More Web Proxy on the site http://driver.im/

research-article

DifFuzz: differential fuzzing for side-channel analysis

Authors:

Shirin Nilizadeh,

Corina S. PăsăreanuAuthors Info & Claims

ICSE '19: Proceedings of the 41st International Conference on Software Engineering

Pages 176 - 187

https://doi.org/10.1109/ICSE.2019.00034

Published: 25 May 2019 Publication History

Abstract

Side-channel attacks allow an adversary to uncover secret program data by observing the behavior of a program with respect to a resource, such as execution time, consumed memory or response size. Side-channel vulnerabilities are difficult to reason about as they involve analyzing the correlations between resource usage over multiple program paths. We present DifFuzz, a fuzzing-based approach for detecting side-channel vulnerabilities related to time and space. DifFuzz automatically detects these vulnerabilities by analyzing two versions of the program and using resource-guided heuristics to find inputs that maximize the difference in resource consumption between secret-dependent paths. The methodology of DifFuzz is general and can be applied to programs written in any language. For this paper, we present an implementation that targets analysis of Java programs, and uses and extends the Kelinci and AFL fuzzers. We evaluate DifFuzz on a large number of Java programs and demonstrate that it can reveal unknown side-channel vulnerabilities in popular applications. We also show that DifFuzz compares favorably against Blazer and Themis, two state-of-the-art analysis tools for finding side-channels in Java programs.

References

[1]

Apache FtpServer. https://mina.apache.org/ftpserver-project/. Accessed: 2018-08-21.

[2]

Authentication plugin for the Bukkit/Spigot API. https://github.com/AuthMe/AuthMeReloaded. Accessed: 2018-08-21.

[3]

H2 database engine. http://www.h2database.com/html/main.html. Accessed: 2018-05-06.

[4]

The Meltdown Attack. https://meltdownattack.com/. Accessed: 2018-08-21.

[5]

Xbox 360 Timing Attack. http://beta.ivc.no/wiki/index.php/Xbox_360_Timing_Attack. Accessed: 2018-08-21.

[6]

Dakshi Agrawal, Josyula R. Rao, and Pankaj Rohatgi. Multi-channel Attacks. In Colin D. Walter, Çetin Kaya Koç, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems - CHES 2003, 5<sup>th</sup> International Workshop, Cologne, Germany, September 8--10, 2003, Proceedings, volume 2779 of Lecture Notes in Computer Science, pages 2--16. Springer, 2003.

[7]

B. Almeida, M. Barbosa, J. S. Pinto, and B. Vieira. Formal verification of side-channel countermeasures using self-composition. In Science of Computer Programminga78(7), 2013.

Digital Library

[8]

Timos Antonopoulos, Paul Gazzillo, Michael Hicks, Eric Koskinen, Tachio Terauchi, and Shiyi Wei. Decomposition instead of self-composition for proving the absence of timing channels. In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2017, Barcelona, Spain, June 18--23, 2017, pages 362--375, 2017.

Digital Library

[9]

Lucas Bang, Abdulbaki Aydin, Quoc-Sang Phan, Corina S. Păsăreanu, and Tevfik Bultan. String Analysis for Side Channels with Segmented Oracles. In Proc. of the 2016 24<sup>th</sup> ACM SIGSOFT International Symposium on Foundations of Software Engineering, FSE 2016, pages 193--204, New York, NY, USA, November 2016. ACM.

Digital Library

[10]

Gilles Barthe, Pedro R. D'Argenio, and Tamara Rezk. Secure information flow by self-composition. In Proceedings of the 17th IEEE Workshop on Computer Security Foundations, CSFW '04, pages 100-, Washington, DC, USA, 2004. IEEE Computer Society.

Digital Library

[11]

Marcel Böhme. STADS: Software testing as species discovery. ACM Transactions on Software Engineering and Methodology, 27(2):7:1--7:52, June 2018.

Digital Library

[12]

Tegan Brennan, Seemanta Saha, Tevfik Bultan, and Corina S. Păsăreanu. Symbolic path cost analysis for side-channel detection. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2018, pages 27--37, New York, NY, USA, 2018. ACM.

Digital Library

[13]

David Brumley and Dan Boneh. Remote Timing Attacks Are Practical. In Proc. of the 12<sup>th</sup> Conf. on USENIX Security Symposium - Volume 12, SSYM'03, Berkeley, CA, USA, 2003. USENIX Association.

Digital Library

[14]

Jia Chen, Yu Feng, and Isil Dillig. Precise detection of side-channel vulnerabilities using quantitative cartesian hoare logic. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pages 875--890, 2017.

Digital Library

[15]

Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang. Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow. In Proc. of the 2010 IEEE Symposium on Security and Privacy, SP '10, pages 191--206, Washington, DC, USA, 2010. IEEE Computer Society.

Digital Library

[16]

Tom Chothia, Yusuke Kawamoto, and Chris Novakovic. LeakWatch: Estimating Information Leakage from Java Programs. In 19th European Symposium on Research in Computer Security - Volume 8713, ESORICS 2014, pages 219--236, New York, NY, USA, 2014. Springer-Verlag New York, Inc.

Digital Library

[17]

Quoc Huy Do, Richard Bubel, and Reiner Hähnle. Exploit Generation for Information Flow Leaks in Object-Oriented Programs. In ICT Systems Security and Privacy Protection: 30<sup>th</sup> IFIP TC 11 Intl. Conf., SEC 2015, Hamburg, Germany, pages 401--415. Springer, 2015.

[18]

Goran Doychev, Dominik Feld, Boris Köpf, Laurent Mauborgne, and Jan Reineke. CacheAudit: A Tool for the Static Analysis of Cache Side Channels. In Proc. of 22<sup>nd</sup> USENIX Conf. on Security, SEC'13, pages 431--146, Berkeley, CA, USA, 2013. USENIX Association.

Digital Library

[19]

Thai Duong and Juliano Rizzo. The CRIME attack. In Presentation at ekoparty Security Conf., 2012.

[20]

Mr. Dustin Fraze. Space/Time Analysis for Cybersecurity (STAC). https://www.darpa.mil/program/space-time-analysis-for-cybersecurity. Accessed: 2018-08-21.

[21]

Matthias Höschele and Andreas Zeller. Mining input grammars from dynamic taints. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering, ASE 2016, pages 720--725, New York, NY, USA, 2016. ACM.

Digital Library

[22]

Ralf Hund, Carsten Willems, and Thorsten Holz. Practical timing side channel attacks against kernel space aslr. In Security and Privacy (SP), 2013 IEEE Symposium on, pages 191--205. IEEE, 2013.

Digital Library

[23]

Yusuke Kawamoto, Fabrizio Biondi, and Axel Legay. Hybrid Statistical Estimation of Mutual Information for Quantifying Information Flow. In FM, volume 9995 of Lecture Notes in Computer Science, pages 406--425, 2016.

[24]

Rody Kersten, Kasper Luckow, and Corina S. Păsăreanu. Poster: Afl-based fuzzing for java with kelinci. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS '17, pages 2511--2513, New York, NY, USA, 2017. ACM.

Digital Library

[25]

Paul C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Proc. of the 16<sup>th</sup> Annual International Cryptology Conf. on Advances in Cryptology, CRYPTO '96, pages 104--113, London, UK, UK, 1996. Springer-Verlag.

Digital Library

[26]

Boris Köpf and David Basin. An Information-theoretic Model for Adaptive Side-channel Attacks. In Proc. of the 14<sup>th</sup> ACM Conf. on Computer and Communications Security, CCS '07, pages 286--296, New York, NY, USA, 2007. ACM.

Digital Library

[27]

Boris Köpf, Laurent Mauborgne, and Martín Ochoa. Automatic quantification of cache side-channels. In Proc. of the 24<sup>th</sup> international Conf. on Computer Aided Verification, CAV'12, pages 564--580, Berlin, Heidelberg, 2012. Springer-Verlag.

Digital Library

[28]

Nate Lawson. Timing attack in Google Keyczar library. https://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/, 2009. Accessed: 2018-08-21.

[29]

Caroline Lemieux, Rohan Padhye, Koushik Sen, and Dawn Song. Perffuzz: Automatically generating pathological inputs. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2018, pages 254--265, New York, NY, USA, 2018. ACM.

Digital Library

[30]

Caroline Lemieux and Koushik Sen. Fairfuzz: A targeted mutation strategy for increasing greybox fuzz testing coverage. In Proceedings of the 2018 33rd ACM/IEEE International Conference on Automated Software Engineering, ASE 2018, New York, NY, USA, 2018. ACM.

