Skip to main content

Talk: The Science of Fuzzing

Rahul Gopinath: Postdoctoral Researcher, CISPA Helmholtz Center for Information Security, Germany

Event Details

Date
Monday, March 15, 2021
Time
4-5 p.m.
Location
Description

Abstract: Fuzzing is a key method for evaluating the robustness of a program
against malicious inputs. It involves generating and feeding arbitrary
data to a program, and monitoring the program for catastrophic
failures. Any failure in the program in processing the data indicates
a possible vulnerability in the program. Efficient and effective
fuzzing requires the availability of the input specification for the
program under test. However, such specifications are typically
unavailable, obsolete, incomplete, or inaccurate, limiting the reach
of fuzzers. This has led to a proliferation of hacky recipes by
different fuzzers to get past the input parsing stage, with each
recipe working on some but not all programs. That is, fuzzing most
resembles alchemy than science at this point.

In this talk, I show how to transform fuzzing into a science. I
present an end-to-end framework for recovering precise input
specifications of programs. Such mined specifications can immediately be used for effective
exploration of the program input space as well as the space of the
program behavior, leading to the identification of failure-inducing
inputs. Next, given any failure-inducing input, I show how to
generalize such inputs into abstract patterns, precisely identifying
the failure-causing parts of the input. Any number of such abstract
patterns can then be combined using the full set of logical
connectives --- to produce specialized grammars that can be used by
any grammar fuzzer for precise control of produced inputs and hence
the expected behavior.
 

Bio: Rahul Gopinath is a postdoctoral researcher at CISPA Helmholtz Center
for Information Security, Germany. He received his Ph.D. in 2017 from
Oregon State University, US. Rahul's research focus is on static and
dynamic analysis of programs, especially mining input specifications,
focused fuzzing, and debugging. His recent work in debugging received
the ACM SIGSOFT Distinguished Paper Award. He is also one of the
co-authors of the "Fuzzing Book -- Tools and Techniques for Generating
Software Tests" available online (https://fuzzingbook.org). Rahul also
has extensive industry experience, having worked in diverse fields
such as telco, publishing, systems, and DevOps.


 

Cost
Free

Tags