NUS Computing Provost’s Chair Professor Abhik Roychoudhury and collaborators have been awarded a S$6.7 million grant by the National Research Foundation (NRF) National Cybersecurity R&D Programme.
The grant will fund a four-year research programme on fuzz testing from 1 July 2023 to 30 June 2027. The collaborators who have been instrumental in this research proposal alongside Prof Roychoudhury include Associate Professor Zhenkai Liang, Assistant Professors Umang Mathur and Manuel Rigger from NUS, and external collaborators from EPFL Switzerland, Google, and Max-Planck Institute.
Making Software Secure with Fuzz Testing
As one of the digitally interconnected nations in the world, Singapore is easily exposed to security bugs and vulnerabilities. To date, the most well-known method to test and identify security vulnerabilities in software is grey-box fuzz testing. It uses “biased random search” to reveal program inputs that are most likely to cause the program to crash. It is used by corporations daily to find software vulnerabilities.
The team has made significant progress in the discipline of fuzz testing, specifically in symbolic execution. Symbolic execution techniques can find much deeper bugs than conventional fuzzing techniques, but they are often bogged down by heavy-weight constraint accumulation.
“Our main idea has been to make measurable improvements to the grey-box fuzzing framework to implicitly achieve the efficacy of symbolic execution (e.g., covering different program paths), while remaining in a fuzzing framework, without losing the efficiency of a fuzz testing campaign,” Prof Roychoudhury explained.
“The team’s past work on grey-box fuzzing has influenced fuzzing practice by encouraging the development of Google’s FuzzBench, a free, community-based fuzzer benchmarking platform used by academics and practitioners to evaluate their fuzzing innovations.”
One of the main purposes of the new research programme is to “build the next generation of fuzz testing technologies.” The team seeks to develop new techniques that can detect security vulnerabilities, specifically for concurrent, stateful, and reactive software systems, which involve interactions between many software components.
“I am excited about the possibility of working further to make open-source software systems less vulnerable by working on stateful component-based systems. Being able to validate component-based systems allows us to deeply test the impact of a vendor-provided component on software. Our research is of importance in the context of recent well-known software supply chain attacks, such as SolarWinds,” said Prof Roychoudhury.
“We will also continue to build the community by forging closer academia-industry interaction and holding annual summer schools to help students.”
As part of the programme launch, Prof Roychoudhury will be speaking on 7 July 2023, from 3 p.m. to 4 p.m. at the NUS School of Computing. Please visit our events page for more information.