Explore kernel file system data race fuzzing in this IEEE conference talk. Learn about concurrency challenges in the Linux kernel, conventional fuzzing processes, and their limitations in detecting data races. Discover how to explicitly bring out data races using checkers, and understand the importance of locking and ordering in race detection. Examine a multi-dimensional approach to coverage in fuzzing, focusing on the concurrency dimension. Delve into concurrency coverage tracking, aliased-instruction coverage, and active interleaving exploration through delay injection. Gain insights into the relationship between alias coverage growth and edge coverage, and understand the contributions of this research to improving kernel file system security.
Overview
Syllabus
Intro
Let's talk about data race
The classic race condition example
High level of concurrency in the Linux kernel
A data race in the kernel
Fuzzing as a way to explore the program
Code coverage as an approximation
The conventional fuzzing process
Back to our data race example
Bring out data races explicitly with a checker
Checking data races - locking
Checking data races - ordering (causality)
A slightly complicated data race
Case simplified
All interleavings yield to the same code coverage!
Incompleteness of CFG edge coverage
A multi-dimensional view of coverage in fuzzing
Visualizing the concurrency dimension
Bring fuzzing to the concurrency dimension
Concurrency coverage tracking
A straw-man solution
Observations on practical interleaving tracking
Aliased-instruction coverage
Active interleaving exploration - ideal case
Active interleaving exploration through delay injection
Bring them all together
Alias coverage growth will be saturating
Edge and alias coverage goes generally in synchronization
Conclusion and contribution
Taught by
IEEE Symposium on Security and Privacy
