Secure Software Development with Continuous Collaborative Fuzzing

Date: 16/4/20 from 14.00 to 15.00 AEST

Title: Secure Software Development with Continuous and Collaborative Fuzzing

Slides: Thuan_Pham_SAO_Seminar

Guest speaker: Dr Thuan Pham

Thuan Pham (https://thuanpv.github.io/) is currently a Research Fellow at Monash University, working with Dr. Marcel Böhme on scalable and high-performance fuzz testing. Before joining Monash, he worked in the TSUNAMi research center which focuses on software and system security. He received his Ph.D. degree in Computer Science from the National University of Singapore in July 2017 under the supervision of Provost’s Chair Professor Abhik Roychoudhury. His research has led to several papers published at premier journals and conferences (e.g., TSE, ICSE, CCS) and one U.S. patent. He has developed several open-source automated security testing tools (e.g., AFLGo, AFLSmart, AFLNet) that are responsible for 100+ (critical) vulnerabilities discovered in large real-world software systems.

Abstract:

Fuzzing is one of the most common vulnerability discovery techniques, together with static analysis and manual code inspection. It is used by hackers and security researchers to discover (zero-day) vulnerabilities in large real-world software systems. The technique has received increasing attention from industry and academia, and much recent work has significantly improved the effectiveness and efficiency of fuzzing. Tech giants like Microsoft, Google, and Facebook have dedicated teams that develop fuzzers and integrate fuzzing into their software development process.

In this seminar, we will talk about our work on Directed Fuzzing, Structure-Aware Fuzzing, and Network Protocol Fuzzing, which is responsible for 100+ (critical) vulnerabilities discovered in core Linux utilities, widely used media processing libraries, document viewers, and network servers. We will also discuss how these techniques can be integrated into the software development process, in collaborative setups, to test the software thoroughly and continuously from the first days of its life cycle.