Deepfuzzer: Accelerated Deep Greybox Fuzzing

Publications

12-2019

DeepFuzzer: Accelerated Deep Greybox Fuzzing

Jie Liang Tsinghua University

Yu Jiang Tsinghua University

Mingzhe Wang Tsinghua University

Houbing Song Embry-Riddle Aeronautical University, [email protected]

Kim-Kwang Raymond Choo University of Texas

Follow this and additional works at: https://commons.erau.edu/publication

Part of the Software Engineering Commons

Scholarly Commons Citation Liang, J., Jiang, Y., Wang, M., Song, H., & Choo, K. R. (2019). DeepFuzzer: Accelerated Deep Greybox Fuzzing. IEEE Transactions on Dependable and Secure Computing, (). https://doi.org/10.1109/ TDSC.2019.2961339

This Article is brought to you for free and open access by Scholarly Commons. It has been accepted for inclusion in Publications by an authorized administrator of Scholarly Commons. For more information, please contact [email protected]. 1 DeepFuzzer: Accelerated Deep Greybox Fuzzing

Jie Liang, Yu Jiang, Mingzhe Wang, Xun Jiao, Yuanliang Chen, Houbing Song, and Kim-Kwang Raymond Choo

Abstract—Fuzzing is one of the most effective vulnerability detection techniques, widely used in practice. However, the performance of fuzzers may be limited by their inability to pass complicated checks, inappropriate mutation frequency, arbitrary mutation strategy, or the variability of the environment. In this paper, we present DeepFuzzer, an enhanced greybox fuzzer with qualiﬁed seed generation, balanced seed selection, and hybrid seed mutation. First, we use symbolic execution in a lightweight approach to generate qualiﬁed initial seeds which then guide the fuzzer through complex checks. Second, we apply a statistical seed selection algorithm to balance the mutation frequency between different seeds. Further, we develop a hybrid mutation strategy. The random and restricted mutation strategies are combined to maintain a dynamic balance between global exploration and deep search. We evaluate DeepFuzzer on the widely used benchmark Google fuzzer-test-suite which consists of real-world programs. Compared with AFL, AFLFast, FairFuzz, QSYM, and MOPT in the 24-hour experiment, DeepFuzzer discovers 30%, 240%, 102%, 147%, and 257% more unique crashes, executes 40%, 36%, 36%, 98%, and 15% more paths, and covers 37%, 34%, 34%, 101%, and 11% more branches, respectively. Furthermore, we present the practice of fuzzing a message middleware from Huawei with DeepFuzzer, and 9 new vulnerabilities are reported.

Index Terms—Software Testing, Greybox Fuzzing !

1 INTRODUCTION

UZZING is a software testing technique that feeds the structured inputs (such as SQL and JavaScript) [9], [10]. F computer program with invalid, unexpected or random While a significant amount of up-front work is required input seeds with the goal of monitoring exceptions. The to study specifications and construct rules, semantic checks first (or at least best-known) fuzzing project aimed to test like parsing are still difficult to pass. The limited generation the reliability of UNIX utilities [1], [2]. Since then, fuzzing rules also restrict the vitality of inputs to explore the state has identified a large number of software bugs and security space of the program. vulnerabilities. At present, fuzzing is widely deployed by To strike a balance between effectiveness and automa- many companies such as Google [3], [4], Microsoft [5], [6], tion, many researchers have devoted significant efforts. One and Adobe [7]. typical solution is guiding fuzzing with coverage infor- To generate input seeds, mutation and generation are mation. American Fuzzy Lop (or simply AFL) [8] is one two popular methods [1]. Mutation-based fuzzers mutate of the representative guided fuzzers. With some manual- existing seeds randomly so as to construct new seeds [8], provided initial seeds, it explores the target program by [3]. Aimless random mutation produces a lot of worthless mutating them and retaining interesting seeds which dis- seeds, especially for complex programs. Because of this, cover new coverage. Then it repeatedly mutates interesting they teeter in shallow areas and difficult to reach deep seeds to cover more states of the program. In this way, it has places in programs. However, many serious vulnerabilities hunted hundreds of high-impact vulnerabilities. However, usually remain undiscovered. Generation-based fuzzers, on just adding coverage information is insufficient for explor- the other hand, normally test programs accepting highly- ing hard-to-reach regions in programs and thus misses some deep vulnerabilities. First, AFL does not provide qualified • Jie Liang, Yu Jiang, Mingzhe Wang, and Yuanliang Chen are with initial seeds for initial start points even as initial start points the School of Software, Tsinghua University, China, also with Beijing are crucial; extra cycles of mutation on low-quality initial National Research Center for Information Science and Technology, China, and also with Key Laboratory for Information System Security, Ministry seeds hardly improves the performance. Klees et al. also of Education, China. point out the impact of initial seeds to fuzzing [11]. Second, • Xun Jiao is with the Department of Electrical and Computer Engineering, while worthless seeds can be screened out with coverage Villanova University, USA. information, the blind mutation strategy does not know • Houbing Song is with the Department of Electrical, Computer, Software, and Systems Engineering, Embry-Riddle Aeronautical University, USA. how to mutate the meaningful seeds to reach hard-to-reach • Kim-Kwang Raymond Choo is with the Department of Information regions. To get through complex checks and discover these Systems and Cyber Security, University of Texas at San Antonio, USA. regions, not only is a large number of mutations needed, Manuscript received Jul. 23, 2019; revised Nov. 11, 2019; accepted Dec. but also a bit of luck. In addition, when AFL gets through 6, 2019. This research is sponsored in part by the NSFC Program complex checks and covers hard-to-reach regions with a (No. 61527812), the National Science and Technology Major Project of China (No. 2016ZX01038101). Corresponding author: Yu Jiang (e-mail: lot of efforts, the byte sequence related to these checks are [email protected]). fragile in the presence of the blind mutation strategy. 2 Researchers have extended AFL in various ways. Some In this paper, we present DeepFuzzer1, a fuzzer that optimize the mutation strategy to acquire better efficiency. combines qualified seed generation, balanced seed selection, For example, AFLFast [12] assigns more mutation times hybrid seed mutation, and automatic fuzzing environment to seeds which execute infrequency paths, but this does configuration so as to grapple effectively with the four not increase the possibility of reaching uncovered regions. obstacles of current fuzzing techniques, and explore deep FairFuzz [13] adjusts the mutation strategy to direct fuzzing paths as widely and as fast as possible. The key idea is that to rare regions, but its performance is vulnerable to local the seed that touches the hard-to-reach regions represents convergence. AFLGo [14] assigns more mutation times to good directions and should be automatically generated, seeds closer to target regions, so as to direct the fuzzing to selected more and mutated more times, and the mutation on specific locations. However, any enhancement from reach- these seeds are restricted to some positions and operations ing deep regions is slight. MOPT [15] utilizes a customized to reserve the path depth and breadth. Specially, we employ particle swarm optimization algorithm to find the optimal symbolic execution [19] in a lightweight approach to gen- selection probability distribution of mutation operators to erate high quality initial seeds which pass complex checks. improve fuzzing. Then, we apply a statistical seed selection algorithm to bal- Others try to incorporate program analysis techniques ance the mutation frequency of different categories of seeds. such as symbolic execution as a way to extend AFL. For We also develop a hybrid random and reachability-reserved example, SAFL [16], Driller [17], and QSYM [18] all suc- mutation strategy that decides how to mutate the selected cessfully apply symbolic execution to solve complex checks seeds depending on the rarity of the reached regions. This which trap AFL. But solving complex constraints is still dif- achieves a dynamic balance between global exploration and ficult for state-of-the-art constraint solvers, and AFL is likely a deep search. Furthermore, to enhance the adaptability of to get stuck again quickly because of the blind mutation DeepFuzzer to complex industrial environments and system strategy. building complexity, we develop an automatic environment Last but not least, those academic extensions perform configuration component named toolchain. well when evaluated in ideal environments, but they do DeepFuzzer is evaluated on the widely used benchmark not work consistently as expected when applied to many Google fuzzer-test-suite2 which consists of real-world pro- industrial projects. Due to the complexity and variability of grams. The number of paths executed, branches covered, the production environment, there are too many potential and unique crashes triggered are used as metrics. Compared causes that could fail a ”smart” fuzzer. For instance, two with the state-of-the-art fuzzers such as AFL, AFLFast, Fair- testing engineers from Huawei tried to fuzz their industrial Fuzz, QSYM, and MOPT used in the 24-hour experiment, message middleware libmsg with Driller, but they gave up DeepFuzzer performs better, triggering 30%, 240%, 102%, after investing two weeks of valuable time. They discovered 147%, and 257% more unique crashes, executing 40%, 36%, that Driller lacks the support for a set of POSIX APIs and 36%, 98%, and 15% more paths and covering 37%, 34%, 34%, has rigid requirements on system and library configuration. 101%, and 11% more branches, respectively. Furthermore, Based on the performance of existing fuzzers, we ob- we present the practice of fuzzing an industrial message serve that there are four major obstacles for implementing middleware from Huawei with DeepFuzzer. After epitomiz- effective and adaptable fuzzing. ing several typical but interesting industrial environment traps, 9 previously-unknown vulnerabilities are reported, 1) Poor initial seed quality. Initial seeds supply start including flaws that lead to denial of service or commu- points to get through complex checks. Efficient nication crashes. The main contributions of our study are as seeds are hard to manually construct and random follows: seeds are worthless. Thus, generating guiding initial • We propose DeepFuzzer, an efficient open source seeds automatically is badly needed. fuzzer with qualified seed generation, balanced seed 2) Unbalanced seed selection. Unbalanced seed selec- selection, and hybrid seed mutation. tion may assign seeds with inappropriate mutation • We list typical obstacles encountered while applying times. Valuable seeds are seldom selected, which fuzzing to a real industrial project: libmsg from leads to inadequate mutations. In contrast, some Huawei. Solutions to each obstacle are also provided. seeds are selected too much which leads to a waste of resources. This paper is organized as follows: Section 2 introduces 3) Aimless mutation strategy. Extra efficiency gained a motivating example. Section 3 details our approaches with by coverage information enables exploring more DeepFuzzer to accelerate deep greybox fuzzing. Section meaningful areas, but aimless mutation strategies 4 presents design and implementation details. Section 5 invalidate this benefit. These strategies mutate in- presents evaluation along with obstacles and solutions for puts randomly so that the structures required to industrial practice. Section 6 introduces the related work. pass complex checks are easily damaged. Once the We conclude by exploring implications in section 7. delicate structures are broken, the exploration can reach only the shallow regions. 2 MOTIVATING EXAMPLE 4) Complex industrial environment. Fuzzers cannot To show how DeepFuzzer can address complicated checks, easily manage the complexity and diversity of we walk through a code snippet presented in Listing 1. In real industrial environments. Better adaptability of fuzzers to industrial software products is much 1. https://github.com/Ljiee/deepfuzz needed. 2. https://github.com/google/fuzzer-test-suite/ 3 family fuzzers (AFL, AFLFast, and FairFuzz). Figure 1 (b) 1 int fun(char *filename, int size) { 2 unsigned char buf[1000]; int fd; shows the operation of AFL. Because it has no whitebox- 3 if((fd = open(filename, O_RDONLY))==-1) level knowledge about the program, it will get stuck at Block 4 exit(0); C and guess with brute-force by mutating different bytes on 5 read(fd, buf, size); 6 if(size > 1000) return -1; various offsets. 7 //BLOCKA Figure 1 (c) shows the process of Driller or QSYM. 8 if(*(uint64_t *)buf == 0xCAFEBABE) They cannot pass the check in line 8 directly, but symbolic //BLOCKB 9 execution can help them to arrive at Block B. However, 10 printf("Magic bytes!\n"); 11 else they ignore the importance of bytes from 0 to 8 of buf. 12 //BLOCKC Their following mutated seeds generated by fuzzing might 13 return -1; destroy these bytes and return back to Block C again. As a 14 if(buf[10] < 10) { 15 //BLOCKD result, they have to employ symbolic execution to pass line 16 if(buf[12] < 10) { 14 and get to Block D. Note that the check at line 14 is not 17 //BLOCKE very difficult, so solving it by symbolic execution is a waste 18 bugs(); of resources to some extent. The check at line 14 also causes 19 } else{ 20 // BLOCKF more input seeds covering Block G than Block D. So Driller 21 ...some other task... or QSYM takes more times to fuzz seeds who hit Block G 22 } and most mutated seeds of them would go back to Block C. 23 } else{ 24 //BLOCKG It is difficult for them to concentrate on fuzzing Block D and 25 ...some other task... to cover its descendant blocks. In the end, they might have 26 close(fd); return 0; to use symbolic execution again to reach Block E and trigger 27 } the bug. On the other hand, along with the increased depth 28 close(fd); return 0; 29 } of the path, the cumulative constraints are also increasing. So Driller or QSYM will spend more and more time to solve Listing 1. A motivating example illustrates that how DeepFuzzer addresses complicated checks. these nested conditions. Figure 1 (d) shows the operation of DeepFuzzer. It passes the check at line 8 and gets to Block B at the beginning owing this code snippet, the paths covered depend on certain bytes to qualified initial seeds generated by symbolic execution. at fixed offsets. When fuzzing this program, AFL will be Next, DeepFuzzer detects that offset 0 to 8 are crucial to stuck in Block C; Driller or QSYM will cost a lot of time Block B. It preserves them and mutates other bytes to get and resources to trigger the bug; DeepFuzzer will trigger Block D. DeepFuzzer utilizes a balanced seed selection, the bug easily and quickly. To clarify such differences, the which means it balances Block D and G by giving the seeds corresponding control flow and the testing process of AFL, who hit Block D more mutation times. On top of that, its Driller or QSYM, and DeepFuzzer are presented in Figure 1. restrict mutation preserves bytes in offset 0-8, 10, 12 and only mutates other offsets. As a result, DeepFuzzer finds Block E and triggers the bug quickly. fuzzing A symbolic execution A When testing real-world programs, the whole process of Line 8: buf[0:8] == 0xCAFEBABE Line 8: buf[0:8] == 0xCAFEBABE Driller or QSYM would cost more time and resources. The B C B C inefficient use of the results of symbolic execution causes fre- Line 14: buf[10] < 10 Line 14: buf[10] < 10 quent switching between symbolic execution with fuzzing. D G D G Line 16: buf[12] < 10 Line 16: buf[12] < 10 The long execution trace would accumulate constraints thus

