ROSA accepted at ICSE'25

Even though I already announced this on twitter and mastodon, I also felt like I had to post something here to commemorate the acceptance of my first ever paper at ICSE'25.

ROSA is a code-level backdoor detection approach based on fuzzing and metamorphic testing. It essentially exploits the fact that most backdoors are triggered by "innocent-looking" inputs, that end up producing divergent behavior through the target program. Here is the abstract:

A code-level backdoor is a hidden access, programmed and concealed within the code of a program. For instance, hard-coded credentials planted in the code of an FTP server would enable maliciously logging into all the deployed instances of this server. Confirmed software supply-chain attacks have led to the injection of backdoors into popular open-source projects, and backdoors have been discovered in various router firmware. Manual code auditing for backdoors is challenging and existing semi-automated approaches can handle only a limited amount of programs and backdoors, while requiring manual reverse-engineering of the audited (binary) program. Graybox fuzzing (automated semi-randomized testing) has grown in popularity due to its success in discovering vulnerabilities and hence stands as a strong candidate for improved backdoor detection. However, current fuzzing knowledge does not offer any means to detect the triggering of a backdoor at runtime.

In this work we introduce ROSA, a novel approach (and tool) which combines a state-of-the-art fuzzer (AFL++) with a new metamorphic test oracle, capable of detecting runtime backdoor triggers. To facilitate the evaluation of ROSA, we have created ROSARUM, the first openly available benchmark for assessing the detection of various backdoors in diverse programs. Experimental evaluation shows that ROSA has a level of robustness, speed and automation similar to classical fuzzing. Compared to existing detection tools, it can handle a diversity of backdoors and programs and it does not rely on manually reverse-engineering the fuzzed binary code.

This paper is the culmination of two years of work, of which a little more than one year of active work on ROSA itself: designing, implementing, testing, evaluating, writing... I am very proud of the results and the overall approach itself, and I hope other people find it useful!

I will update this post with a link to a pre-print when available; for now, you can find the ROSA toolchain and the ROSARUM benchmark on GitHub:

• https://github.com/binsec/rosa
• https://github.com/binsec/rosarum