Today’s computing world is at a crossroads: the academic and industry security community has long been the heart of responsible disclosure efforts to secure open-source software and systems, yet society’s ubiquitous devices, platforms, and applications (e.g., iPhone, Windows, and Skype) are increasingly closed-source. In the face of today’s rampant corporate espionage and intellectual property theft, developers are taking aggressive measures to make their products as opaque as possible. Unfortunately, by indiscriminately hindering all third-party auditing, developers are shutting out the security community while significantly raising the stakes for attackers.
Exploits targeting closed-source IP routinely sell for millions of dollars, making the black-market exploit trade far more lucrative than responsible disclosure bug bounties. Reversing course from the next decade’s worst cyberattack demands that science achieve accessible, transparent, and efficient vetting beyond open-source contexts.
In this talk, I will discuss my work on tackling the asymmetries impeding automated security auditing of today’s complex and opaque codebases. I will first cover three arcs of my research on improving the performance of closed-source software fuzz-testing (fuzzing). Beyond expediting discovery of security vulnerabilities in closed-source codebases, these innovations provide a basis for future advances in high-performance application testing on the world’s most popular and security-critical software platforms. Lastly, I will introduce my vision for expanding automation beyond testing to the other critical components of the security vetting process.
Stefan Nagy is a Ph.D. candidate and Hume Center for National Security and Technology Graduate Fellow advised by Dr. Matthew Hicks in the Department of Computer Science at Virginia Tech. He received his Bachelor’s in Computer Science from The University of Illinois at Urbana-Champaign in 2016. His research interests are in security, software engineering, and systems. His work aims to make automated vetting of software and systems more effective and efficient irrespective of kernel, architecture, and source code. His research has been published in top-tier academic venues (e.g., IEEE S&P, USENIX Security, ACM CCS, and ICSE), and has garnered adoption by industry leaders like the AFL++ Project, Google Project Zero, and Red Hat.