Computer scientist Elia Geretto optimised an important tool that helps secure software.
Programs have vulnerabilities that an attacker can use to gain control over the computers they run on. These are often simple mistakes that programmers have made when writing code. To eliminate them, security experts review and test code to find and fix vulnerabilities. Experts often use tools that can partially automate this process, allowing them to explore more code with less effort.
Fuzzers
Computer scientist Elia Geretto's research focuses on improving fuzzers, one such tool. Specifically, it makes them faster. The core principle of a fuzzer is to give random input to a program and see how it behaves. The speed of such a fuzzer is a very important property, since a faster fuzzer can generate more random input and thus test the program more thoroughly.
The main conclusion Geretto can draw from his research is that the optimisations he proposes for three specific types of fuzzers, namely snapshot fuzzers, hybrid fuzzers and targeted fuzzers, increase their speed. Furthermore, he has shown that the achieved speed increases result in fuzzers that can explore programs more thoroughly. Finally, he shows that building fast fuzzers also helps to draw appropriate conclusions when evaluating other optimisations, because their effect varies with speed.
Phones and laptops
Geretto's research is important for security researchers. His optimisations are all publicly available online and can be integrated into existing fuzzers to make them faster. These improved fuzzers will help security researchers to evaluate code more thoroughly and thus reduce the number of vulnerabilities in released software.
Furthermore, fewer vulnerabilities in software means that the findings also have an impact on general users. Both the devices we use every day, such as phones and laptops, and the servers in the cloud that manage our data will become more secure.
Geretto's research can be roughly divided into four steps. First, he designed an optimisation that he thought could improve the speed of an existing fuzzer. Next, he implemented the optimisation by writing code to modify that existing fuzzer. Then, he performed experiments to compare the performance of the fuzzer with and without the optimisation. Finally, he analysed the collected data using statistical methods to prove that his optimisation did indeed improve the performance of the fuzzer.
More information on the