bug E F … bug E F … lower the success rate in solving. In contrast, DeepFuzzer combines symbolic execution in a more suitable way for (a) The control flow graph of the (b) The process of fuzzing the example example in Listing 2 program with AFL fuzzing real-world programs. In summary, DeepFuzzer is superior to other fuzzers in the following three aspects: fuzzing fuzzing symbolic execution A symbolic execution A Line 8: buf[0:8] == 0xCAFEBABE Line 8: buf[0:8] == 0xCAFEBABE 1) DeepFuzzer employs symbolic execution to gener- B C B C ate initial seeds, which ensures that the complicated Line 14: buf[10] < 10 Line 14: buf[10] < 10 checks could be passed in the beginning. It also D G D G Line 16: buf[12] < 10 Line 16: buf[12] < 10 preserves the efﬁcient fuzzing process and avoids

bug E F … bug E F … the switching cost between the symbolic execution and fuzzing. (c) The process of fuzzing the example (d) The process of fuzzing the example 2) DeepFuzzer utilizes the balanced seed selection to program with Driller or QSYM program with DeepFuzzer give adequate mutation times for each seed. It avoids wasting too many resources on exploring Fig. 1. The control ﬂow graph of Listing 2 and the process of fuzzing the program with AFL, Driller / QSYM, and DeepFuzzer. frequent parts. 3) DeepFuzzer integrates the restricted and random In line 8 of Listing 1, buf[0] and buf[1] are compared mutation to retain the results of the symbolic execu- with certain bytes to validate the input. This pattern is tion. As a result, DeepFuzzer passes the nested con- common in real-world programs such as libjpeg, lcms, and ditions more easily and explores more and deeper libpng. However, it is a signiﬁcant obstacle for pure AFL- paths continually. 4

3 DEEPFUZZER APPROACH 1 //BLOCKA Figure 2 presents an overview of the proposed approach. 2 if(x == 0x12345678) { Seed generation takes the C/C++ source code as input 3 //BLOCKB 4 if(...) { and utilizes symbolic execution to generate qualiﬁed ini- 5 //BLOCKD tial seeds to form the original circular queue. During the 6 } fuzzing process, seeds are taken out from the queue one 7 } 8 else{ after another. Seed selection determines whether to skip 9 //BLOCKC a seed and compute the mutation times for each selected 10 if(...) { seed. Seed mutation is responsible for mutating seeds in the 11 //BLOCKE restricted or random strategy based on whether the seed 12 } 13 } touches hard-to-reach areas. The bug report is produced by the seeds which crash the program. Or if the mutated seeds Listing 2. Unfair selection. have new coverage, they will be added to the seed queue for further mutations. Otherwise, the worthless mutated seeds will be thrown into the trash. The process of AFL could When the symbolic executor halts, states are ﬁltered to be contained in DeepFuzzer, which is framed in the dotted only export seeds covering new paths. This optimization box. There are three main differences between AFL and is crucial, because one symbolic execution session might DeepFuzzer. First, AFL lacks the process of seed generation. contain tens of thousands of states, many of which exercise Its initial seeds rely on manual supply. Second, it selects the same path. The optimization drastically reduces the seeds without considering the branch count statistics. Last, number of seeds passed to the fuzzer. it mutates seeds only by random mutation. 3.2 Balanced Seed Selection

Source Crash If valuable seeds are seldom selected, it would lead to inadequate mutations. In contrast, if some worthless seeds are selected too frequent, it would waste resources. The Qualified Seed balanced seed selection aims at assigning balanced mutation Generation times to each seed. We propose two rules named the branch- Initial Seeds sensitive fair skip rule and the branch-sensitive energy as- Interesting Hybrid Seed Mutation signment rule to make the fuzzing tend to be in equilibrium. Seed Circular Seeds mutate Queue Restricted Random Branch-sensitive fair skip rule. In AFL, whether a seed Mutation Mutation is worth fuzzing depends on three factors: the size, the Take Skip running speed, and the number of fuzzed times. The skip rule is fair for seeds, as the seed characteristics are the main Balanced Seed Mutate Selection consideration. However, it is not fair for branches, as the branch coverage distribution is left out. For each branch, AFL only favours the smallest and the fastest seed covering the branch. In AFL, if a seed is not favored or it has been Fig. 2. The interaction of DeepFuzzer algorithms. fuzzed before, AFL will skip it, which may lead to coverage misses of some critical branches. For example, consider the code snippet in Listing 2. We 3.1 Qualified Seed Generation use tuples AB, AC, BD, CE to represent branches. Suppose If a complex check can not be passed by initial seeds, it takes the seed set S1 and S2 contain seeds which can hit branch significant computing resources to generate satisfied seeds AB and AC separately. Intuitively, if we select each seed by pure luck. To compensate the format-agnostic nature of the same number of times, the probability of generating greybox fuzzing, a symbolic executor is used to produce seeds covering CE is much bigger than BD. Branch AB is high-quality initial seeds. blocked by the magic bytes in a condition statement, leaving The symbolic executor works online and forks on explosive growth in the size of S2. So for the branch BD and branches. To model the interaction between the program CE, the selection is not fair. To fix this problem, we should and the environment, a subset of POSIX API is simulated give a high priority to seeds in S1 and skip seeds in S2 symbolically. For faster collection of constraints, LLVM bit- with a certain probability. In order to do this, we assign a code is chosen as the program representation to reduce the skip probability for every seed. This probability is inversely instruction count. Different from normal whitebox fuzzers proportional to the occurrence frequency of the code block. such as Driller, the symbolic executor uses a strict time- We collect and use the branch hit count to indicate limited scheduler, because once the code can be covered by the occurrence frequency to be common or rare. A branch initial seeds, fuzzer is more efficient at triggering bugs. Fol- represents a basic block transition; its hit count reflects lowing the design principle that a symbolic executor should the frequency of its associated blocks. Taking all runs into be lightweight, the total execution time, maximum memory account, the rarest branch of a seed denotes the branch which usage, and constraint solving time are strictly limited to has the minimum hit count among the hit branches of this prevent wasting computing resources on unnecessary ex- seed. Let xi be the hit count of the rarest branch for the plorations. seed si, n be the number of branches. γ is a constant, 5 which diminishes the skip probability equally to increase cover tough reachable areas in a restricted way to preserve efficiency. The optimized fair skip probability for seed si is: the depth. For other seeds, DeepFuzzer preserves them to ! retain the breadth with the random mutation strategy. x−1 i After several cycles, the original rare branches degener- P (si) = 1 − Pn −1 · γ (1) j=1 xj ate into common branches and new rare branches appear. The formula above assigns a higher mutation probability When it is difficult to cover rare branches, it is still possible for seeds exercising infrequent hit branches. After balancing to utilize the random mutation strategy to further increase branches, we still follow the original skip rule of AFL to the coverage. As described in the evaluation section, the omit unfavoured seeds. hybrid mutation solves the local convergence problem to a Branch-sensitive energy assignment rule. Energy is certain extent, such as in FairFuzz. A branch is rare if its hit defined as the number of times seeds are mutated in the count is less than or equal to rarity. rarity is the smallest random stage of fuzzing. AFL gives more energy to recently power of two, which bounds the number of input seeds created seeds which spend less execution time and achieve hitting the rarest branch. Let min hit be the minimum hit more branch coverage. This heuristic helps AFL reach more count of branches, rarity is: regions with less cost but also neglects the rarity of branches, rarity = 2dlog2 min hite which usually leads to unbalanced energy assignment. For example, a seed which only covers common branches might A target branch of a seed is the rarest branch among all run fast. Conversely, another seed runs slow but can hit rare covered branches of the seed. With the target branch chosen, branches. Because of the lack of branch rarity, the assigned the restricted mutation strategy can be performed. The algo- energy for the first seed is excessive while for the latter is rithm finds out strategies which would not diverge from the inadequate. target branch: for each byte in the seed, can it be overwritten, To assign a more suitable number of mutation times deleted, or inserted? The overwritable bytes are computed to seeds, we take the branch rarity into account similar by replacing every byte of the input with a random byte. If to the seed selection stage. Let s denote the selected seed the result still hits the target branch, the byte is designated that needs to be mutated next, p(s) denote the energy of s, as overwritable. The property of deletable and insertable is and pAF L(s) denote the original energy calculated by AFL. detected in a similar way: delete the byte being tested, or Given the number of times c(s) which s has previously been insert a random byte before. Although three operations all chosen from the queue S and the hit number h(s) of the change the value of the testing byte, they will cause different rarest branch covered by s, DeepFuzzer computes p(s) as external results and all of them are indispensable. Take the c(s) ! JPEG file as an example, it has several marker sections which pAF L(s) 2 p(s) = min · ,M (2) have fix length and data sections. We can only overwrite β h(s) bytes in the marker sections because other operations will p(s) is inversely proportional to h(s), which means the change the length and cause an invalid format. But in the rarer branch a seed can cover, the more energy the seed data sections, we can apply all of the three operations and will get. This helps to make the fuzzing process more still get a valid JPEG file. Knowing the mutation property balanced towards the branch. The increase in c(s) gives the for each byte, the seed is mutated in restricted ways at exponential energy for reselected seeds to explore the states. corresponding positions. It is noteworthy that this algorithm The constant M provides an upper bound on the number of utilizes random bytes for replacement or insertion. mutations per fuzzing iterations, which is 160k, the same as with AFL. β balances the relation between the original AFL energy assignment value and the branch-sensitive energy 4 IMPLEMENTATION assignment value. DeepFuzzer consists of three main components — the seed generator, the fuzzer, and the toolchain. The symbolic seed 3.3 Hybrid Seed Mutation generator is based on KLEE. The improved fuzzer is based Before the main fuzzing process starts, seed generation on AFL. The toolchain is based on a standard system has supplied high-quality initial seeds automatically. These toolchain invocation. KLEE and AFL work on vastly differ- seeds give the fuzzing a lot of valuable directions and help ent levels of program representation. To help bridge the gap, the fuzzer pass the complicated checks (like line 2 in Listing DeepFuzzer follows the interface specification of libFuzzer. 2) easily. But normal mutation strategy does not know the With this layer of abstraction, DeepFuzzer can use different delicate structure which is required to pass these checks. entry points for symbolic execution and fuzzing. This is Random mutation strategies easily damage the structure automatically done by the toolchain component. and mess up the high-quality seeds, such as in Driller and The symbolic seed generator is responsible for produc- QSYM. Defeated by the complex checks, the fuzzing session ing high-quality initial seeds. It is a wrapper of KLEE. The has to wander in shallow areas. The useless mutation also source code of KLEE is not modified, but the search strategy wastes too many resources and causes inefficient fuzzing. is fine-tuned for seed generation. When the symbolic execu- In order to take full advantage of the initial seeds and tor halts, states are filtered to only export seeds covering to explore the deep places while maintaining breadth, we new paths. Besides the tuning, there are three adaptations. propose a hybrid mutation strategy which combines the First, to support symbolic execution and basic POSIX API restricted-mutation strategy and the random mutation strat- simulation, we ship KLEE built with uclibc. Second, we egy. The restricted-mutation strategy mutates seeds which set the execution time of KLEE to 20 minutes. Finally, 6 we develop a converter to convert the results of KLEE to 5 EVALUATION available seeds. We evaluate the effectiveness of DeepFuzzer on the widely used benchmark Google fuzzer-test-suite and other real- The fuzzer component changes the source code of AFL. world programs. The influence of symbolic seed generation, It modifies the logic of seed selection and seed mutation to balanced seed selection, and hybrid seed mutation are quan- implement the algorithm we proposed. The seed selection tified. Compared with the state-of-the-art fuzzers, Deep- algorithm applies the skip rule and the energy assignment Fuzzer performs better. For example, compared with one rule to balance the mutation times of branches. Three maps of the most recently developed symbolic execution aided are defined: one counts the hit number of every branch, one tool — QSYM, it triggers 147% more unique crashes, covers labels whether a branch is interesting, denoting the rarest of 98% more paths, and achieves 101% more covered branches all branches a seed can cover. The last one records the times respectively. Furthermore, we deployed DeepFuzzer to the a seed is successfully selected for fuzzing. When a seed is highly customized runtime environment of Huawei and taken out from the queue, we skip it with the probability fuzzed the message middleware libmsg. After epitomiz- calculated by the formula (1) in section 3.2. The energy ing several typical but interesting industrial environment which is computed as the formula (2) in section 4.2 controls traps, 9 previously-unknown vulnerabilities were reported, the random mutation times for each seed. The hybrid seed including flaws that lead to denial of service or communi- mutation strategy assigns each seed with a fittest mutation cation crash. On this basis, we summarize ways to improve strategy. The restricted mutation strategy is only used for the utility of fuzzers in the industrial practical environment. the seeds that hit rare branches, it finds which bytes in a seed can be overwritten, deleted, or inserted, and the rules are obeyed in the mutation stage. 5.1 Benchmark Evaluation 5.1.1 Experiment setup The toolchain component intercepts standard system Google fuzzer-test-suite is a widely used fuzzing bench- toolchain invocation, which enables customization on the mark, including real-world projects such as boringssl, c- flags passed to the compiler and linking stage. Depending ares, guetzli, lcms, libarchive, libssh, libxml2, pcre2, proj4, on different build modes (symbolic vs fuzzing), different and re2. They are derived from real-life libraries which have sets of compiler flags are injected. The toolchain component typical bugs, hard-to-find code paths and other challenges takes care of the trivial details of different build systems for bug-finding tools. We use three metrics to evaluate such as CMake or AutoConf. It injects the flags as the the results of fuzzers on these ten real-life projects. These specification of build systems. When building LLVM bit- metrics consist of the number of exercised paths, covered code for symbolic execution, DeepFuzzer uses a pre-built branches, and triggered unique crashes. The first two met- bitcode file to supply the main function when linking. It rics evaluate the coverage of the target programs. AFL dis- feeds its argument(argv) as input, which simplifies the tinguishes the crash by different execution paths. Although environment interaction modelling of KLEE. The linking several unique crashes which might point to the same bug, stage also combines all the LLVM bitcode files into a whole no bugs can be found without a crash. In other words, file for KLEE. When building an executable file for fuzzing, the discovery of unique crashes is a prerequisite for the a slightly patched AFL driver in libFuzzer is used as the discovery of bugs. Thus this number reveals the probability main function for linking. The patch adds support for of finding vulnerabilities. clean-up logic at exit. From our observation, programs with To quantify the effect of seed generation, balanced seed background threads tend to crash because of an incorrect selection, and hybrid seed mutation, respectively, we sep- exit procedure; false positives on memory leakage are also arately integrate each component on the original imple- found. Moreover, the toolchain also enables sanitizers such mentation of AFL. Then we compare DeepFuzzer with as ASAN to detect latent bugs. The toolchain component some AFL-family tools consists of AFL, AFLFast, and Fair- also adds an additional LLVM pass to collect coverage Fuzz. Two state-of-the-art fuzzers namely QSYM and MOPT information. are also compared with DeepFuzzer. In particular, QSYM is the most recently developed symbolic execution aided DeepFuzzer encapsulates the internal complexities fuzzing tool. Because QSYM needs at least two cores (it above into a collection of command line utilities. The com- requires an AFL instance to run simultaneously), we also mand line utilities forms a workflow for software develop- run DeepFuzzer and MOPT with two cores. In addition, ers, providing an easy-to-use interface. The utilities detect AFL, AFLFast, and FairFuzz are also compared in the the system environment and configure each internal tool. same environment settings. To have a better comparison, In this way, optimal parameters are automatically decided, except for Google fuzzer-test-suite, we also evaluate these thus software developers do not have to manually tune fuzzers on three large real-world programs namely ffmpeg, the parameters. Furthermore, from our empirical study, one openjpeg, tcpdump. Apart from the three metrics namely of the major obstacles for complex fuzzers to run on real paths executed, branch covered and crash triggered, we also industry systems is system configuration inconsistency. A analyze the bugs found by each fuzzer. compatibility layer is implemented in DeepFuzzer, which We run each tool accompanied with Google AddressSan- contains various software library dependencies of each com- itizer (ASAN) for 24 hours on a 64-bit machine which has 32 ponent. As long as the kernel and glibc is recent enough, cores (Intel(R) Xeon(R) CPU E5- 2630 v3 @ 2.40GHz), 128GB DeepFuzzer is able to run on any Linux distribution. of main memory, and uses Ubuntu 16.04 as host OS. 7 5.1.2 Is qualified seed generation positive or negative With Random We first verify whether the seed generation mechanism can Generation With Qualified generate high-quality seeds to optimize the performance of Generation fuzzing or not. We feed AFL with initial seeds generated common 364 26540 by our symbolic-execution-based generator. Synthetically 3570 considering the time to generate enough high-quality initial seeds and the fuzzing performance, we choose 20 minutes for symbolic execution. The average count of initial input seeds generated by symbolic execution is 70. Table 1 shows the total number of three metrics for the benchmark in 24 Fig. 3. The Venn diagram of branch coverage with random or qualified hours. For comparison, we also list the statistics of original seed generation for fuzzing pcre2. AFL. To have a fair comparison, we generate the same number of random valid inputs for AFL. checks in deep paths cripple traditional greybox fuzzing. We observe that the initial seeds increase 17% more paths With the exclusive seeds, this version first achieves higher executed and 23% more branches covered. Benefiting from coverage, which enables unique opportunities to explore increased coverage, the improved version finds about 150% state spaces behind those deep paths. Thus many crashes more unique crashes than running AFL. hidden in these paths are only triggered when fuzzing with seed generation. On the other hand, when running AFL with TABLE 1 qualified initial seeds, it executes more paths in a shorter Influence on Qualified Seed Generation time. That means AFL could try more branch combinations and as a result, trigger more crashes. Metric AFL + Random Seed AFL + Qualified Generation Seed Generation From these statistics and analysis, we find that the symbolic-execution-based seed generation is positive to Path 22522 26249 Branch 63371 77907 fuzzing. It not only improves the coverage but also boosts Crash 244 610 the probability of finding vulnerabilities.

