Fuzzing and Software Security Summer School
Fuzzing and Software Security Summer School
Guest Speakers
Prof. Marcel Böhme
Head of the Software Security Group
Max Planck Institute for
Security and Privacy (MPI-SP)
Abhishek Arya
Engineering Director
Google Open Source and
Supply Chain Security
Lim Min Kwang
Director (Capability Masterplanning Office)
Cyber
Security Agency of Singapore
Dr
Thuan Pham
Cyber Security Senior Lecturer
The University of Melbourne
Prof. Mathias Payer
Head of the HexHive
research group
École Polytechnique
Fédérale de Lausanne (EPFL)
Prof. Andreas Zeller
CISPA Helmholtz Center for
Information Security
Professor for Software Engineering
Saarland University
Venue
National University of Singapore
11 Research Link
COM3, #01-26/27
Multipurpose Hall 1 and 2
Singapore 119391
Program Details (Updated 31 May 2024)
Monday - 27 May 2024
| Time | Activities | Speaker |
| 8am to 8.50am | Registration | |
| 8.50am to 9am | Please be seated | |
| 9am to 9.10am | Welcome Speech
Topic: Introduction to Fuzz Testing Abstract : A welcome address will be given to all attendees discussing connections between research, education and translation in the area of fuzz testing and software security. |
Professor Abhik Roychoudhury |
| 9.10am to 9.30am | Opening Address Speech | Mr Lim Min Kwang Director (Capability Masterplanning) Cyber Security Agency of Singapore |
| 9.30am to 10.30am | Keynote Speech Topic: Democratizing Fuzzing at Scale Abstract : This keynote talks about the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It delves into the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape. |
Mr Abhishek Arya Engineering Director Google Open Source and Supply Chain Security |
| 10.30am to 11am | Tea Break | - |
| 11am to 12pm | Tutorial Topic: Input Grammar Fuzzing Abstract: Fuzzing can be made much more efficient if one knows the language of the program input. Based on the fuzzing book (fuzzingbook.org), we introduce simple means to specify complex input languages as grammars, and using grammar-based fuzzers for effective blackbox testing of programs with complex inputs such as JSON, XML, or SQL. |
Professor Andreas Zeller CISPA Helmholtz Center for Information Security Professor for Software Engineering at Saarland University |
| 12pm to 1.30pm | Lunch | - |
| 1.30pm to 3.30pm | Tutorial Topic: Input Grammar Fuzzing - Hands-On Abstract: In this session, you build a grammar-based fuzzer yourself. More precisely, you create a SQL grammar that you will feed into a fuzzer to test SQL interpreters. Who will be the participant with the highest coverage? We also discuss important and common optimizations and extensions such as language coverage and probabilisttic grammar testing. Basic knowledge of Python is required for coding. On your machine, you will need to have installed: * GCC and MAKE * Python 3.10 or 3.12 * The Python fuzzingbook package ("pip install fuzzingbook") OR * Docker Desktop |
Professor Andreas Zeller |
| 3.30pm to 4pm | Tea Break | - |
| 4pm to 5pm | Tutorial and Discussions Topic: Input Grammar Fuzzing – Outlook Abstract: This last session collects and summarizes your experiences and gives some outlooks into more advanced techniques such as using constraints to further shape inputs, or coverage-driven greybox grammar fuzzing, looking forward to further topics discussed in the workshop. |
Professor Andreas Zeller |
Tuesday - 28 May 2024
| Time | Activities | Speaker |
| 9.30am to 10am | Hackathon Competition Team formation and Rules |
Ms Meng Ruijie Mr Dylan Wolff |
| 10am to 10.30am | Tea Break | |
| 10.30am to 12.30pm | Tutorial Topic: Fuzzing the mobile ecosystem Abstract: Fuzzing has proven the most effective technique to find bugs in code. By now, general-purpose greybox fuzzing is well-established and sees common usage across industry and academia. Fuzzing is an optimization game: given a finite amount of cycles, how can we find bugs efficiently? Our tutorial covers key aspects of fuzzing performance and how techniques can be tailored for specific environments. As a case study, we will explore the mobile ecosystem. |
Professor Mathias Payer Head of the HexHive research group École Polytechnique fédérale de Lausanne |
| 12.30pm to 1.30pm | Lunch | - |
| 1.30pm to 3.30pm | Tutorial and Discussions | Professor Mathias Payer |
| 3.30pm to 4pm | Tea Break | - |
| 4pm to 4.30pm | Team Formation/Discussion (Hackathon competition) | - |
| 4.30pm to 4.45pm | Transportation to Dinner Venue at Botanic Gardens | - |
| 6pm to 9pm | Dinner Event at Botanic Gardens | - |
Wednesday - 29 May 2024
| Time | Activities | Speaker |
| 9.30am to 10.30am | Interactive
Lecture with Group Discussion Topic: Software Security: Principles, Techniques, and Tools Abstract: We begin with group discussions, where we will establish i) what we expect from a software system to be secure, ii) which security flaws an attacker might exploit, iii) how those security flaws might be mitigated, and iv) which tools and techniques exist to reason about the presence or absence of security flaws. After a summary of this discussions, we will explore each question more systematically with a focus on the remaining blind spots and general principles. |
Professor Marcel Böhme Head of the Software Security Group Max Planck Institute for Security and Privacy (MPI-SP) |
