finding semantic bugs in file systems with an extensible
play

Finding Semantic Bugs in File Systems with an Extensible Fuzzing - PowerPoint PPT Presentation

Feb 28, 2024 •186 likes •943 views

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency

  1. Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market

  2. Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency Result at the end of the talk! 2

  3. Question: Can file systems be bug-free? 3

  4. Can file systems be bug-free? ● Code base is massive 4

  5. Can file systems be bug-free? Not likely ● Code base is massive 39 KLoC 98 KLoC 94 KLoC + common VFS layer (53 KLoC)! 5

  6. Can file systems be bug-free? Not likely ● Code base is massive and evolving 39 KLoC 98 KLoC 94 KLoC 6

  7. Can file systems be bug-free? Not likely ● Code base is massive and evolving 39 KLoC 98 KLoC 94 KLoC 100+ ext4, Btrfs, XFS bugs were reported in 2019 7

  8. File system bugs are devastating ● Bugs and effects Crash consistency bug Data loss / corruption ! Specification violation Unexpected runtime error ! Logic bug Incorrect result ! Memory error DoS / Privilege escalation ! 8

  9. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta kAFL (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 (OSDI’18) 9

  10. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta kAFL (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 (OSDI’18) Only test known cases 10

  11. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta kAFL (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 (OSDI’18) High false positive Only test Limited to known known cases test cases 11

  12. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta kAFL (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 (OSDI’18) High false positive Only test Large unverified parts Limited to known known cases (buggy) test cases 12

  13. Previous approaches to find FS bugs Regression Model Verified Fuzzing Testing Checking File System FiSC FiSC (OSDI’04) (OSDI’04) FSCQ (SOSP’15) Linux Test Project eXplode eXplode (OSDI’06) (OSDI’06) Syzkaller (Google) Yggdrasil (OSDI’16) xfstests Juxta Juxta kAFL (SOSP’15) (SOSP’15) (Security’17) DFSCQ (SOSP’17) fsck Ferrite Ferrite (ASPLOS’16) (ASPLOS’16) Janus (S&P’19) SFSCQ (OSDI’18) B3 B3 (OSDI’18) (OSDI’18) High false positive Only test Large unverified parts Limited to known ? known cases (buggy) test cases 13

  14. Our approach: Fuzzing file systems ● Feedback-driven fuzzing is a complementary solution ○ Produces effective test cases on-the-fly 🙃 ○ Proven to be scalable in practice 🙃 ○ ● Known file system fuzzers ○ VM-based kernel fuzzers ■ kAFL (Security’17), Syzkaller (Google) ○ LibOS-based fuzzer ■ Janus (S&P’19) - our previous work! 14

  15. Our approach: Fuzzing file systems ● Feedback-driven fuzzing is a complementary solution ○ Produces effective test cases on-the-fly 🙃 🙃 Janus discovered 90 memory-safety bugs ○ Proven to be scalable in practice from file systems in 2018 🙃 ○ ● Known file system fuzzers ○ VM-based kernel fuzzers ■ kAFL (Security’17), Syzkaller (Google) ○ LibOS-based fuzzer ■ Janus (S&P’19) - our previous work! 15

  16. Our approach: Fuzzing file systems ● Feedback-driven fuzzing is a complementary solution ○ Produces effective test cases on-the-fly 🙃 🙃 Janus discovered 90 memory-safety bugs ○ Proven to be scalable in practice from file systems in 2018 🙃 ○ ● Known file system fuzzers ○ VM-based kernel fuzzers ■ kAFL (Security’17), Syzkaller (Google) However, existing file system fuzzers ○ LibOS-based fuzzer ■ focus only on memory-safety bugs 🙂 Janus (S&P’19) - our previous work! 16

  17. File system bugs in various flavors ● Memory-safety bugs (focus of existing fuzzers) 12 % (219) 88 % (1786) *Reference: Lu, Lanyue, et al. “A study of Linux file system evolution.” 17 FAST’13

  18. File system bugs in various flavors ● Memory-safety bugs (focus of existing fuzzers) 12 % (219) ● Semantic bugs ○ Crash consistency bug 88 % ○ Specification violation (1786) ○ Logic bug ○ ... *Reference: Lu, Lanyue, et al. “A study of Linux file system evolution.” 18 FAST’13

  19. File system bugs in various flavors ● Memory-safety bugs (focus of existing fuzzers) 12 % (219) ● Semantic bugs ○ Crash consistency bug 88 % We’d like to take advantage of fuzzing ○ Specification violation (1786) ○ Logic bug for finding semantic bugs ○ ... *Reference: Lu, Lanyue, et al. “A study of Linux file system evolution.” 19 FAST’13

