Fuzz Testing by Biased Thread Scheduling
Work-in-Progress Update
Derek Hower, Andrew Phelps
March 30, 2007
What We’re Doing
- Parallel software:
  - is notoriously hard to get right
  - often works “by chance” but harbors latent bugs
- Better testing is needed for better software…
- So we will randomly perturb programs to scare up the crashes
Focus On:
- Lightweight threads (shared data)
- Specifically, pthreads NPTL on Linux
- Using our desktop machines (so far)
Perturb How?
- Modify the scheduling of threads
- Software can unconsciously rely on a particular thread running at a particular time
  - For a while after returning from a call
  - Through an area that should have been protected with a lock
- We will be unfair to the threads, and arbitrarily stop some and prefer others
- We will increase the number of times that threads are switched at arbitrary points
What Software to Break?
- Where does one find apps that use pthreads? Actually, lots of places…
- We have chosen an initial set of applications to test:
  - OpenOffice
  - ffmpeg video encoding library
  - MySQL database
  - Apache web server
Choice of Three Approaches
- We identified a main approach and two backups:
  - We want to use ptrace and libthread_db to control the target app
  - If that runs into difficulty, we could simply hack pthreads
  - Or, worst case, hack the kernel scheduler
Current Progress
- Peach, the multithreaded fuzz tester
  - Basically a specialized debugger
- Mixed success
  - Poorly documented libraries = major headache!
- We are currently able to attach and monitor some events
Peach Basics
- 1 shadow Peach thread per target thread
- Scheduling decisions made in shadow when the target cedes control
- Diagram: Main Peach Controller -> Shadows -> Target Threads
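As an added example (not code from the Peach project or from these slides), here is a minimal in-process version of the scheduling model above: each target thread cedes control at instrumentation points, a seeded controller decides which thread runs next, and only the chosen thread runs, so the same seed reproduces the same interleaving. The counter under test, the names cede, wait_turn and run_counter, and the seed values are assumptions for illustration; the atomic variant is the fixed form of the same check-then-act code.

```c
#include <pthread.h>
#include <stdint.h>

#define NTHREADS 2
static pthread_mutex_t ctl = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t turn = PTHREAD_COND_INITIALIZER;
static int running, alive[NTHREADS], shared; /* shared: the (constructed) counter under test */
static uint32_t rng;                          /* seeded LCG: same seed, same schedule */

/* Controller decision (call with ctl held): hand the CPU to a random live thread. */
static void pick_next_locked(void) {
    int n = 0, cand[NTHREADS];
    for (int i = 0; i < NTHREADS; i++) if (alive[i]) cand[n++] = i;
    rng = rng * 1103515245u + 12345u;
    running = n ? cand[(rng >> 16) % n] : -1;
    pthread_cond_broadcast(&turn);
}
static void wait_turn(int me) { /* block until the controller picks this thread */
    pthread_mutex_lock(&ctl);
    while (running != me) pthread_cond_wait(&turn, &ctl);
    pthread_mutex_unlock(&ctl);
}
static void cede(int me) { /* instrumentation point: give up the CPU, wait to be rescheduled */
    pthread_mutex_lock(&ctl); pick_next_locked(); pthread_mutex_unlock(&ctl);
    wait_turn(me);
}

struct job { int id, iters, atomic; };
static void *worker(void *p) {
    struct job *j = p;
    wait_turn(j->id);
    for (int i = 0; i < j->iters; i++) {
        if (j->atomic) __atomic_fetch_add(&shared, 1, __ATOMIC_SEQ_CST); /* fix: single RMW */
        else { int v = shared; cede(j->id); shared = v + 1; } /* read, switch point, write */
        cede(j->id);
    }
    pthread_mutex_lock(&ctl); alive[j->id] = 0; pick_next_locked(); pthread_mutex_unlock(&ctl);
    return NULL;
}

/* Two threads each add `iters` to `shared`; returns the final count (2*iters if correct). */
int run_counter(uint32_t seed, int iters, int atomic) {
    pthread_t t[NTHREADS]; struct job j[NTHREADS];
    rng = seed; shared = 0;
    for (int i = 0; i < NTHREADS; i++) { alive[i] = 1; j[i] = (struct job){i, iters, atomic}; }
    pthread_mutex_lock(&ctl); pick_next_locked(); pthread_mutex_unlock(&ctl);
    for (int i = 0; i < NTHREADS; i++) pthread_create(&t[i], NULL, worker, &j[i]);
    for (int i = 0; i < NTHREADS; i++) pthread_join(t[i], NULL);
    return shared;
}
```

With the unprotected read/write window, essentially every seed produces lost updates while the atomic variant always reaches 2*iters, and because the schedule depends only on the seed, a failing run can be replayed exactly to locate the bug.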
Moving Forward
- Still developing foundation
- With any luck, actual fuzz testing will begin shortly
- Finding the source of any bugs we do find looks doubtful given the current timeframe
Questions?