Finding software vulnerabilities in concurrent programs is a challenging task due to the size of the state-space exploration, as the number of interleavings grows exponentially with the number of program threads and statements. We propose and evaluate EBF (Ensembles of Bounded Model Checking with Fuzzing), a technique that combines Bounded Model Checking (BMC) and Gray-Box Fuzzing (GBF) to find software vulnerabilities in concurrent programs. Since there are no publicly available GBF tools for concurrent code, we first propose OpenGBF, a new open-source concurrency-aware gray-box fuzzer that explores different thread schedules by instrumenting the code under test with random delays. Then, we build an ensemble of a BMC tool and OpenGBF in the following way. On the one hand, when the BMC tool in the ensemble returns a counterexample, we use it as a seed for OpenGBF, thus increasing the likelihood of executing paths guarded by complex mathematical expressions. On the other hand, we aggregate the outcomes of the BMC and GBF tools in the ensemble using a decision matrix, thus improving the accuracy of EBF. We evaluate EBF against state-of-the-art pure BMC tools and show that it can generate up to 14.9% more correct verification witnesses than the corresponding BMC tools alone. Furthermore, we demonstrate the efficacy of OpenGBF by showing that it can find 24.2% of the vulnerabilities in our evaluation suite, while non-concurrency-aware GBF tools can only find 0.55%. Finally, thanks to our concurrency-aware OpenGBF, EBF detects a data race in the open-source wolfMqtt library and reproduces known bugs in several other real-world programs, which demonstrates its effectiveness in finding vulnerabilities in real-world software.
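The following is an added illustration, not code from the EBF or OpenGBF projects, of the three ideas in the abstract on a toy program: exhaustive exploration of bounded interleavings (the BMC side), random schedule sampling standing in for OpenGBF's random-delay instrumentation (the GBF side), replay of the BMC counterexample as a fuzzer seed, and a decision matrix that merges the two verdicts. The program under test is a constructed lost-update race on a shared counter, threads are modelled as Python generators so that schedules are deterministic, and the aggregation policy in `decision_matrix` is an assumption, not the paper's actual matrix.

```python
"""Toy model of the EBF ensemble: BMC-style enumeration of interleavings,
GBF-style random schedule sampling, counterexample reuse as a seed, and a
decision matrix. All inputs are constructed for illustration."""
import itertools
import random

N_THREADS = 2
STEPS_PER_THREAD = 2  # each thread does one read and one write


def increment(shared, local):
    """One thread's non-atomic 'counter += 1', split into a read step and a
    write step so a scheduler can interleave it with the other thread."""
    local["tmp"] = shared["counter"]        # read the shared value
    yield "read"
    shared["counter"] = local["tmp"] + 1    # write it back (may be stale)
    yield "write"


def run_schedule(order):
    """Execute both increments under a fixed interleaving `order`, a sequence
    of thread ids such as (0, 1, 0, 1). Returns the final counter value."""
    shared = {"counter": 0}
    threads = [increment(shared, {}) for _ in range(N_THREADS)]
    for tid in order:
        next(threads[tid])
    return shared["counter"]


def is_bug(final_counter):
    """The property under verification: N_THREADS increments must yield N_THREADS."""
    return final_counter != N_THREADS


def bmc_explore():
    """BMC-style exhaustive exploration of every interleaving within the bound.
    Returns ('unsafe', schedule) with the first violating interleaving as the
    counterexample, or ('safe', None) if no bounded schedule violates the property."""
    steps = [tid for tid in range(N_THREADS) for _ in range(STEPS_PER_THREAD)]
    for order in sorted(set(itertools.permutations(steps))):
        if is_bug(run_schedule(order)):
            return "unsafe", order
    return "safe", None


def fuzz_schedules(trials, seed, seed_schedules=()):
    """GBF-style sampling: pick a random runnable thread at each step (the
    analogue of OpenGBF perturbing schedules with random delays). Seed
    schedules, e.g. a BMC counterexample, are replayed before random trials.
    Returns ('crash', schedule) on the first violating run, else ('no-crash', None)."""
    rng = random.Random(seed)
    for order in seed_schedules:
        if is_bug(run_schedule(order)):
            return "crash", tuple(order)
    for _ in range(trials):
        remaining = [STEPS_PER_THREAD] * N_THREADS
        order = []
        while any(remaining):
            tid = rng.choice([t for t in range(N_THREADS) if remaining[t]])
            remaining[tid] -= 1
            order.append(tid)
        if is_bug(run_schedule(order)):
            return "crash", tuple(order)
    return "no-crash", None


def decision_matrix(bmc_verdict, fuzz_verdict):
    """Assumed aggregation policy (not the paper's matrix): a concrete crash
    from the fuzzer always wins because it is a reproducible witness;
    otherwise the BMC verdict is reported, and 'unknown' stays unknown."""
    if fuzz_verdict == "crash":
        return "unsafe"
    if bmc_verdict in ("safe", "unsafe"):
        return bmc_verdict
    return "unknown"


def ebf(trials=50, seed=1234):
    """Run the ensemble end to end: BMC first, its counterexample seeds the
    fuzzer, and the decision matrix produces the final verdict."""
    bmc_verdict, counterexample = bmc_explore()
    seeds = [counterexample] if counterexample else []
    fuzz_verdict, witness = fuzz_schedules(trials, seed, seed_schedules=seeds)
    return decision_matrix(bmc_verdict, fuzz_verdict), counterexample, witness


if __name__ == "__main__":
    print(ebf())
```

Of the six bounded interleavings, the four in which both reads happen before either write lose an update; the exhaustive search finds `(0, 1, 0, 1)` first, and replaying that schedule as a seed lets the fuzzer confirm it with a concrete run before any random sampling, which is the point of feeding BMC counterexamples into OpenGBF.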