From Start-ups to Scale-ups: Opportunities and Open Problems for Static and Dynamic Program Analysis Mark Harman∗, Peter O’Hearn∗ ∗Facebook London and University College London, UK Abstract—This paper1 describes some of the challenges and research questions that target the most productive intersection opportunities when deploying static and dynamic analysis at we have yet witnessed: that between exciting, intellectually scale, drawing on the authors’ experience with the Infer and challenging science, and real-world deployment impact. Sapienz Technologies at Facebook, each of which started life as a research-led start-up that was subsequently deployed at scale, Many industrialists have perhaps tended to regard it unlikely impacting billions of people worldwide. that much academic work will prove relevant to their most The paper identifies open problems that have yet to receive pressing industrial concerns. On the other hand, it is not significant attention from the scientific community, yet which uncommon for academic and scientific researchers to believe have potential for profound real world impact, formulating these that most of the problems faced by industrialists are either as research questions that, we believe, are ripe for exploration and that would make excellent topics for research projects. boring, tedious or scientifically uninteresting. This sociological phenomenon has led to a great deal of miscommunication between the academic and industrial sectors. I. INTRODUCTION We hope that we can make a small contribution by focusing on the intersection of challenging and interesting scientific How do we transition research on static and dynamic problems with pressing industrial deployment needs. Our aim analysis techniques from the testing and verification research is to move the debate beyond relatively unhelpful observations communities to industrial practice? Many have asked this we have typically encountered in, for example, conference question, and others related to it.
  • A Parallel Program Execution Model Supporting Modular Software Construction

    A Parallel Program Execution Model Supporting Modular Software Construction

    A Parallel Program Execution Model Supporting Modular Software Construction Jack B. Dennis Laboratory for Computer Science Massachusetts Institute of Technology Cambridge, MA 02139 U.S.A. [email protected] Abstract as a guide for computer system design—follows from basic requirements for supporting modular software construction. A watershed is near in the architecture of computer sys- The fundamental theme of this paper is: tems. There is overwhelming demand for systems that sup- port a universal format for computer programs and software The architecture of computer systems should components so users may benefit from their use on a wide reflect the requirements of the structure of pro- variety of computing platforms. At present this demand is grams. The programming interface provided being met by commodity microprocessors together with stan- should address software engineering issues, in dard operating system interfaces. However, current systems particular, the ability to practice the modular do not offer a standard API (application program interface) construction of software. for parallel programming, and the popular interfaces for parallel computing violate essential principles of modular The positions taken in this presentation are contrary to or component-based software construction. Moreover, mi- much conventional wisdom, so I have included a ques- croprocessor architecture is reaching the limit of what can tion/answer dialog at appropriate places to highlight points be done usefully within the framework of superscalar and of debate. We start with a discussion of the nature and VLIW processor models. The next step is to put several purpose of a program execution model. Our Parallelism processors (or the equivalent) on a single chip.
  • The Art, Science, and Engineering of Fuzzing: a Survey

    The Art, Science, and Engineering of Fuzzing: a Survey

    1 The Art, Science, and Engineering of Fuzzing: A Survey Valentin J.M. Manes,` HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo Abstract—Among the many software vulnerability discovery techniques available today, fuzzing has remained highly popular due to its conceptual simplicity, its low barrier to deployment, and its vast amount of empirical evidence in discovering real-world software vulnerabilities. At a high level, fuzzing refers to a process of repeatedly running a program with generated inputs that may be syntactically or semantically malformed. While researchers and practitioners alike have invested a large and diverse effort towards improving fuzzing in recent years, this surge of work has also made it difficult to gain a comprehensive and coherent view of fuzzing. To help preserve and bring coherence to the vast literature of fuzzing, this paper presents a unified, general-purpose model of fuzzing together with a taxonomy of the current fuzzing literature. We methodically explore the design decisions at every stage of our model fuzzer by surveying the related literature and innovations in the art, science, and engineering that make modern-day fuzzers effective. Index Terms—software security, automated software testing, fuzzing. ✦ 1 INTRODUCTION Figure 1 on p. 5) and an increasing number of fuzzing Ever since its introduction in the early 1990s [152], fuzzing studies appear at major security conferences (e.g. [225], has remained one of the most widely-deployed techniques [52], [37], [176], [83], [239]). In addition, the blogosphere is to discover software security vulnerabilities. At a high level, filled with many success stories of fuzzing, some of which fuzzing refers to a process of repeatedly running a program also contain what we consider to be gems that warrant a with generated inputs that may be syntactically or seman- permanent place in the literature.
  • Visual Representations of Executing Programs

