We are hiring!
Seeking one highly motivated Research Fellow (2 years) with some experience in fuzzing / vulnerability discovery. Want to apply? Send your CV, transcripts, and your reasons why you would like work on automated vulnerability discovery. to .

FuzzInfer: Fuzzing Protocol Implementations

The discovery of vulnerabilities in web applications before an attacker does can save companies millions of dollars. According to a 2018 study "[..] the total average cost of web application attacks in APAC over the past 12 months was $2.4 million per company, while the total average cost of DoS attacks was $1.1 million. [..] Web application attacks are a constant threat for companies. 43 percent of respondents said that web application security is more critical than other security issues faced by their organizations." Most critically, a vulnerability in a web application can be exploited remotely over the network from anywhere in the world.

This project aims to develop stateful fuzzing techniques that can discover vulnerabilities that could otherwise be used for remote arbitrary execution attacks. In this project, we are planning to first tackle the challenges of statefulness and protocol inference before we address the (greybox) problem where only the compiled x86 program binary of the protocol implementation or web application is available.


Principal Investigators
Abhik Roychudhury is a Professor of Computer Science at National University of Singapore. His research focuses on software testing and analysis, trust-worthy software construction and software security. He is currently leading the Singapore Cyber-security Consortium. He has served as an Associate Editor of IEEE Transactions on Software Engineering (TSE) during 2014-18, and is serving as an Associate Editor of IEEE Transactions on Dependable and Secure Computing (TDSC) during 2019-21. Abhik received his Ph.D. in Computer Science from the State University of New York at Stony Brook in 2000.
Marcel Böhme is a 2019 ARC DECRA Fellow and Lecturer (Asst Prof) at Monash University, Australia. He was research fellow at CISPA, Saarland University, Germany from 2014 to 2015 and completed his PhD at National University of Singapore in 2014. Marcel’s research is focussed on automated vulnerability discovery, analysis, testing, debugging, and repair of large software systems. His tools discovered 100+ bugs in widely-used software systems, more than 60 of which are security-critical vulnerabilities registered as CVEs at the US National Vulnerability Database.
Team Members
Van-Thuan Pham is a postdoctoral research fellow at Monash University, Australia. During his PhD studies at NUS, under the supervision of Prof Abhik Roychoudhury he conducted research on fuzz testing techniques (including black-box, coverage-based grey-box and symbolic-execution based white-box fuzzing) and applied these techniques to vulnerability detection, crash reproduction and debugging.
Mingyuan Gao is a PhD student at National University of Singapore. Before that he was a Research Engineer at Institute for Infocomm Research, Agency for Science, Technology and Research (A*STAR), Singapore. Before joining A*STAR, Mingyuan worked as a Research Assistant at School of Computing, National University of Singapore (NUS) for two years. He received an MSc. in Computer Science and Engineering (System Software) from Pohang University of Science and Technology (POSTECH, South Korea), and a B.Eng. in Software Engineering from Xi'an Jiaotong University (XJTU, China).
We have an opening for a Research Fellow position at Monash University, Australia for two years. The Research Fellow would conduct this research within our Monash fuzzing team in collaboration with the team of Abhik Roychoudhury at the National University of Singapore. The applicant should have
  • Strong background in system building, software testing, and bug finding
  • Some success in CTFs, hackathons, or bug bounty programs
  • Some background in binary analysis, reverse engineering, fuzzing
  • Background in statistics, research, and experimentation desirable
You can find more information here:

Marcel Böhme < · https://fuzzinfer.github.io · Updated: 2019-09-06 14:05