| 10.30am to 11am | Tea Break | - |
| 11am to 12pm |
Interactive
Lecture with Group Discussions
Topic: Guarantees in Software Security Abstract: We will explore the concrete and fundamental challenges that will forever prevent us from making perfectly reliable statements about the security of a system — despite all the principles, techniques and tools to assess and ensure the security of our software systems, and then discuss what we can do about it. |
Professor Marcel Böhme |
| 12pm to 1.30pm | Lunch | |
| 1.30pm to 3.30pm | Live
Coding Session Topic: On the Surprising Efficiency, Scalability, and Predictability of Greybox Fuzzing Abstract: In this live coding session, I will draw on the Fuzzing Book and develop a whitebox, blackbox, and greybox fuzzer in front of the audience in Jypyter notebook with a Python kernel. I will demonstrate the surprising efficiency of blackbox fuzzing versus whitebox fuzzing and show how greybox fuzzing brings ideas from whitebox fuzzing to blackbox fuzzing. Despite the surprising efficiency of greybox fuzzing, I will explain how vulnerability discovery comes at an exponential cost. This is even more surprising given the constant rate of bug reports (3-4 bugs per week), we see in OSS-Fuzz for the average project (which will also be explained). Finally, Seongmin Lee will continue the live-coding session by illustrating the statistical framework for fuzzing, which will allow users to decide when to stop fuzzing and to estimate/predict the probability that a bug exists that has not been found (residual risk). He would then show how these statistical ideas apply beyond fuzzing to program analysis in general. |
Professor Marcel Böhme |
| 3.30pm to 4pm | Tea Break | - |
| 4pm to 5pm | Lecture Topic: Efficient Dataflow Analysis by Fuzzing and for Fuzzing Abstract: In this lecture, we will discuss techniques and representations for efficient dataflow analysis inspired by fuzzing techniques. First, we introduce a dependency-based taint analysis rule representation, which enables taint rules to be automatically inferred using a fuzzing-style approach, without specification of underlying instruction sets. Second, we discuss the internal mathematical structure of such taint rules and show how it can simply dynamic dataflow analysis and use GPU as co-processors to speed up dataflow queries. Finally, we discuss the key ideas of the solutions and look for inspirations to support fuzzing. |
Associate Professor Liang Zhenkai |
Thursday- 30 May 2024
| Time | Activities | Speaker |
| 9am to 10am | Lecture Topic: Systematic Concurrency Testing Abstract: Concurrency bugs are a classic example of heisenbugs ---- even when developers encounter them once, they have a hard time reproducing them. This makes detecting such bugs extremely challenging. In this lecture I will discuss how to model concurrent software from a testing perspective and then discuss advanced techniques for concurrency testing such as runtime predictive analysis, randomized concurrency testing and concurrency-centric fuzz testing. |
Associate Professor Umang Mathur |
| 10am to 10.30am | Tea Break | |
| 10.30am to 12.30pm | Tutorial Topic: Expand the reach of fuzzing: beyond well-tested applications Abstract: Fuzzing, especially coverage-guided fuzzing (CGF), has proven its effectiveness in discovering thousands of vulnerabilities in file-processing and stateless applications (e.g., media processing libraries such as LibPNG, FFMpeg, and binary utilities like Binutils). In this tutorial, we will explain how we extend CGF to conduct fuzz testing on other intriguing yet challenging applications, such as stateful network protocol and graph algorithm implementations. |
Dr
Thuan Pham Cyber Security Senior Lecturer The University of Melbourne |
| 12.30pm to 2pm | Lunch | - |
| 2pm to 5pm | Hackathon Competition Team Submission | Ms Meng Ruijie Mr Dylan Wolff |
Friday- 31 May 2024
| Time | Activities | Speaker |
| 9am to 10am | Lecture Topic: Fuzzing Database Systems Abstract: This talk will present how we can fuzz database systems. While popular grey-box fuzzers have found many bugs in popular database engines, this session will show how domain-specific insights can greatly increase bug-finding effectiveness and efficiency. Specifically, the talk will cover test oracles to find correctness and performance issues, as well as how we can use query plans as a feedback signal. The techniques are available and widely-used as part of SQLancer ( https://github.com/sqlancer/sqlancer). |
Assistant Professor Manuel Rigger |
| 10am to 12pm | Tutorial and Discussions Topic: Expand the reach of fuzzing: beyond crash oracles Abstract: In fuzzing, and automated testing in general, designing test oracles is crucial. Without them, we cannot distinguish between expected and unexpected behaviors of the systems under test, and consequently, we cannot detect bugs. In this tutorial, we will cover differential and metamorphic fuzzing as solutions for the test oracle problem, and we will discuss several examples of test oracle design, including the one used in our award-winning ICSE'24 paper on detecting excessive data exposures (a form of data leakage) over web APIs. |
Dr Thuan Pham |
| 12pm to 1.30pm | Lunch | - |
| 1.30pm to 2.30pm | Prize Presentation | - |