Side channels pose a significant threat to the confidentiality of software
systems. Such vulnerabilities are challenging to detect and evaluate because
they arise from non-functional properties of software such as execution times
and require reasoning on multiple execution traces. Recently, noninterference
notions have been adapted in static analysis, symbolic execution, and greybox
fuzzing techniques. However, noninterference is a strict notion and may reject
security even if the strength of information leaks are weak. A quantitative
notion of security allows for the relaxation of noninterference and tolerates
small (unavoidable) leaks. Despite progress in recent years, the existing
quantitative approaches have scalability limitations in practice. In this work,
we present QFuzz, a greybox fuzzing technique to quantitatively evaluate the
strength of side channels with a focus on min entropy. Min entropy is a measure
based on the number of distinguishable observations (partitions) to assess the
resulting threat from an attacker who tries to compromise secrets in one try.
We develop a novel greybox fuzzing equipped with two partitioning algorithms
that try to maximize the number of distinguishable observations and the cost
differences between them. We evaluate QFuzz on a large set of benchmarks from
existing work and real-world libraries (with a total of 70 subjects). QFuzz
compares favorably to three state-of-the-art detection techniques. QFuzz
provides quantitative information about leaks beyond the capabilities of all
three techniques. Crucially, we compare QFuzz to a state-of-the-art
quantification tool and find that QFuzz significantly outperforms the tool in
scalability while maintaining similar precision. Overall, we find that our
approach scales well for real-world applications and provides useful
information to evaluate resulting threats. Additionally, QFuzz identifies a
zero-d…

Go to Source of this post
Author Of this post: <a href="http://arxiv.org/find/cs/1/au:+Noller_Y/0/1/0/all/0/1">Yannic Noller</a>, <a href="http://arxiv.org/find/cs/1/au:+Tizpaz_Niari_S/0/1/0/all/0/1">Saeid Tizpaz-Niari</a>

By admin