Title: Detecting Lifecycle-Related Concurrency Bugs in ROS Programs via Coverage-Guided Fuzzing
Authors: Si-Miao Gao; Pengcheng Wang; Jia-Ju Bai; Jia-Wei Yu; Haizhou Wang
DOI: 10.1109/TIFS.2025.3592562
Journal: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 7940-7953
Publication date: 2025-07-24
Publication type: Journal Article
URL: https://ieeexplore.ieee.org/document/11095749/
Journal impact factor: 8.0; JCR: Q1 (COMPUTER SCIENCE, THEORY & METHODS); Region: 1 (Computer Science)
Open access: no
Citations: 0
Abstract
Robot Operating System (ROS) is very popular in robotic software development. To ease the process management of ROS programs, ROS provides a special lifecycle mechanism that conveniently manages the state of each running process, which often involves resource allocation, initialization, and release; this mechanism is widely used in real-world ROS programs. However, because ROS programs are concurrent, a lifecycle-related function is inevitably executed concurrently with other functions, introducing the security risk of dangerous concurrency bugs such as null-pointer dereference and use-after-free. Due to the non-determinism of thread scheduling, these concurrency bugs are difficult to find and reproduce. In this paper, we design and implement a new coverage-guided fuzzing framework named ROCF, which can effectively detect and reproduce lifecycle-related concurrency bugs in ROS programs, with two novel techniques. First, we propose a lifecycle-aware fuzzing approach that uses the lifecycle pair sequence as a new coverage metric to effectively describe lifecycle-related thread interleavings, guiding input mutation in ROS concurrency fuzzing. Second, we propose a heuristic-based reproducing method that identifies minimal input sequences that can stably and efficiently reproduce the found concurrency bugs, using strategic input pruning and delay injection. We evaluate ROCF on eight popular robotic programs in ROS2, and it finds 32 new and real concurrency bugs, all of which have been confirmed by ROS developers, and 19 of which have been assigned CVE IDs.
Journal description:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance, and systems applications that incorporate these features.