ROSA: Finding Backdoors with Fuzzing

https://github.com/binsec/rosa


Repository

ROSA: Finding Backdoors with Fuzzing

Basic Info
  • Host: GitHub
  • Owner: binsec
  • License: lgpl-2.1
  • Language: Rust
  • Default Branch: main
  • Homepage:
  • Size: 703 KB
Statistics
  • Stars: 23
  • Watchers: 2
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created over 1 year ago · Last pushed 12 months ago
Metadata Files

README.md

ROSA: Finding Backdoors with Fuzzing


About

ROSA[^1] is a fuzzing-based toolchain for backdoor detection in binary programs. It uses a state-of-the-art fuzzer (AFL++) coupled with a novel metamorphic oracle to detect many different types of backdoors in different types of binary programs.

Installation

Docker

The recommended way to use ROSA is in a Docker container, to avoid having to build dependencies (such as AFL++).

You can simply pull the existing ROSA Docker image by running:

```console
$ docker pull plumtrie/rosa:latest
```

Then, you can run a container using that image by running:

```console
$ docker run -ti --rm -p 4000:4000 plumtrie/rosa:latest
```

Note that this command will start an interactive session within the container, and that exiting the container will trigger its removal. It will also forward any traffic to port 4000 on the host to port 4000 on the guest, and serve the documentation on that port; this means you can consult the documentation on http://localhost:4000 on the host while the Docker container is running.

Building the Docker image

If you wish to build the Docker image on your machine, you can use the helper build.sh script, which will automatically tag the image with the current version. See the script itself for more information.

Before running the script (or simply docker build ...), make sure that you have cloned all of the submodules used in this repo. You can do this either by cloning the repo with --recurse-submodules, or by running git submodule update --init --recursive post-cloning.

Be advised that the build might take some time, especially including the time it takes to clone all of the submodules.

Once the Docker image is built, the run.sh convenience script may be used to run it. Generally, released versions of the image will be tagged, so you can run git checkout <TAG> and run ./build.sh and ./run.sh to build and run a specific version of the image.

Building from source

In order to build ROSA from source, you need the Rust toolchain (specifically Cargo). The recommended way to obtain it is via rustup.

If you also wish to build the documentation, you will need mdBook.

NOTE: ROSA is currently only supported on Linux x86_64 systems. It most definitely depends on libc, so it might not work out of the box (or at all) on other systems.

Before proceeding with the build, make sure that you have cloned all of the submodules used in this repo. You can do this either by cloning the repo with --recurse-submodules, or by running git submodule update --init --recursive post-cloning.

Building ROSA

To build ROSA itself, run:

```console
$ cargo build --release
```

To install ROSA, run:

```console
$ cargo install --path .
```

Building AFL++

To build the version of AFL++ that ROSA uses, you first need to install some dependencies. On Debian-based systems, you can run:

```console
$ sudo apt install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev \
    libpixman-1-dev python3-setuptools cargo libgtk-3-dev lld llvm llvm-dev \
    clang ninja-build cpio libcapstone-dev wget curl python3-pip
$ sudo apt install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
    libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
```

You then need to apply some patches to AFL++. In ./fuzzers/aflpp/aflpp/qemu_mode/qemuafl, run:

```console
$ patch -p1 < ../../../patches/qemuafl-rosa.patch
```

Then, in ./fuzzers/aflpp/aflpp, run:

```console
$ patch -p1 < ../patches/aflpp-rosa.patch
$ patch -p1 < ../patches/aflpp-qemuafl-build.patch
```

Finally, in ./fuzzers/aflpp/aflpp, you can build AFL++:

```console
$ make -j$(nproc)
```

And in ./fuzzers/aflpp/aflpp/qemu_mode, you can build QEMU-AFL:

```console
$ ./build_qemu_support.sh
```

Building the documentation

You can build and preview the full documentation with mdbook:

```console
$ mdbook serve doc
```

You can also build and preview the API documentation with cargo doc:

```console
$ cargo doc --open
```

Instructions on how to use and modify ROSA, as well as in-depth explanations of the internals, are available in the documentation.

Contributing

Please read CONTRIBUTING.md.

Citing this repo

When citing the associated ICSE'25 paper, use the following snippet:

```bibtex
@inproceedings{kokkonis-2025-rosa,
  author    = {Kokkonis, Dimitri and Marcozzi, Michaël and Decoux, Emilien and Zacchiroli, Stefano},
  booktitle = {2025 IEEE/ACM 47th International Conference on Software Engineering (ICSE)},
  title     = {ROSA: Finding Backdoors with Fuzzing},
  year      = {2025},
  volume    = {},
  number    = {},
  pages     = {2816-2828},
  keywords  = {Runtime;Automation;Manuals;Binary codes;Fuzzing;Benchmark testing;Robustness;Software;Performance analysis;Standards;fuzzing;dynamic analysis;metamorphic testing;backdoors;vulnerability detection},
  doi       = {10.1109/ICSE55347.2025.00183},
}
```

When citing the actual repository/tool itself, use CITATION.cff.

[^1]: ROSA is a reference to the song El Paso, but also stands for Runtime trace Oracle-based Selection Algorithm.

Owner

  • Name: BINSEC development team
  • Login: binsec
  • Kind: organization

Citation (CITATION.cff)

# This CITATION.cff file was generated with cffinit.
# Visit https://bit.ly/cffinit to generate yours today!

cff-version: 1.2.0
title: ROSA
message: >-
  If you use this software, please cite it using the
  metadata from this file.
type: software
authors:
  - given-names: Dimitri
    family-names: Kokkonis
    email: dimitri.kokkonis@cea.fr
    affiliation: 'Université Paris-Saclay, CEA, List'
    orcid: 'https://orcid.org/0009-0009-5171-2992'
  - given-names: Michaël
    family-names: Marcozzi
    email: michael.marcozzi@cea.fr
    affiliation: 'Université Paris-Saclay, CEA, List'
    orcid: 'https://orcid.org/0000-0002-8087-0537'
  - given-names: Emilien
    family-names: Decoux
    email: emilien.decoux@protonmail.com
    affiliation: 'Université Paris-Saclay, CEA, List'
  - given-names: Stefano
    family-names: Zacchiroli
    email: stefano.zacchiroli@telecom-paris.fr
    affiliation: 'LTCI, Télécom Paris, Institut Polytechnique de Paris'
    orcid: 'https://orcid.org/0000-0002-4576-136X'
identifiers:
  - type: doi
    value: 10.5281/zenodo.14724250
    description: Zenodo artifact
  - type: swh
    value: 'swh:1:rev:d30f7f1800a5dde3b9991125f9b911f8396c6346'
repository-code: 'https://github.com/binsec/rosa'
abstract: >-
  A code-level backdoor is a hidden access, programmed and
  concealed within the code of a program. For instance,
  hard-coded credentials planted in the code of a file
  server application would enable maliciously logging into
  all deployed instances of this application. Confirmed
  software supplychain attacks have led to the injection of
  backdoors into popular open-source projects, and backdoors
  have been discovered in various router firmware. Manual
  code auditing for backdoors is challenging and existing
  semi-automated approaches can handle only a limited scope
  of programs and backdoors, while requiring manual
  reverse-engineering of the audited (binary) program.
  Graybox fuzzing (automated semi-randomized testing) has
  grown in popularity due to its success in discovering
  vulnerabilities and hence stands as a strong candidate for
  improved backdoor detection. However, current fuzzing
  knowledge does not offer any means to detect the
  triggering of a backdoor at runtime. In this work we
  introduce ROSA, a novel approach (and tool) which combines
  a state-of-the-art fuzzer (AFL++) with a new metamorphic
  test oracle, capable of detecting runtime backdoor
  triggers. To facilitate the evaluation of ROSA, we have
  created ROSARUM, the first openly available benchmark for
  assessing the detection of various backdoors in diverse
  programs. Experimental evaluation shows that ROSA has a
  level of robustness, speed and automation similar to
  classical fuzzing. It finds all 17 authentic or synthetic
  backdooors from ROSARUM in 1 h 30 on average. Compared to
  existing detection tools, it can handle a diversity of
  backdoors and programs and it does not rely on manual
  reverse-engineering of the fuzzed binary code.
keywords:
  - Backdoors
  - Fuzzing
  - Vulnerability detection
  - Binary programs
license: LGPL-2.1-only

GitHub Events

Total
  • Issues event: 2
  • Watch event: 20
  • Issue comment event: 3
  • Push event: 14
  • Public event: 1
Last Year
  • Issues event: 2
  • Watch event: 20
  • Issue comment event: 3
  • Push event: 14
  • Public event: 1

Dependencies

Cargo.lock cargo
  • 118 dependencies
Cargo.toml cargo
Dockerfile docker
  • ubuntu 22.04 build