Apr 13

Bending Fuzzers to One's Own Will

11:40 AM to 12:40 PM

Online lecture

Rohan Padhye, UC Berkeley

Software bugs affect the security, performance, and reliability of critical systems that much of our society depends on. In practice, the predominant method of ensuring software quality is extensive testing. Although software developers have considerable domain expertise, handcrafted tests often fail to catch corner cases. Automated testing techniques such as random fuzzing are a promising approach for discovering unexpected inputs that may cause programs to crash. However, because they rely solely on hardcoded heuristics, their effectiveness as push-button tools is limited when the test program, the input format, or the testing objective becomes complex. Can we empower software developers to specialize automated testing tools using their domain expertise?

In this talk, I will describe new abstractions and algorithms that enable users to dramatically improve the effectiveness of random fuzzing by subtly transforming the search space. The corresponding research tools such as JQF+Zest, PerfFuzz, and FuzzFactory have unlocked the capability to easily discover new classes of software bugs from compiler optimization failures to algorithmic performance bottlenecks and memory consumption issues. My research tools have helped identify security vulnerabilities affecting billions of devices, have been adopted by firms such as Netflix and Samsung, and have been commercialized as services by multiple startups.
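To make "transforming the search space" concrete, the following is an added illustration written for this page; it is not code from JQF, Zest, PerfFuzz or FuzzFactory, and the grammar, target program and cost model are all made up for the demonstration. Instead of mutating the input string, the fuzzer mutates the byte sequence that a structure-aware generator consumes for its random choices, so every mutant is still a well-formed input. It then keeps a mutant if it reaches a new branch (coverage feedback) or makes the target do more work than any input seen so far (a PerfFuzz-style objective), and the multiplication in the toy evaluator is deliberately charged as repeated addition so that there is an algorithmic hot spot for the performance objective to home in on.

```python
"""Added illustration (not JQF/Zest or PerfFuzz code): generator-based fuzzing
driven by a mutable choice sequence, with coverage and performance feedback."""
import random


class ChoiceStream:
    """Serves a generator's random choices from a byte sequence.
    Mutating these bytes yields a different, but still well-formed, input."""

    def __init__(self, data: bytes, rng: random.Random):
        self.data, self.pos, self.rng = bytearray(data), 0, rng

    def choose(self, n: int) -> int:
        if self.pos >= len(self.data):          # out of bytes: extend with a fresh one
            self.data.append(self.rng.randrange(256))
        value = self.data[self.pos] % n
        self.pos += 1
        return value


def gen_expr(cs: ChoiceStream, depth: int = 0) -> str:
    """Generator for a toy arithmetic grammar (hypothetical); output always parses."""
    if depth >= 6 or cs.choose(3) == 0:
        return str(cs.choose(100))
    op = "+-*"[cs.choose(3)]
    return "(" + gen_expr(cs, depth + 1) + op + gen_expr(cs, depth + 1) + ")"


class Target:
    """Program under test: a recursive-descent evaluator. Multiplication is charged
    as repeated addition, so 'steps' models an algorithmic hot spot."""

    def __init__(self):
        self.cov = set()     # branch identifiers hit (coverage feedback)
        self.steps = 0       # work performed (performance feedback)

    def run(self, src: str) -> int:
        self.src, self.pos = src, 0
        value = self._expr()
        if self.pos != len(src):
            raise ValueError("trailing input")
        return value

    def _expr(self) -> int:
        self.steps += 1
        if self.src[self.pos] == "(":
            self.cov.add("paren")
            self.pos += 1
            a = self._expr()
            op = self.src[self.pos]
            self.pos += 1
            b = self._expr()
            if self.src[self.pos] != ")":
                raise ValueError("expected ')'")
            self.pos += 1
            self.cov.add("op:" + op)
            if op == "+":
                return a + b
            if op == "-":
                return a - b
            self.steps += abs(b)            # cost of a repeated-addition multiply
            return a * b
        start = self.pos
        while self.pos < len(self.src) and self.src[self.pos].isdigit():
            self.pos += 1
        if start == self.pos:
            raise ValueError("expected number")
        self.cov.add("num")
        return int(self.src[start:self.pos])


def mutate_bytes(data: bytes, rng: random.Random) -> bytes:
    """Byte-level mutation of the choice sequence: replace, insert or delete one byte."""
    d, kind = bytearray(data), rng.randrange(3)
    if kind == 0 and d:
        d[rng.randrange(len(d))] = rng.randrange(256)
    elif kind == 1:
        d.insert(rng.randrange(len(d) + 1), rng.randrange(256))
    elif len(d) > 1:
        del d[rng.randrange(len(d))]
    return bytes(d)


def fuzz(iterations: int = 1500, seed: int = 1):
    """Returns (most expensive input found, its cost, set of branches covered)."""
    rng = random.Random(seed)
    corpus = [bytes(rng.randrange(256) for _ in range(8))]
    covered, best_cost, hottest = set(), -1, None
    for _ in range(iterations):
        cs = ChoiceStream(mutate_bytes(rng.choice(corpus), rng), rng)
        expr, t = gen_expr(cs), Target()
        t.run(expr)                          # never fails: the generator only emits valid input
        keep = False
        if not t.cov <= covered:             # new branch reached (coverage-guided)
            covered |= t.cov
            keep = True
        if t.steps > best_cost:              # more work than any input so far (PerfFuzz-style)
            best_cost, hottest, keep = t.steps, expr, True
        if keep:
            corpus.append(bytes(cs.data))    # save the choice bytes, including any extension
    return hottest, best_cost, covered


def valid_fraction(raw: bool, trials: int = 300, seed: int = 2) -> float:
    """Share of mutants that still parse: mutating the choice bytes vs. the input text."""
    rng = random.Random(seed)
    base = bytes(rng.randrange(256) for _ in range(16))
    expr, ok = gen_expr(ChoiceStream(base, rng)), 0
    for _ in range(trials):
        if raw:                              # classic mutation of the input string itself
            chars = list(expr)
            chars[rng.randrange(len(chars))] = rng.choice("0123456789+-*()")
            candidate = "".join(chars)
        else:
            candidate = gen_expr(ChoiceStream(mutate_bytes(base, rng), rng))
        try:
            Target().run(candidate)
            ok += 1
        except (ValueError, IndexError):
            pass
    return ok / trials


if __name__ == "__main__":
    hottest, cost, cov = fuzz()
    print("valid after raw mutation:", valid_fraction(raw=True))
    print("valid after choice-byte mutation:", valid_fraction(raw=False))
    print("branches:", sorted(cov), "| costliest input:", hottest, "steps:", cost)
```

The point to take from running it is the two validity numbers: text-level mutation throws away most of its budget on inputs the parser rejects at the first bad character, while mutation of the choice bytes spends every execution on a syntactically valid expression and lets the feedback (new branches, higher cost) steer the search. Swapping the `steps` counter for a memory or edge-execution counter gives the same loop a different domain-specific objective, which is the idea the talk abstract describes as specializing the fuzzer with domain expertise.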