  20. Challenge: Semantic bugs are harder to detect ● Key idea in fuzzing: “Crashes” are feedback to fuzzers Fuzzing for memory-safety bugs Target FUZZER program 20

  21. Challenge: Semantic bugs are harder to detect ● Key idea in fuzzing: “Crashes” are feedback to fuzzers Fuzzing for memory-safety bugs input Target FUZZER program 21

  22. Challenge: Semantic bugs are harder to detect ● Key idea in fuzzing: “Crashes” are feedback to fuzzers Fuzzing for memory-safety bugs input Target FUZZER program if BUG, crash 22

  23. Challenge: Semantic bugs are harder to detect ● Key idea in fuzzing: “Crashes” are feedback to fuzzers Fuzzing for memory-safety bugs input Target FUZZER program if BUG, crash feedback (e.g., SIGSEGV) Detected! 23

  24. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input Target Target FUZZER FUZZER program program if BUG, crash feedback (e.g., SIGSEGV) Detected! 24

  25. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, crash feedback (e.g., SIGSEGV) Detected! 25

  26. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, function returns ? if BUG, crash feedback a wrong value internally (e.g., SIGSEGV) Detected! 26

  27. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, function returns ? if BUG, crash feedback a wrong value internally (e.g., SIGSEGV) Not detected 🙂 Detected! 27

  28. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, function returns ! if BUG, crash feedback a wrong value internally (e.g., SIGSEGV) Detected! Checker feedback Detected 🙃 28

  29. Challenge: Semantic bugs are harder to detect ● Problem: Semantic bugs fail SILENTLY (i.e., no feedback) Fuzzing for semantic bugs Fuzzing for memory-safety bugs (e.g., spec. violation) input input Target Target FUZZER FUZZER program program if BUG, function returns ! if BUG, crash feedback a wrong value internally (e.g., SIGSEGV) Accurate checker for each bug type Retval Detected! checker signal needs to be integrated to fuzzing! Detected :) 29

  30. Proposed solution: Hydra A turnkey solution for file system fuzzing 30

  31. HYDRA overview (high-level) LibOS-based Test case BUG! Input generator Checker Test Executor Feedback 31

  32. HYDRA overview - Input generator AFL variant* LibOS-based Test case BUG! Input generator Checker Test Executor Feedback 32 * Fuzzing File Systems via Two-Dimensional Input Space Exploration - IEEE S&P 2019

  33. HYDRA overview - Test case FS image + AFL variant* System calls LibOS-based Test case BUG! Input generator Checker Test Executor Feedback 33 * Fuzzing File Systems via Two-Dimensional Input Space Exploration - IEEE S&P 2019

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science Two promising approaches to make

1.25k views • 85 slides
Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang, Jian Huang, and Marc Snir University of Illinois at Urbana-Champaign Contact: Jinghan Sun (js39@illinois.edu) PFS failures are frequent and

912 views • 17 slides
FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee,

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee,

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee, Sooel Son KAIST Upload Functionality Sharing user-provided content has become a de facto standard feature of modern web applications 2 File

995 views • 61 slides
Construction of a Semantic Model Construction of a Semantic Model for a Typed Assembly Language

Construction of a Semantic Model Construction of a Semantic Model for a Typed Assembly Language

Construction of a Semantic Model Construction of a Semantic Model for a Typed Assembly Language Gang Tan, Andrew Appel, Kedar Swadi and Dinghao Wu Princeton University Jan 11, 2004 Extensible systems Extensible systems code extensions host

228 views • 22 slides
Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems

Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems

Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems Cameron Macdonell Macdonell Cameron Overview Overview The The Scruf Scruf Framework Framework Examples of Extended File Systems

470 views • 18 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

878 views • 87 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
EMMA Extensible Multimodal Annotation markup language Canonical structure semantic

EMMA Extensible Multimodal Annotation markup language Canonical structure semantic

EMMA Extensible Multimodal Annotation markup language Canonical structure semantic interpretations for a variety of inputs including: Speech Natural language text GUI Ink 1 James A. Larson EMMA EMMA Extensible Multimodal

376 views • 15 slides
Building an Extensible File System via Policy-based Data

Building an Extensible File System via Policy-based Data

Building an Extensible File System via Policy-based Data Management Hao Xu Jewel H. Ward Mike Conway Arcot Rajasekar Reagan W. Moore (iRODS