    Visual Representations of Executing Programs

    Visual Representations of Executing Programs Steven P. Reiss Department of Computer Science Brown University Providence, RI 02912-1910 401-863-7641, FAX: 401-863-7657 {spr}@cs.brown.edu Abstract Programmers have always been curious about what their programs are doing while it is exe- cuting, especially when the behavior is not what they are expecting. Since program execution is intricate and involved, visualization has long been used to provide the programmer with appro- priate insights into program execution. This paper looks at the evolution of on-line visual repre- sentations of executing programs, showing how they have moved from concrete representations of relatively small programs to abstract representations of larger systems. Based on this examina- tion, we describe the challenges implicit in future execution visualizations and methodologies that can meet these challenges. 1. Introduction An on-line visual representation of an executing program is a graphical display that provides information about what a program is doing as the program does it. Visualization is used to make the abstract notion of a computer executing a program concrete in the mind of the programmer. The concurrency of the visualization in con- junction with the execution lets the programmer correlate real time events (e.g., inputs, button presses, error messages, or unexpected delays) with the visualization, making the visualization more useful and meaningful. Visual representations of executing programs have several uses. First, they have traditionally been used for program understanding as can be seen from their use in most algorithm animation systems [37,52]. Second, in various forms they have been integrated into debuggers and used for debugging [2,31].
  • Identifying Executable Plans

    Identifying Executable Plans

    Identifying executable plans Tania Bedrax-Weiss∗ Jeremy D. Frank Ari K. J´onssony Conor McGann∗ NASA Ames Research Center, MS 269-2 Moffett Field, CA 94035-1000, ftania,frank,jonsson,[email protected] Abstract AI solutions for planning and plan execution often use declarative models to describe the domain of interest. Generating plans for execution imposes a different set The planning system typically uses an abstract, long- of requirements on the planning process than those im- term model and the execution system typically uses a posed by planning alone. In highly unpredictable ex- ecution environments, a fully-grounded plan may be- concrete, short-term model. In most systems that deal come inconsistent frequently when the world fails to with planning and execution, the language used in the behave as expected. Intelligent execution permits mak- declarative model for planning is different than the lan- ing decisions when the most up-to-date information guage used in the execution model. This approach en- is available, ensuring fewer failures. Planning should forces a rigid separation between the planning model acknowledge the capabilities of the execution system, and the execution model. The execution system and the both to ensure robust execution in the face of uncer- planning system have to agree on the semantics of the tainty, which also relieves the planner of the burden plan, and having two separate models requires the sys- of making premature commitments. We present Plan tem designer to replicate the information contained in Identification Functions (PIFs), which formalize what the planning model in the execution model.
  • INTRODUCTION to .NET FRAMEWORK NET Framework .NET Framework Is a Complete Environment That Allows Developers to Develop, Run, An

    INTRODUCTION to .NET FRAMEWORK NET Framework .NET Framework Is a Complete Environment That Allows Developers to Develop, Run, An

