Listing by keyword "syzkaller"
- Beastie In For Checkup: Analyzing FreeBSD with LockDoc (Tagungsband des FG-BS Herbsttreffens 2021, 2021). Lochmann, Alexander; Schirmeier, Horst. LockDoc is an approach to extract locking rules for kernel data structures from a dynamic execution trace. The recorded trace can, for example, be used to verify existing locking documentation. LockDoc results for Linux indicated that only 53 % of all examined data types were accessed consistently with their respective locking documentation [5]: Linux systematically elides locks for performance reasons, and the existing documentation is partially outdated or inconsistent. Without a solid “ground truth”, it is impossible to reliably attribute LockDoc’s findings to bugs in Linux or to issues with the LockDoc approach itself. Therefore, in this paper we present results from applying LockDoc to a much more straightforwardly and “cleanly” implemented operating system: FreeBSD offers sophisticated locking documentation; for many data structures, each individual field is annotated with a precise locking rule. We report that, for four centrally documented data types, FreeBSD adheres to the documented locking rules in 72.4 % of all dynamic data-structure accesses. Investigating the remaining rule-violating accesses, we have already triggered two commits for the FreeBSD kernel that fix unprotected accesses and nudge this value to 73.6 %.
- Improving Linux-Kernel Tests for LockDoc with Feedback-driven Fuzzing (Tagungsband des FG-BS Herbsttreffens 2020, 2020). Lochmann, Alexander; Thunig, Robin; Schirmeier, Horst. LockDoc is an approach to extract locking rules for kernel data structures from a dynamic execution trace recorded while the system is under a benchmark load. These locking rules can, for example, be used to locate synchronization bugs. For high rule precision and thorough bug finding, the approach depends heavily on the choice of benchmarks: they must trigger the execution of as much code as possible in the kernel subsystem relevant to the targeted data structures. However, existing test suites such as those provided by the Linux Test Project (LTP) achieve only about 35 percent basic-block coverage (in the case of LTP) for the VFS subsystem, which is the relevant subsystem when extracting locking rules for filesystem-related data structures. In this article, we discuss how to complement the LTP suites to improve code coverage for our LockDoc scenario. We repurpose syzkaller, a coverage-guided fuzzer whose goal is to validate the robustness of kernel APIs, so that it 1) does not aim for kernel crashes and 2) maximizes code coverage for a specific kernel subsystem. Thereby, we generate new benchmark programs that can be run in addition to the LTP and increase VFS basic-block coverage by 26.1 percent.