Security researcher and associate professor at the EPFL school of computer and communication sciences (IC)
20th January 2022 - 4:00pm - 5:00pm (GST)
Fuzzing for profit: from crashes to vulnerabilities
Fuzzing has emerged as the de facto standard for finding software bugs. While research focuses on better guiding the fuzzer through improved feedback, setting up fuzzing campaigns has never been easier: it is as simple as compiling the code under test and then letting the fuzzer explore it. Analysts can improve fuzzing by providing targeted starting seeds or, ideally, by writing custom fuzzer stubs that exercise the functionality of interest. The result of a fuzzing campaign is a set of crashing inputs that trigger bugs. The analyst then has to triage these crashes and group them into individual bugs. Given that there may be thousands of crashes for each bug, triaging and grouping requires careful attention.
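The custom fuzzer stub the abstract describes, as an added example that is not part of this announcement or of the speaker's work: a libFuzzer-style harness around a hypothetical length-prefixed record parser (parse_records and its record format are assumptions). Built with clang -fsanitize=fuzzer,address, the fuzzer calls the stub once per mutated input, so any memory error in the parser surfaces as a crashing input that AddressSanitizer reports with a stack trace for later triage.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_VALUE 64

/* Hypothetical code under test (an assumption, not real project code):
 * parses records of the form [1-byte type][1-byte length][value bytes]
 * and returns the number of records parsed, or -1 on malformed input.
 * Every read is bounds-checked, so the fuzzer should never crash it;
 * a crash here would mean one of the checks is missing. */
int parse_records(const uint8_t *data, size_t size) {
    size_t off = 0;
    int count = 0;
    while (off < size) {
        if (size - off < 2) return -1;      /* truncated header */
        uint8_t type = data[off];
        uint8_t len = data[off + 1];
        off += 2;
        if (len > size - off) return -1;    /* value runs past the input */
        if (len > MAX_VALUE) return -1;     /* value would overflow buffer */
        uint8_t value[MAX_VALUE];
        memcpy(value, data + off, len);     /* safe: len <= MAX_VALUE */
        (void)type; (void)value;            /* a real parser would use them */
        off += len;
        count++;
    }
    return count;
}

/* Fuzzer stub: libFuzzer invokes this entry point for every generated
 * input. It only has to feed the bytes to the function of interest;
 * returning 0 tells the fuzzer the input was consumed. Seed inputs in
 * the corpus directory (e.g. a few valid records) speed up coverage. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    parse_records(data, size);
    return 0;
}
```

The stub deliberately ignores the parser's return value: the fuzzer is looking for crashes and sanitizer reports, not for -1 results, which are expected on malformed input.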
After a quick overview of the research frontier and remaining challenges in fuzzing, we will focus on minimizing developer efforts to set up fuzzing campaigns along with discussing trade-offs between defensive and offensive fuzzing---the former tries to find as many bugs as possible during software development, while the latter tries to discover exploitable bugs for, e.g., bug bounties.
Mathias Payer is a security researcher and professor at EPFL, leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, particularly memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation and privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques.