Fuzzing faces a key challenge: after running for an extensive time, coverage plateaus and will no longer increase despite extensive mutations. Only new seed inputs or mutation operators will likely change that. We have observed that for Syzbot fuzzing in the Linux kernel has essentially plateaued due to Google's multi-year …
read moreOther articles
Droidot: Vulnerable Native Libraries on Android
Android is a complex platform with diverse, concurrently running services. Looking at user-space the assumption is that each app is isolated from all others running on top of the rich Android runtime system. Unfortunately, the available system libraries are heavily limited and Android apps often ship diverse libraries. These libraries …
read moreNASS: Fuzzing Native Android System Services
Android is a complex platform with diverse, concurrently running services. In the past, we focused on privileged components such as fuzzing the secure monitor with EL3XIR, targeting trusted applications, or even surveying the use of rollback counters in trusted applications.
As more and more components get secured and hardened, we …
read moreType++: A Type-Safe C++ Dialect
The C++ language combines a massive potential for raw power with the massive risk of type and memory safety violations. The developer is inherently responsible for securing all executed code and to guarantee type safety and memory safety. We are particularly focused on type safety. In C++, developers can cast …
read moreDumpling: dumping fine-grained execution state
JavaScript engines face a dilemma: on one end, they need to be extremely efficient as they are processing millions of lines of JavaScript code, dynamically translating complex programs into efficient code. On the other end, the code may be controlled by an attacker that is trying to exploit bugs in …
read moreQMSan: discovering uninitialized memory errors in binaries
Sanitizers serve as the primary bug detection Oracle during automated testing. They "crash" the program gracefully and tell the fuzzer when and where a bug was triggered. The most well-known sanitizer is ASan or AddressSanitizer which adds redzones around memory objects to detect whenever an access is out-of-bounds. MSan or …
read moreTruman: discovering hypervisor bugs through virtual device models
Hypervisors power not just the cloud but are becoming a commodity in mobile phones and desktops as well. They separate virtual machines from each other, enabling strong isolation and security guarantees. In cloud environments, hypervisors separate non-trusting virtual machines and an attacker may try to compromise and gain access to …
read moreFrom Fuzzing to Frameworks: 2024 Research Highlights
2024 was an active year for the HexHive research group, marked by tireless efforts to enhance the security of various complex systems. A key trend throughout the year was the continued evolution of fuzzing research. Notably, we observed a gradual shift away from general-purpose fuzzing as a primary research focus …
read moreRIP Niklaus Wirth
Niklaus Wirth, known for his work on programming languages and systems, died on January 1st, 2024 (ETH Zurich). Wirth was known for his work on programming languages and systems with a keen focus on simplicity and functionality for which he was awarded the 1984 Turing Award. His most well-known language …
read more