Razzer: Finding Kernel Race Bugs through Fuzzing presented at IEEESymposium 2019

by Byoungyoung Lee, Kyungtae Kim, Insik Shin, Dae R. Jeong, Basavesh Shivakumar,

URL : https://youtu.be/9UszCIxc0r0

Summary : A data race in a kernel is an important class of bugs, criticallyimpacting the reliability and security of the associated system. As aresult of a race, the kernel may become unresponsive. Even worse,an attacker may launch a privilege escalation attack to acquireroot privileges.In this paper, we propose Razzer, a tool to find race bugs in kernels.The core of Razzer is in guiding fuzz testing towards potentialdata race spots in the kernel. Razzer employs two techniques tofind races efficiently: a static analysis and a deterministic threadinterleaving technique. Using a static analysis, Razzer identifiesover-approximated potential data race spots, guiding the fuzzer tosearch for data races in the kernel more efficiently. Using thedeterministic thread interleaving technique implemented at thehypervisor, Razzer tames the non-deterministic behavior of the kernelsuch that it can deterministically trigger a race. We implemented aprototype of Razzer and ran the latest Linux kernel (from v4.16-rc3to v4.18-rc3) using Razzer. As a result, Razzer discovered 30 newraces in the kernel, with 16 subsequently confirmed and accordinglypatched by kernel developers after they were reported.