State Key Laboratory for Novel Software Technology, Nanjing University
Abstract:
Fuzzing is a promising method for discovering vulnerabilities. Recently, various techniques have been developed to improve the efficiency of fuzzing, and impressive gains have been reported in evaluation results. However, evaluation is complex, because many factors affect the results, for example the benchmark, the baseline and the metrics. In order to restore the comparability and authenticity of existing fuzzing work, in this talk we present an empirical evaluation of fuzzing techniques. First, we systematically evaluate typical fuzzers on a unified test suite with carefully selected metrics. By analyzing the results, we summarize common pitfalls in optimizing a fuzzer. Furthermore, to understand the root causes behind these pitfalls, we conduct experiments and propose directions for overcoming the problems, and demonstrate how to customize fuzzing for different domains such as deep learning, blockchain and industrial control.
Speaker biography:
Yu Jiang is an associate professor at the School of Software, Tsinghua University. His research focuses on software security in areas such as artificial intelligence and industrial control, using techniques such as deep learning and fuzzing for the automatic discovery and understanding of software defects. The related tools have cumulatively found more than 500 defects in widely used system software, of which 125 vulnerabilities (for example, the Linux kernel vulnerability CVE-2019-7707 and the industrial control protocol library Lib-iec61850 vulnerability CVE-2018-19121) have been included in the U.S. National Vulnerability Database. He has published more than 50 papers as first or corresponding author at well-known conferences and journals such as Security, EMSOFT, ASE and TSE, and has received best paper awards or nominations five times at conferences including ACM EMSOFT and ICSE-SEIP. He received the 2015 China Computer Federation Outstanding Doctoral Dissertation Award, was selected for the 2018 China Association for Science and Technology Young Elite Scientists Sponsorship Program, and received the 2020 Alibaba DAMO Academy Young Fellow (Qingcheng) Award. He has led more than 10 enterprise innovation research grants from Huawei, Alibaba, Mitsubishi Heavy Industries and others, and one National Natural Science Foundation of China Excellent Young Scientists Fund project.
Time: 14 October (Wednesday), 15:00
Tencent Meeting ID: 618 678 191