Digital Library

[31]

Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B Lee. Last-level cache side-channel attacks are practical. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 605--622. IEEE, 2015.

Digital Library

[32]

Heiko Mantel, Alexandra Weber, and Boris Köpf. A systematic study of cache side channels across aes implementations. In Eric Bodden, Mathias Payer, and Elias Athanasopoulos, editors, Engineering Secure Software and Systems, pages 213--230, Cham, 2017. Springer International Publishing.

[33]

P. Mardziel, M. S. Alvim, M. Hicks, and M. R. Clarkson. Quantifying information flow for dynamic secrets. In 2014 IEEE Symposium on Security and Privacy (SP), pages 540--555, May 2014.

Digital Library

[34]

Yannic Noller, Rody Kersten, and Corina S. Păsăreanu. Badger: Complexity analysis with fuzzing and symbolic execution. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2018, pages 322--332, New York, NY, USA, 2018. ACM.

Digital Library

[35]

Corina S Pasareanu, Quoc-Sang Phan, and Pasquale Malacaria. Multi-run side-channel analysis using symbolic execution and max-smt. In Computer Security Foundations Symposium (CSF), 2016 IEEE 29th, pages 387--400. IEEE, 2016.

[36]

Theofilos Petsios, Adrian Tang, Salvatore J. Stolfo, Angelos D. Keromytis, and Suman Jana. NEZHA: efficient domain-independent differential testing. In 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22--26, 2017, pages 615--632, 2017.

[37]

Quoc-Sang Phan, Lucas Bang, Corina S. Pasareanu, Pasquale Malacaria, and Tevfik Bultan. Synthesis of adaptive side-channel attacks. In 30th IEEE Computer Security Foundations Symposium, CSF 2017, Santa Barbara, CA, USA, August 21--25, 2017, pages 328--342, 2017.

[38]

S. Sivakorn, G. Argyros, K. Pei, A. D. Keromytis, and S. Jana. Hvlearn: Automated black-box analysis of hostname verification in ssl/tls implementations. In 2017 IEEE Symposium on Security and Privacy (SP), pages 521--538, May 2017.

[39]

Jiayi Wei, Jia Chen, Yu Feng, Kostas Ferles, and Isil Dillig. Singularity: Pattern fuzzing for worst case complexity. In Proceedings of the 26th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2018, New York, NY, USA, 2018. ACM.

Digital Library

[40]

Yuan Xiao, Mengyuan Li, Sanchuan Chen, and Yinqian Zhang. Stacco: Differentially analyzing side-channel traces for detecting ssl/tls vulnerabilities in secure enclaves. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS '17, pages 859--874, New York, NY, USA, 2017. ACM.

Digital Library

[41]

Xuejun Yang, Yang Chen, Eric Eide, and John Regehr. Finding and understanding bugs in c compilers. In Proceedings of the 32Nd ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '11, pages 283--294, New York, NY, USA, 2011. ACM.

Digital Library

[42]

Michal Zalewski. American fuzzy lop (afl). http://lcamtuf.coredump.cx/afl/, 2014. Accessed: 2018-05-06.

Cited By

Ruan HNoller YTizpaz-Niari SChattopadhyay SRoychoudhury A(2024)Timing Side-Channel Mitigation via Automated Program RepairACM Transactions on Software Engineering and Methodology10.1145/367816933:8(1-27)Online publication date: 16-Jul-2024
https://dl.acm.org/doi/10.1145/3678169
Jiao TXu ZQi MWen SXiang YNan G(2024)A Survey of Ethereum Smart Contract Security: Attacks and DetectionDistributed Ledger Technologies: Research and Practice10.1145/36438953:3(1-28)Online publication date: 9-Sep-2024
https://dl.acm.org/doi/10.1145/3643895
Gao PSong FChen T(2024)Compositional Verification of First-Order Masking Countermeasures against Power Side-Channel AttacksACM Transactions on Software Engineering and Methodology10.1145/363570733:3(1-38)Online publication date: 14-Mar-2024
https://dl.acm.org/doi/10.1145/3635707
Show More Cited By

Recommendations

QFuzz: quantitative fuzzing for side channels
ISSTA 2021: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

Side channels pose a significant threat to the confidentiality of software systems. Such vulnerabilities are challenging to detect and evaluate because they arise from non-functional properties of software such as execution times and require reasoning ...
SEnFuzzer: Detecting SGX Memory Corruption via Information Feedback and Tailored Interface Analysis
RAID '23: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses

Intel SGX provides protected memory called enclave to secure the private user data against corrupted or malicious OS environment. However, several researches have shown that the SGX applications suffer from memory corruption vulnerabilities, thus leading ...
EOSFuzzer: Fuzzing EOSIO Smart Contracts for Vulnerability Detection
Internetware '20: Proceedings of the 12th Asia-Pacific Symposium on Internetware

EOSIO is one typical public blockchain platform. It is scalable in terms of transaction speeds and has a growing ecosystem supporting smart contracts and decentralized applications. However, the vulnerabilities within the EOSIO smart contracts have led ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ICSE '19: Proceedings of the 41st International Conference on Software Engineering

May 2019

1318 pages

General Chair:
Joanne M. Atlee
University of Waterloo, Canada
,
Program Chairs:
Tevfik Bultan
University of California, Santa Barbara
,
Jon Whittle
Monash University, Australia

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering
IEEE-CS: Computer Society

Publisher

IEEE Press

Publication History

Published: 25 May 2019

Check for updates

Badges

Author Tags

Qualifiers

Research-article

Conference

ICSE '19

Sponsor:

SIGSOFT
IEEE-CS

ICSE '19: 41st International Conference on Software Engineering

May 25 - 31, 2019

Quebec, Montreal, Canada

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

26
Total Citations
View Citations
254
Total Downloads

Downloads (Last 12 months)16
Downloads (Last 6 weeks)0

Reflects downloads up to 31 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ruan HNoller YTizpaz-Niari SChattopadhyay SRoychoudhury A(2024)Timing Side-Channel Mitigation via Automated Program RepairACM Transactions on Software Engineering and Methodology10.1145/367816933:8(1-27)Online publication date: 16-Jul-2024
https://dl.acm.org/doi/10.1145/3678169
Jiao TXu ZQi MWen SXiang YNan G(2024)A Survey of Ethereum Smart Contract Security: Attacks and DetectionDistributed Ledger Technologies: Research and Practice10.1145/36438953:3(1-28)Online publication date: 9-Sep-2024
https://dl.acm.org/doi/10.1145/3643895
Gao PSong FChen T(2024)Compositional Verification of First-Order Masking Countermeasures against Power Side-Channel AttacksACM Transactions on Software Engineering and Methodology10.1145/363570733:3(1-38)Online publication date: 14-Mar-2024
https://dl.acm.org/doi/10.1145/3635707
Pasqua MCeccato MTonella PRoychoudhury APaiva AAbreu RStorey M(2024)Hypertesting of Programs: Theoretical Foundation and Automated Test GenerationProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3640323(1-12)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3640323
Zhao XQu HXu JLi XLv WWang G(2024)A systematic review of fuzzingSoft Computing - A Fusion of Foundations, Methodologies and Applications10.1007/s00500-023-09306-228:6(5493-5522)Online publication date: 1-Mar-2024
https://dl.acm.org/doi/10.1007/s00500-023-09306-2
Deng SLi MTang YWang SYan SZhang YCalandrino JTroncoso C(2023)CIPHERHProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620620(6843-6860)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620620
Li WRuan JYi GCheng LLuo XCai HCalandrino JTroncoso C(2023)POLYFUZZProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620315(1379-1396)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620315
Zhou YMa FChen YRen MJiang Y(2023)CLFuzz: Vulnerability Detection of Cryptographic Algorithm Implementation via Semantic-aware FuzzingACM Transactions on Software Engineering and Methodology10.1145/362816033:2(1-28)Online publication date: 23-Dec-2023
https://dl.acm.org/doi/10.1145/3628160
Nilizadeh ALeavens GPăsăreanu CNoller Y(2023)JMLKelinci+: Detecting Semantic Bugs and Covering Branches with Valid Inputs Using Coverage-guided Fuzzing and Runtime Assertion CheckingFormal Aspects of Computing10.1145/360753836:1(1-24)Online publication date: 5-Aug-2023
https://dl.acm.org/doi/10.1145/3607538
Li SSu ZAamodt TJerger NSwift M(2023)Finding Unstable Code via Compiler-Driven Differential TestingProceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 310.1145/3582016.3582053(238-251)Online publication date: 25-Mar-2023
https://dl.acm.org/doi/10.1145/3582016.3582053
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents