Finding semantic bugs in file systems with an extensible fuzzing framework

Kim, Seulbae; Xu, Meng; Kashyap, Sanidhya; Yoon, Jungyeon; Xu, Wen; Kim, Taesoo

doi:10.1145/3341301.3359662

Cited by 54 publications

(26 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An alternative is to enumerate code paths statically [40][41][42][43][44], but this is not scalable. Recent OS fuzzers adopt specificationbased syscall synthesization [5,6,21,27]. However, these fuzzers mostly focus on generating sequential programs instead of multi-threaded programs and are not intended to explore interleavings in syscall execution.…”

Section: Background and Related Workmentioning

confidence: 99%

“…As is evident in kernel and file system evolutions [1][2][3][4], a whole zoo of programming paradigms is introduced to exploit multi-core computation, including but not limited to asynchronous work queues, read-copy-update (RCU), and optimistic locking such as sequence locks. However, alongside performance improvements, concurrency bugs also find their ways to the code base and have become particularly detrimental to the reliability and security of file systems due to their devastating effects such as deadlocks, kernel panics, data inconsistencies, and privilege escalations [5][6][7][8][9][10][11][12].…”

Section: Introductionmentioning

confidence: 99%

“…Without a doubt, kernel file systems can be fuzzed, and generic OS fuzzers [21][22][23] have demonstrated their viability with over 200 bugs found. In addition, file system-specific fuzzers, Janus [5] and Hydra [6], have extended the scope of file system fuzzing from memory errors into a broad set of semantic bugs, while the data race-specific fuzzer, Razzer [24], has shed lights on data race detection by combining fuzzing and static analysis. At the core of these fuzzers is the coverage measurement scheme, which summarizes unique program behaviors triggered by a given input in bitmaps.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Krace: Data Race Fuzzing for Kernel File Systems

Kashyap

Zhao

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

Data races occur when two threads fail to use proper synchronization when accessing shared data. In kernel file systems, which are highly concurrent by design, data races are common mistakes and often wreak havoc on the users, causing inconsistent states or data losses. Prior fuzzing practices on file systems have been effective in uncovering hundreds of bugs, but they mostly focus on the sequential aspect of file system execution and do not comprehensively explore the concurrency dimension and hence, forgo the opportunity to catch data races.In this paper, we bring coverage-guided fuzzing to the concurrency dimension with three new constructs: 1) a new coverage tracking metric, alias coverage, specially designed to capture the exploration progress in the concurrency dimension; 2) an evolution algorithm for generating, mutating, and merging multithreaded syscall sequences as inputs for concurrency fuzzing; and 3) a comprehensive lockset and happens-before modeling for kernel synchronization primitives for precise data race detection. These components are integrated into KRACE, an end-to-end fuzzing framework that has discovered 23 data races in ext4, btrfs, and the VFS layer so far, and 9 are confirmed to be harmful.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Krace: Data Race Fuzzing for Kernel File Systems

Kashyap

Zhao

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…For example, Btrfs [36] was designed 14 years ago yet reported 110 bugs in 2020 [21]. Such bugs can cause data corruption or loss and system crashes [22,24,37].…”

Section: Introductionmentioning

confidence: 99%

“…CMC [29][30][31] inserts file system code directly into the model checker, for substantial speed advantages, but requires extensive changes to the very code being verified, making the results less trustworthy [47]. Fuzzing can find real-world bugs [12,22,38,45,46], but either is limited to specific types of bugs (e.g., memory safety for Janus [46]), or needs human effort to create checkers [22]. Likewise, symbolic-execution tools [4,5] cannot guarantee thorough coverage because they focus on particular issues (e.g., corrupt input [5]); they also require a behavioral model of each file system call [4].…”

Section: Introductionmentioning

confidence: 99%

Model-Checking Support for File System Development

Liu

Ganesan

et al. 2021

Proceedings of the 13th ACM Workshop on Hot Topics in Storage and File Systems

View full text Add to dashboard Cite

Developing and maintaining a file system is time-consuming, typically requiring years of effort. Developers often test compliance with APIs such as POSIX with hand-written regression suites that, alas, examine only a fraction of a file system's state space. Conversely, formal model checking can explore vast state spaces efficiently, increasing confidence in the file system's implementation. Yet model checking is not currently part of file system development. Our position is that file systems should be designed a priori to facilitate model checking.To this end, we introduce MCFS, an architecture for efficient and comprehensive file-system model checking. MCFS relies on two new APIs that save and restore a file system's inmemory and on-disk state. We describe our earlier attempts at model-checking file systems, including unsuccessful or inefficient ones. Those attempts led us to develop VeriFS, which implements the new APIs. We illustrate MCFS's modelchecking principles with VeriFS, a FUSE-based file system we were able to quickly develop with MCFS's help. CCS CONCEPTS• Software and its engineering → Software verification and validation; • Information systems → Information storage systems.

show abstract