NIFuzz: Estimating Quantified Information Flow with a Fuzzer
Daniel Blackwell, Ingolf Becker, David Clark

TL;DR
This paper introduces NIFuzz, a scalable fuzzer that estimates and quantifies information leaks in software using new metrics, aiding security assessment and leak source identification.
Contribution
It presents a novel approach with three metrics for quantifying information leaks, including a new derivation for conditional mutual information, integrated into an efficient fuzzer.
Findings
NIFuzz detects all known information leaks in tested programs.
The metrics provide accurate estimates of leak sizes.
NIFuzz operates with low overhead and high effectiveness.
Abstract
This paper presents a scalable, practical approach to quantifying information leaks in software; these errors are often overlooked and downplayed, but can seriously compromise security mechanisms such as address space layout randomisation (ASLR) and Pointer Authentication (PAC). We introduce approaches for three different metrics to estimate the size of information leaks, including a new derivation for the calculation of conditional mutual information. Together, these metrics can indicate the relative safety of the target program against different threat models and provide useful details for finding the source of any leaks. We provide an implementation of a fuzzer, NIFuzz, which is capable of dynamically computing these metrics with little overhead and has several strategies to optimise for the detection and quantification of information leaks. We evaluate NIFuzz on a set of 14…
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Data Stream Mining Techniques
