Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
149 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

UBfuzz: Finding Bugs in Sanitizer Implementations (2401.04538v1)

Published 9 Jan 2024 in cs.CR, cs.PL, and cs.SE

Abstract: In this paper, we propose a testing framework for validating sanitizer implementations in compilers. Our core components are (1) a program generator specifically designed for producing programs containing undefined behavior (UB), and (2) a novel test oracle for sanitizer testing. The program generator employs Shadow Statement Insertion, a general and effective approach for introducing UB into a valid seed program. The generated UB programs are subsequently utilized for differential testing of multiple sanitizer implementations. Nevertheless, discrepant sanitizer reports may stem from either compiler optimization or sanitizer bugs. To accurately determine if a discrepancy is caused by sanitizer bugs, we introduce a new test oracle called crash-site mapping. We have incorporated our techniques into UBfuzz, a practical tool for testing sanitizers. Over a five-month testing period, UBfuzz successfully found 31 bugs in both GCC and LLVM sanitizers. These bugs reveal the serious false negative problems in sanitizers, where certain UBs in programs went unreported. This research paves the way for further investigation in this crucial area of study.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (44)
  1. Derek Bruening and Qin Zhao. 2011. Practical memory checking with Dr. Memory. In Proceedings of the 2011 International Symposium on Code Generation and Optimization (CGO’11). IEEE, 213–223.
  2. JTC1/SC22/WG14 The C Standards Committee. 2018. ISO/IEC 9899:2018, Programming languages — C. https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2310.pdf.
  3. CppCheck developers. 2023a. A Tool for Static C/C++ Code Analysis. Retrieved March 7, 2023 from http://cppcheck.sourceforge.net/
  4. Google developers. 2017. OSS-fuzz - continuous fuzzing of open source software. https://github.com/google/oss-fuzz. Accessed: March 7, 2023.
  5. LLVM developers. 2023b. UndefinedBehaviorSanitizer. https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html. Accessed: March 7, 2023.
  6. Zhen Yu Ding and Claire Le Goues. 2021. An empirical study of oss-fuzz bugs. In Proceedings of the 2021 IEEE/ACM International Conference on Mining Software Repositories (MSR’21). IEEE, 131–142.
  7. GCC. 2022a. Bug Report. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106558.
  8. GCC. 2022b. Bug report. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108085.
  9. GCC. 2023. Bug report. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109151.
  10. Don’t Look UB: Exposing Sanitizer-Eliding Compiler Optimizations. In To appear at the 44th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’23). 1–21.
  11. FuZZan: Efficient Sanitizer Metadata Design for Fuzzing.. In Proceedings of the 2020 USENIX Annual Technical Conference (USENIX ATC’20). 249–263.
  12. Compiler validation via equivalence modulo inputs. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’14). 216–226.
  13. Finding deep compiler bugs via guided stochastic program mutation. In Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’15). 386–399.
  14. PartiSan: fast and flexible sanitization via run-time partitioning. In Proceedings of the 21st International SymposiumResearch in Attacks, Intrusions, and Defenses (RAID’18). Springer, 403–422.
  15. Shaohua Li and Zhendong Su. 2023a. Accelerating Fuzzing through Prefix-Guided Execution. Proceedings of the ACM on Programming Languages 7, OOPSLA (2023), 1–27.
  16. Shaohua Li and Zhendong Su. 2023b. Finding Unstable Code via Compiler-Driven Differential Testing. In Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS’23). 238–251.
  17. Debug information validation for optimized code. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’20). 1052–1065.
  18. Random testing for C and C++ compilers with YARPGen. Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’20) (2020), 1–25.
  19. LLVM. 2022. Bug report. https://github.com/llvm/llvm-project/issues/55189.
  20. LLVM. 2023a. Bug report. https://github.com/llvm/llvm-project/issues/60236.
  21. LLVM. 2023b. Bug report. https://github.com/llvm/llvm-project/issues/61982.
  22. The art, science, and engineering of fuzzing: A survey. IEEE Transactions on Software Engineering 47, 11 (2019), 2312–2331.
  23. Meta. 2023. A Tool to Detect Bugs in Java and C/C++/Objective-c Code. Retrieved March 7, 2023 from https://fbinfer.com/
  24. Same Coverage, Less Bloat: Accelerating Binary-only Fuzzing with Coverage-preserving Coverage-guided Tracing. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS’21). 351–365.
  25. Nicholas Nethercote and Julian Seward. 2007. Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation. In Proceedings of the 2007 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’07). 89–100.
  26. NIST. 2017. Juliet Test Suite for C/C++ 1.3. https://samate.nist.gov/SARD/test-suites/112.
  27. NIST. 2023. CWE-469: Use of Pointer Subtraction to Determine Size. https://cwe.mitre.org/data/definitions/469.html. Accessed: March 7, 2023.
  28. Music: Mutation analysis tool with high configurability and extensibility. In Proceedings of the 2018 IEEE international conference on software testing, verification and validation workshops (ICSTW’18). IEEE, 40–46.
  29. Kosta Serebryany. 2016a. Continuous fuzzing with libfuzzer and addresssanitizer. In Proceedings of the 2016 IEEE Cybersecurity Development (SecDev’16). IEEE, 157–157.
  30. Kostya Serebryany. 2016b. Sanitize, fuzz, and harden your C++ code.
  31. AddressSanitizer: A Fast Address Sanity Checker. In Proceedings of the 2012 USENIX Annual Technical Conference (USENIX ATC’12). 309–318.
  32. Evgeniy Stepanov and Konstantin Serebryany. 2015. MemorySanitizer: fast detector of uninitialized memory use in C++. In Proceedings of the 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO’15). IEEE, 46–55.
  33. Finding compiler bugs via live code mutation. In Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’16). 849–863.
  34. CWE Content Team. 2008. CWE: Weaknesses in Software Written in C. https://cwe.mitre.org/data/definitions/658.html.
  35. The Clang Team. 2023a. LibTooling. https://clang.llvm.org/docs/LibTooling.html.
  36. The LLDB Team. 2023b. The LLDB Debugger. https://lldb.llvm.org/.
  37. Finding missed optimizations through the lens of dead code elimination. In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS’22). 697–709.
  38. High system-code security with low overhead. In Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P’15). IEEE, 866–879.
  39. Compilation Consistency Modulo Debug Information. In Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS’23). 146–158.
  40. Undefined behavior: what happened to my code?. In Proceedings of the Asia-Pacific Workshop on Systems. 1–7.
  41. Towards optimization-safe systems: Analyzing the impact of undefined behavior. In Proceedings of the 24th ACM Symposium on Operating Systems Principles (SOSP’13). 260–275.
  42. Finding and understanding bugs in C compilers. In Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’11). 283–294.
  43. SANRAZOR: Reducing Redundant Sanitizer Checks in C/C++ Programs.. In Proceedings of the 15th USENIX Symposium on Operating Systems Design and Implementation (OSDI’21). 479–494.
  44. Debloating Address Sanitizer. In Proceedings of the 31st USENIX Security Symposium (USENIX Security’22). 4345–4363.
Citations (2)

Summary

We haven't generated a summary for this paper yet.

X Twitter Logo Streamline Icon: https://streamlinehq.com