A Heuristic Framework to Detect Concurrency Vulnerabilities
With the growing use of multi-core hardware, and of software written to exploit it, concurrency vulnerabilities have become an inevitable threat to the security of today's IT industry. Existing detection schemes for concurrent programs focus mainly on concurrency errors such as data races and atomicity violations, and pay little attention to concurrency vulnerabilities that can be exploited to compromise security. In this paper, we propose a heuristic framework that combines static analysis with a dynamic approach to detect concurrency vulnerabilities, in particular concurrency buffer overflows, concurrency double frees, and concurrency use-after-frees. In this framework, we collect the sensitive concurrent operations and operation patterns of each type of concurrency vulnerability by studying real-world concurrency vulnerabilities, apply static analysis to locate these sensitive concurrent operations in a concurrent program, and compare them against the operation patterns to categorize each finding as a potential type of concurrency vulnerability. We then apply forced scheduling during fuzz testing of the program to explore the execution orders that are likely to trigger the potential concurrency vulnerabilities. We also introduce random scheduling into a fuzzer such as AFL, enabling it to effectively explore thread interleavings in a concurrent program, which significantly enhances its power to detect concurrency bugs and vulnerabilities. To the best of our knowledge, we are the first to enable a fuzzer to effectively explore thread interleavings to detect concurrency vulnerabilities. By applying the proposed framework, we have discovered several previously unreported bugs in real-world concurrent C programs, which demonstrates the effectiveness of the framework.
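The two-phase idea in the abstract (pattern-based static pairing of sensitive operations, then forced scheduling of the candidates, plus random scheduling over whole-program interleavings) can be illustrated on a toy model. The following is an added example, not the paper's framework or code: the operation IR, the pattern table (free/free, free/read, free/write, write/resize) and the three-thread program it analyzes are all constructed here, and a shadow heap stands in for the real program under test.

```python
"""Toy two-phase concurrency-vulnerability detector (added example, not the paper's code).
Phase 1 pairs sensitive operations from different threads whose locksets do not overlap
and classifies each pair by an assumed operation-pattern table. Phase 2 force-schedules
each candidate pair on a shadow heap to see which order actually triggers. A third routine
explores thread-order-preserving random interleavings of the whole program, the way a
fuzzer with a randomized scheduler would. Program, patterns and sizes are constructed."""
import random
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Op:
    thread: str
    kind: str                      # "free" | "read" | "write" | "resize"
    obj: str                       # heap object the operation touches
    locks: frozenset = frozenset() # locks held at the operation
    n: int = 0                     # bytes written (write) or new size (resize)


# Constructed input: what a static pass might extract from a small C program.
SIZES = {"node": 32, "buf": 64, "cfg": 8}
PROGRAM = [
    Op("T1", "free", "node", frozenset({"m"})),
    Op("T2", "read", "node"),                          # unlocked read of a freeable object
    Op("T2", "free", "node"),                          # unlocked second free
    Op("T1", "write", "buf", frozenset({"m"}), n=64),  # writes the original size
    Op("T3", "resize", "buf", n=16),                   # shrinks the buffer unlocked
    Op("T1", "read", "cfg", frozenset({"m"})),
    Op("T2", "write", "cfg", frozenset({"m"}), n=8),   # same lock on both sides: ordered
]

# Assumed operation patterns: unordered pair of op kinds -> candidate vulnerability type.
PATTERNS = {
    frozenset({"free"}): "concurrency double free",
    frozenset({"free", "read"}): "concurrency use-after-free",
    frozenset({"free", "write"}): "concurrency use-after-free",
    frozenset({"write", "resize"}): "concurrency buffer overflow",
}


def label(op):
    return f"{op.thread}:{op.kind}({op.obj})"


def static_candidates(ops):
    """Phase 1: cross-thread pairs on the same object with disjoint locksets that match a pattern."""
    found = []
    for i, a in enumerate(ops):
        for b in ops[i + 1:]:
            if a.thread == b.thread or a.obj != b.obj or (a.locks & b.locks):
                continue
            vuln = PATTERNS.get(frozenset({a.kind, b.kind}))
            if vuln:
                found.append((vuln, a, b))
    return found


class ShadowHeap:
    """Tracks liveness and size per object; reports the first violation it sees."""
    def __init__(self, sizes):
        self.live = {k: True for k in sizes}
        self.size = dict(sizes)

    def run(self, op):
        if not self.live[op.obj]:
            return "concurrency double free" if op.kind == "free" else "concurrency use-after-free"
        if op.kind == "free":
            self.live[op.obj] = False
        elif op.kind == "resize":
            self.size[op.obj] = op.n
        elif op.kind == "write" and op.n > self.size[op.obj]:
            return "concurrency buffer overflow"
        return None


def forced_schedule(a, b, sizes=SIZES):
    """Phase 2: run both orders of a candidate pair on a fresh shadow heap."""
    outcome = {}
    for order in permutations((a, b)):
        heap, hit = ShadowHeap(sizes), None
        for op in order:
            hit = heap.run(op)
            if hit:
                break
        outcome[" -> ".join(label(o) for o in order)] = hit
    return outcome


def analyze(ops=PROGRAM, sizes=SIZES):
    """Static pairing followed by forced scheduling; keeps only the orders that confirm the type."""
    report = []
    for vuln, a, b in static_candidates(ops):
        confirmed = [o for o, hit in forced_schedule(a, b, sizes).items() if hit == vuln]
        report.append({"type": vuln, "pair": (label(a), label(b)), "triggering_orders": confirmed})
    return report


def random_interleavings(ops=PROGRAM, sizes=SIZES, trials=200, seed=1):
    """Random scheduling: per-thread order is kept, the next thread to run is picked at random.
    Returns the set of vulnerability types hit and the number of trials that hit one."""
    rng = random.Random(seed)
    hits, crashing = set(), 0
    for _ in range(trials):
        queues = {}
        for op in ops:
            queues.setdefault(op.thread, []).append(op)
        heap = ShadowHeap(sizes)
        while queues:
            t = rng.choice(sorted(queues))
            hit = heap.run(queues[t].pop(0))
            if not queues[t]:
                del queues[t]
            if hit:
                hits.add(hit)
                crashing += 1
                break
    return hits, crashing


if __name__ == "__main__":
    for entry in analyze():
        print(entry)
    print(random_interleavings())
```

The lockset filter is what keeps the `cfg` pair out of the candidate list: both accesses hold `m`, so no interleaving can separate them. Forced scheduling then does the work the static phase cannot, distinguishing a candidate that fires in only one order (free before read, resize before write) from one that fires in either (two unlocked frees), which is the difference between a report that needs a specific schedule and one that any scheduler will eventually reach.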