TY - GEN
T1 - Ct-fuzz
T2 - 13th IEEE International Conference on Software Testing, Verification and Validation, ICST 2020
AU - He, Shaobo
AU - Emmi, Michael
AU - Ciocarlie, Gabriela
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/10
Y1 - 2020/10
N2 - Testing-based methodologies like fuzzing are able to analyze complex software which is not amenable to traditional formal approaches like verification, model checking, and abstract interpretation. Despite enormous success at exposing countless security vulnerabilities in many popular software projects, applications of testing-based approaches have mainly targeted checking traditional safety properties like memory safety. While unquestionably important, this class of properties does not precisely characterize other important security aspects such as information leakage, e.g., through side channels. In this work we extend testing-based software analysis methodologies to two-safety properties, which enables the precise discovery of information leaks in complex software. In particular, we present the ct-fuzz tool, which lends coverage-guided grey-box fuzzers the ability to detect two-safety property violations. Our approach is capable of exposing violations of any two-safety property expressed as equality between two program traces. Empirically, we demonstrate that ct-fuzz swiftly reveals timing leaks in popular cryptographic implementations.
AB - Testing-based methodologies like fuzzing are able to analyze complex software which is not amenable to traditional formal approaches like verification, model checking, and abstract interpretation. Despite enormous success at exposing countless security vulnerabilities in many popular software projects, applications of testing-based approaches have mainly targeted checking traditional safety properties like memory safety. While unquestionably important, this class of properties does not precisely characterize other important security aspects such as information leakage, e.g., through side channels. In this work we extend testing-based software analysis methodologies to two-safety properties, which enables the precise discovery of information leaks in complex software. In particular, we present the ct-fuzz tool, which lends coverage-guided grey-box fuzzers the ability to detect two-safety property violations. Our approach is capable of exposing violations of any two-safety property expressed as equality between two program traces. Empirically, we demonstrate that ct-fuzz swiftly reveals timing leaks in popular cryptographic implementations.
UR - https://www.scopus.com/pages/publications/85091591834
UR - https://www.scopus.com/pages/publications/85091591834#tab=citedBy
U2 - 10.1109/ICST46399.2020.00063
DO - 10.1109/ICST46399.2020.00063
M3 - Conference contribution
AN - SCOPUS:85091591834
T3 - Proceedings - 2020 IEEE 13th International Conference on Software Testing, Verification and Validation, ICST 2020
SP - 466
EP - 471
BT - Proceedings - 2020 IEEE 13th International Conference on Software Testing, Verification and Validation, ICST 2020
Y2 - 23 March 2020 through 27 March 2020
ER -
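The abstract above describes the core idea: a two-safety property is checked by running the program twice on inputs that agree on the public data and differ only in the secret, then asserting that the two observable traces are equal. The C program below is an added illustration written for this page, not ct-fuzz's own code. It hand-instruments branch outcomes (ct-fuzz obtains its traces through compiler instrumentation and drives the search with a coverage-guided fuzzer; here a fixed deterministic loop stands in for the fuzzer), applies the check to a leaky early-exit comparison and to a constant-time comparison, and counts the secret pairs whose traces diverge. All function names, the toy LCG and the sample inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One execution's observable trace: the sequence of branch outcomes.
   In ct-fuzz the trace is produced by instrumentation; here it is hand-rolled. */
#define TRACE_MAX 256
typedef struct {
    uint8_t events[TRACE_MAX];
    size_t len;
} trace_t;

static trace_t *g_trace; /* trace currently being recorded (NULL = off) */

/* Instrumentation hook: record a branch outcome and pass it through. */
static bool observe_branch(bool taken) {
    if (g_trace && g_trace->len < TRACE_MAX)
        g_trace->events[g_trace->len++] = (uint8_t)taken;
    return taken;
}

/* Leaky comparison: returns as soon as a byte mismatches, so the number of
   loop iterations (and thus the timing) depends on where `secret` first
   differs from the attacker-controlled `guess`. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n) {
    for (size_t i = 0; observe_branch(i < n); i++) {
        if (observe_branch(secret[i] != guess[i]))
            return 0;
    }
    return 1;
}

/* Constant-time comparison: the only branches depend on the public length n,
   so the branch trace is identical for every secret. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; observe_branch(i < n); i++)
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    return diff == 0;
}

typedef int (*compare_fn)(const uint8_t *, const uint8_t *, size_t);

/* Self-composition check: run f on two secrets that share the same public
   guess and compare the two traces. `false` means the two-safety property
   "equal traces for equal public input" is violated. */
bool traces_equal_for_secret_pair(compare_fn f, const uint8_t *guess,
                                  const uint8_t *secret1,
                                  const uint8_t *secret2, size_t n) {
    trace_t t1 = {0}, t2 = {0};
    g_trace = &t1; (void)f(secret1, guess, n);
    g_trace = &t2; (void)f(secret2, guess, n);
    g_trace = NULL;
    return t1.len == t2.len && memcmp(t1.events, t2.events, t1.len) == 0;
}

/* Deterministic stand-in for a fuzz loop (constructed inputs, toy LCG).
   Each iteration picks a random public guess and derives two secrets that
   first diverge from it at two different positions; returns how many of the
   `iterations` pairs produce divergent traces. */
size_t count_violations(compare_fn f, size_t n, unsigned iterations) {
    uint32_t state = 0x12345678u;
    uint8_t guess[TRACE_MAX], s1[TRACE_MAX], s2[TRACE_MAX];
    size_t violations = 0;
    if (n < 2 || 2 * n + 1 > TRACE_MAX) /* need two positions and trace room */
        return 0;
    for (unsigned it = 0; it < iterations; it++) {
        for (size_t i = 0; i < n; i++) {
            state = state * 1664525u + 1013904223u;
            guess[i] = (uint8_t)(state >> 24);
        }
        memcpy(s1, guess, n);
        memcpy(s2, guess, n);
        state = state * 1664525u + 1013904223u;
        size_t p1 = (state >> 24) % n;
        state = state * 1664525u + 1013904223u;
        size_t p2 = (p1 + 1 + (state >> 24) % (n - 1)) % n; /* p2 != p1 */
        s1[p1] ^= 0x01;
        s2[p2] ^= 0x01;
        if (!traces_equal_for_secret_pair(f, guess, s1, s2, n))
            violations++;
    }
    return violations;
}

int main(void) {
    printf("leaky_compare violations: %zu / 64\n", count_violations(leaky_compare, 16, 64));
    printf("ct_compare    violations: %zu / 64\n", count_violations(ct_compare, 16, 64));
    return 0;
}
```

Because both secrets match the guess up to different prefixes, `leaky_compare` exits after a different number of iterations for each and every pair is flagged, whereas `ct_compare` always emits exactly n+1 loop-branch events and never is. The same harness shape generalizes to other trace events ct-fuzz cares about, such as the addresses of memory accesses, by adding a second hook alongside `observe_branch`.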