Hyperfuzzing: black-box security hypertesting with a grey-box fuzzer

Daniel Blackwell, Ingolf Becker, David Clark

TL;DR

The paper introduces LeakFuzzer, a hyperfuzzer that automatically generates hypertests to check the non-interference security property for information flow in C/C++ programs. Built on AFL++ and augmented with a hash-based leakage witness and public/secret input partitioning, it detects leakage without relying on internal program structure. In evaluation on the SIFF benchmark (10 SUTs, including Heartbleed and PostgreSQL cases), LeakFuzzer discovers leaks across all programs and generally outperforms CBMC and sanitizer-based AFL++ configurations, though with higher memory usage. The work demonstrates scalable, automated leakage testing and provides the SIFF benchmark suite for future evaluation, with data available for replication and extension.

Abstract

Information leakage is a class of error that can lead to severe consequences. However, unlike other errors, it is rarely explicitly considered during the software testing process. LeakFuzzer advances the state of the art by using a noninterference security property together with a security flow policy as an oracle. As the tool extends the state-of-the-art fuzzer AFL++, LeakFuzzer inherits the advantages of AFL++ such as scalability, automated input generation, high coverage and low developer intervention. The tool can detect the same set of errors that a normal fuzzer can detect, with the addition of being able to detect violations of secure information flow policies. We evaluated LeakFuzzer on a diverse set of 10 C and C++ benchmarks containing known information leaks, ranging in size from just 80 to over 900k lines of code. Seven of these are taken from real-world CVEs, including Heartbleed and a recent error in PostgreSQL. Given 20 24-hour runs, LeakFuzzer can find 100% of the leaks in the SUTs, whereas existing techniques such as the CBMC model checker and AFL++ augmented with different sanitizers can only find 40% at best.
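The hypertest oracle described above, as an added example that is not code from the paper or from LeakFuzzer: a constructed password check is run twice with the same public input and two different secrets, and a hash of each run's public output serves as the leakage witness. The status-only flow policy, the FNV-1a hash and the check itself are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed system under test, not from the paper: a password check whose
 * public output is a status string. Public input: the attempted password;
 * secret input: the stored password. */
static void sut(const char *attempt, const char *secret, char *out, size_t n) {
    size_t i = 0;
    while (attempt[i] && secret[i] && attempt[i] == secret[i]) i++;
    if (attempt[i] == '\0' && secret[i] == '\0')
        snprintf(out, n, "accepted");
    else
        snprintf(out, n, "rejected after %zu matching chars", i);  /* leaks i */
}

/* Security flow policy (assumed for this example): the only fact about the
 * secret allowed to reach the public output is whether the attempt matched. */
static int permitted_observation(const char *attempt, const char *secret) {
    return strcmp(attempt, secret) == 0;
}

/* 64-bit FNV-1a over the public output: the witness compared across runs. */
static uint64_t witness(const char *out) {
    uint64_t h = 1469598103934665603ULL;
    for (; *out; out++) { h ^= (unsigned char)*out; h *= 1099511628211ULL; }
    return h;
}

/* One hypertest: same public input, two secrets in the same policy class.
 * Returns 1 if non-interference is violated (witnesses differ), 0 if this
 * pair does not expose a leak, -1 if the pair is not a valid hypertest. */
int hypertest(const char *attempt, const char *secret_a, const char *secret_b) {
    if (permitted_observation(attempt, secret_a) != permitted_observation(attempt, secret_b))
        return -1;  /* outputs may legitimately differ; the policy permits this flow */
    char out_a[64], out_b[64];
    sut(attempt, secret_a, out_a, sizeof out_a);
    sut(attempt, secret_b, out_b, sizeof out_b);
    return witness(out_a) != witness(out_b);
}

int main(void) {
    /* Both secrets are rejected, but the match length differs: violation found. */
    printf("exposing pair: %d\n", hypertest("hunter2", "hunter3", "zzzzzzz"));
    /* Both secrets are rejected at the first character: leak not exposed. */
    printf("non-exposing:  %d\n", hypertest("hunter2", "abc", "xyz"));
    return 0;
}
```

As in Figure 1 of the paper, the first pair exposes the violation while the second does not, which is why a fuzzer must search over many secret pairs per public input rather than test one.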

Paper Structure (27 sections, 4 figures, 5 tables)

Figures (4)

  • Figure 1: Synthetic code example with an accompanying security policy and two hypertests, one exposing a violation of non-interference and the other failing to do so
  • Figure 2: High-level architectural overview of a grey-box fuzzer (black), with additions for LeakFuzzer (green).
  • Figure 3: Pseudocode algorithm describing the hypertesting approach used by LeakFuzzer.
  • Figure 4: Block diagram showing the internal and external representations of inputs in LeakFuzzer.