Software correctness is becoming increasingly important as our society grows more reliant on computer systems, with even the simplest software errors now having the capacity to inflict devastating financial or security losses.
A University of Maryland expert in programming languages is addressing this issue, using funding from the National Science Foundation to advance a randomized testing technique known as “fuzzing,” making it easier to write, debug, and reason about software and its specifications.
Leonidas Lampropoulos, an assistant professor of computer science and a core faculty member in the Maryland Cybersecurity Center, is principal investigator of the NSF Faculty Early Career Development Program (CAREER) award, expected to total $582K over the next five years.
Fuzzing, also known as fuzz testing, is an automated method that injects invalid or unexpected inputs into a program to reveal software defects and vulnerabilities. Then the program is monitored for exceptions such as crashes or information leakage.
Formal specifications can serve as the foundation of strong safety and security guarantees by providing a precise description of what it means for a piece of code to be correct. This can be stated either explicitly, such as “private data should never be leaked to third parties,” or implicitly, like “this code will not terminate with an uncaught exception.”
However, formal specifications are underutilized in practice because they are perceived as both complex and uneconomical, Lampropoulos explains.
His project aims to study the theory and practice of fuzzing with high-level specifications that traditionally operate on highly structured and constrained data, to develop a theory of feedback-based generation of such data, and to streamline the evaluation of how these and future techniques perform in practice.
Ultimately, Lampropoulos says, the project will render the benefits of specifications accessible to more programmers through a combined research and educational effort.
—Story by Melissa Brachfeld
“CAREER: Fuzzing Formal Specifications” is supported by NSF grant #2145649 from the NSF’s Division of Computing and Communications Foundations.
PI: Leonidas Lampropoulos, assistant professor of computer science with appointments in the University of Maryland Institute for Advanced Computer Studies and the Maryland Cybersecurity Center.
About the CAREER award: The Faculty Early Career Development (CAREER) Program is an NSF activity that offers the foundation’s most prestigious awards in support of junior faculty who exemplify the role of teacher-scholars through outstanding research, excellent education and the integration of education and research within the context of the mission of their organization.