    INTRODUCTION TO .NET FRAMEWORK NET Framework .NET Framework is a complete environment that allows developers to develop, run, and deploy the following applications: Console applications Windows Forms applications Windows Presentation Foundation (WPF) applications Web applications (ASP.NET applications) Web services Windows services Service-oriented applications using Windows Communication Foundation (WCF) Workflow-enabled applications using Windows Workflow Foundation (WF) .NET Framework also enables a developer to create sharable components to be used in distributed computing architecture. NET Framework supports the object-oriented programming model for multiple languages, such as Visual Basic, Visual C#, and Visual C++. NET Framework supports multiple programming languages in a manner that allows language interoperability. This implies that each language can use the code written in some other language. The main components of .NET Framework? The following are the key components of .NET Framework: .NET Framework Class Library Common Language Runtime Dynamic Language Runtimes (DLR) Application Domains Runtime Host Common Type System Metadata and Self-Describing Components Cross-Language Interoperability .NET Framework Security Profiling Side-by-Side Execution Microsoft Intermediate Language (MSIL) The .NET Framework is shipped with compilers of all .NET programming languages to develop programs. Each .NET compiler produces an intermediate code after compiling the source code. 1 The intermediate code is common for all languages and is understandable only to .NET environment. This intermediate code is known as MSIL. IL Intermediate Language is also known as MSIL (Microsoft Intermediate Language) or CIL (Common Intermediate Language). All .NET source code is compiled to IL. IL is then converted to machine code at the point where the software is installed, or at run-time by a Just-In-Time (JIT) compiler.
  • EXE: Automatically Generating Inputs of Death

    EXE: Automatically Generating Inputs of Death

    EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler Computer Systems Laboratory Stanford University Stanford, CA 94305, U.S.A {cristic, vganesh, piotrek, dill, engler} @cs.stanford.edu ABSTRACT 1. INTRODUCTION This paper presents EXE, an effective bug-finding tool that Attacker-exposed code is often a tangled mess of deeply- automatically generates inputs that crash real code. Instead nested conditionals, labyrinthine call chains, huge amounts of running code on manually or randomly constructed input, of code, and frequent, abusive use of casting and pointer EXE runs it on symbolic input initially allowed to be “any- operations. For safety, this code must exhaustively vet in- thing.” As checked code runs, EXE tracks the constraints put received directly from potential attackers (such as sys- on each symbolic (i.e., input-derived) memory location. If a tem call parameters, network packets, even data from USB statement uses a symbolic value, EXE does not run it, but sticks). However, attempting to guard against all possible instead adds it as an input-constraint; all other statements attacks adds significant code complexity and requires aware- run as usual. If code conditionally checks a symbolic ex- ness of subtle issues such as arithmetic and buffer overflow pression, EXE forks execution, constraining the expression conditions, which the historical record unequivocally shows to be true on the true branch and false on the other. Be- programmers reason about poorly. cause EXE reasons about all possible values on a path, it Currently, programmers check for such errors using a com- has much more power than a traditional runtime tool: (1) bination of code review, manual and random testing, dy- it can force execution down any feasible program path and namic tools, and static analysis.
  • Code Transformation and Analysis Using Clang and LLVM Static and Dynamic Analysis

    Code Transformation and Analysis Using Clang and LLVM Static and Dynamic Analysis

    Code transformation and analysis using Clang and LLVM Static and Dynamic Analysis Hal Finkel1 and G´abor Horv´ath2 Computer Science Summer School 2017 1 Argonne National Laboratory 2 Ericsson and E¨otv¨osLor´adUniversity Table of contents 1. Introduction 2. Static Analysis with Clang 3. Instrumentation and More 1 Introduction Space of Techniques During this set of lectures we'll cover a space of techniques for the analysis and transformation of code using LLVM. Each of these techniques have overlapping areas of applicability: Static Analysis LLVM Instrumentation Source Transformation 2 Space of Techniques When to use source-to-source transformation: • When you need to use the instrumented code with multiple compilers. • When you intend for the instrumentation to become a permanent part of the code base. You'll end up being concerned with the textual formatting of the instrumentation if humans also need to maintain or enhance this same code. 3 Space of Techniques When to use Clang's static analysis: • When the analysis can be performed on an AST representation. • When you'd like to maintain a strong connection to the original source code. • When false negatives are acceptable (i.e. it is okay if you miss problems). https://clang-analyzer.llvm.org/ 4 Space of Techniques When to use IR instrumentation: • When the necessary conditions can be (or can only be) detected at runtime (often in conjunction with a specialized runtime library). • When you require stronger coverage guarantees than static analysis. • When you'd like to reduce the cost of the instrumentation by running optimizations before the instrumentation is inserted, after the instrumentation is inserted, or both.
  • Static Program Analysis As a Fuzzing Aid

