We present information flow fuzzing, an approach that guides fuzzers towards detecting information leaks—information that reaches a third party, but should not. The approach detects information flow by means of mutations, checking whether and how mutations to (secret) data affect output and execution:

• First, the fuzzer uses information flow as a leak oracle. To this end, for each input, the fuzzer first runs the program regularly. Then, it mutates secret data such as a certificate or a password, and re-runs the program on the original input. If the output changes, the fuzzer has revealed an information leak.

• Second, the fuzzer uses information flow as guidance. The fuzzer maximizes not only coverage, but also the changes in coverage and in data between the two runs. This increases the likelihood that a mutation will spread to the output.

We have implemented a tool named FLOWFUZZ that wraps around a C program under test to provide information-flow based oracles and guidance, allowing for integration with all common fuzzers for C programs. Using a set of subjects representing common information leaks, we investigate (1) whether oracles based on information flow detect information leaks in our subjects; and (2) whether guidance based on information flow improves over standard coverage guidance. All data and tools are available for replication and reproduction.
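The two-run oracle and the guidance signals described above, as an added illustration that is not FLOWFUZZ's own code (which wraps C programs; this is written in Python for readability). The subject program, its secret, and the use of output bytes as a stand-in for the tool's per-run data comparison are all constructed assumptions.

```python
import random
from typing import Callable, Dict, List, Optional, Set, Tuple

Run = Tuple[bytes, Set[str]]               # (output, ids of covered branches)
Program = Callable[[bytes, bytes], Run]    # program(input, secret) -> Run


def subject(inp: bytes, secret: bytes) -> Run:
    """Constructed subject: its debug command copies the secret into the output."""
    cov = {"entry"}
    if inp.startswith(b"PING"):
        cov.add("ping")
        return b"PONG", cov
    if inp.startswith(b"DEBUG"):
        cov.add("debug")
        return b"cfg key=" + secret, cov    # the leak: secret reaches the output
    cov.add("reject")
    return b"ERR", cov


def mutate_secret(secret: bytes, rng: random.Random) -> bytes:
    """XOR one byte of the secret with a non-zero mask, so it always changes."""
    i = rng.randrange(len(secret))
    flipped = secret[i] ^ rng.randrange(1, 256)
    return secret[:i] + bytes([flipped]) + secret[i + 1:]


def flow_oracle(prog: Program, inp: bytes, secret: bytes,
                rng: Optional[random.Random] = None) -> Dict[str, object]:
    """Run the same input twice, once with the original and once with a mutated
    secret. A changed output is the leak verdict; the coverage and output deltas
    are the guidance signals (output bytes approximate the tool's data diff)."""
    rng = rng or random.Random(0)
    out1, cov1 = prog(inp, secret)
    out2, cov2 = prog(inp, mutate_secret(secret, rng))
    data_delta = sum(a != b for a, b in zip(out1, out2)) + abs(len(out1) - len(out2))
    return {"leak": out1 != out2,
            "coverage_delta": len(cov1 ^ cov2),
            "data_delta": data_delta}


def triage(prog: Program, inputs: List[bytes], secret: bytes,
           seed: int = 0) -> Tuple[List[bytes], List[bytes]]:
    """Rank inputs by guidance score (highest first) and list those that leak."""
    rng = random.Random(seed)
    res = {inp: flow_oracle(prog, inp, secret, rng) for inp in inputs}
    score = lambda i: res[i]["coverage_delta"] + res[i]["data_delta"]
    ranked = sorted(inputs, key=score, reverse=True)
    return ranked, [i for i in inputs if res[i]["leak"]]
```

An input that exercises an authentication check would also be flagged, since its output legitimately depends on the secret; a real harness needs a declassification list for such flows.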
2025-01-20
2025-02-26