Overview
Syllabus
Intro
Let's talk about data races
The classic race condition example
High level of concurrency in the Linux kernel
A data race in the kernel
Fuzzing as a way to explore the program
Code coverage as an approximation
The conventional fuzzing process
Back to our data race example
Bring out data races explicitly with a checker
Checking data races - locking
Checking data races - ordering (causality)
A slightly complicated data race
Case simplified
All interleavings yield the same code coverage!
Incompleteness of CFG edge coverage
A multi-dimensional view of coverage in fuzzing
Visualizing the concurrency dimension
Bring fuzzing to the concurrency dimension
Concurrency coverage tracking
A straw-man solution
Observations on practical interleaving tracking
Aliased-instruction coverage
Active interleaving exploration - ideal case
Active interleaving exploration through delay injection
Bring them all together
Alias coverage growth saturates
Edge and alias coverage generally grow in sync
Conclusion and contribution
Taught by
IEEE Symposium on Security and Privacy