DOI: 10.1145/3477132.3483549 (ACM Conferences, SOSP)

Snowboard: Finding Kernel Concurrency Bugs through Systematic Inter-thread Communication Analysis

Published: 26 October 2021

ABSTRACT

Kernel concurrency bugs are challenging to find because they depend on very specific thread interleavings and test inputs. While separately exploring kernel thread interleavings or test inputs has been closely examined, jointly exploring interleavings and test inputs has received little attention, in part due to the resulting vast search space. Using precious, limited testing resources to explore this search space and execute just the right concurrent tests in the proper order is critical.

This paper proposes Snowboard, a testing framework that generates and executes concurrent tests by intelligently exploring thread interleavings and test inputs jointly. The design of Snowboard is based on a concept called potential memory communication (PMC), a guess about pairs of tests that, when executed concurrently, are likely to perform memory accesses to shared addresses, which in turn may trigger concurrency bugs. To identify PMCs, Snowboard runs tests sequentially from a fixed initial kernel state, collecting their memory accesses. It then pairs up tests that write and read the same region into candidate concurrent tests. It executes those tests using the associated PMC as a scheduling hint to focus interleaving search only on those schedules that directly affect the relevant memory accesses. By clustering candidate tests on various features of their PMCs, Snowboard avoids testing similar behaviors, which would be inefficient. Finally, by executing tests from small clusters first, it prioritizes uncommon suspicious behaviors that may have received less scrutiny.

Snowboard discovered 14 new concurrency bugs in Linux kernels 5.3.10 and 5.12-rc3, of which 12 have been confirmed by developers. Six of these bugs cause kernel panics and filesystem errors, and at least two have existed in the kernel for many years, showing that this approach can uncover hard-to-find, critical bugs. Furthermore, we show that covering as many distinct pairs of uncommon read/write instructions as possible is the test-prioritization strategy with the highest bug yield for a given test-time budget.
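The pipeline the abstract describes (collect per-test memory accesses, pair a write with a read of the same region into a PMC, cluster, run small clusters first) can be sketched as follows. This is an added illustration, not Snowboard's own code. The trace record layout, the sample trace, the choice of the (write instruction, read instruction) pair as the cluster feature, and the rule that the two tests must differ are assumptions of this sketch.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Access:
    """One memory access recorded while a test ran alone (assumed record layout)."""
    test: str   # id of the sequential test that performed the access
    ins: int    # address of the instruction that performed it
    kind: str   # "W" for write, "R" for read
    addr: int   # first byte touched
    size: int   # number of bytes touched


@dataclass(frozen=True)
class PMC:
    """Potential memory communication: a write and a read of overlapping bytes."""
    writer: Access
    reader: Access


def overlaps(a: Access, b: Access) -> bool:
    # Half-open ranges [addr, addr + size): adjacent ranges do not overlap.
    return a.addr < b.addr + b.size and b.addr < a.addr + a.size


def find_pmcs(trace):
    """Pair every write with every read of the same region made by another test."""
    writes = [a for a in trace if a.kind == "W"]
    reads = [a for a in trace if a.kind == "R"]
    # Quadratic scan for clarity; a large trace would need an address index.
    return [PMC(w, r) for w, r in product(writes, reads)
            if w.test != r.test and overlaps(w, r)]


def cluster_by_instruction_pair(pmcs):
    """Group PMCs that share the same (write instruction, read instruction) pair."""
    clusters = defaultdict(list)
    for pmc in pmcs:
        clusters[(pmc.writer.ins, pmc.reader.ins)].append(pmc)
    return dict(clusters)


def schedule(clusters):
    """Smallest clusters first, one representative concurrent test per cluster."""
    ordered = sorted(clusters.items(), key=lambda kv: (len(kv[1]), kv[0]))
    plan = []
    for pair, members in ordered:
        rep = members[0]
        plan.append({
            "tests": (rep.writer.test, rep.reader.test),  # run these concurrently
            "hint": pair,                # instructions to interleave around
            "cluster_size": len(members),
        })
    return plan


def plan_for(trace):
    return schedule(cluster_by_instruction_pair(find_pmcs(trace)))


# Constructed sample trace; addresses are made up and refer to no real kernel.
TRACE = [
    Access("t1", 0x1000, "W", 0x8000, 8),
    Access("t2", 0x2000, "R", 0x8004, 4),  # partial overlap with t1's write
    Access("t3", 0x2000, "R", 0x8000, 8),
    Access("t4", 0x2000, "R", 0x8000, 4),
    Access("t2", 0x3000, "W", 0x9000, 4),
    Access("t4", 0x4000, "R", 0x9002, 2),  # the only reader of t2's write
    Access("t3", 0x2100, "R", 0xA000, 4),  # no writer: yields no PMC
    Access("t1", 0x1100, "R", 0x9004, 4),  # adjacent to t2's write, no overlap
]

if __name__ == "__main__":
    for entry in plan_for(TRACE):
        w_ins, r_ins = entry["hint"]
        print(f"run {entry['tests']} hint=({w_ins:#x}, {r_ins:#x}) "
              f"cluster_size={entry['cluster_size']}")
```

In the sample, three PMCs share one instruction pair and collapse into a single candidate test, while the lone pair (0x3000, 0x4000) is scheduled first.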
