Research Topics

Static and Dynamic Platform Analysis

While software defenses try to prevent the exploitation of bugs, static (before execution) and dynamic (during execution) analysis try to find these bugs before they are delivered to customers. Both are also increasingly deployed in software development cycles. The former, static analysis, is used to uncover bugs at compile time. Where traditional static analysis tools run specialized checkers for each class of bug, modern static analysis frameworks like GitHub's CodeQL let developers write custom static-analysis queries that can be run even against large-scale projects.

In contrast, dynamic techniques gained popularity only recently, mostly because of highly practical, easy-to-use tools like LLVM's AddressSanitizer or Google's American Fuzzy Lop (AFL). Nowadays, dynamic techniques are even integrated into consumer-grade software like the Firefox browser, where a so-called memory sanitizer runs in nightly builds to find bugs like overflows.

For us as a research group, fuzzing is a promising research direction. Fuzzing is a dynamic analysis technique in which existing test cases are repeatedly transformed (mutated) and fed to the program under test in order to find crashes. Each execution can also provide information (feedback) on whether a test case reached new code locations, which makes it a good candidate for further transformations.
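The coverage-guided loop described above, as an added example that is not the group's code and not AFL's: a constructed toy target records the branches it reaches (the job instrumentation does in a real fuzzer), and the fuzzer keeps a mutated input only when it reached a branch no earlier input did. The target compares its input to the constructed value `MAGIC` byte by byte, so every matched byte is feedback; a single all-or-nothing comparison would give none, which is the well-known magic-bytes weakness of plain coverage feedback. `target`, `run`, `mutate` and `fuzz` are names chosen for this example.

```python
import random

MAGIC = b"FUZZ!"  # constructed: the one input the toy target mishandles

def target(data: bytes, cov: set) -> None:
    """Constructed program under test; records every branch it reaches in `cov`."""
    cov.add("entry")
    for i, expected in enumerate(MAGIC):
        if i >= len(data) or data[i] != expected:
            cov.add(f"mismatch@{i}")
            return
        cov.add(f"match@{i}")  # a branch that no shorter matching prefix reaches
    raise RuntimeError("constructed bug reached")  # the crash we are hunting

def run(data: bytes):  # execute the target once; return (branches reached, crashed?)
    cov = set()
    try:
        target(data, cov)
    except RuntimeError:
        return cov, True
    return cov, False

def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random transformation: insert, delete or overwrite a byte (length capped at 16)."""
    buf, op = bytearray(data), rng.randrange(3)
    if op == 1 and len(buf) < 16:            # insert
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and len(buf) > 1:           # delete
        del buf[rng.randrange(len(buf))]
    elif buf:                                # overwrite (also the fallback)
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:
        buf.append(rng.randrange(256))
    return bytes(buf)

def fuzz(seeds, max_iters=400_000, seed=0):
    """Pick a corpus entry, mutate it, run it, keep it only if it reached a new branch."""
    rng = random.Random(seed)
    corpus, seen, crashes = list(seeds), set(), []
    for inp in corpus:  # run the seeds first so their coverage is known
        seen |= run(inp)[0]
    for _ in range(max_iters):
        cand = mutate(rng.choice(corpus), rng)
        cov, crashed = run(cand)
        if cov - seen:  # feedback: a new branch, so this input is worth mutating further
            seen |= cov
            corpus.append(cand)
        if crashed:
            crashes.append(cand)
            break  # the first crash is enough for this demo
    return corpus, crashes, seen
```

Starting from a seed such as `b"AAAAAAAA"`, the corpus grows by one entry per matched byte until the crashing input is found; with the byte-by-byte check replaced by `data == MAGIC`, the same loop gets no intermediate feedback and only finds it by chance.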

While fuzzing is already established as a research field in the academic community, in practice many applications are closed-source or too large and too complex for such an analysis. In our group, we tackle these challenges by researching new ways to build fuzzers and how they can benefit from existing CPU features.