Title of invention: DETECTING RACE CONDITION VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS
Abstract: Testing computer software applications is performed by identifying first and second executable portions of the computer software application, where the portions are configured to access a data resource, and where at least one of the portions is configured to write to the data resource, instrumenting the computer software application by inserting one or more instrumentation instructions into one or both of the portions, where the instrumentation instruction is configured to cause execution of the portion being instrumented to be extended by a randomly-determined amount of time, and testing the computer software application in multiple iterations, where the computer software application is executed in multiple parallel execution threads, where the portions are independently executed at least partially in parallel in different threads, and where the computer software application is differently instrumented in each of the iterations.
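Application publication number: US2017017563(A1) Application publication date: 2017.01.19
Application number: US201615288193 Filing date: 2016.10.07
Applicant: International Business Machines Corporation Inventor: Tripp Omer
Classification: G06F11/36;G06F21/57 Main classification: G06F11/36
Agency: Agent: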
Main claim: 1. A method for testing computer software applications, the method comprising: identifying a first executable portion of a computer software application and a second executable portion of the computer software application, wherein the first and second executable portions are identified as being data interdependent and the first and second executable portions are configured to access a data resource, wherein at least one of the first and second executable portions is configured to write to the data resource; instrumenting the computer software application, the instrumenting comprising inserting at least one instrumentation instruction into at least one of the first and second executable portions, and inserting the at least one instrumentation instruction proximate to a location where the data resource is accessed, wherein the instrumentation instruction is configured to cause execution of the portion being instrumented to be extended by a randomly-determined amount of time; and testing the computer software application in each of a plurality of iterations, wherein the computer software application is differently instrumented in each of the iterations; wherein the computer software application is executed in multiple parallel execution threads, wherein the first and second executable portions are independently executed at least partially in parallel in different ones of the threads; and wherein the testing comprises identifying a race condition vulnerability associated with the computer software application if during one of the iterations the first executable portion writes to the data resource before the second executable portion accesses the data resource, and during a different one of the iterations the second executable portion accesses the data resource before the first executable portion writes to the data resource.
Address: Armonk NY US
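The detection criterion of claim 1, as an added Python example that is not part of the patent record or IBM's implementation: a writer and a reader thread are each extended by a seeded random delay just before they touch a shared resource, and a race is flagged when both access orders occur across iterations. The names `run_iteration` and `find_race`, the `synchronized` flag, and the in-memory dictionary standing in for the data resource are assumptions made for illustration.

```python
import random
import threading
import time

def run_iteration(seed, synchronized=False, max_delay=0.2):
    """Run writer and reader in parallel threads; return the access order."""
    rng = random.Random(seed)           # a new seed gives a differently instrumented run
    write_delay = rng.uniform(0, max_delay)
    read_delay = rng.uniform(0, max_delay)
    order = []                          # log of accesses to the shared resource
    log_lock = threading.Lock()         # protects the log only, not the ordering
    written = threading.Event()
    resource = {"token": None}          # constructed stand-in for the data resource

    def writer():
        time.sleep(write_delay)         # instrumentation: random extension before the write
        with log_lock:
            resource["token"] = "set"
            order.append("write")
        written.set()

    def reader():
        time.sleep(read_delay)          # instrumentation: random extension before the read
        if synchronized:
            written.wait()              # corrected variant: read is ordered after the write
        with log_lock:
            _ = resource["token"]
            order.append("read")

    threads = [threading.Thread(target=writer), threading.Thread(target=reader)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return tuple(order)

def find_race(seeds, synchronized=False):
    """Flag a race if write-before-read and read-before-write are both observed."""
    seen = {run_iteration(s, synchronized) for s in seeds}
    return {("write", "read"), ("read", "write")} <= seen
```

With `synchronized=True` the reader waits for the writer, so only one order can occur and nothing is flagged regardless of the injected delays.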