Table of Contents
Fetching ...

NIFuzz: Estimating Quantified Information Flow with a Fuzzer

Daniel Blackwell, Ingolf Becker, David Clark

TL;DR

NIFuzz tackles the problem of not only detecting information leaks in software but also quantifying them at scale. It combines fuzzing with information-theoretic metrics, deriving a novel conditional mutual information formulation and providing a channel-capacity lower bound, all implemented in Rust atop LibAFL. The approach simultaneously identifies leak sources (explicit secret input, stack, heap) and yields both lower-bound and upper-bound leakage estimates, demonstrated across 14 SUTs including Heartbleed and other CVEs. This enables prioritization of fixes and provides actionable insight for verifying leak quantities in large, real-world programs.

Abstract

This paper presents a scalable, practical approach to quantifying information leaks in software; these errors are often overlooked and downplayed, but can seriously compromise security mechanisms such as address space layout randomisation (ASLR) and Pointer Authentication (PAC). We introduce approaches for three different metrics to estimate the size of information leaks, including a new derivation for the calculation of conditional mutual information. Together, these metrics can inform of the relative safety of the target program against different threat models and provide useful details for finding the source of any leaks. We provide an implementation of a fuzzer, NIFuzz, which is capable of dynamically computing these metrics with little overhead and has several strategies to optimise for the detection and quantification of information leaks. We evaluate NIFuzz on a set of 14 programs -- including 8 real-world CVEs and ranging up to 278k lines of code in size -- where we find that it is capable of detecting and providing good estimates for all of the known information leaks.

NIFuzz: Estimating Quantified Information Flow with a Fuzzer

TL;DR

NIFuzz tackles the problem of not only detecting information leaks in software but also quantifying them at scale. It combines fuzzing with information-theoretic metrics, deriving a novel conditional mutual information formulation and providing a channel-capacity lower bound, all implemented in Rust atop LibAFL. The approach simultaneously identifies leak sources (explicit secret input, stack, heap) and yields both lower-bound and upper-bound leakage estimates, demonstrated across 14 SUTs including Heartbleed and other CVEs. This enables prioritization of fixes and provides actionable insight for verifying leak quantities in large, real-world programs.

Abstract

This paper presents a scalable, practical approach to quantifying information leaks in software; these errors are often overlooked and downplayed, but can seriously compromise security mechanisms such as address space layout randomisation (ASLR) and Pointer Authentication (PAC). We introduce approaches for three different metrics to estimate the size of information leaks, including a new derivation for the calculation of conditional mutual information. Together, these metrics can inform of the relative safety of the target program against different threat models and provide useful details for finding the source of any leaks. We provide an implementation of a fuzzer, NIFuzz, which is capable of dynamically computing these metrics with little overhead and has several strategies to optimise for the detection and quantification of information leaks. We evaluate NIFuzz on a set of 14 programs -- including 8 real-world CVEs and ranging up to 278k lines of code in size -- where we find that it is capable of detecting and providing good estimates for all of the known information leaks.
Paper Structure (32 sections, 9 equations, 11 figures, 4 tables, 4 algorithms)

This paper contains 32 sections, 9 equations, 11 figures, 4 tables, 4 algorithms.

Figures (11)

  • Figure 1: A simplified access control policy diagram for two isolated virtual machines running under a hypervisor; a common architecture for cloud computing services. Here the arrow points represent allowed directions for flow of information. Note that both VM1 and VM2 have a 'root' user, though these are separated and no information can flow between them.
  • Figure 2: A simple password checker containing a side-channel leak.
  • Figure 3: A diagram detailing the 3 approaches that we use for estimating quantifying information flow, note that the left two both measure channel capacity and all three are measures of Shannon information.
  • Figure 4: Diagram showing the structure of an input, as seen from NIFuzz point of view. Note that each subsection of the secret part of the input is optional.
  • Figure 5: Simplified description of the map stored in the fuzzer state
  • ...and 6 more figures