IdSan: Identity Sanitization in Fuzzing, Crypto & Comm
- IdSan is a multifaceted domain that integrates identity-based binary memory sanitization, cryptographic signature schemes with sanitization, and joint identification-and-sensing for enhanced system security and correctness.
- It employs precise pointer metadata tracking, chameleon hash-based signature algorithms, and feedback-driven multi-user channel coding to detect memory errors, support credential redaction, and optimize identification in communication systems.
- Each approach offers trade-offs between efficiency and security, prompting further research in post-quantum cryptography, zero-knowledge predicate proofs, and scalable multi-access coding strategies.
IdSan refers to three distinct but conceptually related research domains, each united by a focus on “identity” and rigorous enforcement and sanitization mechanisms in software correctness, cryptographic protocol design, and information-theoretic communication. These appear in (i) identity-based run-time binary memory sanitization for fuzzing safety, (ii) cryptographic signature schemes supporting identity sanitization in decentralized credentials, and (iii) joint identification and sensing information-theoretic coding for multi-user channels. All three approaches share a common thread: precise accounting and management of “identity” information—whether for pointers, digital signatures, or communicated messages—in order to ensure security, correctness, and privacy.
1. Identity-Based Memory Sanitization for Binary Fuzzing
IdSan for binary memory fuzzing denotes an identity-based memory sanitizer that operates directly on AArch64 binaries, with no requirement for access to the source code. IdSan deviates from traditional location-based sanitizers (ASan, QAsan, RetroWrite), which insert “redzones” into memory and perform address-range checks. Instead, IdSan attaches metadata to pointers, specifically a tuple per pointer, defining the bounds:
A memory access is valid if and only if it falls within those explicit bounds. To support vectorized and unaligned memory accesses—as occur with compiler-optimized memcpy—IdSan tracks sub-word “value metadata,” encoding per-bit-range identities within machine registers and memory words. The sanitizer’s operational state tracks (, , ), maintaining metadata for each register, machine word, and stack frame (Craaijo, 2020).
IdSan functions in two main binary execution environments:
- Ptrace supervisor mode: Forks the target and single-steps or traps on syscalls, analyzing register/memory at each instruction.
- Unicornafl emulation: Instruments ELF sections and translates instructions into sanitizer operations at emulation time.
Metadata provision can leverage DWARF debug info or user-exported annotations (from IDA, radare2). Incomplete annotation results in conservative “catch-all” tracking; errors occur only if overlapping pointer regions are overwritten.
The sanitizer enforces the invariant for each memory access: the pointer’s identity tuple must validate the entire access range. Mechanisms for copying, pointer arithmetic, and stack management are supported, using precise algorithms to propagate and verify metadata under all common AArch64 idioms.
Detection covers overflows on heap (not free), stack, and global objects, conditional on correct annotations. Temporal memory errors (use-after-free) are not covered. False negatives stem from exceeded metadata list sizes per word (implementation cap: 6) or incomplete annotations. The approach avoids conventional redzones, yielding lower virtual memory consumption, at significant time overhead: ≈11–32× slowdown under Unicorn emulation on representative binaries (Craaijo, 2020).
2. Sanitizable and Redactable Signatures for Decentralized Identity Systems
IdSan in cryptographic context refers to protocols supporting identity sanitization by selective redaction or replacement of credential attributes, while retaining validity under digital signature verification (Kumara et al., 2023). The two principal primitives are:
- Redactable Signature Schemes (RSS): Allow removing parts of a signed message/document, yielding a redacted message and signature that remains verifiable.
- Sanitizable Signature Schemes (SSS): Extend RSS by permitting replacement of allowed message fields, not just deletion.
These schemes must provide correctness (verification holds post-sanitization), unforgeability (UF-CMA-R/S), and privacy (modifications should not leak excess information). The adversarial threat model splits roles—issuer holds the signing key, sanitizer (holder) operates with a specialized trapdoor, verifier uses the public key with field-specific parameters.
A concrete pairing-based SSS construction combines per-field chameleon hash commitments with a BLS-style signature. Each attribute slot has its own trapdoor . Given a message , the signature is computed over
with the BLS signature 0. Sanitization uses 1 to adjust both value and commitment randomness 2, preserving 3 and thus signature validity, with privacy derived from chameleon hash hiding and the hardness of discrete logarithm in 4.
Credential Workflow
Within a decentralized identity system, IdSan enables a workflow where a credential issuer generates keys and trapdoors, delegates partially blank or template documents, and end-users/holders can sanitize out or modify personally identifiable information (PII) prior to presentation. Verification convinces the verifier that the credential structure is genuine, redaction is limited to permitted fields, and presentation is privacy-preserving.
A comparative analysis indicates:
- ZKP-based credentials: Offer higher expressiveness (predicate proofs) but are costly in proof size and computational effort.
- Selective-disclosure credentials (CL, Idemix, PS): Support hiding entire attributes with moderate proof sizes but complex protocols.
- IdSan SSS: High efficiency, non-interactive release, constant-size signatures, but cannot enforce external predicates on sanitized values and lacks privacy-preserving revocation.
