9:00am | Welcome and Introductions |
9:10am | Keynote 1: Fuzzing: A Tale of Two Cultures |
Andreas Zeller (CISPA Helmholtz Center for Information Security) | |
Abstract: Do you fuzz your own program, or do you fuzz someone
else's program? The answer to this question has vast consequences on
your view on fuzzing. Fuzzing someone else's program is the typical
adverse "security tester" perspective, where you want your fuzzer to
be as automatic and versatile as possible. Fuzzing your own code,
however, is more like a traditional tester perspective, where you may
assume some knowledge about the program and its context, but may also
want to _exploit_ this knowledge - say, to direct the fuzzer to
critical locations. In this talk, I detail these differences in perspectives and assumptions, and highlight their consequences for fuzzer design and research. I also highlight cultural differences in the research communities, and what happens if you submit a paper to the wrong community. I close with an outlook into our newest frameworks, set to reconcile these perspectives by giving users unprecedented control over fuzzing, yet staying fully automatic if need be.

Bio: Andreas Zeller is faculty at the CISPA Helmholtz Center for Information Security and professor for Software Engineering at Saarland University, both in Saarbrücken, Germany. His research on automated debugging, mining software archives, specification mining, and security testing has won several awards for its impact in academia and industry. Zeller is an ACM Fellow, an IFIP Fellow, an ERC Advanced Grant Awardee, and holds an ACM SIGSOFT Outstanding Research Award.

[Slides]

Session Chair: Baishakhi Ray (Columbia University) |
10:00am | Session 1 |
Session Chair: László Szekeres (Google)
Dissecting American Fuzzy Lop - A FuzzBench Evaluation [Slides]
Andrea Fioraldi, Alessandro Mantovani (EURECOM), Dominik Maier (TU Berlin), Davide Balzarotti (EURECOM)

Fine-Grained Coverage-Based Fuzzing [Slides]
Bernard Nongpoh, Marwan Nour, Michaël Marcozzi, Sébastien Bardin (Université Paris Saclay) |
10:40am | Morning Break |
11:00am | Fishbowl Conversation |
Group conversation about fuzzing and the pre-registration publication model. |
12:00pm | Session 2 |
Session Chair: Mathias Payer (EPFL)
First, Fuzz the Mutants
Alex Groce, Goutamkumar Kalburgi (Northern Arizona University), Claire Le Goues, Kush Jain (Carnegie Mellon University), Rahul Gopinath (Saarland University)

Generating Test Suites for GPU Instruction Sets through Mutation and Equivalence Checking [Slides]
Shoham Shitrit, Sreepathi Pai (University of Rochester) |
12:40pm | Lunch Break |
(Note that we leave a long time for lunch break to make the afternoon session more Asia friendly.) |
3:00pm | Keynote 2: The Evolution of Fuzzing in Finding the Unknowns |
Abhishek Arya (Google) | |
Abstract: Fuzzing is a highly effective technique that finds security
vulnerabilities, stability bugs and correctness issues in a fully
automated way. Over the last decade, it has rapidly evolved from being
an experimental tool used by security teams to becoming a critical
component of the software development life cycle and part of NIST’s
standards for software verification. This talk will give insights into
this journey of fuzzing innovation, from a dumb, blackbox testing
technique to a smart, generational whitebox one, augmented with
effective memory instrumentation. It will also shed light on the recent
efforts to standardize fuzzer benchmarking and scaling research efforts
in the community.

Bio: Abhishek Arya is a Principal Engineer and head of the Google Open Source Security Team. His team has been a key contributor to various security engineering efforts inside the Open Source Security Foundation (OpenSSF). This includes the Fuzzing Tools (Fuzz-Introspector), Supply Chain Security Framework (SLSA, Sigstore), Security Risk Measurement Platform (Scorecards, AllStar), Vulnerability Management Solution (OSV) and Package Analysis project. Prior to this, he was a founding member of the Google Chrome Security Team and built OSS-Fuzz, a highly scaled and automated fuzzing infrastructure that fuzzes all of Google and Open Source. His team also maintains FuzzBench, a free fuzzer benchmarking service that helps the community rigorously evaluate fuzzing research and make it easier to adopt.

[Slides]

Session Chair: Cristian Cadar (Imperial College London) |
3:50pm | Afternoon Break |
4:00pm | Session 3 |
Session Chair: Marcel Böhme (MPI-SP and Monash University)
Fuzzing Configurations of Program Options [Slides]
Zenong Zhang (University of Texas at Dallas), George Klees (University of Maryland), Eric Wang (Poolesville High School), Michael Hicks (University of Maryland), Shiyi Wei (University of Texas at Dallas)

NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing [Slides]
Shisong Qin (Tsinghua University), Fan Hu (State Key Laboratory of Mathematical Engineering and Advanced Computing), Bodong Zhao, Tingting Yin, Chao Zhang (Tsinghua University)

datAFLow: Towards a Data-Flow-Guided Fuzzer [Slides]
Adrian Herrera (Australian National University), Mathias Payer (EPFL), Antony Hosking (Australian National University) |
5:00pm | Concluding remarks |