CR, Sep 24, 2019

P2FAAS: Toward Privacy-Preserving Fuzzing as a Service

arXiv:1909.11164v1
Originality: Incremental advance
AI Analysis

It addresses privacy risks for users of cloud-based fuzzing services, though it is incremental as it builds on existing hardware and service models.

The paper tackles privacy concerns in fuzzing-as-a-service (FaaS) by proposing P2FaaS, a system that uses Intel SGX to protect user data from cloud and service providers, resulting in a 45% runtime overhead compared to baseline fuzzing.

Global corporations (e.g., Google and Microsoft) have recently introduced a new model of cloud services, fuzzing-as-a-service (FaaS). Despite effectively alleviating the cost of fuzzing, the model comes with privacy concerns. For example, the end user has to trust both cloud and service providers who have access to the application to be fuzzed. Such concerns arise because the platform is under the control of its provider and the application and the fuzzer are highly coupled. In this paper, we propose P2FaaS, a new ecosystem that preserves the end user's privacy while providing FaaS in the cloud. The key idea of P2FaaS is to utilize Intel SGX to prevent cloud and service providers from learning information about the application. Our preliminary evaluation shows that P2FaaS imposes a 45% runtime overhead on fuzzing compared to the baseline. In addition, P2FaaS demonstrates that, with recently introduced hardware, Intel SGX Card, the fuzzing service can be scaled up to multiple servers without native SGX support.
