P2FAAS: Toward Privacy-Preserving Fuzzing as a Service
Fan Sang, Daehee Jang, Ming-Wei Shih, Taesoo Kim

TL;DR
P2FaaS introduces a privacy-preserving fuzzing-as-a-service ecosystem utilizing Intel SGX to protect user application data, achieving scalable cloud fuzzing with acceptable overhead.
Contribution
The paper presents a novel SGX-based framework for privacy-preserving fuzzing-as-a-service, enabling scalable cloud fuzzing without exposing application data.
Findings
Imposes 45% runtime overhead compared to baseline
Enables scaling with Intel SGX Card hardware
Provides privacy guarantees for user applications
Abstract
Global corporations (e.g., Google and Microsoft) have recently introduced a new model of cloud services, fuzzing-as-a-service (FaaS). Despite effectively alleviating the cost of fuzzing, the model comes with privacy concerns. For example, the end user has to trust both cloud and service providers who have access to the application to be fuzzed. Such concerns arise because the platform is under the control of its provider and the application and the fuzzer are highly coupled. In this paper, we propose P2FaaS, a new ecosystem that preserves end user's privacy while providing FaaS in the cloud. The key idea of P2FaaS is to utilize Intel SGX for preventing cloud and service providers from learning information about the application. Our preliminary evaluation shows that P2FaaS imposes 45% runtime overhead to the fuzzing compared to the baseline. In addition, P2FaaS demonstrates that, with…
Taxonomy
Topics: Advanced Malware Detection Techniques · Privacy, Security, and Data Protection · Security and Verification in Computing