    Static Program Analysis As a Fuzzing Aid

    Static Program Analysis as a Fuzzing Aid Bhargava Shastry1( ), Markus Leutner1, Tobias Fiebig1, Kashyap Thimmaraju1, Fabian Yamaguchi2, Konrad Rieck2, Stefan Schmid3, Jean-Pierre Seifert1, and Anja Feldmann1 1 TU Berlin, Berlin, Germany [email protected] 2 TU Braunschweig, Braunschweig, Germany 3 Aalborg University, Aalborg, Denmark Abstract. Fuzz testing is an effective and scalable technique to per- form software security assessments. Yet, contemporary fuzzers fall short of thoroughly testing applications with a high degree of control-flow di- versity, such as firewalls and network packet analyzers. In this paper, we demonstrate how static program analysis can guide fuzzing by aug- menting existing program models maintained by the fuzzer. Based on the insight that code patterns reflect the data format of inputs pro- cessed by a program, we automatically construct an input dictionary by statically analyzing program control and data flow. Our analysis is performed before fuzzing commences, and the input dictionary is sup- plied to an off-the-shelf fuzzer to influence input generation. Evaluations show that our technique not only increases test coverage by 10{15% over baseline fuzzers such as afl but also reduces the time required to expose vulnerabilities by up to an order of magnitude. As a case study, we have evaluated our approach on two classes of network applications: nDPI, a deep packet inspection library, and tcpdump, a network packet analyzer. Using our approach, we have uncovered 15 zero-day vulnerabilities in the evaluated software that were not found by stand-alone fuzzers. Our work not only provides a practical method to conduct security evalua- tions more effectively but also demonstrates that the synergy between program analysis and testing can be exploited for a better outcome.
  • A Randomized Dynamic Program Analysis Technique for Detecting Real Deadlocks

    A Randomized Dynamic Program Analysis Technique for Detecting Real Deadlocks

    A Randomized Dynamic Program Analysis Technique for Detecting Real Deadlocks Pallavi Joshi Chang-Seo Park Mayur Naik Koushik Sen Intel Research, Berkeley, USA EECS Department, UC Berkeley, USA [email protected] {pallavi,parkcs,ksen}@cs.berkeley.edu Abstract cipline followed by the parent software and this sometimes results We present a novel dynamic analysis technique that finds real dead- in deadlock bugs [17]. locks in multi-threaded programs. Our technique runs in two stages. Deadlocks are often difficult to find during the testing phase In the first stage, we use an imprecise dynamic analysis technique because they happen under very specific thread schedules. Coming to find potential deadlocks in a multi-threaded program by observ- up with these subtle thread schedules through stress testing or ing an execution of the program. In the second stage, we control random testing is often difficult. Model checking [15, 11, 7, 14, 6] a random thread scheduler to create the potential deadlocks with removes these limitations of testing by systematically exploring high probability. Unlike other dynamic analysis techniques, our ap- all thread schedules. However, model checking fails to scale for proach has the advantage that it does not give any false warnings. large multi-threaded programs due to the exponential increase in We have implemented the technique in a prototype tool for Java, the number of thread schedules with execution length. and have experimented on a number of large multi-threaded Java Several program analysis techniques, both static [19, 10, 2, 9, programs. We report a number of previously known and unknown 27, 29, 21] and dynamic [12, 13, 4, 1], have been developed to de- real deadlocks that were found in these benchmarks.