TL;DR
ROSA is a novel fuzzing-based approach that detects runtime backdoor triggers in software, significantly improving automation and diversity in backdoor detection compared to prior methods.
Contribution
ROSA introduces a new metamorphic test oracle combined with AFL++ fuzzing to automatically detect backdoor triggers at runtime, and provides the first open benchmark for backdoor detection evaluation.
Findings
ROSA detects all 17 backdoors in the benchmark within 1.5 hours.
It handles diverse backdoors and programs without manual reverse-engineering.
ROSA achieves robustness, speed, and automation comparable to classical fuzzers.
Abstract
A code-level backdoor is a hidden access path, programmed and concealed within the code of a program. For instance, hard-coded credentials planted in the code of a file server application would allow anyone who knows them to log into every deployed instance of that application. Confirmed software supply chain attacks have led to the injection of backdoors into popular open-source projects, and backdoors have been discovered in various router firmware. Manual code auditing for backdoors is challenging, and existing semi-automated approaches handle only a limited scope of programs and backdoors while still requiring manual reverse-engineering of the audited (binary) program. Graybox fuzzing (automated, semi-randomized testing) has grown in popularity due to its success in discovering vulnerabilities, and hence stands as a strong candidate for improved backdoor detection. However, current fuzzing knowledge…