Today, greybox fuzzing is the primary mechanism for finding vulnerabilities in
software, and it is used in corporations on a daily basis. These
fuzz testing methods for finding security vulnerabilities in software systems
are the main topic of this talk. At a technical level, greybox fuzzing is a biased random
search, with different machinery controlling the bias. We discuss how the random search
in fuzzing can be inspired by ideas from symbolic execution and model checking to
go beyond conventional fuzzing methods without sacrificing the
efficiency of fuzzing. These observations have prompted our work in the
area. By aligning more closely with model checking, the technique can also
find deeper bugs beyond simple crashes, which are out of the ability of
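To make the "biased random search" view concrete, here is a minimal coverage-guided (greybox) fuzzer, added here as an illustration and not code from the speaker or his group's tools. The toy target, its edge ids, the three mutation operators and the energy rule (favour seeds whose execution path has been hit least often) are all assumed for the example.

```python
import random
from typing import Dict, FrozenSet, List, Set, Tuple

def target(data: bytes, trace: Set[str]) -> None:
    # Constructed toy parser: each branch records an edge id, standing in for a real fuzzer's coverage map.
    trace.add("entry")
    if len(data) < 4:
        trace.add("too_short")
    elif data[0] > 200:                   # header byte in the upper range
        trace.add("hdr_ok")
        if data[1] < 16:                  # small version field
            trace.add("ver_ok")
            if data[2] >= 0xF0:           # flags byte with its top nibble set
                trace.add("deep")         # reachable only through three dependent checks

def mutate(rng: random.Random, data: bytes) -> bytes:
    # One random edit: overwrite, insert or delete a single byte.
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(prog, seeds: List[bytes], budget: int, seed: int = 0):
    # Coverage-guided loop: keep inputs that reach new edges, and favour parents whose path was hit least often (the bias).
    rng = random.Random(seed)
    path_hits: Dict[FrozenSet[str], int] = {}        # how often each path was seen
    corpus: List[Tuple[bytes, FrozenSet[str]]] = []  # (input, path it exercises)
    covered: Set[str] = set()
    def run(data: bytes) -> FrozenSet[str]:
        trace: Set[str] = set()
        prog(data, trace)
        path = frozenset(trace)
        path_hits[path] = path_hits.get(path, 0) + 1
        return path
    for data in seeds:
        corpus.append((data, run(data)))
        covered |= corpus[-1][1]
    for _ in range(budget):
        weights = [1.0 / path_hits[p] for _, p in corpus]   # energy: rare paths first
        child = mutate(rng, rng.choices(corpus, weights=weights)[0][0])
        path = run(child)
        if not path <= covered:                      # new edge: promote child to a seed
            corpus.append((child, path))
            covered |= path
    return [data for data, _ in corpus], covered
```

Running `fuzz(target, [b"\x10\x20\x30\x40"], budget=20000)` reaches the `deep` edge within the budget because each intermediate check that is passed is kept as a seed; a blind random search would have to satisfy all three checks at once.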
Along with the technical work we have conducted in this area, the talk
will also weave in two other equally important aspects.
[A] Translation: the work we have conducted in this area has been
translated and has also spurred significant follow-up research. I will
try to give a personal account of how we started working in this area,
when there was little research on it and the practice was
mostly to use the available fuzzing tools as a black box. Thus the talk
will also share the initial research observations and positions that
prompted us to look into the area.
[B] Mentoring: these works were a successful collaboration with two of
my PhD students who are now academics. I will briefly discuss the
importance of student mentoring.
The talk will end with an announcement of a new 4-year research program
on fuzz testing (2023-27) that we are launching jointly with Zhenkai Liang, Umang Mathur
and Manuel Rigger.
Abhik Roychoudhury is a Professor of Computer Science at the National
University of Singapore, where he has been working since 2001 after
receiving his Ph.D. in Computer Science from the State University of New
York at Stony Brook in 2000. Abhik's research focuses on software
testing and analysis, software security and trustworthy software
construction. Abhik is a member of the Steering Committees of the
flagship conferences in Software Engineering, the International Conference
on Software Engineering (ICSE) and the Symposium on the Foundations of Software
Engineering (FSE). His former doctoral students have been placed all
over the world as academics (University College London, Max-Planck
Institute, University of Melbourne and other places). His research was
honored with the IEEE TCSE New Directions Award in 2022 (jointly with
Cristian Cadar) for contributions to symbolic execution, as well as with
an ICSE Most Influential Paper Award for an ICSE 2013 paper suggesting
semantic approaches towards program repair. His research group is
mostly known for contributions to fuzz testing and program repair.