Michael Hicks, a professor of computer science with an appointment in the University of Maryland Institute for Advanced Computer Studies, was recently recognized for his work in improving fuzz testing—a quality assurance technique used to discover coding errors and security loopholes in software.
Hicks was part of a team honored with a Distinguished Paper Award at the 31st USENIX Security Symposium, held from August 10–12 in Boston.
The paper, “FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing,” offers a tool and new protocols to help assess rapidly evolving fuzz testing methods currently used by programmers and security experts.
In addition to Hicks, the award-winning paper’s authors included Zenong Zhang, Zach Patterson and Shiyi Wei, all from the University of Texas at Dallas. Wei first began collaborating with Hicks while a postdoc at the University of Maryland from 2015–2017.
The researchers developed a tool called FIXREVERTER, which automatically injects realistic bugs into a program. Programmers can then use various fuzz testing techniques and assess which one performs the best.
FIXREVERTER takes as input a bugfix pattern that contains both code syntax and semantic conditions. At any code site that matches the specified syntax, the fix is undone if the semantic conditions are satisfied, as checked by static analysis, thus (re)introducing a likely bug.
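The match-and-undo step described above can be shown with a toy sketch, added here as an illustration and not FIXREVERTER's own code. The NULL-guard pattern, the regex-based stand-in for static analysis, the function names and the sample C source are all assumptions constructed for this example.

```python
import re

# Constructed sample: two C functions whose first statement is a NULL guard.
SAMPLE = """\
int name_len(const struct user *u) {
    if (u == NULL) return -1;
    return (int)strlen(u->name);
}

int log_level(const char *arg) {
    if (!arg) return 0;
    return verbose ? 2 : 1;
}
"""

# Syntax half of the (assumed) pattern: `if (!p) return ...;` or `if (p == NULL) return ...;`
GUARD = re.compile(
    r"^[ \t]*if \(\s*(?:!(\w+)|(\w+) == NULL)\s*\)\s*return[^;]*;[ \t]*\n", re.M)

def dereferenced_later(var, body):
    """Semantic half: crude stand-in for static analysis. True if `var` is
    dereferenced (*p, p->f, p[i]) in the remainder of the function body."""
    v = re.escape(var)
    return re.search(rf"\*{v}\b|\b{v}(?:->|\[)", body) is not None

def revert_fixes(source):
    """Remove every guard whose variable is dereferenced afterwards.
    Returns (rewritten_source, list_of_variables_whose_guard_was_removed)."""
    out, injected, pos = [], [], 0
    for m in GUARD.finditer(source):
        var = m.group(1) or m.group(2)
        # Text from the guard to the closing brace of the enclosing function.
        rest = source[m.end():].split("\n}", 1)[0]
        if dereferenced_later(var, rest):
            out.append(source[pos:m.start()])  # keep code before the guard
            pos = m.end()                      # skip the guard itself
            injected.append(var)
    out.append(source[pos:])
    return "".join(out), injected

if __name__ == "__main__":
    reverted, injected = revert_fixes(SAMPLE)
    print("guards removed for:", injected)
    print(reverted)
```

Only the guard in `name_len` is removed, because `u` is dereferenced after it; the guard in `log_level` matches the syntax but fails the semantic condition and is left in place.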
Hicks—currently on leave from the University of Maryland while working as a senior principal scientist at Amazon Web Services—says this most recent work is the successor to a paper he co-authored with Wei in 2019, “Evaluating Fuzz Testing,” which made the case that good fuzzing benchmarks were needed.
Other papers presented at this year’s USENIX Symposium by University of Maryland faculty and students—all of whom are affiliated with the Maryland Cybersecurity Center—include:
- “Orca: Blocklisting in Sender-Anonymous Messaging,” by Nirvan Tyagi and Julia Len, Cornell University; Ian Miers, University of Maryland; Thomas Ristenpart, Cornell Tech
- “Hyperproofs: Aggregating and Maintaining Proofs in Vector Commitments,” by Shravan Srinivasan, University of Maryland; Alexander Chepurnoy, Ergo Platform; Charalampos Papamanthou, Yale University; Alin Tomescu, VMware Research; Yupeng Zhang, Texas A&M University
- “Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits,” by Octavian Suciu, University of Maryland; Connor Nelson, Zhuoer Lyu, and Tiffany Bao, Arizona State University; Tudor Dumitraș, University of Maryland
- “GET/out: Automated Discovery of Application-Layer Censorship Evasion Strategies,” by Michael Harrity, Kevin Bock, Frederick Sell and Dave Levin, University of Maryland
- “Why Users (Don't) Use Password Managers at a Large Educational Institution,” by Peter Mayer, Karlsruhe Institute of Technology; Collins W. Munyendo, The George Washington University; Michelle L. Mazurek, University of Maryland; Adam J. Aviv, The George Washington University