TCSE logo 
 Sigsoft logo
Sustainability badge
Fri 2 May 2025 16:00 - 16:15 at 210 - Security and QA Chair(s): Nafiseh Kahani

A code-level backdoor is a hidden access, programmed and concealed within the code of a program. For instance, hard-coded credentials planted in the code of a file server application would enable maliciously logging into all deployed instances of this application. Confirmed software supply-chain attacks have led to the injection of backdoors into popular open-source projects, and backdoors have been discovered in various router firmware. Manual code auditing for backdoors is challenging and existing semi-automated approaches can handle only a limited scope of programs and backdoors, while requiring manual reverse-engineering of the audited (binary) program. raybox fuzzing (automated semi-randomized testing) has grown in popularity due to its success in discovering vulnerabilities and hence stands as a strong candidate for improved backdoor detection. However, current fuzzing knowledge does not offer any means to detect the triggering of a backdoor at runtime.

In this work we introduce ROSA, a novel approach (and tool) which combines a state-of-the-art fuzzer (AFL++) with a new metamorphic test oracle, capable of detecting runtime backdoor triggers. To facilitate the evaluation of ROSA, we have created ROSARUM, the first openly available benchmark for assessing the detection of various backdoors in diverse programs. Experimental evaluation shows that ROSA has a level of robustness, speed and automation similar to classical fuzzing. It finds all 17 authentic or synthetic backdooors from ROSARUM in 1h30 on average. Compared to existing detection tools, it can handle diversity of backdoors and programs and it does not rely on manual reverse-engineering of the fuzzed binary code.

Slides (2025-icse.pdf)2.31MiB

Fri 2 May

Displayed time zone: Eastern Time (US & Canada) change

16:00 - 17:30
Security and QAResearch Track / Journal-first Papers / SE In Practice (SEIP) at 210
Chair(s): Nafiseh Kahani Carleton University
16:00
15m
Talk
ROSA: Finding Backdoors with FuzzingSecurityArtifact-FunctionalArtifact-AvailableArtifact-ReusableAward Winner Best Artifact
Research Track
Dimitri Kokkonis Université Paris-Saclay, CEA, List, Michaël Marcozzi Université Paris-Saclay, CEA, List, Emilien Decoux Université Paris-Saclay, CEA List, Stefano Zacchiroli LTCI, Télécom Paris, Institut Polytechnique de Paris, Palaiseau, France
Link to publication DOI Pre-print Media Attached File Attached
16:15
15m
Talk
Analyzing the Feasibility of Adopting Google's Nonce-Based CSP Solutions on WebsitesSecurityArtifact-Available
Research Track
Mengxia Ren Colorado School of Mines, Anhao Xiang Colorado School of Mines, Chuan Yue Colorado School of Mines
16:30
15m
Talk
Early Detection of Performance Regressions by Bridging Local Performance Data and Architectural ModelsSecurityAward Winner
Research Track
Lizhi Liao Memorial University of Newfoundland, Simon Eismann University of Würzburg, Heng Li Polytechnique Montréal, Cor-Paul Bezemer University of Alberta, Diego Elias Costa Concordia University, Canada, André van Hoorn University of Hamburg, Germany, Weiyi Shang University of Waterloo
16:45
15m
Talk
Revisiting the Performance of Deep Learning-Based Vulnerability Detection on Realistic DatasetsSecurity
Journal-first Papers
Partha Chakraborty University of Waterloo, Krishna Kanth Arumugam University of Waterloo, Mahmoud Alfadel University of Calgary, Mei Nagappan University of Waterloo, Shane McIntosh University of Waterloo
17:00
15m
Talk
Sunflower: Enhancing Linux Kernel Fuzzing via Exploit-Driven Seed GenerationArtifact-AvailableArtifact-FunctionalArtifact-ReusableSecurity
SE In Practice (SEIP)
Qiang Zhang Hunan University, Yuheng Shen Tsinghua University, Jianzhong Liu Tsinghua University, Yiru Xu Tsinghua University, Heyuan Shi Central South University, Yu Jiang Tsinghua University, Wanli Chang College of Computer Science and Electronic Engineering, Hunan University
17:15
15m
Talk
Practical Object-Level Sanitizer With Aggregated Memory Access and Custom AllocatorSecurity
Research Track
Xiaolei wang National University of Defense Technology, Ruilin Li National University of Defense Technology, Bin Zhang National University of Defense Technology, Chao Feng National University of Defense Technology, Chaojing Tang National University of Defense Technology
:
:
:
: