Finding software vulnerabilities in concurrent programs is a challenging task due to the size of the state-space exploration, as the number of interleavings grows exponentially with the number of program threads and statements. We propose and evaluate EBF (Ensembles of Bounded Model Checking with Fuzzing) -- a technique that combines Bounded Model Checking (BMC) and Gray-Box Fuzzing (GBF) to find software vulnerabilities in concurrent programs. Since there are no publicly-available GBF tools for concurrent code, we first propose a novel concurrency-aware gray-box fuzzer that explores different thread schedules by instrumenting the code under test with random delays controlled by the fuzzing engine. Then, we build an ensemble of one BMC and one GBF tool in the following way. On the one hand, when the BMC tool in the ensemble returns a counterexample, we use it as a seed for our GBF tool, thus increasing the likelihood of executing paths guarded by complex mathematical expressions. On the other hand, we aggregate the outcomes of the BMC and GBF tools in the ensemble using a decision matrix, thus improving the accuracy of EBF. We evaluate EBF against state-of-the-art pure BMC tools and show that it can generate up to 14.9% more correct verification witnesses than BMC alone. Furthermore, we demonstrate the efficacy of our concurrency-aware GBF by showing that it can find 21.4% of the vulnerabilities in our evaluation suite, while non-concurrency-aware GBF tools can only find 0.55%. Finally, thanks to our concurrency-aware GBF tool, EBF detects a data race in the open-source wolfMqtt library, which demonstrates its effectiveness in finding vulnerabilities in real-world software.
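As an added illustration of the schedule-exploration idea described above (constructed example, not code from the EBF paper or tool), the following Python model lets fuzzer-controlled bytes choose the interleaving of a lost-update race, and shows a BMC-style counterexample schedule being used as a fuzzing seed. The three-step thread model, `run_schedule`, `fuzz` and the byte-per-step schedule encoding are all assumptions made for the example.

```python
"""Toy model of EBF's concurrency-aware fuzzing (constructed; not EBF's code).
Fuzzer input bytes pick which thread runs at each step, standing in for the
injected random delays; a BMC counterexample schedule can serve as a seed."""
import random

def increment_thread(shared):
    # Non-atomic increment in three steps; each yield is a preemption point.
    local = shared["counter"]      # load
    yield
    local += 1                     # add
    yield
    shared["counter"] = local      # store
    yield

def run_schedule(schedule, n_threads=2):
    """Run the threads under the interleaving chosen by `schedule`: byte i
    picks which still-running thread advances at step i (exhausted input
    defaults to thread 0). Returns the final counter; race-free is n_threads."""
    shared = {"counter": 0}
    threads = [increment_thread(shared) for _ in range(n_threads)]
    alive = list(range(n_threads))
    steps = iter(schedule)
    while alive:
        tid = alive[next(steps, 0) % len(alive)]
        try:
            next(threads[tid])
        except StopIteration:
            alive.remove(tid)
    return shared["counter"]

def violates(schedule, n_threads=2):
    """True when the schedule exposes the lost-update race."""
    return run_schedule(schedule, n_threads) != n_threads

def fuzz(seeds, n_iter=500, rng_seed=1):
    """Simplified GBF loop: execute the seeds first (a BMC counterexample seed
    hits the bug immediately), then mutate one schedule byte per iteration.
    Returns the first violating schedule, or None."""
    rng = random.Random(rng_seed)
    corpus = [list(s) for s in seeds]
    for s in corpus:
        if violates(s):
            return s
    for _ in range(n_iter):
        cand = list(rng.choice(corpus))
        cand[rng.randrange(len(cand))] = rng.randrange(256)
        if violates(cand):
            return cand
        corpus.append(cand)
    return None
```

Running `fuzz([[0, 1, 0, 1, 0, 1, 0, 1]])` returns the seed itself, the way a BMC counterexample would short-circuit the search, while `fuzz([[0] * 8])` has to mutate the race-free sequential schedule until an interleaving with both loads before either store appears.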