Byoungyoung Lee is an Associate Professor in Electrical and Computer Engineering at Seoul National University (SNU). Before joining SNU, he was an Assistant Professor in Computer Science at Purdue University. He earned his BS and MS at POSTECH under the supervision of Prof. Jong Kim, and his Ph.D. at Georgia Tech under the supervision of Prof. Wenke Lee and Prof. Taesoo Kim. His research area covers security and privacy problems in general, with a particular focus on systems and software security. He received the Internet Defense Prize from Facebook and USENIX (2015), the Best Applied Research Paper Award from CSAW (2015), and the Google ASPIRE Award (2019). His research has found more than 100 security vulnerabilities in various software and hardware products, including the Windows kernel, the Linux kernel, Mac OS X, Chrome, Firefox, QEMU, and RISC-V CPUs.
Challenges in Automated Vulnerability Discovery through Fuzzing
Fuzz testing is now used everywhere, probably because it is easy to use while being effective. It is easy to use, as all you need to do is provide random inputs. It is effective, as many critical vulnerabilities have been found through fuzzing.
In this talk, I will introduce new challenges that fuzz testing is facing, as well as possible research directions to address these challenges. In particular, security attack trends are shifting rapidly, rendering traditional fuzzing techniques neither easy to use nor effective. First, attackers are now launching new types of attacks that differ from classic memory corruption issues. These new attacks range from side channels (e.g., Spectre) to privacy leaks (e.g., your photos being leaked by a smartphone app), but we do not know of good detection mechanisms that fuzzing can use to recognize them. Second, attackers are now targeting a variety of devices, not only a single piece of software. These include autonomous vehicles, drones, hardware chips, etc., and performing automated testing on these platforms has opened a completely new set of challenges.