
Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation describes a new approach to concurrency testing that combines coverage-guided fuzzing with source annotations marking scheduling points, so that the order in which annotated threads proceed is decided by the fuzzer rather than left to chance. Because the interleaving is then driven by the fuzzer's input, a buggy interleaving can be reached deterministically and replayed from the input that produced it.
  • Concurrency bugs matter for both security and performance
  • Existing approaches to concurrency testing are limited and inefficient
  • Proposed approach: coverage-guided fuzzing plus annotations that let the fuzzer control thread interleavings
  • The fuzzer explores the space of interleavings systematically and can reproduce the ones it finds, so bugs are found efficiently and deterministically
  • Future work: informing the fuzzer about the distinct threads in the target and improving performance
The presenter shows how the fuzzer can notice that two threads are doing related work and construct a test case that triggers the specific interleaving in which the bug occurs. This demonstrates that the approach finds such bugs efficiently and, because the triggering interleaving is captured in the test case, reproducibly.
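The talk's own tooling is not reproduced on this page. What follows is an added illustration, not code from the presentation, of the mechanism the summary describes: scheduling annotations hand control of the interleaving to the fuzzer, the schedule becomes part of the fuzzer's input, and a buggy interleaving is reproducible from the bytes that selected it. Everything here is an assumption made for the example: the `Scheduler`, `point`, `replay` and `fuzz` names, the encoding of one schedule byte per scheduling decision, the constructed check-then-act withdrawal target, and the use of the observed interleaving as the coverage signal in place of code-edge coverage.

```python
import random
import threading

START_BALANCE = 100  # constructed scenario: one account, two concurrent withdrawals
AMOUNT = 80


class Scheduler:
    """Scheduler for threads annotated with point(): each thread blocks at every
    point; when several are parked, the next schedule byte picks which one runs
    (bytes past the end default to 0). Released (tid, label) pairs form the trace."""

    def __init__(self, schedule):
        self.schedule = schedule
        self.pos = 0
        self.cv = threading.Condition()
        self.go = {}         # tid -> Event the parked thread waits on
        self.label = {}      # tid -> label of the point it is parked at
        self.alive = set()   # tids that have not finished
        self.parked = set()  # tids currently blocked in point()
        self.trace = []      # released (tid, label) pairs, in order

    def point(self, tid, label):
        """Annotation placed in the code under test: park until chosen."""
        with self.cv:
            self.parked.add(tid)
            self.label[tid] = label
            self.cv.notify()
        self.go[tid].wait()
        self.go[tid].clear()

    def _wrap(self, tid, body):
        try:
            body()
        finally:
            with self.cv:
                self.alive.discard(tid)
                self.cv.notify()

    def run(self, bodies):
        """bodies maps tid -> zero-argument callable. Returns the trace."""
        threads = []
        for tid, body in bodies.items():
            self.go[tid] = threading.Event()
            self.alive.add(tid)
            t = threading.Thread(target=self._wrap, args=(tid, body))
            t.start()
            threads.append(t)
        while True:
            with self.cv:
                while not self.alive <= self.parked:  # some thread still running
                    self.cv.wait()
                runnable = sorted(self.parked)
                if not runnable:
                    break
                if len(runnable) > 1:  # a real decision: consume one schedule byte
                    b = self.schedule[self.pos] if self.pos < len(self.schedule) else 0
                    self.pos += 1
                    choice = runnable[b % len(runnable)]
                else:
                    choice = runnable[0]
                self.parked.remove(choice)
                self.trace.append((choice, self.label[choice]))
            self.go[choice].set()
        for t in threads:
            t.join()
        return tuple(self.trace)


def withdraw(sched, tid, account, amount):
    """Check-then-act withdrawal; the two annotations expose the race window."""
    sched.point(tid, "check")
    if account["balance"] >= amount:   # time of check
        sched.point(tid, "write")
        account["balance"] -= amount   # time of use


def replay(schedule):
    """Run two concurrent withdrawals under `schedule`; returns (balance, trace)."""
    account = {"balance": START_BALANCE}
    sched = Scheduler(schedule)
    trace = sched.run({0: lambda: withdraw(sched, 0, account, AMOUNT),
                       1: lambda: withdraw(sched, 1, account, AMOUNT)})
    return account["balance"], trace


def fuzz(seed=0, max_iters=1000):
    """Toy coverage-guided loop: keep a schedule when its interleaving is new."""
    rng = random.Random(seed)
    corpus = [b"\x00\x00"]  # seed input: runs each thread to completion in turn
    seen = set()
    for _ in range(max_iters):
        parent = bytearray(rng.choice(corpus))
        parent[rng.randrange(len(parent))] = rng.randrange(256)
        child = bytes(parent)
        balance, trace = replay(child)
        if trace not in seen:
            seen.add(trace)
            corpus.append(child)
        if balance < 0:  # bug oracle: the overdraft the check was meant to prevent
            return child
    return None
```

Replaying `b"\x00\x01"` releases thread 0 and then thread 1 at their `check` points before either writes, so both pass the balance check and the account ends at -60; `b"\x00\x00"` or an empty schedule runs thread 0 to completion first and ends at 20. Because the schedule is the only source of nondeterminism the scheduler admits, the bytes that `fuzz` returns reproduce the race on every replay, which is the property the talk's "deterministic discovery" refers to. In real instrumentation the `point()` calls would sit in the target (or hook its synchronization primitives) and edge coverage would supplement the interleaving-based signal used here.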

Abstract

Finding concurrency bugs has presented a challenge for security and development teams. Race condition-based vulnerabilities are a growing category of bugs reported to vendors and have been observed in in-the-wild exploits. Coverage-guided fuzzing has been a boon to the security community, both offensive and defensive, but on its own is often not sufficient to find deep concurrency issues reliably. This research discusses a novel approach to fuzzing that enables deterministic discovery of race condition bugs, allowing researchers to unearth and root-cause these serious bugs while still having fun.
