NIFuzz: Estimating Quantified Information Flow with a Fuzzer
Daniel Blackwell, Ingolf Becker, David Clark
TL;DR
NIFuzz tackles the problem of not only detecting information leaks in software but also quantifying them at scale. It combines fuzzing with information-theoretic metrics, deriving a novel conditional mutual information formulation and providing a channel-capacity lower bound, all implemented in Rust atop LibAFL. The approach simultaneously identifies leak sources (explicit secret input, stack, heap) and yields both lower-bound and upper-bound leakage estimates, demonstrated across 14 SUTs including Heartbleed and other CVEs. This enables prioritization of fixes and provides actionable insight for verifying leak quantities in large, real-world programs.
Abstract
This paper presents a scalable, practical approach to quantifying information leaks in software; these errors are often overlooked and downplayed, but can seriously compromise security mechanisms such as address space layout randomisation (ASLR) and Pointer Authentication (PAC). We introduce approaches for three different metrics to estimate the size of information leaks, including a new derivation for the calculation of conditional mutual information. Together, these metrics can inform of the relative safety of the target program against different threat models and provide useful details for finding the source of any leaks. We provide an implementation of a fuzzer, NIFuzz, which is capable of dynamically computing these metrics with little overhead and has several strategies to optimise for the detection and quantification of information leaks. We evaluate NIFuzz on a set of 14 programs -- including 8 real-world CVEs and ranging up to 278k lines of code in size -- where we find that it is capable of detecting and providing good estimates for all of the known information leaks.
