Finding backdoors with fuzzing

UB5.132 | Day 1 | 15:00 - 15:25 | Speakers: Michaël Marcozzi, Dimitri Kokkonis, Stefano Zacchiroli

Abstract

Backdoors in software are real. We’ve seen injections creep into open-source projects more than once. Remember the infamous xz backdoor? That was just the headline act. Before that, we have seen the PHP backdoor (2021), vsFTPd (CVE-2011-2523), and ProFTPD (CVE-2010-20103). And it doesn’t stop at open-source projects: network daemons baked into router firmware have been caught red-handed too—think Belkin F9K1102, D-Link DIR-100, and Tenda W302R. Spoiler alert: this is likely just the tip of the iceberg. Why is this so scary? Because a single backdoor in a popular open-source project or router model is basically an all-you-can-eat buffet for attackers—millions of systems served on a silver platter.

Finding and neutralizing backdoors means digging deep into large codebases and binary firmware. Sounds heroic, right? In practice, even for a seasoned analyst armed with reverse-engineering tools (and maybe a good Belgian beer), it’s a royal pain. So painful that, honestly, almost nobody does it. Some brave souls tried building specialized reverse tools—Firmalice, HumIDIFy, Stringer, Weasel—but those projects have been gathering dust for years. And when we tested Stringer (which hunts for hard-coded strings that might trigger backdoors), the results were… let’s say “meh”: tons of noise, so many missed hits.

This is where ROSA (https://github.com/binsec/rosa) comes in. Our mission? Make backdoor detection practical enough that people actually want to do it—no Belgian beer required (but appreciated!). Our secret weapon: fuzzing. Standard fuzzers like AFL++ (https://github.com/AFLplusplus/AFLplusplus) bombard programs with massive input sets to make them crash. It’s brute force, but it works wonders for memory-safety bugs. Backdoors, though, play a different game: they don’t crash—they hide behind secret triggers and valid behaviors. So we built a mechanism that teaches fuzzers to spot the difference between “normal” and “backdoored” behavior. We integrated it into AFL++, and guess what? It nailed 7 real-world backdoors and 10 synthetic ones in our tests.
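To make the idea in the paragraph above concrete, here is an added toy example (written for this page, not code from ROSA, AFL++ or the speakers) of the kind of oracle a fuzzer needs when the bug does not crash. The target `check_login` is a constructed function with a synthetic hard-coded trigger; the "fuzzer" is a few dozen lines of Python that (1) runs a corpus of ordinary inputs to record which lines a normal run executes, (2) mutates those seeds, borrowing string constants pulled from the target the way AFL++ can use a dictionary, and (3) reports any non-crashing input that reaches code no normal input ever touched. ROSA's real oracle is not described on this page; the coverage-novelty heuristic here is an assumption chosen to illustrate the difference between a crash oracle and a backdoor oracle.

```python
"""Toy 'backdoor oracle' for fuzzing (hypothetical example, not ROSA's code)."""
import random
import sys
from typing import Callable, FrozenSet, List, Tuple

# Constructed target program: a credential check with a synthetic backdoor.
# Nothing here crashes; the backdoor simply returns True on a secret password.
VALID_USERS = {"alice": "s3cret", "bob": "hunter2"}


def check_login(user: str, password: str) -> bool:
    if user not in VALID_USERS:
        return False
    if password == VALID_USERS[user]:
        return True
    if password == "cooper":  # synthetic hard-coded trigger (the backdoor)
        return True
    return False


def run_traced(func: Callable, *args) -> Tuple[object, bool, FrozenSet[int]]:
    """Run func(*args) and return (result, crashed, set of executed line numbers)."""
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is func.__code__:  # only trace the target's own frame
            if event == "line":
                lines.add(frame.f_lineno)
            return tracer
        return None

    sys.settrace(tracer)
    try:
        result, crashed = func(*args), False
    except Exception:  # a crash oracle would stop here; a backdoor never gets here
        result, crashed = None, True
    finally:
        sys.settrace(None)
    return result, crashed, frozenset(lines)


def string_constants(func: Callable) -> List[str]:
    """Dictionary tokens: string literals embedded in the target (like `strings`)."""
    return [c for c in func.__code__.co_consts if isinstance(c, str)]


def mutate(seed: Tuple[str, str], tokens: List[str], rng: random.Random) -> Tuple[str, str]:
    """One cheap mutation: swap a field for a dictionary token, or flip one char."""
    user, password = seed
    choice = rng.randrange(3)
    if choice == 0:
        return rng.choice(tokens), password
    if choice == 1:
        return user, rng.choice(tokens)
    if password:
        i = rng.randrange(len(password))
        password = password[:i] + chr(rng.randrange(32, 127)) + password[i + 1:]
    else:
        password = chr(rng.randrange(32, 127))
    return user, password


def hunt(iterations: int = 500, rng_seed: int = 1):
    """Return [(input, result, novel_lines)] for inputs that reach unseen code."""
    rng = random.Random(rng_seed)
    # Seed corpus of ordinary behaviour: a good login, a bad password, an unknown user.
    seeds = [("alice", "s3cret"), ("alice", "wrong"), ("nobody", "x")]

    # Phase 1: baseline coverage of 'normal' runs.
    baseline = set()
    for s in seeds:
        _, crashed, lines = run_traced(check_login, *s)
        assert not crashed, "seed corpus must run cleanly"
        baseline |= lines

    # Phase 2: mutate and flag non-crashing inputs with coverage outside the baseline.
    tokens = string_constants(check_login) + [t for s in seeds for t in s]
    findings, seen = [], set()
    for _ in range(iterations):
        cand = mutate(rng.choice(seeds), tokens, rng)
        result, crashed, lines = run_traced(check_login, *cand)
        novel = frozenset(lines - baseline)
        if crashed or not novel or novel in seen:
            continue
        seen.add(novel)
        findings.append((cand, result, sorted(novel)))
    return findings


if __name__ == "__main__":
    for cand, result, novel in hunt():
        print(f"suspicious input {cand!r} -> {result!r}, reached unseen lines {novel}")
```

Only the trigger input ever executes the second `return True`, so it is the single finding; a plain crash oracle would report nothing for this target. The dedup on the novel line set mirrors how a coverage-guided fuzzer keeps one witness per new behaviour rather than thousands of near-identical hits.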

In this talk, we’d like to show you how ROSA works, demo it live, and share ideas for making it even better. If you’re into fuzzing, reverse engineering, or just love geeking out over security, you’re in for a treat.
