Introducing Cheesecloth: A Tool for Proving Software Vulnerabilities in Zero Knowledge

In the world of cybersecurity, proving software vulnerabilities responsibly is a critical challenge. 

Imagine a security analyst discovers a vulnerability and wants to tell a software company that their program can be hacked. Here, they face a common dilemma: when they tell the software company about the vulnerability, the company may choose to simply ignore the problem, leaving user systems and data at risk. On the other hand, if they disclose the vulnerability to the public as a way to pressure the company into patching the issue, bad actors could use that information too, putting users at risk. What is needed is a way to publicly and convincingly prove that a vulnerability exists, while keeping the details secret to protect users.

Enter “Cheesecloth,” one of the latest innovations from Galois’ cryptography and privacy research team. Developed as part of DARPA’s SIEVE program, Cheesecloth is able to selectively reveal program properties and behavior, proving vulnerabilities in Zero Knowledge (ZK) without disclosing the details of the vulnerability in question. 

In short, Cheesecloth allows an analyst to say, “You’ve got a flaw, and here’s my proof” without giving away the “where” or “how.”

How Does it Work? And Why Does it Matter?

“At its core, Cheesecloth is a compiler of LLVM programs,” explained Galois Research Engineer James Parker. “This could be any C, C++, or Rust program, so it covers a lot of ground. Cheesecloth compiles the program in question into a zero-knowledge statement or circuit verifying the execution of a program. So, you’re basically executing the program in zero-knowledge. That way, we can prove that the vulnerability exists, but we explicitly conceal exactly what and where the vulnerability is.”

Why is this a big deal? Programs written in C, C++, and Rust are everywhere—they power everything from web browsers to national infrastructure. Cheesecloth works like a private detective for any software written in these languages, discretely disclosing weaknesses to protect the public at large. 

It’s a new, better way to make sure things are secure without making them more of a target.

A Growing List of Capabilities

Among the specific vulnerabilities Cheesecloth can detect are memory-related errors, such as out-of-bounds reads and writes; information leaks that could inadvertently reveal passwords or other sensitive data; and cryptographic bugs that require network interactions. As Galois continues to improve Cheesecloth and add capabilities, that list is growing. Right now, Parker and his team are working on adding the ability to check in zero knowledge whether a piece of software is vulnerable to a denial of service (DOS) attack

“Normally, that isn’t something you can do in ZK, because it’s just too big. You can’t verify 10 trillion cycles. That would take tens or even hundreds of years,” said Parker. “The way we overcome that challenge is through symbolic execution – using symbols instead of concrete values as we execute the program, condensing the program’s behavior into a form both suitable for analysis and expression as a ZK proof.”

Potential Impact

This isn’t just theory. Cheesecloth’s practical abilities have been tested and validated on well-known bugs from the recent past, including proving an out-of-bounds memory error in the video tool FFmpeg and the infamous Heartbleed information leakage in the encryption tool OpenSSL. By enabling the verification of vulnerabilities in zero-knowledge, Cheesecloth provides a way for vulnerabilities like these to be disclosed and addressed responsibly in the future. And the implications of Cheesecloth extend beyond simply proving software bugs. It has the ability, for example, to verify that a high-security network isn’t compromised by malformed files – an incredibly useful application for governments and businesses that cannot afford the slightest breach in their digital defenses.

The bottom line is that Cheesecloth symbolizes a smarter way to handle digital security issues. By proving problems exist without exposing the details, it’s setting up a new standard for safely sharing information about software threats. And as this technology evolves, we may find Cheesecloth-like tools becoming a staple in the tech world, offering a kind of protection that’s essential in today’s interconnected, and often vulnerable, digital landscape.

Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)