Fuzzing and Software Security Summer School

Guest Speakers

Prof. Marcel Böhme 
Head of the Software Security Group
Max Planck Institute for
Security and Privacy (MPI-SP)

Abhishek Arya
Engineering Director
Google Open Source and
Supply Chain Security

Lim Min Kwang 
Director (Capability Masterplanning Office) 
Cyber Security Agency of Singapore  

Dr Thuan Pham 
Cyber Security Senior Lecturer
The University of Melbourne 

Prof. Mathias Payer
Head of the HexHive research group
École Polytechnique 
Fédérale de Lausanne (EPFL) 

Prof. Andreas Zeller 
CISPA Helmholtz Center for 
Information Security
Professor for Software Engineering
Saarland University

Venue

National University of Singapore 
11 Research Link 
COM3, #01-26/27 
Multipurpose Hall 1 and 2
Singapore 119391

Program Details (Updated 31 May 2024)

Monday - 27 May 2024

Time Activities Speaker
8am to 8.50am Registration
8.50am to 9am Please be seated
9am to 9.10am Welcome Speech
Topic: Introduction to Fuzz Testing
Abstract: A welcome address will be given to all attendees discussing connections between research, education and translation in the area of fuzz testing and software security.
Professor Abhik Roychoudhury
9.10am to 9.30am Opening Address Mr Lim Min Kwang
Director (Capability Masterplanning) Cyber Security Agency of Singapore
9.30am to 10.30am Keynote Speech
Topic: Democratizing Fuzzing at Scale
Abstract: This keynote discusses the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It covers the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape.
Mr Abhishek Arya
Engineering Director Google Open Source and Supply Chain Security
10.30am to 11am Tea Break -
11am to 12pm Tutorial
Topic: Input Grammar Fuzzing
Abstract: Fuzzing can be made much more efficient if one knows the language of the program input. Based on the fuzzing book (fuzzingbook.org), we introduce simple means to specify complex input languages as grammars, and use grammar-based fuzzers for effective blackbox testing of programs with complex inputs such as JSON, XML, or SQL.
Professor Andreas Zeller
CISPA Helmholtz Center for Information Security Professor for Software Engineering at Saarland University
12pm to 1.30pm Lunch -
1.30pm to 3.30pm Tutorial
Topic: Input Grammar Fuzzing - Hands-On
Abstract: In this session, you build a grammar-based fuzzer yourself. More precisely, you create a SQL grammar that you will feed into a fuzzer to test SQL interpreters. Who will be the participant with the highest coverage? We also discuss important and common optimizations and extensions such as language coverage and probabilistic grammar testing. Basic knowledge of Python is required for coding.

On your machine, you will need to have installed: 
* GCC and MAKE 
* Python 3.10 or 3.12 
* The Python fuzzingbook package ("pip install fuzzingbook") 

OR 
* Docker Desktop

Professor Andreas Zeller
3.30pm to 4pm Tea Break -
4pm to 5pm Tutorial and Discussions 
Topic: Input Grammar Fuzzing – Outlook
Abstract: This last session collects and summarizes your experiences and gives an outlook on more advanced techniques such as using constraints to further shape inputs, or coverage-driven greybox grammar fuzzing, looking forward to further topics discussed in the workshop.
Professor Andreas Zeller

Tuesday - 28 May 2024

Time Activities Speaker
9.30am to 10am Hackathon Competition 
Team formation and Rules
Ms Meng Ruijie
Mr Dylan Wolff
10am to 10.30am Tea Break
10.30am to 12.30pm Tutorial
Topic: Fuzzing the mobile ecosystem
Abstract: Fuzzing has proven to be the most effective technique to find bugs in code. By now, general-purpose greybox fuzzing is well-established and sees common usage across industry and academia. Fuzzing is an optimization game: given a finite amount of cycles, how can we find bugs efficiently? Our tutorial covers key aspects of fuzzing performance and how techniques can be tailored for specific environments. As a case study, we will explore the mobile ecosystem.
Professor Mathias Payer
Head of the HexHive research group École Polytechnique fédérale de Lausanne
12.30pm to 1.30pm Lunch -
1.30pm to 3.30pm Tutorial and Discussions Professor Mathias Payer
3.30pm to 4pm Tea Break -
4pm to 4.30pm Team Formation/Discussion (Hackathon competition) -
4.30pm to 4.45pm Transportation to Dinner Venue at Botanic Gardens -
6pm to 9pm Dinner Event at Botanic Gardens -

Wednesday - 29 May 2024

Time Activities Speaker
9.30am to 10.30am Interactive Lecture with Group Discussion
Topic: Software Security: Principles, Techniques, and Tools
Abstract: We begin with group discussions, where we will establish i) what we expect from a software system to be secure, ii) which security flaws an attacker might exploit, iii) how those security flaws might be mitigated, and iv) which tools and techniques exist to reason about the presence or absence of security flaws. After a summary of these discussions, we will explore each question more systematically with a focus on the remaining blind spots and general principles.
Professor Marcel Böhme 
Head of the Software Security Group Max Planck Institute for Security and Privacy (MPI-SP)
10.30am to 11am Tea Break -
11am to 12pm Interactive Lecture with Group Discussions
Topic: Guarantees in Software Security
Abstract: We will explore the concrete and fundamental challenges that will forever prevent us from making perfectly reliable statements about the security of a system — despite all the principles, techniques and tools to assess and ensure the security of our software systems, and then discuss what we can do about it.
Professor Marcel Böhme 
12pm to 1.30pm Lunch
1.30pm to 3.30pm Live Coding Session
Topic: On the Surprising Efficiency, Scalability, and Predictability of Greybox Fuzzing
Abstract: In this live coding session, I will draw on the Fuzzing Book and develop a whitebox, blackbox, and greybox fuzzer in front of the audience in a Jupyter notebook with a Python kernel. I will demonstrate the surprising efficiency of blackbox fuzzing versus whitebox fuzzing and show how greybox fuzzing brings ideas from whitebox fuzzing to blackbox fuzzing. Despite the surprising efficiency of greybox fuzzing, I will explain how vulnerability discovery comes at an exponential cost. This is even more surprising given the constant rate of bug reports (3-4 bugs per week) we see in OSS-Fuzz for the average project (which will also be explained). Finally, Seongmin Lee will continue the live-coding session by illustrating the statistical framework for fuzzing, which will allow users to decide when to stop fuzzing and to estimate/predict the probability that a bug exists that has not been found (residual risk). He will then show how these statistical ideas apply beyond fuzzing to program analysis in general.

Professor Marcel Böhme 
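A minimal coverage-guided greybox fuzzer with a residual-risk estimate, added here as an illustration and not the code developed in the session. Coverage comes from `sys.settrace` line events on a constructed target (`parse_record`, with a planted bug three nested comparisons deep, so that coverage feedback can climb the nesting one level at a time); inputs that reach new lines are kept in the corpus and mutated further. The residual-risk figure is the Good-Turing estimate `f1/n` (the fraction of executions that were the only one to reach some coverage element), which is one estimator of the probability that the next input discovers new behaviour; the session's own statistical framework may use a different estimator. The target, the dictionary tokens and all helper names are assumptions made for this example.

```python
import random
import sys


def parse_record(data: bytes) -> int:
    """Constructed target: length-prefixed record parser with a planted bug."""
    if len(data) < 2 or data[0] != ord("R"):
        return -1                              # bad magic
    n = data[1]
    if n > len(data) - 2:
        return -2                              # length runs past the buffer
    checksum = 0
    for b in data[2:2 + n]:
        checksum ^= b
    if n >= 3 and data[2] == ord("B"):         # nested so coverage can guide
        if data[3] == ord("U"):
            if data[4] == ord("G"):
                raise ValueError("planted bug reached")   # the "crash"
    return checksum


class LineCoverage:
    """Record the lines of one function executed during a run, via sys.settrace."""

    def __init__(self, target_name):
        self.target_name = target_name
        self.lines = set()

    def _trace(self, frame, event, arg):
        if event == "line" and frame.f_code.co_name == self.target_name:
            self.lines.add(frame.f_lineno)
        return self._trace

    def run(self, fn, *args):
        previous = sys.gettrace()
        sys.settrace(self._trace)
        try:
            return fn(*args)
        finally:
            sys.settrace(previous)


def mutate(rng, data, dictionary):
    """One havoc-style step: bit flip, random byte, delete, or token insert."""
    data = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 2 and len(data) > 1:
        del data[rng.randrange(len(data))]
    else:
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = rng.choice(dictionary) if dictionary else bytes([rng.randrange(256)])
    return bytes(data)


def residual_risk(hits, executions):
    """Good-Turing estimate f1/n: f1 = coverage elements hit by exactly one input."""
    f1 = sum(1 for count in hits.values() if count == 1)
    return f1 / executions if executions else 1.0


def greybox_fuzz(target, seeds, budget, dictionary=(), seed=0):
    rng = random.Random(seed)
    corpus = list(seeds)
    global_lines, hits = set(), {}
    crash, executions = None, 0
    for i in range(budget):
        # Seeds run first; afterwards mutate a random corpus entry.
        data = seeds[i] if i < len(seeds) else mutate(rng, rng.choice(corpus), dictionary)
        cov = LineCoverage(target.__name__)
        executions += 1
        try:
            cov.run(target, data)
        except Exception:
            crash = data
        for line in cov.lines:
            hits[line] = hits.get(line, 0) + 1
        if not cov.lines <= global_lines:
            global_lines |= cov.lines          # new coverage: keep the input
            corpus.append(data)
        if crash is not None:
            break
    return {"crash": crash, "executions": executions, "corpus_size": len(corpus),
            "lines_covered": len(global_lines),
            "residual_risk": residual_risk(hits, executions)}


def crashes(target, data):
    try:
        target(data)
        return False
    except Exception:
        return True


if __name__ == "__main__":
    # Seed and dictionary tokens are constructed for this example.
    print(greybox_fuzz(parse_record, [b"R\x04abcd"], budget=5000,
                       dictionary=(b"BUG", b"R"), seed=7))
```

The `residual_risk` value is what a practitioner would watch when deciding whether to keep fuzzing: it falls toward zero as every coverage element gets hit by more than one input, and a fresh discovery (here, the crash path) pushes it back up. Note that it estimates the chance of discovering new coverage, not the chance that an undiscovered bug exists; the two are related only through the assumption that bugs hide behind uncovered behaviour.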
3.30pm to 4pm Tea Break -
4pm to 5pm Lecture
Topic: Efficient Dataflow Analysis by Fuzzing and for Fuzzing
Abstract: In this lecture, we will discuss techniques and representations for efficient dataflow analysis inspired by fuzzing techniques. First, we introduce a dependency-based taint analysis rule representation, which enables taint rules to be automatically inferred using a fuzzing-style approach, without specification of the underlying instruction sets. Second, we discuss the internal mathematical structure of such taint rules and show how it can simplify dynamic dataflow analysis and use GPUs as co-processors to speed up dataflow queries. Finally, we discuss the key ideas of the solutions and look for inspiration to support fuzzing.
Associate Professor Liang Zhenkai

Thursday - 30 May 2024

Time Activities Speaker
9am to 10am Lecture
Topic: Systematic Concurrency Testing
Abstract: Concurrency bugs are a classic example of heisenbugs: even when developers encounter them once, they have a hard time reproducing them. This makes detecting such bugs extremely challenging. In this lecture I will discuss how to model concurrent software from a testing perspective and then discuss advanced techniques for concurrency testing such as runtime predictive analysis, randomized concurrency testing and concurrency-centric fuzz testing.

Associate Professor Umang Mathur
10am to 10.30am Tea Break
10.30am to 12.30pm Tutorial
Topic: Expand the reach of fuzzing: beyond well-tested applications
Abstract: Fuzzing, especially coverage-guided fuzzing (CGF), has proven its effectiveness in discovering thousands of vulnerabilities in file-processing and stateless applications (e.g., media processing libraries such as libpng and FFmpeg, and binary utilities such as Binutils). In this tutorial, we will explain how we extend CGF to conduct fuzz testing on other intriguing yet challenging applications, such as stateful network protocol and graph algorithm implementations.
Dr Thuan Pham
Cyber Security Senior Lecturer The University of Melbourne
12.30pm to 2pm Lunch -
2pm to 5pm Hackathon Competition Team Submission Ms Meng Ruijie
Mr Dylan Wolff

Friday - 31 May 2024

Time Activities Speaker
9am to 10am Lecture
Topic: Fuzzing Database Systems
Abstract: This talk will present how we can fuzz database systems. While popular grey-box fuzzers have found many bugs in popular database engines, this session will show how domain-specific insights can greatly increase bug-finding effectiveness and efficiency. Specifically, the talk will cover test oracles to find correctness and performance issues, as well as how we can use query plans as a feedback signal. The techniques are available and widely used as part of SQLancer (https://github.com/sqlancer/sqlancer).
Assistant Professor Manuel Rigger
10am to 12pm Tutorial and Discussions
Topic: Expand the reach of fuzzing: beyond crash oracles
Abstract: In fuzzing, and automated testing in general, designing test oracles is crucial. Without them, we cannot distinguish between expected and unexpected behaviors of the systems under test, and consequently, we cannot detect bugs. In this tutorial, we will cover differential and metamorphic fuzzing as solutions for the test oracle problem, and we will discuss several examples of test oracle design, including the one used in our award-winning ICSE'24 paper on detecting excessive data exposures (a form of data leakage) over web APIs.
Dr Thuan Pham
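One concrete test oracle that serves both the database-fuzzing lecture above and this tutorial's metamorphic-oracle theme, as an added example (not SQLancer's code and not the tutorial's material): Ternary Logic Partitioning (TLP), the metamorphic relation SQLancer uses. For any predicate p, every row satisfies exactly one of `p`, `NOT p` and `p IS NULL`, so the union of the three partitioned queries must equal the unpartitioned query; no expected output is needed, so the oracle works for randomly generated predicates. The example runs it against SQLite through Python's `sqlite3` module and also shows the two-valued version of the same relation failing, which is the SQL-specific pitfall TLP exists to handle. The table, the rows and the predicate generator are constructed for this example.

```python
import random
import sqlite3
from collections import Counter

# Constructed table for the example. NULLs in every column are deliberate:
# they are where two-valued reasoning about WHERE clauses goes wrong.
ROWS = [(1, 2, "x"), (None, 3, "y"), (4, None, None),
        (5, 5, "x"), (0, -1, ""), (None, None, None)]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (a INTEGER, b INTEGER, c TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?, ?)", ROWS)
    return con


def random_predicate(rng, depth=0):
    """Random WHERE predicate over t's columns (hypothetical generator)."""
    cols = ["a", "b", "c"]
    if depth < 2 and rng.random() < 0.4:
        left = random_predicate(rng, depth + 1)
        right = random_predicate(rng, depth + 1)
        return f"({left} {rng.choice(['AND', 'OR'])} {right})"
    col = rng.choice(cols)
    op = rng.choice(["=", "<>", "<", ">", "IS", "IS NOT"])
    val = rng.choice(["0", "1", "5", "NULL", "'x'", "''"] + cols)
    return f"{col} {op} {val}"


def rows(con, sql):
    """Query result as a multiset, so comparisons ignore row order."""
    return Counter(con.execute(sql).fetchall())


def tlp_check(con, predicate):
    """TLP oracle: partitions p, NOT p, p IS NULL must reassemble the full table.
    A mismatch is an engine bug; no expected output is needed."""
    full = rows(con, "SELECT * FROM t")
    parts = (f"({predicate})", f"NOT ({predicate})", f"({predicate}) IS NULL")
    partitioned = Counter()
    for part in parts:
        partitioned += rows(con, f"SELECT * FROM t WHERE {part}")
    return full == partitioned


def two_valued_check(con, predicate):
    """Same idea with only p and NOT p: wrong for SQL, because rows where the
    predicate evaluates to NULL satisfy neither branch and silently vanish."""
    full = rows(con, "SELECT * FROM t")
    return full == rows(con, f"SELECT * FROM t WHERE ({predicate})") + \
        rows(con, f"SELECT * FROM t WHERE NOT ({predicate})")


def run_tlp_campaign(n=300, seed=0):
    """Predicates for which the engine violates the TLP relation (expect none)."""
    con = make_db()
    rng = random.Random(seed)
    predicates = (random_predicate(rng) for _ in range(n))
    return [p for p in predicates if not tlp_check(con, p)]


if __name__ == "__main__":
    con = make_db()
    print("TLP on a = 1:", tlp_check(con, "a = 1"))
    print("two-valued on a = 1:", two_valued_check(con, "a = 1"))
    print("violations:", run_tlp_campaign())
```

The two-valued check fails on `a = 1` because the two rows with `a` NULL are in neither `a = 1` nor `NOT (a = 1)`; an oracle built on that assumption would report a false bug on every correct engine, while the three-way partition passes. SQLancer applies the same relation to much richer predicates (and to JOINs, GROUP BY, and aggregates); the generator here is deliberately small so the whole check reads in one screen.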
12pm to 1.30pm Lunch -
1.30pm to 2.30pm Prize Presentation -