Table 1 summarizes trade-offs.
| Scheme | Expressiveness | Efficiency | Predicate Proofs | Trusted Setup |
|---|---|---|---|---|
| ZKP Credentials | Arbitrary predicates | Large, slow | Yes | Some schemes |
| Selective Disclosure | Hide attributes | Moderate | Yes | No |
| IdSan SSS | Field edit/redaction | Very high (single pairing) | No | No (except trapdoors) |
Implementation considerations include secure trapdoor/key management and schema versioning; open problems include integrating ZKPs for predicate enforcement, post-quantum variants, and privacy-preserving revocation (Kumara et al., 2023).
3. Joint Identification and Sensing over Multiple Access Channels
IdSan also arises as an acronym for “Joint Identification-and-Sensing” (JIDAS) in information theory (Zhao et al., 2024). Here, the problem involves two users transmitting identification messages (i.e., which of many possible IDs is being sent—capacity grows doubly-exponentially in blocklength) over a state-dependent multiple access channel (SD-MAC), while simultaneously estimating the underlying state sequence 5 under a per-symbol distortion constraint.
The system features:
- Encoders 6: Map ID and past feedback to input at each 7.
- Decoder 8: Accepts hypotheses for each ID, detects presence using the received 9.
- State estimator 0: Produces 1 based on all inputs and outputs.
Success is defined as vanishing type I and II errors for identification, and expected average distortion 2 for sensing. Codebooks may scale as 3.
The achievable 4 region is characterized by auxiliary variables 5 and joint distributions meeting mutual information constraints:
6
The construction exploits the generation of common randomness from channel feedback (Ahlswede–Dueck), which supports extremely high achievable ID “rates,” coordinated with simultaneous state sensing. Compared to any time-sharing or separation-based approach, JIDAS strictly outperforms in achievable “ID rate” for a given distortion target, as seen in explicit examples (e.g., the binary adder channel, where joint operation expands the ID-rate boundary over any convex combination of independent identification and sensing) (Zhao et al., 2024).
4. Technical Mechanisms and Algorithms
Memory Sanitization (Binary Fuzzing)
IdSan implements precise per-pointer identity tracking in binaries via a combination of:
- Metadata-passing instrumentation at the binary level.
- Emulation or ptrace-based instruction decoding and metadata propagation.
- Bitfield-level copying to handle vectorized operations.
- Range-checking access invariants on each load/store.
- Shadow stack and register state shadowing.
The sanitizer is agnostic to malloc/free events themselves but checks all accesses through annotated pointers for spatial overflows, including on the stack and global variables.
Sanitizable Signature Schemes
The IdSan SSS is realized through the use of:
- Chameleon hash functions per field, with individual trapdoors, enabling flexible field replacement under signature integrity.
- BLS signatures enable compact, efficient (single group element) verification, with unchanged signature size irrespective of the number of edits.
- Holder-side trapdoor use allows redaction/sanitization without access to the signing key and no need for interactive proofs at verification.
Joint Identification and Sensing Codes
IdSan JIDAS codes feature:
- Feedback-exploiting encoders that use the observed 7 to coordinate channel inputs, building near-uniform common randomness for ID encoding.
- Coloring (random hashing) of typical output sets, enabling doubly-exponential ID code size.
- Simultaneous distributed state estimation via single-letter estimators 8.
- Achievability proofs leveraging law of large numbers and mutual-information-type bounds.
5. Applications, Trade-offs, and Limitations
- Binary fuzzing: IdSan enables analysis of binaries for overflows in objects not protected by redzones, but incurs significant emulation time overhead and requires out-of-band annotations or DWARF extraction. Temporal memory errors are not addressed (Craaijo, 2020).
- Decentralized identity: IdSan signatures provide efficient non-interactive identity sanitization, suitable for delegated issuance and selective attribute disclosure, but do not enforce external attribute predicates and require careful key/trapdoor management (Kumara et al., 2023).
- Multi-user communication: JIDAS (IdSan) enables strictly larger achievable joint regions in identification and state estimation compared to naive separation schemes, leveraging feedback and random coding for optimal performance (Zhao et al., 2024).
Each use case reflects a domain-specific balance among detection/coverage, efficiency, verifiability, and privacy. Open problems span post-quantum cryptographic realization, efficient revocation, expressive predicate proofs, and multi-party or threshold sanitization.
6. Relationship to Alternative Approaches and Future Directions
IdSan in memory safety advances past location-based approaches (ASan, RetroWrite) in binary-only contexts, by virtue of pointer-identity tracking and support for complex modern binaries, including vectorized operations (Craaijo, 2020). In credential frameworks, IdSan SSS provides a lightweight, verifiable alternative to resource-intensive ZKP systems and more complex selective-disclosure credentials, appropriate for cases demanding minimal interaction and editability. In multiuser communications, the IdSan JIDAS region demonstrates the fundamental advantage of joint (rather than separated) design in feedback-enabled identification and state estimation (Zhao et al., 2024).
Open directions highlighted in the literature include the integration of IdSan SSS with zero-knowledge predicate proofs, post-quantum constructions, privacy-preserving revocation, and threshold trapdoor delegation. For binary sanitization, possible avenues involve reducing emulation overhead and extending detection to temporal vulnerabilities. In the communication-theoretic context, extensions to more users and state models are natural progressions.