985 views • 38 slides
Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds of file formats are supported in Windows, Office, et al. Many written in C/C++ Programming errors security bugs! Random choice of x: one

493 views • 35 slides
Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system implementation n Example file systems Chapter 6 CS 1550, cs.pitt.edu 2 (originaly modified by Ethan Long-term information storage n Must store large amounts

1.01k views • 66 slides
Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system implementation Example file systems Chapter 6 CMPS 111, UC Santa Cruz 2 Long-term information storage Must store large amounts of data

829 views • 57 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 1 File systems are complex and have bugs File systems are complex (e.g.,

765 views • 52 slides
Testing of embedded and mobile Qt and QML Applications Qt Developer Days 2013 by Harri Porten

Testing of embedded and mobile Qt and QML Applications Qt Developer Days 2013 by Harri Porten

Testing of embedded and mobile Qt and QML Applications Qt Developer Days 2013 by Harri Porten About me Name: Harri Porten Company: froglogic GmbH Position: co-founder and CTO Qt usage: since 1997 (KDE project) Qt

516 views • 24 slides
Intro to Assumption Testing November 22, 2019 Todays Agenda Intro to Assumption Testing and

Intro to Assumption Testing November 22, 2019 Todays Agenda Intro to Assumption Testing and

Community Mobility Design Challenge 2019 Intro to Assumption Testing November 22, 2019 Todays Agenda Intro to Assumption Testing and Prototyping Schedule Reminders Team Updates Road Map August: Kick-off Team Activities

804 views • 41 slides
T HOUGHTS ON P ROGRESS M ADE AND C HALLENGES A HEAD IN F EW -S HOT L EARNING Hugo Larochelle

T HOUGHTS ON P ROGRESS M ADE AND C HALLENGES A HEAD IN F EW -S HOT L EARNING Hugo Larochelle

T HOUGHTS ON P ROGRESS M ADE AND C HALLENGES A HEAD IN F EW -S HOT L EARNING Hugo Larochelle Google Brain 3 Human-level concept learning People are through probabilistic good at it program induction Brenden M. Lake, 1 * Ruslan

765 views • 40 slides
A Grand Challenge for Testing Nanoelectronic Circuits Introduction B. Becker, University of

A Grand Challenge for Testing Nanoelectronic Circuits Introduction B. Becker, University of

Special Session: Massive Statistical Process Variation: A Grand Challenge for Testing Nanoelectronic Circuits Introduction B. Becker, University of Freiburg S. Hellebrand, University of Paderborn I. Polian, University of Passau W.

819 views • 61 slides
(New) Challenges in Random Number Generation for Cryptography Viktor F ISCHER Laboratoire Hubert

(New) Challenges in Random Number Generation for Cryptography Viktor F ISCHER Laboratoire Hubert

TRNG Design Challenges RNG security evaluation Conclusions (New) Challenges in Random Number Generation for Cryptography Viktor F ISCHER Laboratoire Hubert Curien, UMR 5516 CNRS Jean Monnet University, Member of University of Lyon

685 views • 44 slides
Sparkle Planning Challenge 2019 Chuan Luo, Mauro Vallati and Holger H. Hoos Universiteit Leiden

Sparkle Planning Challenge 2019 Chuan Luo, Mauro Vallati and Holger H. Hoos Universiteit Leiden

Sparkle Planning Challenge 2019 Chuan Luo, Mauro Vallati and Holger H. Hoos Universiteit Leiden The Netherlands & University of Huddersfield United Kingdom ICAPS 2019, Berkeley, USA The state of the art in solving X ... ... is not

276 views • 26 slides
Connected Fleet Challenge Webinar Series Webinar #1 2:00 3:30 PM (Eastern) | October 3, 2019

Connected Fleet Challenge Webinar Series Webinar #1 2:00 3:30 PM (Eastern) | October 3, 2019

Connected Fleet Challenge Webinar Series Webinar #1 2:00 3:30 PM (Eastern) | October 3, 2019 Webinar Logistics All lines are muted Webinar will be recorded Submit questions and comments in chat or Q&A section of webinar

891 views • 56 slides
Come migliorare le cicatrici post-acneiche: Dott. ssa Anna Masar Universit di Napoli

Come migliorare le cicatrici post-acneiche: Dott. ssa Anna Masar Universit di Napoli

Come migliorare le cicatrici post-acneiche: Dott. ssa Anna Masar Universit di Napoli Federico II ACNE AND SCARS Acne is a chronic disease of the pilosebaceous follicle. It causes polymorph cutaneous lesions that mainly occur on the face,

781 views • 57 slides

More recommend