The improvements in performance have two reasons. 5.1.3 Is balanced seed selection positive or negative First, symbolic execution generates seeds which can pass We implement the balanced seed selection algorithm on some complicated checks. Many paths and vulnerabilities AFL and verify whether it works or not. The result presents can only be found after passing these complicated checks. that it assists AFL in growing both the number of paths However, it is very difficult to produce these seeds by muta- and branches for each tested project. As Table 2 shows, the tion alone. Second, these seeds provide plenty of directions increase in the number of paths and branches are 12% and for fuzzing and widen the breadth of the fuzzing process. 14% respectively. And in total, it triggers 122% more unique Without these seeds, AFL may get trapped in a few easily crashes. discovered directions, which limits it to finding new paths in the later stage. As the coverage increases, the probability TABLE 2 Influence on Balanced Seed Selection of finding vulnerabilities also increases. Let us take the detail of fuzzing pcre2 from the bench- Metric AFL AFL + Balanced mark as an example, as presented in Figure 4. The num- Seed Selection ber of paths and branches are higher than with random Path 20279 22656 seeds almost from the beginning to the end. High-quality Branch 61974 70559 initial seeds bring the benefits of discovering more paths Crash 211 469 and branches to the improved version at the very beginning. With the help of qualified initial seeds, AFL executes The main reason for the performance improvement is deeper paths. The abundant directions and the ability to that the balanced selection treats each branch equally, giv- easily reach deep regions increase the coverage steadily and ing the corresponding seed a suitable number of mutation evenly. In contrast, when feeding AFL with random initial times so that each seed can generate enough meaningful seeds that have scarce directions, its speed to find new results without wasting resources. In contrast, AFL does not regions is low. Profiting from the increased coverage, the take the rarity of branches into account, which limits the improved version triggers more unique crashes in the long effectiveness. Some worthless seeds are mutated too many run. times while others are not mutated enough. As a result, in We also analyze the branch coverage when fuzzing pcre2 the same amount of time, we find more branches and paths. with initial seeds generated by random or symbolic execu- Accordingly, the probability of finding vulnerabilities also tion. As Figure 3 shows, their branch coverage is not same. increases. They both have their own unique branches but AFL finds Figure 5 shows the performance comparison of fuzzing about 3000 more unique branches when runs with qualified pcre2. In the beginning, there are no marked differences initial seeds. between them. However, because of the more balanced Qualified seed generation produces a set of high-quality choice and the reasonable energy given to seeds, all metrics initial seeds which exercise deep paths. Those seeds are ex- continue to rise while AFL cannot find new paths any more. clusive to the version with qualified initial seeds, as complex With the increase of coverage, it also triggers more crashes. 8

16000 350 AFL + qualified generation 30000 AFL + qualified generation AFL + qualified generation AFL + random generation AFL + random generation AFL + random generation 14000 300 25000 12000 250

10000 20000 200

8000 15000 150 6000

Number of paths 10000 100 Number of crashes 4000 Number of branches 5000 50 2000

0 0 0 101 102 103 104 105 101 102 103 104 105 101 102 103 104 105 time(s) time(s) time(s) (a) paths over time (b) branches over time (c) crashes over time

Fig. 4. Number of paths, branches, and unique crashes change over time for fuzzing pcre2 with seed generation.

14000 AFL + seed selection AFL + seed selection AFL + seed selection AFL AFL AFL 25000 250 12000

10000 20000 200

8000 15000 150

6000 10000 100 Number of paths

4000 Number of crashes Number of branches

5000 50 2000

0 0 0 101 102 103 104 105 101 102 103 104 105 101 102 103 104 105 time(s) time(s) time(s) (a) paths over time (b) branches over time (c) crashes over time

Fig. 5. Number of paths, branches, and unique crashes change over time for fuzzing pcre2 with seed selection.

16000 AFL+ seed mutation 30000 AFL+ seed mutation AFL+ seed mutation AFL AFL 600 AFL 14000 25000 500 12000 20000 10000 400

8000 15000 300 6000

Number of paths 10000 200 Number of crashes 4000 Number of branches 5000 100 2000

0 0 0 101 102 103 104 105 101 102 103 104 105 101 102 103 104 105 time(s) time(s) time(s) (a) paths over time (b) branches over time (c) crashes over time

Fig. 6. Number of paths, branches, and unique crashes change over time for fuzzing pcre2 with seed mutation.

From these statistics and analysis, we conclude that the The main reason for the performance improvement is balanced seed selection is positive to fuzzing. It helps AFL that the hybrid seed mutation combines the branch-reserved cover more states steadily and hunt more bugs. mutation to keep depth and the random mutation to keep breadth. As for the seeds which can cover rare branches, the branch-reserved mutation makes it possible to explore the 5.1.4 Is hybrid seed mutation positive or negative deeper paths which still contain the original rare branches. We implement the hybrid mutation strategy on AFL. As For the other seeds, the random mutation strategy is ap- Table 3 demonstrates, the total number of covered paths in- plied thus other common branches can be found with more creases 24%, the total number of branches covered increases probability. 18%, and the total number of triggered unique crashes We also use pcre2 to demonstrate more details. Figure 6 grows 123%. indicates that the growth rate of the coverage (the number of paths and branches) are almost the same at the beginning. TABLE 3 Then AFL gradually exceeds DeepFuzzer for a while. This Influence on Hybrid Seed Mutation is because the restricted mutation has some extra operations to identify and preserve rare branches, which may cost Metric AFL AFL + Hybrid Seed extra time. However, many deep paths are hidden in the Mutation regions where can only be exercised through rare branches. Path 20279 25215 Although exploring these regions costs much time and Branch 61974 73397 lowers the speed, our mutation strategy has the ability to Crash 211 471 continue raising the metrics when AFL is hard to find new 9 paths and branches. Consequently, DeepFuzzer also triggers TABLE 5 more crashes. Number of branches (two cores) From these statistics and analysis above, we find that the hybrid mutation strategy is positive to fuzzing. It improves Project AFL AFLFast FairFuzzQSYM MOPT DeepFuzzer the coverage and facilitates hunting more vulnerabilities. boringssl 9680 9897 10733 9228 9228 11320 c-ares 277 268 277 277 277 277 guetzli 5544 3403 8420 5155 8568 32521 5.1.5 DeepFuzzer performance lcms 7327 7319 6724 6911 6211 7720 libarchive 24673 25318 18919 10635 23202 27191 We integrate the qualified seed generation, balanced seed libssh 1595 1592 1595 1595 1595 1595 selection, and hybrid seed mutation to form DeepFuzzer. libxml2 34281 33413 32546 26212 54453 57048 Because they are complementary and serially connected, pcre2 75997 73711 76233 71208 73013 78552 proj4 594 592 592 594 588 2574 results get better when qualified seed generation, balanced re2 32805 32538 32419 32665 29454 33025 seed selection and hybrid seed mutation are combined. Seed ffmpeg 104618 98244 105500 46055 140297 139346 generation produces qualified seeds that reach deep regions openjpeg 4071 4471 4062 2497 4912 5018 tcpdump 21479 38596 31377 5980 46050 45025 of the program state space. Hybrid mutation strategy fur- Total 322941 329362 329397 219012 397848 441212 ther explores the program on the basis of the reachability brought by initial seeds. Balanced selection assigns each seed a reasonable mutation time. QSYM outperforms other fuzzers such as Driller and VUzzer[20] in small scale projects like LAVA-M in its pa- TABLE 4 Number of paths (two cores) per. And QSYM also applies many optimizations to scale symbolic execution to complex programs. However, in our experiments, QSYM fails to outperform DeepFuzzer in large Project AFL AFLFast FairFuzzQSYM MOPT DeepFuzzer real-world programs of Google fuzzer-test-suite. In particu- boringssl 664 697 756 716 565 766 lar, in three large programs namely ffmpeg, openjpeg, and c-ares 29 30 29 34 31 36 guetzli 511 390 912 663 749 1638 tcpdump, DeepFuzzer covers 450% more paths and 191% lcms 277 318 266 293 234 296 more branches than QSYM. From Table 6, we observe that libarchive 2238 2117 1573 1079 2032 2738 libssh 17 17 17 18 15 20 DeepFuzzer triggers more crashes than QSYM in 9 projects. libxml2 2710 2358 2318 1870 5289 5827 Table 7 shows that DeepFuzzer finds three more bugs than pcre2 11038 10719 12110 11479 11332 12568 QSYM. The main reason behind might relate to the size of proj4 64 65 61 76 58 245 re2 2113 2087 2008 2413 1367 2213 the program. Most of the programs we tested have a large ffmpeg 7676 7235 7394 1459 8110 9081 size than programs tested in QSYMs paper such as base64. openjpeg 440 534 445 276 785 645 tcpdump 1670 3899 2498 500 5232 5265 TABLE 6 Total 29447 30466 30387 20876 35799 41338 Number of crashes (two cores)

Table 4, 5, 6 compares the performance of DeepFuzzer, Project AFL AFLFast FairFuzzQSYM MOPT DeepFuzzer QSYM as well as other AFL-family fuzzers. Because QSYM boringssl 0 0 0 0 0 0 requires an AFL instance to run simultaneously and needs c-ares 6 7 9 3 9 7 guetzli 0 0 0 0 0 2 at least two cores, we also run DeepFuzzer and other lcms 20 13 48 29 0 7 fuzzers with two cores. Besides Google fuzzer-test-suite, we libarchive 0 0 0 0 0 31 also evaluate these fuzzers on three large real-world pro- libssh 0 0 0 0 0 0 libxml2 22 7 8 3 65 19 grams namely ffmpeg, openjpeg and tcpdump. The results pcre2 1361 510 840 699 439 1734 show that DeepFuzzer outperforms other fuzzers including proj4 0 0 0 0 0 0 QSYM. Table 4 and Table 5 show that DeepFuzzer has re2 3 1 1 0 0 6 ffmpeg 0 0 0 2 0 7 a higher coverage than other fuzzers. Compared to AFL, openjpeg 0 0 0 5 0 20 AFLFast, FairFuzz, QSYM, and MOPT, DeepFuzzer executes tcpdump 0 0 0 2 0 3 40%, 36%, 36%, 98%, and 15% more paths, covers 37%, 34%, Total 1412 538 906 743 513 1836 34%, 101%, and 11% branches respectively. From Table 6, we observe that DeepFuzzer triggers more unique crashes It is well known that symbolic execution suffers from than other fuzzers. DeepFuzzer crashes 10 programs while the path explosion problem in which the number of paths AFL, AFLFast, FairFuzz, QSYM, and MOPT crash 5, 5, 5, to explore grows exponentially with the program size. To 7, and 3 programs. According to the number of unique mitigate this problem, hybrid fuzzing offloads the trivial crashes triggered, DeepFuzzer achieves an improvement part of the exploration to fuzzing, and only utilizes the of 30%, 240%, 102%, 147%, and 257% compared to AFL, symbolic execution to solve the difficult part. Thus the sym- AFLFast, FairFuzz, QSYM, and MOPT. We also develop a bolic execution engine can discard a large number of trivial component that analyzes these crashes by discriminating paths and alleviate the path explosion. However, as the frames extracted from core dump files to get the number of exponential path growth is intrinsic to symbolic execution, bugs in Table 7, which have also been manually checked. It even as the optimizations in QSYM cannot either lower the shows that DeepFuzzer finds 11 bugs while AFL, AFLFast, asymptotic computational complexity, not to mention the FairFuzz, QSYM, and MOPT find 5, 5, 5, 7, 5 bugs, respec- stage of SMT solving, an NP-complete problem. When the tively. program gets larger, the cost of tracing greybox fuzzing, 10

TABLE 7 DeepFuzzer starts to feed the program with a lot of seeds Number of bugs (two cores) and monitor exceptions in the fuzzing stage. In order to boost the convenience of the fuzzing process, DeepFuzzer Project AFL AFLFast FairFuzzQSYM MOPT DeepFuzzer tries to automate all the steps as much as possible with boringssl 0 0 0 0 0 0 the toolchain module. The only thing that the test engi- c-ares 1 1 1 1 2 1 neers need to do manually is writing the corresponding guetzli 0 0 0 0 0 1 lcms 1 1 1 1 0 1 fuzzing driver, which exposes an interface to DeepFuzzer libarchive 0 0 0 0 0 1 for feeding the input and execution. The external network libssh 0 0 0 0 0 0 interface is chosen to focus on testing the protocol handlers libxml2 1 1 1 1 2 1 pcre2 1 1 1 1 1 1 of libmsg. Choosing this interface brings us three benefits: proj4 0 0 0 0 0 0 completeness for the reachability of almost all code paths re2 1 1 1 0 0 1 of libmsg, convenience for feeding input, and accuracy for ffmpeg 0 0 0 1 0 2 openjpeg 0 0 0 1 0 1 identifying vulnerabilities. tcpdump 0 0 0 1 0 1 Total 5 5 5 7 5 11 5.2.2 Typical obstacles and solutions After choosing the interface, things did not go as smoothly as we planned. We almost stumbled at each step due to collecting constraints, and solving constraints also increases. the complexity and diversity of the industrial environment. As a result, the performance gains brought by symbolic Typical obstacles that would fail other fuzzers are listed as execution tend to diminish when employing QSYM in test- follows: ing large programs. In contrast, DeepFuzzer adopts a more The first obstacle is the system build complexity. lightweight approach when invoking symbolic execution. libmsg has a complex build procedure. Due to the histor- By moving the symbolic execution forward to generate ical burden, the build scripts are a mix of bash, autoconf, initial seeds, it controls the time and resource usage and and CMake. This situation is also common for complex eliminates the cost of switching between two techniques. projects which have many dependencies in companies. It DeepFuzzer also utilizes the balanced seed selection to is tedious to manually modify a series of scripts to enable fuzzing valuable seeds, and it will quickly cover a lot of sanitizers. We solved it with the toolchain component of ”difficult” areas by hybrid seed mutation based on initial DeepFuzzer. The toolchain component can recognize differ- seeds. The results and the analysis demonstrate that when ent build systems and inject appropriate instrumentation- testing real-world software, utilizing symbolic execution to related compiler options. generate high-quality initial input seeds and fully utilize The second obstacle is the shallow bugs. When validat- them in fuzzing might be a better combination of two ing the fuzzing driver, the program crashed on virtually techniques. every seed, even the most simple ones constructed by hand. From these statistics and our findings explained in the The shallow bugs hindered further operations. We solved it analysis above, we find that DeepFuzzer has the ability by collaborating with the developer to fix these bugs. to increase not only coverage, but also the probability of The last obstacle is the bug-hiding code segments. As identifying vulnerabilities by triggering more crashes. a messaging library, libmsg is expected to handle errors and run continuously until explicitly told to exit. It simply disables the error reporting and directly exits with status 5.2 Industrial Practice code 0. Many projects also have a similar mechanism for In order to evaluate DeepFuzzer in a real industrial en- maintaining continuous availability. But the mechanism can vironment, we collaborated with engineers from Huawei also mislead fuzzers because they rely on an exit code and deployed DeepFuzzer to fuzz libmsg developed there. to identify crashes. The solution is to remove the logic libmsg is a proprietary message middleware which is which disables the error reporting mechanism and patch responsible for transferring the message of the entire dis- DeepFuzzer to detect a non-zero exit code. tributed system department. We encountered several obstacles that have failed some academic fuzzers, Driller, for ex- 5.2.3 Results ample, takes two engineers two weeks of effort to configure After overcoming those obstacles, we successfully ran Deep- but then failed. Benefiting from the toolchain of DeepFuzzer Fuzzer on libmsg. Benefiting from the adapting experience to support automatic fuzzing environment configuration, and the toolchain component of DeepFuzzer, we also suc- we overcame the obstacles and ran the program successfully. cessfully adapted AFL in the same setting. DeepFuzzer found 9 previously-unknown vulnerabilities, Table 8 shows the existing known vulnerabilities and including flaws that lead to slow resource leak, denial of the results of AFL and DeepFuzzer. It illustrates that Deep- service, and immediate system crashes. Fuzzer performs better. AFL and DeepFuzzer detects 5 and 11 vulnerabilities, respectively. Two known vulnerabilities 5.2.1 Experiment setup are found by both fuzzers. In other words, AFL and Deep- The complete fuzzing procedure for DeepFuzzer consists Fuzzer reveal 3 and 9 unknown vulnerabilities, respectively. of the preparing stage and the fuzzing stage. Steps of the For the only one memory leak vulnerability that is not preparing stage contain writing the fuzzing driver, prepar- captured by both AFL and DeepFuzzer, we find that they ing the environment, compiling hardened binary, and val- may be unable to cover some regions of the program, limited idating the fuzzing driver. When the preparation is down, by the simple fuzzing driver which converted from the 11

TABLE 8 in the development process. On the other hand, to lower the Number of vulnerabilities Detected cost, converting sample code or unit tests to form fuzzing drivers might be a convenient method. Type Known AFL DeepFuzzer In addition, some of the programs being tested use low- Incorrect exit procedure 0 2 2 level interventions such as the signal handler, which pre- File descriptor leak 0 1 1 vents DeepFuzzer and other fuzzers from detecting anoma- Reachable assertion 0 0 1 Unaligned memory access 2 2 2 lies. These workarounds are hard to locate in the source code Uncontrolled memory allocation 0 0 4 but must be found and bypassed. Besides detecting crashes, Use after free 0 0 1 fuzzers can also monitor the usage of resources. A resource Memory leak 1 0 0 utilization anomaly may also imply a bug. For example, Total 3 5 11 after investigating the exceedingly high number of execution timeouts, we find the uncontrolled memory allocation vulnerability. When the allocation is too large, the kernel simple sample code. Manual tests may have the advantage will over-commit memory, which slows down the memory of having knowledge of the program, and they can system- accesses. There are also some limitations in other aspects, for atically cover most of the interfaces and APIs. We believe example, DeepFuzzer cannot divide unique crashes caused a better driver will help DeepFuzzer solve this problem by the same bug in real-time. Its crash analyzer component and capture more vulnerabilities. Nine other previously can only work after the fuzzing process. unknown vulnerabilities are captured by DeepFuzzer. For example, the file descriptor leak can only be triggered when all file descriptors are exhausted by feeding a large number 6 RELATED WORK of inputs. However, manual tests might never detect this For the related work, we focus on generation-based fuzzing, problem because it usually feeds the program with a small mutation-based fuzzing, and symbolic execution-based number of predefined inputs. fuzzing. We also discuss the differences between these From these statistics and above analysis, we find that works and our study. DeepFuzzer can be applied in industrial practice to hunt real bugs. With the experience gained from overcoming those obstacles, it is easier to apply fuzzing on other real-world 6.1 Generation-Based Fuzzing projects. These experiences and the developed toolchain can Generation-based fuzzing generates inputs from scratch not only help DeepFuzzer, but also have some reference based on specifications. For programs which require inputs value for adapting other fuzzers on real projects. in complex formats, this fuzzing technique is especially use- ful. The specification can be separated into two categories including input model and context-free grammar. 5.3 Discussion Model-based fuzzers [21], [22], [9] employ a model of the There are some reasons for limiting the use of DeepFuzzer protocol. The model is executed on- or off-line to generate in practice. We provide below some potential methods to complex interactions with the test program. Peach [22] is enhance its functioning. an input model-based fuzzer and combines generation and Unlike static analyzers working on source code, fuzzing mutation capabilities. Peach operates by applying fuzzing is a dynamic method. Fuzzers that cannot be executed in to models of the data and the state. The data-model de- the environment of the target program are worthless. The scribes the format of the input, and the state-model defines complex environment and configurations, including the op- the ways of interacting the data with the fuzzing targets. erating system, the compiler, and the hardware, are usually Skyfire [9] generates inputs from a context-sensitive gram- vastly different thus may lead to configuration inconsis- mar model, which is learned from corpora and grammars. tency. DeepFuzzer and many advanced academic technolo- Many fuzzers [10], [23], [24], [25] generate inputs based gies are usually limited by environmental inconsistency and on context-free grammar. Csmith [10] is a C-compiler test diversity, resulting in unavailability. In order to improve the tool which can generate random C programs conforming utility, DeepFuzzer has a support layer in the toolchain, so to the C99 standard. This tool has the ability to generate it can run in almost all recent Linux versions. Despite this, programs exploring typical combinations of C-language fea- it might still be unavailable because of configuration failed. tures while free of undefined and unspecified behaviours. For example, the seed generator of DeepFuzzer does not Sirer and Bershad developed lava [23] to generate effec- support multi-threading and inline assembly code, and we tive test suites for JVM. IFuzzer [24] takes the context-free have to disable seed generation for programs that have these grammar of a language as the input to generate parse trees features. and to extract code fragments from a given test-suite. Then Missing the fuzzing driver is another threat for efficient it generates new code fragments by performing genetic fuzzing. Developing a fuzzing driver requires sufficient operations on the parse tree. domain knowledge as well as adequate understanding of Some tools try to automatically learn the specifica- fuzzing technology. Unfortunately, typically people who tion [26], [27], [28]. Glade [26] automatically synthesizes develop fuzzers lack domain knowledge while developers a context-free grammar from seeds and blackbox program with domain knowledge do not understand fuzzing. To access, and then uses the synthesized grammar in conjunc- solve this, promoting fuzzing technology is necessary, the tion with a standard grammar-based fuzzer to generate new developer needs to put writing the fuzzing drivers as a step test inputs. Learn&Fuzz [27] employs neural-network-based 12 statistical learning to automatically generate input grammar But they differ in details. DeepFuzzer applies the hybrid from sample inputs. mutation strategy which combines the random and the re- DeepFuzzer is a mutation-based fuzzer, so it differs stricted mutation strategies. Compared with FairFuzz which greatly from these tools. Though DeepFuzzer also generates only applies reserved mutation, the random mutation of inputs with lightweight symbolic execution, these inputs DeepFuzzer preserves the probability of exploring other play the role of the initial seeds to supply start points for regions so that the local convergence of FairFuzz is unlikely mutational fuzzing, and are further mutated and scheduled to occur in DeepFuzzer. Compared with ProFuzzer, the based on coverage information. mutation of DeepFuzzer is lightweight. ProFuzzer replaces each byte with all 256 values to extract features and infer the fields. In contrast, DeepFuzzer only replaces each byte 6.2 Mutation-Based Fuzzing with one random value to infer the delicate structures of Mutation-based fuzzing is a basic way to detect vulnera- the input. As a result, ProFuzzer has an additional stage to bilities when the fuzzer knows little about the program. It probe the input fields while DeepFuzzer integrates it into generates input seed by modifying the existing inputs. the mutation stage. MOPT focuses on how to select muta- Many tools [8], [12], [14], [29], [20], [13], [30] apply tion operators. Different from it, DeepFuzzer concentrates various techniques to boost the fuzzing process. AFLFast, on refining mutation operators to improve mutation quality. AFLGo, CollAFL, and VUzzer focus on improving the seed selection. AFLFast [12] proves that the process of AFL can be regarded as a Markov chain. A power schedule computes 6.3 Symbolic Execution-Based Fuzzing the times of random mutation for each seed. AFLFast carries Symbolic execution treats the input of the program as out a fast power schedule based on the path frequency of the symbols, collects the constraints to generate symbolic for- seeds executed. Similar to AFLFast, AFLGo [14] implements mulas and employs constraint solvers to find out concrete a simulated annealing-based power schedule, which helps inputs. Godefroid presents an introduction to automatic to fuzz some target areas in the codes. In particular, it pro- input generation using symbolic execution [31]. Some tools poses a way to measure the distance between the seeds and apply pure symbolic execution [32], [33], [34] while others the targets. CollAFL [29] provides more accurate coverage integrate it with other techniques [17], [35], [36]. information to mitigate path collision. It also utilizes the SAGE [32], KLEE [33], and Mayhem [34] are pure sym- coverage information to apply some seed selecting strate- bolic execution tools. SAGE uses the generational search that gies. VUzzer [20] utilizes static analyze to obtain the control better leverages expensive symbolic execution. It collects structure and prioritizes seeds which execute deep paths. constraints by actually running the program on well-formed It also uses taint analysis to help mutate seeds. FairFuzz inputs, then negates the constraints one by one and solves [13], ProFuzzer [30], and MOPT [15] focus on improving them to produce inputs. KLEE is a refined version of EXE the seed mutation. FairFuzz only mutates seeds which hit [37]. It employs a variety of constraint solving optimizations rare branches and it strives to ensure the mutant seeds and uses a heuristics search to get high code coverage. still hit the rarest ones. ProFuzzer probes the input fields KLEE runs on-line — it forks on branching in a single run, (for example, assertion, raw data, off-size) and adapts the which differs from SAGE — working on execution traces mutation strategy to them. MOPT schedules the mutation off-line. Mayhem combines them by alternating between on- operators based on Particle Swarm Optimization. line and off-line. It can automatically find exploitable bugs Compared with these tools, DeepFuzzer considers the in binary programs. Although these tools are powerful, the seed generation, seed selection, and seed mutation make up path explosion problem is still inevitable. a whole fuzzing process and coordinates them to gain an Driller [17] integrates symbolic execution and mutation- edge over other fuzzers. The process of seed generation is based fuzzing to mitigate the path explosion problem. It uti- lacked in all of these tools. For seed selection, DeepFuzzer lizes quick fuzzing to explore most of the paths and switches controls the mutation times like AFLFast and AFLGo. The to symbolic execution to solve complex constraints when the difference is that DeepFuzzer attributes the times by branch fuzzer gets stuck. QSYM [18] makes hybrid fuzzing scalable frequency, which associates with the state space of the enough to test real-world applications. VeriFuzz [38] com- program more tightly than path frequency. CollAFL, VUzzer bines fuzzing with static analysis, and it uses constraint- and DeepFuzzer all collect the branch coverage, but in- solver to generate initial seeds. Some tools [35], [36] combine put selection schemes are different. CollAFL utilizes the taint analysis and symbolic execution. The basic idea is topology of blocks to calculate the number of untouched guiding symbolic execution towards vulnerable parts found neighbour branches when fuzzing, which determines the by taint analysis. They work on a limited class of bugs and weight of an input. Similarly, VUzzer also utilizes the topol- need the user to specify attack points. ogy to assign higher weights to deeply nested basic blocks. Compared with pure symbolic execution tools, Deep- Then it prioritizes deep paths by selecting seeds based on Fuzzer strictly limits the constraint solving time to prevent the sum of the weights of all the basic blocks covered. wasting too much computing resources with unnecessary Differently, DeepFuzzer is unaware of the structure of the explorations. Beyond this, DeepFuzzer utilizes symbolic target program. It utilizes the branch count statistics to infer execution only in the beginning to produce initial seeds. rare branches and calculate the weights. The essential difference between DeepFuzzer and Driller For seed mutation, DeepFuzzer, FairFuzz, and ProFuzzer or QSYM is the usage of symbolic execution. DeepFuzzer all recognize the critical bytes which influence the execution utilizes it for generating high-quality seeds while Driller or behaviour of the target problem through per-byte mutation. QSYM applies it to overcome complex checks when fuzzing 13 gets stuck. VeriFuzz also generates seeds with constraint- [2] B. P. Miller, D. Koski, C. P. Lee, V. Maganty, R. Murthy, A. Natara- solver. But it and Driller use a blind mutation strategy. jan, and J. Steidl, “Fuzz revisited: A re-examination of the reliability of UNIX utilities and services,” University of Wisconsin- Although they pass checks with the help of symbolic exe- Madison Department of Computer Sciences, Tech. Rep., 1995. cution, they are likely to get stuck again. In contrast, Deep- [3] “libFuzzer in Chrome,” https://chromium.googlesource.com/ Fuzzer has the ability to reserve the result of the symbolic chromium/src/+/master/testing/libfuzzer/README.md, 2017, execution by only mutating bytes at limited positions in [Online; accessed 12-November-2017]. [4] “Continuous fuzzing for open source soft- restricted ways. ware,” https://opensource.googleblog.com/2016/12/ In the evaluation section, we mainly compared Deep- announcing-oss-fuzz-continuous-fuzzing.html, 2016, [Online; Fuzzer with AFL, AFLFast, FairFuzz, QSYM, and MOPT. accessed 26-January-2018]. They are chosen because they are the most relevant and [5] “SDL PROCESS: VERIFICATION,” https://www.microsoft. com/en-us/SDL/process/verification.aspx, [Online; accessed are state-of-the-art fuzzers. For example, QSYM is the most 26-January-2018]. recently developed symbolic execution aided fuzzing tool, [6] “Microsoft Security Risk Detection (”Project Springfield”),” and performs better than AFL and Driller as stated in its https://www.microsoft.com/en-us/research/project/ paper [18]. For a fair comparison, some other recent works project-springfield/, 2015, [Online; accessed 26-January-2018]. [7] “A Basic Distributed Fuzzing Framework for are excluded. They include some works which are not FOE,” http://blogs.adobe.com/security/2012/05/ much related, such as Skyfire, a generation-based fuzzer, a-basic-distributed-fuzzing-framework-for-foe.html, 2012, or fuzzers that have different purposes, such as AFLGo, [Online; accessed 28-January-2018]. a patch testing fuzzer, or that are known not to be high [8] M. Zalewski, “American fuzzy lop,” 2015. [9] J. Wang, B. Chen, L. Wei, and Y. Liu, “Skyfire: Data-driven seed performing, such as FidgetyAFL, or that have engineering generation for fuzzing,” 2017. problems, as with Driller. It took us one month to try to cus- [10] X. Yang, Y. Chen, E. Eide, and J. Regehr, “Finding and understand- tomize Driller on Google benchmark, but we failed. Driller ing bugs in C compilers,” in ACM SIGPLAN Notices, vol. 46, no. 6. ACM, 2011, pp. 283–294. is designed for testing the CGC binaries in cluster. The [11] G. Klees, A. Ruef, B. Cooper, S. Wei, and M. Hicks, “Evaluating property of cluster fuzzing implies the high cost of configur- fuzz testing,” in Proceedings of the 2018 ACM SIGSAC Conference on ing the environment, for example messaging middlewares Computer and Communications Security. ACM, 2018, pp. 2123–2138. and databases. The property of CGC-oriented implies the [12]M.B ohme,¨ V.-T. Pham, and A. Roychoudhury, “Coverage-based greybox fuzzing as markov chain,” in Proceedings of the 2016 lack of environment modelling and system call support. ACM SIGSAC Conference on Computer and Communications Security. It is impossible to run applications in Google fuzzer-test- ACM, 2016, pp. 1032–1043. suite when emulation of mmap() is missing. In addition, [13] C. Lemieux and K. Sen, “Fairfuzz: A targeted mutation strategy Driller only supports standard input, but these applications for increasing greybox fuzz testing coverage,” in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software all require file input. LibFuzzer is also excluded because of Engineering. ACM, 2018, pp. 475–485. the engineering problem. libFuzzer will shut down when [14]M.B ohme,¨ V.-T. Pham, M.-D. Nguyen, and A. Roychoudhury, “Di- it finds a crash, while other tools continue fuzzing unless rected greybox fuzzing,” in Proceedings of the 2017 ACM SIGSAC manually terminated. Conference on Computer and Communications Security (CCS17), 2017. [15] C. Lyu, S. Ji, C. Zhang, Y. Li, W.-H. Lee, Y. Song, and R. Beyah, “{MOPT}: Optimized mutation scheduling for fuzzers,” in 28th 7 CONCLUSION {USENIX} Security Symposium ({USENIX} Security 19), 2019, pp. 1949–1966. In this paper, we propose DeepFuzzer, which applies sym- [16] M. Wang, J. Liang, Y. Chen, Y. Jiang, X. Jiao, H. Liu, X. Zhao, bolic seed generation, balanced seed selection, and hybrid and J. Sun, “Safl: increasing and accelerating testing coverage seed mutation to the acceleration of deep greybox fuzzing. with symbolic execution and guided fuzzing,” in Proceedings of The light-weight symbolic execution supplies high-quality the 40th International Conference on Software Engineering: Companion Proceeedings. ACM, 2018, pp. 61–64. initial seeds which contain abundant mutation information. [17] N. Stephens, J. Grosen, C. Salls, A. Dutcher, R. Wang, J. Corbetta, The seed selection and mutation take full account of branch Y. Shoshitaishvili, C. Kruegel, and G. Vigna, “Driller: Augmenting coverage balance to decide how to select and mutate seeds Fuzzing Through Selective Symbolic Execution.” in NDSS, vol. 16, to ensure depth and breadth. Evaluated on Google fuzzer- 2016, pp. 1–16. [18] I. Yun, S. Lee, M. Xu, Y. Jang, and T. Kim, “QSYM: A Practical test-suite, DeepFuzzer outperforms other commonly used Concolic Execution Engine Tailored for Hybrid Fuzzing,” in 27th fuzzers, and it is capable of exploring a wider program USENIX Security Symposium (USENIX Security 18), 2018, pp. 745– state space and triggering more crashes. In addition, we 761. [19] J. C. King, “Symbolic execution and program testing,” Communi- apply DeepFuzzer in a complex industrial development en- cations of the ACM, vol. 19, no. 7, pp. 385–394, 1976. vironment to fuzz a real-world program libmsg of Huawei. [20] S. Rawat, V. Jain, A. Kumar, L. Cojocar, C. Giuffrida, and H. Bos, We set out the main obstacles and relevant solutions. After “Vuzzer: Application-aware evolutionary fuzzing,” in Proceedings overcoming these obstacles, DeepFuzzer performed well of the Network and Distributed System Security Symposium (NDSS), 2017. and reported 9 previously-unknown bugs. This engineering [21] “Fuzzer Automation with SPIKE,” http://resources. practice and the developed toolchain provide some refer- infosecinstitute.com/fuzzer-automation-with-spike/, [Online; ences for fuzzing other industrial software. Our future work accessed 12-February-2018]. focuses in two directions. The first is to support concurrency [22] M. Eddington, “Peach fuzzing platform,” Peach Fuzzer, p. 34, 2011. [23] E. G. Sirer and B. N. Bershad, “Using production grammars in for the seed generator, and the other is to integrate the software testing,” in ACM SIGPLAN Notices, vol. 35, no. 1. ACM, resource utilization to guide greybox fuzzing. 1999, pp. 1–13. [24] S. Veggalam, S. Rawat, I. Haller, and H. Bos, “Ifuzzer: An evolu- EFERENCES tionary interpreter fuzzer using genetic programming,” in Euro- R pean Symposium on Research in Computer Security. Springer, 2016, [1] B. P. Miller, L. Fredriksen, and B. So, “An empirical study of the pp. 581–601. reliability of UNIX utilities,” Communications of the ACM, vol. 33, [25] C. Holler, K. Herzig, and A. Zeller, “Fuzzing with Code Frag- no. 12, pp. 32–44, 1990. ments.” in USENIX Security Symposium, 2012, pp. 445–458. 陈元亮

2017级硕士生 2013.9-2017.6 南京大学研究方向：内存安全模糊测试

SIDAR Workshop, DIMVA 2004, Dortmund, Germany, July 6.7, 2004, Xin Yang received the BS degree in software en- Proceedings, 2004, pp. 161–173. gineering from Beijing Jiaotong University, Bei- [31] M. Bourquin, A. King, and E. Robbins, “Binslayer: accurate com- jing, China, in 2016. She is currently working parison of binary executables,” in Proceedings of the 2nd ACM SIG- toward the M.S. degree in software engineering PLAN Program Protection and Reverse Engineering Workshop 2013, 池婧雯 at Tsinghua University, Beijing, China. PPREW@POPL 2013, January 26, 2013, Rome, Italy, pp. 4:1–4:10. Her research interests include binary vulnera- [32] J. Munkres, “Algorithms for the assignment and transportation bility search, machine learning in program anal- problems,” Journal of the Society for Industrial Applied Mathematics, 2017级硕士生 ysis and their applications to industry. vol. 5, no. 1, pp. 32–38, 1957. [33] L. Jiang, G. Misherghi, Z. Su, and S. Glondu, “Deckard: Scalable2013.9-2017.6 清华大学 and accurate tree-based detection of code clones,” 29th Interna-研究方向：测试用例生成 tional Conference on Software Engineering (ICSE’07). [34] D. Gao, M. K. Reiter, and D. X. Song, “Binhunt: Automatically finding semantic differences in binary programs,” in Information and Communications Security, 10th International Conference, ICICS 2008, Birmingham, UK, October 20-22, 2008, 2008, pp. 238–255. [35] M. Egele, M. Woo, P. Chapman, and D. Brumley, “Blanket ex- 14 Cong Wang is a PhD student in School of Soft- ecution: Dynamic similarity testing for program binaries and ware, Tsinghua University. He received his B.S. [26] O.components,” Bastani, R. Sharma, in A. Aiken, and P. Liang,, 2014. “Synthesizing pro- Mingzhe Wang received the BS degree in USENIX Security Symposium degree in the School of Software, Tsinghua Uni- [36] gramZ. Li, input D. Zou, grammars,” S. Xu, H. in Jin,Proceedings H. Qi, and of the J. 38th Hu, ACM “Vulpecker: SIGPLAN an software engineering from Beijing University of versity in 2015. His research interest is program Conferenceautomatedon vulnerability Programming detection Language system Design based and onImplementation code similarity. Posts and Telecommunications, Beijing, China, analysis, software testing and deep learning. ACM,analysis,” 2017, in pp. 95–110. in 2018. He is currently working toward the Ph.D. Proceedings of the 32nd Annual Conference on Computer His research interests include binary vulner- [27] P. Godefroid, H. Peleg, and R. Singh,, 2016, “Learn&fuzz: pp. 201–213. Machine degree in software engineering at Tsinghua Uni- Security Applications, ACSAC 2016, USA ability search, binary clone detection, machine [37] learningZ. Li, D. Zou, for input S. Xu, fuzzing,” X. Ou, H. in Jin,Proceedings S. Wang, Z. of Deng, the 32nd and IEEE/ACM Y. Zhong, versity, Beijing, China. His research interests in- learning in program analysis and their applica- International“Vuldeepecker: Conference A deep on learning-based Automated Software system Engineering for vulnerability. IEEE clude program analysis and its applications to tions to industry. Press,detection,” 2017,CoRR pp. 50–59., vol. abs/1801.01681, 2018. industry. Ì¸· ¿®¬·½´» ¸¿ ¾»»² ¿½½»°¬»¼ º±® °«¾´·½¿¬·±² ·² ¿ º«¬«®» ·«» ±º ¬¸· ¶±«®²¿´ô ¾«¬ ¸¿ ²±¬ ¾»»² º«´´§ »¼·¬»¼ò Ý±²¬»²¬[28][38]M.H ³¿§M. ½¸¿²¹» White,oschele¨ °®·±® M. ¬± and º·²¿´ Tufano, °«¾´·½¿¬·±²ò A. Zeller, C. Vendome, Ý·¬¿¬·±² “Mining ·²º±®³¿¬·±²æ and input D. ÜÑ× grammars Poshyvanyk, ïðòïïðçñÌÝòîðïéòîéëðïìêô from “Deep dy- ×ÛÛÛ namiclearning taints,” code in fragmentsProceedings for of code the 31st clone IEEE/ACM detection,” International Ì®¿²¿½¬·±² ±² Ý±³°«¬»® 2016 31st ConferenceIEEE/ACM on International Automated Conference Software Engineering on Automated. Software ACM, 2016, Engineer- pp. ing (ASE), 2016. 王明哲 ×ÛÛÛ ÌÎßÒÍßÝÌ×ÑÒÍ ÑÒ ÝÑÓÐËÌÛÎÍ ÔßÌÛÈ ÝÔßÍÍ Ú×ÔÛÍô ÊÑÔò ô ÒÑò ô îðïé 720–725. ïð [29] S. Gan, C. Zhang, X. Qin, X. Tu, K. Li, Z. Pei, and Z. Chen, “CollAFL: Path sensitive fuzzing,” in 2018 IEEE Symposium on 2018级直博生 ÅéÃ Öò Éò Þ±ô Õò Ûò Ô¿«¬»®ô Öò Ô±º¬«ô ¿²¼ Óò Ò¿»¸®·¹ò ×³°®±ª»¼ »½«®·¬§ ÅíïÃSecurity Íò Íò Î±§ô and Ñò Privacy Î»°¿®¿¦ô (SP) Úò. Ê»®½¿«¬»®»²ô IEEE, 2018, ¿²¼ pp. ×ò Ê»®¾¿«©¸»¼»ò 679–696. Ý±³°¿½¬ 14 [30] W. You, X. Wang, S. Ma, J. Huang, X. Zhang, X. Wang, and 北京邮电大学Xun Jiao isis an an assistant assistant professor professor in in the the ECE ECE º±® ¿ ®·²¹ó¾¿»¼ º«´´§ ¸±³±³±®°¸·½ »²½®§°¬·±² ½¸»³»ò ×² Ý®§°¬±¹®¿°¸§ ¿²¼ ·¼» ½¸¿²²»´ ®»·¬¿²¬ ¼·½®»¬» ¹¿«·¿² ¿³°´·²¹ô îðïìò 2014.9-2018.6 department of Villanova University. He obtained ¿²¼ Ý±¼·²¹ ó ïì¬¸ ×Óß ×²¬»®²¿¬·±²¿´ Ý±²º»®»²½»ô ×ÓßÝÝ îðïíô Ñ¨º±®¼ô ÅíîÃB.SIDAR Íò Íò Liang, Î±§ô Workshop, Úò “ProFuzzer: Ê»®½¿«¬»®»²ô DIMVA ÒòOn-the-fly Ó»²¬»²ô2004, Dortmund, ÜòInput Üò Ý¸»²ô Type Germany, ¿²¼ Probing ×ò Ê»®¾¿«©¸»¼»ò July for 6.7, Better 2004, Xin Yang received the BS degree in software en- Jian Gao received the BS degree in software the Ph.D. degree from from the the department department of of Com- Com- ËÕô Ü»½»³¾»® ïéóïçô îðïíò Ð®±½»»¼·²¹ô °¿¹» ìëŠêìô îðïíò Ý±³°¿½¬Zero-DayProceedings Î·²¹óÔÉÛ Vulnerability, 2004, pp. Ý®§°¬±°®±½»±®ò 161–173. Discovery,” ×² inÝ®§°¬±¹®¿°¸·½ProFuzzer: On-the-fly Ø¿®¼©¿®» ¿²¼ Input研究方向：内存安全模糊测试gineering from Beijing Jiaotong University, Bei- engineering from Beijing University of Posts and puter Science and Engineering at the University ÅèÃ Íò Þò Íò ß¸³¿¼ Þ±±®¹¸¿²§ ¿²¼ Îò Ö¿´·´·ò Ñ² ½±²¬®¿·²»¼ ·³°´»³»²¬¿¬·±² [31]Û³¾»¼¼»¼Type M. Bourquin, Probing Í§¬»³ for A. Better ó King, ÝØÛÍ Zero-Day and îðïì E.ô ª±´«³» Robbins,Vulnerability èéíïô “Binslayer: °¿¹» Discovery íéïŠíçïò accurate. IEEE, îðïìò 2019, com- jing, China, in 2016. She is currently working Telecommunications, Beijing, China, in 2016. He of California, San Diego. He received the dual ±º ´¿¬¬·½»ó¾¿»¼ ½®§°¬±¹®¿°¸·½ °®·³·¬·ª» ¿²¼ ½¸»³» ±² ³¿®¬ ½¿®¼ò ÅííÃp.parison Øò 0. Í»±ô Æò of Ô·«ô binary Ìò Ð¿®µô executables,” Øò Õ·³ô Çò in Ô»»ôProceedings Öò Ý¸±· ¿²¼ of the Øò Õ·³ò2nd ACM Ð¿®¿´´»´ SIG- toward the M.S. degree in software engineering is currently working toward the Ph.D. degree bachelor’sbachelors degree degree from from the the Beijing Beijing University University of Ý®§°¬±´±¹§ »Ð®·²¬ ß®½¸·ª»ô Î»°±®¬ îðïìñëïìô îðïìò ¸¬¬°æññ»°®·²¬ò·¿½®ò [31] ×³°´»³»²¬¿¬·±²P.PLAN Godefroid, Program ±º “Test Protection ÔÛßò generation×²º±®³¿¬·±² and Reverse usingÍ»½«®·¬§ Engineering symbolic ¿²¼ Ý®§°¬±´±¹§ Workshop execution,” Š ×Ý×ÍÝ 2013, in at Tsinghua University, Beijing, China. in software engineering at Tsinghua University, ofPosts Posts and and Telecommunications, Telecommunications, China China and and the ±®¹ñîðïìñëïìò°¼ºò îðïíIARCSPPREW@POPLô °¿¹» Annual îëêóîéìô Conference 2013, Í°®·²¹»® January on ×²¬»®²¿¬·±²¿´ Foundations 26, 2013, Rome, Ð«¾´·¸·²¹ô of Software Italy, îðïìò pp. Technology 4:1–4:10. and Her research interests include binary vulnera- Beijing, China. the Queen Mary University of London, United ÅçÃ ßò Þ±±®¹¸¿²§ ¿²¼ Îò Ö¿´·´·ò ×³°´»³»²¬¿¬·±² ¿²¼ Ý±³°¿®·±² ±º Ô¿¬¬·½»ó [32]ÅíìÃTheoretical J. Øò Munkres, Í»±ô Öò Ý¸±·ô Computer “Algorithms Øò Õ·³ô Science Ìò for Ð¿®µô (FSTTCS the Øò assignment Õ·³ò 2012) Ð»«¼±. and Schloss Î¿²¼±³ transportation Dagstuhl- Ò«³¾»® Queenbility search, Mary Universitymachine learning of London, in program United King- anal- His research interests include binary vulner- Kingdom, in 2013. His research interests include Ù»²»®¿¬±®Leibniz-Zentrumproblems,” ¿²¼Journal Ø¿¸ fuerÚ«²½¬·±² of the Informatik, Society º±® Û³¾»¼¼»¼ for 2012. Industrial Ó·½®±°®±½»±®ò Applied Mathematics ×² ×ÛÛÛ , dom,ysis and in their 2013. applications His research to industry. interests include ability search, binary clone detection, machine error-tolerant computing and machine learning. Ý®§°¬±´±¹§ »Ð®·²¬ ß®½¸·ª»ô Î»°±®¬ îðïìñðéèô îðïìò ¸¬¬°æññ»°®·²¬ò·¿½®ò [32] É±®´¼P.vol. Godefroid, 5, Ú±®«³ no. 1, ±² pp. M. ×²¬»®²»¬ 32–38, Y. Levin, ±º1957. Ì¸·²¹ D. A.ô Molnar ÉÚó×±Ìùïìôet al. °¿¹», “Automated íéŠìðô Í»±«´ô white- error-tolerant computing and machine learning. learning in program analysis and their applica- ±®¹ñîðïìñðéèò°¼ºò [33]Õ±®»¿ôbox L. Jiang, fuzz îðïìò testing.”G. ×ÛÛÛò Misherghi, in Z. Su,, vol. and 8, 2008, S. Glondu, pp. 151–166. “Deckard: Scalable tionsNDSS to industry. ÅïðÃ Üò Ý¿³¿®¿¿²¼ô˜ ÝòÐÔ Ù±«ª»¿ô˜ Öò Ô±°»¦l ¿²¼ Îò Ü¿¸¿¾ò Ú¿¬ Í±º¬ó [33]ÅíëÃ C.and Øò Cadar,Í»±ô accurate Æò D. Ô·«ô tree-based Dunbar, Öò Ù®±A½¸ D. detection¿¼´ôx R. Öò Engler Ý¸±· of ¿²¼ codeet al. Øò, clones,”Õ·³ “KLEE: Ó±²¬¹±³»®§29th Unassisted Interna- ©¿®» Ð±´§²±³·¿´ Ó«´¬·°´·½¿¬·±² ±² ßÎÓ Ð®±½»±® «·²¹ ¬¸» ÒÛÑÒ Ó±¼«´¿®andtional Automatic Conference Ó«´¬·°´·½¿¬·±² Generation on Software ±² ßÎÓóÒÛÑÒ Engineeringof High-Coverage ®»ª··¬»¼ò (ICSE’07)×²º±®³¿¬·±² Tests. for Í»½«®·¬§ Complex Û²¹·²»ô Í»½«®·¬§ Û²¹·²»»®·²¹ ¿²¼ ×²¬»´´·¹»²½» ×²º±®³¿¬·½ô °¿¹» ïíéŠ [34]¿²¼Systems D. Ý®§°¬±´±¹§Gao,Programs.” M. K. Š ×Ý×ÍÝ Reiter, in îðïì andOSDIô °¿¹» D., vol. X. íîèŠíìîô 8,Song, 2008, “Binhunt: Í°®·²¹»®ô pp. 209–224. îðïìò Automatically ïëìô Í°®·²¹»®ô îðïíò [34]ÅíêÃ S.finding Øò K. Í»±ô Cha, semanticÆò T. Ô·«ô Avgerinos, Öò differences Ù®±A½¸ A.x Rebert, in binary and programs,” D. Brumley, in “UnleashingInformation ÅïïÃ Ë²·ª»®·¬§ ±º É¿¬»®´±±ô Ý¿²¿¼¿ò Ý®§°¬±É±®µîïŒô ¿ª¿·¿¾´» ·² ¸¬¬°æññ ßÎÓóÒÛÑÒand Communications ¿²¼ ×¬ ß°°´·½¿¬·±² Security, º±® 10th Ø·¹¸óÍ°»»¼ International ÎÍß Conference, ×³°´»³»²¬¿¬·±²ò ICICS mayhem on binary code,” in Security and Privacy (SP), 2012 IEEE Yuanliang Chen received the BS degree in soft- ½®§°¬±©±®µîïò¿´¾»®¬±½±²²±®ò½¿ñ¿¾±«¬ñ ßª¿·´¿¾´»Symposium2008, Birmingham, ·² ×ßÝÎ on. »Ð®·²¬IEEE, UK,¸¬¬°æññ»°®·²¬ò·¿½®ò±®¹ñîðïëñìêëò°¼ºô 2012, October pp. 20-22, 380–394. 2008, 2008, pp. 238–255. îðïëò [35] M. Egele, M. Woo, P. Chapman, and D. Brumley, “Blanket ex- Zijiangware engineering Yang is a professor from Nanjing in computer University, science Nan- ÅïîÃ Ìò Ý±®³»²ô Ýò Ô»·»®±²ô ¿²¼ Îò Î·ª»¬ò ×²¬®±¼«½¬·±² Ì± ß´¹±®·¬¸³ò [35]ÅíéÃ I. ÓòÖòÑ Haller, Í¿¿®·²»²¿²¼ A. Slowinska,Yu ¿²¼ Jiang ÞòÞò M. Neugschwandtner, Þ®«³´»§òreceived Ô·¹¸¬»®ô the BS Ú¿¬»®ô and degree H. ¿²¼ Bos, in Ý±²¬¿²¬ó software “Dows- Cong Wang is a PhD student in School of Soft- ecution: Dynamic similarity testing for program binaries and atjing, Western China, Michigan in 2017. University. He is currently He holds working a Ph.D. to- ¸¬¬°æññ¬¿ººò«¬½ò»¼«ò½²ñü²·³ü½´·ñ¹®¿¼«¿¬»ñ¿´¹±®·¬¸³ñ¾±±µêñ¬±½ò¸¬³ò Ì·³»æing for É¸·®´Þ±¾ô Overflows: ¬¸»engineering É¸·®´°±±´ A Guided ª¿®·¿²¬ from Fuzzer ±º Beijing Í¬®·Þ±¾ò to FindUniversity ×ßÝÎ Buffer »Ð®·²¬ of BoundaryPosts ¸¬¬°æ and ware, Tsinghua University. He received his B.S. components,” in USENIX Security Symposium, 2014. fromward the the Ph.D. University degree of in Pennsylvania, software engineering an M.S. at ññ»°®·²¬ò·¿½®ò±®¹ñîðïìñëðïò°¼ºôViolations.” in USENIXTelecommunications Security îðïìò Symposium in 2010,, 2013, and pp. the 49–64. PhD de- degree in the School of Software, Tsinghua Uni- [36] Z. Li, D. Zou, S. Xu, H. Jin, H. Qi, and J. Hu, “Vulpecker: an fromTsinghua Rice University, University Beijing,and a B.S. China. from His the research Univer- ½·»²¬ Í±º¬©¿®» ×³°´»³»²¬¿¬·±² ±º Î·²¹óÔÉÛ Û²½®§°¬·±²ò ïè¬¸ Ü»·¹²ô [36] M. Neugschwandtner,gree P. in Milani computer Comparetti, science from I. Haller, Tsinghua and H.Univer- Bos, 苏卓 versity in 2015. His research interest is program automated vulnerability detection system based on code similarity sityinterests of Science include and program Technology analysis of China. and its Before appli- ß«¬±³¿¬·±² ú Ì»¬ ·² Û«®±°» Ý±²º»®»²½» ú Û¨¸·¾·¬·±² Š ÜßÌÛ îðïëô ¬±§¬»³ ±² ³±¬» »²±®sity in 2015. ø¸±®¬ He °¿°»®÷ worked ×² ×²¬»®²¿¬·±²¿´ as a Postdoc Ý±²º»®»²½» researcher analysis, software testing and deep learning. “Theanalysis,” borg: in Nanoprobing binaries for buffer overreads,” in Proceed- joiningcations WMU to industry. he was an associate research staff îðïëò ±² ×²º±®³¿¬·±²Proceedings ¿²¼ Ý±³³«²·½¿¬·±²in the of department the 32nd Í»½«®·¬§ Annual ofô computer °¿¹» Conference ëïçŠëîèò science on Í°®·²¹»®ô Computer of Uni- His research interests include binary vulner- ings of the 5th ACM Conference on Data and, 2016, Application pp. 201–213. Security and 级直博生 member at NEC Labs America. His research ÅïìÃ Ôò Ü«½¿ò Ô¿¬¬·½» ¾¿»¼ ·¹²¿¬«®»æ ß¬¬¿½µô ¿²¿´§· ¿²¼ ±°¬·³·¦¿¬·±²ò îððêò郭建敏Security Applications,versity ACSAC of Illinois 2016, at USA Urbana-Champaign, IL, USA, 2018 ability search, binary clone detection, machine [37]Privacy Z. Li, D.. Zou, ACM, S. Xu, 2015, X. pp. Ou, 87–97. H. Jin, S. Wang, Z. Deng, and Y. Zhong, interests are in the area of software engineering Ð¸òÜ Ì¸»·ô îðïíò ¸¬¬°æññ½»©»¾ò«½¼ò»¼« ´¼«½¿ñÌ¸»·ñ·²¼»¨ò¸¬³´ò ÅíçÃ Öò É¿²¹ô ÐòÕò Ê¿¼²¿´¿ôin Öò 2016, Ù®±A½¸ and¿¼´x is ¿²¼ now Ïò È«ò an Ø·¹¸»®óÑ®¼»® assistant professor Ó¿µ·²¹ in learning in program analysis and their applica- [37] C.“Vuldeepecker: Cadar, V. Ganesh, A deep P. learning-based M. Pawlowski, system D. L. for Dill, vulnerability and D. R.2014.9-2018.6东北大学with the primary focus on the testing, debugging ÅïëÃ Ð±¬ó¯«¿²¬«³ ½®§°¬±¹®¿°¸§ º±® ´±²¹ó¬»®³ »½«®·¬§ ÐÏÝÎÇÐÌÑ ×ÝÌó ·² Ð®¿½¬·½»æ ß Ê»½¬±®Tsinghua ×³°´»³»²¬¿¬·±² University. ±º Ó¿µ»¼ His ßÛÍcurrent º±® researchßÎÓ ÒÛÑÒò inter- tions to industry. êìëêîîŒ ¸¬¬°æññ°¯½®§°¬±ò»«ò±®¹ñ·²¼»¨ò¸¬³´ Ì±°·½Engler,detection,”级直博生 ·² Ý®§°¬±´±¹§“EXE:CoRR automatically, vol.Š ÝÌóÎÍß abs/1801.01681, îðïë generatingô °¿¹» 2018.ïèïŠïçèô inputs Í°®·²¹»®ô of death,” îðïëòACM and verification of software systems. He is a 2017Transactions on Informationests include and domainSystem Security specific (TISSEC) modeling,, vol. formal 12, 陈元亮 senior member of IEEE. Ì¸· ¿®¬·½´»ÅïêÃ ¸¿ ¾»»² Òò Ù¿½½»°¬»¼±¬¬»®¬ôx º±® Ìò °«¾´·½¿¬·±² Ú»´´»®ô Óò ·² ¿ Í½¸²»·¼»®ôº«¬«®» ·«» ±º Öò ¬¸· Þ«½¸³¿²²ô ¶±«®²¿´ô ¾«¬ ¸¿ ¿²¼ ²±¬ Íò ¾»»² Ø«ò º«´´§ »¼·¬»¼ò Ñ² Ý±²¬»²¬[38] ³¿§ M. ½¸¿²¹» White, °®·±® M. ¬± º·²¿´ Tufano, computation°«¾´·½¿¬·±²ò C. Vendome, Ý·¬¿¬·±² model, ·²º±®³¿¬·±²æ and formal D. ÜÑ× verificationPoshyvanyk, ïðòïïðçñÌÝòîðïéòîéëðïìêô and “Deep their ×ÛÛÛ ¬¸» Ü»·¹² ±º Ø¿®¼©¿®» Þ«·´¼·²¹ Þ´±½µ º±® Ó±¼»®² Ô¿¬¬·½»óÞ¿»¼ ¿®·¬¸³»¬·½òno.learning 2, p.北京邮电大学 10, code×ÛÛ 2008. fragments Ð®±½»»¼·²¹ for Š Ý±³°«¬»® code clone ¿²¼ detection,” Ü·¹·¬¿´ Ì»½¸²·¯«»2016 31stô Ì®¿²¿½¬·±²2013.9-2017.6 ±²[38] applicationsÝ±³°«¬»® A. B. Chowdhury, in embedded R.systems. K. Medicherla, and R. Venkatesh, “VeriFuzz: Û²½®§°¬·±² Í½¸»³»ò Ý®§°¬±¹®¿°¸·½ Ø¿®¼©¿®» ¿²¼ Û³¾»¼¼»¼ Í§¬»³Š ïìçøî÷æìêŠëîôIEEE/ACM International Ó¿®ò îððîò Conference on Automated Software Engineer- 2017级硕士生 ÝØÛÍ îðïîô éìîèæëïîŠëîçô îðïîò Programing (ASE), aware 2016. fuzzing,” in International Conference on Tools and ×ÛÛÛ ÌÎßÒÍßÝÌ×ÑÒÍ ÑÒ ÝÑÓÐËÌÛÎÍ ÔßÌÛÈ ÝÔßÍÍ Ú×ÔÛÍô ÊÑÔò ô ÒÑò研究方向：深度学习系统测试 ô îðïé ïð ÅïéÃ ÝòÐÔ Ù±«ª»¿˜ ¿²¼ Öò Ô±°»¦l ×³°´»³»²¬·²¹ ÙÝÓ ±² ßÎÓªèò Ì±°·½ ·² Algorithms for the Construction and Analysis of Systems. Springer,2013.9-2017.6 南京大学Houbing Song received the PhD degree in elec- Ý®§°¬±´±¹§ Š ÝÌóÎÍß îðïëô °¿¹» ïêéŠïèðô Í°®·²¹»®ô îðïëò 2019, pp. 244–249. trical engineering from the University of Virginia, 研究方向：内存安全模糊测试Charlottesville, VA, in August 2012. In August ÅéÃ Öò Éò Þ±ô Õò Ûò Ô¿«¬»®ô Öò Ô±º¬«ô ¿²¼ Óò Ò¿»¸®·¹ò ×³°®±ª»¼ »½«®·¬§ ÅíïÃ Íò Íò Î±§ô Ñò Î»°¿®¿¦ô Úò Ê»®½¿«¬»®»²ô ¿²¼ ×ò Ê»®¾¿«©¸»¼»ò Ý±³°¿½¬ Jiaguang2017,Xun Jiao he joined Sunis anreceived assistant the Department the professor BS degree of in Electrical, the in ECE au- Ð¿·®·²¹ ±² ßÎÓ Ð®±½»±®ò Í»´»½¬»¼ ß®»¿ ·² Ý®§°¬±¹®¿°¸§ Š ÍßÝ Æ¸»Zhe Ô·« Liu received®»½»·ª»¼ ¸· his Ð¸òÜ Ph.D ¼»¹®»» degree Ô¿¾±®¿¬±®§ from the Lab- ±º º±®îðïî ¿ ®·²¹ó¾¿»¼ô ééðéæïìçŠïêëô º«´´§ ¸±³±³±®°¸·½ îðïîò »²½®§°¬·±² ½¸»³»ò ×² Ý®§°¬±¹®¿°¸§ ¿²¼ ·¼» ½¸¿²²»´ ®»·¬¿²¬ ¼·½®»¬» ¹¿«·¿² ¿³°´·²¹ô îðïìò tomationComputer,department science Software, of Villanova from and Tsinghua University. Systems University Engineering, He obtained in ¿²¼ Ý±¼·²¹ ó ïì¬¸ ×Óß ×²¬»®²¿¬·±²¿´ Ý±²º»®»²½»ô ×ÓßÝÝ îðïíô Ñ¨º±®¼ô ÅíîÃ Íò Íò Î±§ô Úò Ê»®½¿«¬»®»²ôß´¹±®·¬¸³·½ôoratory Òò Ó»²¬»²ôof Algorithmics, Ý®§°¬±´±¹§ Üò Üò Ý¸»²ô ¿²¼ Cryptology Í»½«®·¬§ ¿²¼ ×ò Ê»®¾¿«©¸»¼»ò øÔßÝÍ÷ô and Security Ëó ÅïçÃ Ìò Ù«²»§«ôx Êò Ô§«¾¿¸»ªµ§ ¿²¼ Ìò Ð±°°»´³¿²²òx Ð®¿½¬·½¿´ Ô¿¬¬·½»ó Jian Gao received the BS degree in software 1970.Embry-Riddlethe Ph.D. He degreeis currently Aeronautical from a the professor department University, in Tsinghua Daytona of Com- ËÕô Ü»½»³¾»® ïéóïçô îðïíò Ð®±½»»¼·²¹ô °¿¹» ìëŠêìô îðïíò Ý±³°¿½¬ Î·²¹óÔÉÛ²·ª»®·¬§ Ý®§°¬±°®±½»±®ò(LACS), ±º University Ô«¨»³¾±«®¹ô ×² ofÝ®§°¬±¹®¿°¸·½ Luxembourg. Ô«¨»³¾±«®¹ò Ø¿®¼©¿®» His Ø· Ph.D Ð¸òÜ ¿²¼ the- Þ¿»¼ Ý®§°¬±¹®¿°¸§æ ß Í·¹²¿¬«®» Í½¸»³» º±® Û³¾»¼¼»¼ Í§¬»³ò Ý®§°ó Jieengineering Liang received from Beijing the BS University degree of in Posts computer and University.Beach,puter Science FL, He where is and dedicated Engineeringhe is currently in teaching at the an Universityand Assistant R&D ÅèÃ Íò Þò Íò ß¸³¿¼ Þ±±®¹¸¿²§ ¿²¼ Îò Ö¿´·´·ò Ñ² ½±²¬®¿·²»¼ ·³°´»³»²¬¿¬·±² Û³¾»¼¼»¼ Í§¬»³ ó¬¸»· ÝØÛÍsis has ¸¿ îðïì received ®»½»·ª»¼ô ª±´«³» the ¬¸» èéíïô prestigious °®»¬·¹·±« °¿¹» íéïŠíçïò ÚÒÎ FNR ß©¿®¼ îðïìò Awards. ¬±¹®¿°¸·½ Ø¿®¼©¿®» ¿²¼ Û³¾»¼¼»¼ Í§¬»³ Š ÝØÛÍ îðïîô éìîèæëíðŠ scienceTelecommunications, from Beijing Beijing, University China, of in Posts 2016. and He activitiesProfessorof California, in and computer San the Diego.Director graphics, He of received the computer-aided Security the dualand ±º ´¿¬¬·½»ó¾¿»¼ ½®§°¬±¹®¿°¸·½ °®·³·¬·ª» ¿²¼ ½¸»³» ±² ³¿®¬ ½¿®¼ò ÅííÃ Øò Í»±ô Æò Ô·«ô Ìò Ð¿®µôîðïêHe isØò Š a Õ·³ô Ñ«¬¬¿²¼·²¹ full Çò professor Ô»»ô ÖòÐ¸Ü Ý¸±· in Ì¸»· College ¿²¼ Øò ß©¿®¼ Õ·³ò of Computer Ð¿®¿´´»´º±® ¸· ëìéô îðïîò Telecommunications,is currently working Beijing, toward China, the Ph.D. in 2017. degree He design,Optimizationbachelor’s formal degree for verification Networked from the of software, Globe Beijing Laboratory University and sys- Ý®§°¬±´±¹§ »Ð®·²¬ ß®½¸·ª»ô Î»°±®¬ îðïìñëïìô îðïìò ¸¬¬°æññ»°®·²¬ò·¿½®ò ×³°´»³»²¬¿¬·±² ±º ÔÛßò½±²¬®·¾«¬·±²Science×²º±®³¿¬·±² and ·² Technology, ½®§°¬±¹®¿°¸·½ Í»½«®·¬§ ¿²¼ Nanjing Ý®§°¬±´±¹§ »²¹·²»»®·²¹ò University Š ×Ý×ÍÝØ» · of ÅîðÃ Üò Ø±²¹ò ÔÛßæ ß ïîèó¾·¬ ¾´±½µ ½·°¸»® º±® º¿¬ »²½®§°¬·±² ±² ½±³³±² isin software currently engineering working toward at Tsinghua the Ph.D. University, degree tem(SONGof Posts architecture. Lab, and www.SONGLab.us). Telecommunications, He is currently the His Chinadirector research and of ±®¹ñîðïìñëïìò°¼ºò îðïíô °¿¹» îëêóîéìô¿Aeronautics Í°®·²¹»® º«´´ °®±º»±® ×²¬»®²¿¬·±²¿´ and ·² Astronautics Ý±´´»¹» Ð«¾´·¸·²¹ô ±º Ý±³°«¬»® (NUAA) îðïìò Í½·»²½»and SnT, °®±½»±®ò ×²×²º±®³¿¬·±² Í»½«®·¬§ ß°°´·½¿¬·±²ô É×Íßùïìô °¿¹» íóîéô inBeijing, software China. engineering at Tsinghua University, theintereststhe School Queen lie of Mary in Information the University areas Science of cyber-physical of London, & Technology United sys- ÅçÃ ßò Þ±±®¹¸¿²§ ¿²¼ Îò Ö¿´·´·ò ×³°´»³»²¬¿¬·±² ¿²¼ Ý±³°¿®·±² ±º Ô¿¬¬·½»ó ÅíìÃ Øò Í»±ô Öò Ý¸±·ô Øò¿²¼University Õ·³ô Ì»½¸²±´±¹§ô Ìò Ð¿®µô of Luxembourg. Øò Ò¿²¶·²¹ Õ·³ò Ë²·ª»®·¬§ Ð»«¼± He has Î¿²¼±³ ±º been ß»®±²¿«¬·½ Ò«³¾»® a visiting îðïìò Beijing,His research China. interestsHis research include interests binary include vulner- andKingdom, the School in 2013. of Software His research in Tsinghua interests Univer- include Ù»²»®¿¬±® ¿²¼ Ø¿¸¿²¼ Ú«²½¬·±²scholar ß¬®±²¿«¬·½ in º±® City Û³¾»¼¼»¼ University øÒËßß÷ Ó·½®±°®±½»±®ò ¿²¼ of Hong Í²Ìô Ë²·ª»®·¬§Kong, ×² COSIC,×ÛÛÛ ±º tems, the Internet of things, cloud computing, big data, connected ÅîïÃ Æò Ô·«ô Øò Í»±ô Æò Ø«ô Èò Ø«²¿¹ô ¿²¼ Öò Ù®±A½¸x programability search, analysis binary and its clone applications detection, to machineindustry. sity.error-tolerant computing and machine learning. Ý®§°¬±´±¹§ »Ð®·²¬ ß®½¸·ª»ô Î»°±®¬ îðïìñðéèô îðïìò ¸¬¬°æññ»°®·²¬ò·¿½®ò É±®´¼ Ú±®«³ ±² ×²¬»®²»¬Ô«¨»³¾±«®¹ôK. U. ±º Leuven Ì¸·²¹ Ô«¨»³¾±«®¹òôas ÉÚó×±Ìùïìô well as Ø» °¿¹» Microsoft ¸¿ ¾»»² íéŠìðô ¿ Research, ª··¬·²¹ Í»±«´ô vehicles, wireless communications and networking, and optical commu- °´»³»²¬¿¬·±² ±º ÛÝÜØ µ»§ »¨½¸¿²¹» º±® ÓÍÐìíðó¾¿»¼ ©·®»´» »²±® learning in program analysis and their applica- ±®¹ñîðïìñðéèò°¼ºò Õ±®»¿ô îðïìò ×ÛÛÛò ½¸±´¿®Redmond. ·² Ý·¬§ His Ë²·ª»®·¬§ research ±º interests Ø±²¹ Õ±²¹ô include ÝÑÍ×Ýô com- nications and networking. ²»¬©±®µò ×² Ð®±½»»¼·²¹ ±º ¬¸» ïð¬¸ ßÝÓ Í§³°±·«³ ±² ×²º±®³¿¬·±²ô tions to industry. ÅïðÃ Üò Ý¿³¿®¿¿²¼ô˜ ÝòÐÔ Ù±«ª»¿ô˜ Öò Ô±°»¦l ¿²¼ Îò Ü¿¸¿¾ò Ú¿¬ Í±º¬ó ÅíëÃputerÕò Ëò Øò Ô»«ª»²arithmetic Í»±ô ¿ Æò ©»´´ andÔ·«ô ¿ information Öò Ó·½®±±º¬ Ù®±A½¸¿¼´ô Î»»¿®½¸ôx security. Öò Ý¸±· Î»¼³±²¼ò ¿²¼ Øò Ø· Õ·³ ®»»¿®½¸ Ó±²¬¹±³»®§ ·²¬»®»¬ Ý±³°«¬»® ¿²¼ Ý±³³«²·½¿¬·±² Í»½«®·¬§ô °¿¹» ïìëŠïëíò ßÝÓô îðïëò ·²½´«¼» ½±³°«¬»® ¿®·¬¸³»¬·½ ¿²¼ ·²º±®³¿¬·±² »½«®·¬§ò Ø» ¸¿ ½±ó¿«¬¸±®»¼ ÅîîÃ©¿®» Æò Ô·«ô Ð±´§²±³·¿´ Øò Í»±ô Íò Ó«´¬·°´·½¿¬·±² Íò Î±§ô Öò Ù®±A½¸ ±² ßÎÓ¿¼´ôx ØòÐ®±½»±® Õ·³ô ¿²¼ «·²¹ ×ò Ê»®¾¿«©¸»¼»ò ¬¸» ÒÛÑÒ Ó±¼«´¿® Ó«´¬·°´·½¿¬·±² ±² ßÎÓóÒÛÑÒ ®»ª··¬»¼ò ×²º±®³¿¬·±² Í»½«®·¬§ Û²¹·²»ô Í»½«®·¬§ Û²¹·²»»®·²¹ ¿²¼ ×²¬»´´·¹»²½» ×²º±®³¿¬·½ô °¿¹» ïíéŠ ³±®»¿²¼ ¬¸¿² Ý®§°¬±´±¹§ êð ®»»¿®½¸ Š ×Ý×ÍÝ °»»®ó®»ª·»©»¼ îðïìô °¿¹» ¶±«®²¿´ íîèŠíìîô ¿²¼ ½±²º»®»²½» Í°®·²¹»®ô îðïìò °¿°»® ·² ¬¸» ×²¬»®²¿¬·±²¿´ ¿®»¿ ±º ·²º±®³¿¬·±² »½«®·¬§ò ïëìôÉ±®µ¸±° Í°®·²¹»®ô ±² îðïíòÝ®§°¬±¹®¿°¸·½ Ø¿®¼©¿®» ¿²¼ Û³¾»¼¼»¼ Í§¬»³ô °¿¹» ÅíêÃ Øò Í»±ô Æò Ô·«ô Öò Ù®±A½¸x ÅïïÃêêíŠêèîò Ë²·ª»®·¬§ Í°®·²¹»®ô ±º É¿¬»®´±±ô îðïëò Ý¿²¿¼¿ò Ý®§°¬±É±®µîïŒô ¿ª¿·¿¾´» ·² ¸¬¬°æññ ßÎÓóÒÛÑÒ ¿²¼ ×¬ ß°°´·½¿¬·±² º±® Ø·¹¸óÍ°»»¼ ÎÍß ×³°´»³»²¬¿¬·±²ò 池婧雯 Kim-Kwang Raymond Choo received the Ph.D. ÅîíÃ½®§°¬±©±®µîïò¿´¾»®¬±½±²²±®ò½¿ñ¿¾±«¬ñ Êò Ô§«¾¿¸»ªµ§ô Ýò Ð»·µ»®¬ô ¿²¼ Ñò Î»¹»ªò Ñ² ×¼»¿´ Ô¿¬¬·½» ¿²¼ Ô»¿®²ó ßª¿·´¿¾´»梁杰 ·² ×ßÝÎ »Ð®·²¬ ¸¬¬°æññ»°®·²¬ò·¿½®ò±®¹ñîðïëñìêëò°¼ºô îðïëò in information security in 2006 from Queens- ÅïîÃ Ìò Ý±®³»²ô Ýò Ô»·»®±²ô ¿²¼ Îò Î·ª»¬ò ×²¬®±¼«½¬·±² Ì± ß´¹±®·¬¸³ò ÅíéÃ ÓòÖòÑ Í¿¿®·²»²¿²¼ ¿²¼ ÞòÞò Þ®«³´»§ò Ô·¹¸¬»®ô Ú¿¬»®ô ¿²¼ Ý±²¬¿²¬ó Zijiang Yang is a professor in computer science ·²¹ ©·¬¸ Û®®±® ±ª»® Î·²¹ò ×² ß¼ª¿²½» ·² Ý®§°¬±´±¹§ ÛËÎÑÝÎÇÐÌ Yu Jiang received the BS degree in software landat Western University Michigan of Technology, University. He Australia. holds a He Ph.D. is ¸¬¬°æññ¬¿ººò«¬½ò»¼«ò½²ñüîðïðô ª±´«³» êïïð ±º² Ô»½¬«®»·³ü½´·ñ¹®¿¼«¿¬»ñ¿´¹±®·¬¸³ñ¾±±µêñ¬±½ò¸¬³ò Ò±¬» ·² Ý±³°«¬»® Í½·»²½»ô °¿¹» ïóîíò Ì·³»æ É¸·®´Þ±¾ô ¬¸»engineering É¸·®´°±±´ ª¿®·¿²¬ from ±ºBeijing Í¬®·Þ±¾ò University ×ßÝÎ »Ð®·²¬ of Posts ¸¬¬°æ and 级硕士生 currently a cloud technology endowed associate Î»¦¿ ß¦¿®¼»®¿µ¸¸ ®»½»·ª»¼ ¬¸» Ð¸òÜò ¼»¹®»» ·² 2017 from the University of Pennsylvania, an M.S. Í°®·²¹»® Þ»®´·² Ø»·¼»´¾»®¹ô îðïðò 2017ññ»°®·²¬ò·¿½®ò±®¹ñîðïìñëðïò°¼ºô级直博生 Telecommunications îðïìò in 2010, and the PhD de- »´»½¬®·½¿´Telecommunications ¿²¼ ½±³°«¬»® in »²¹·²»»®·²¹ 2010, and º®±³ the ¬¸» PhD Ë²·ó de- professorfrom Rice at University University and of a Texas B.S. from at San the Antonio, Univer- ÅîìÃ½·»² Ó·½®±±º¬¬ Í±º¬©¿®» Î»»¿®½¸ô ×³°´»³»²¬¿¬·±² Ô¿¬¬·½»¼óÞ¿»¼ ±º Î·²¹óÔÉÛ Ý®§°¬±¹®¿°¸§Œô Û²½®§°¬·±²ò ¸¬¬°æññ®»»¿®½¸òïè¬¸ Ü»·¹²ô gree in computer science from Tsinghua Univer-2013.9-2017.6 清华大学 ª»®·¬§gree in ±º computer É»¬»®² Ñ²¬¿®·±ôscience Ô±²¼±²ôfrom Tsinghua ÑÒô Ý¿²¿¼¿ô Univer- ansity associate of Science professor and Technology at the University of China. of Before South ß«¬±³¿¬·±²³·½®±±º¬ò½±³ñ»²ó«ñ°®±¶»½¬ñ´¿¬¬·½»ñ ú Ì»¬ ·² Û«®±°» Ý±²º»®»²½» ú Û¨¸·¾·¬·±² Š ÜßÌÛ2013.9-2017.6 îðïëô ¬±§¬»³ 北京邮电大学 ±² ³±¬» »²±®sity in 2015. ø¸±®¬ He °¿°»®÷ worked ×² ×²¬»®²¿¬·±²¿´ as a Postdoc Ý±²º»®»²½» researcher ·²sity îðïïò in 2015. Ø» ©¿ He ¿ worked ÒÍÛÎÝ as Ð±¬óÜ±½¬±®¿´ a Postdoc researcher Î»»¿®½¸ 研究方向：测试用例生成Australia,joining WMU and he a was guest an professor associate at research ChinaUni- staff ÅîëÃîðïëò Ìò Ñ¼»®ô Ìò Ð±°°»´³¿²²ôx ¿²¼ Ìò Ù«²»§«òx Þ»§±²¼ ÛÝÜÍß ¿²¼ ÎÍßæ ±² ×²º±®³¿¬·±² ¿²¼ Ý±³³«²·½¿¬·±²in the department Í»½«®·¬§ ofô computer °¿¹» ëïçŠëîèò science Í°®·²¹»®ô of Uni- Ú»´´±©in the ©·¬¸ department ¬¸» Ý»²¬»® of º±® computer ß°°´·»¼ science Ý®§°¬±¹®¿°¸·½ of Uni- versitymember of at Geosciences. NEC Labs America. He is the His recipient research of ÅïìÃÔ¿¬¬·½»ó¾¿»¼ Ôò Ü«½¿ò Ô¿¬¬·½» Ü·¹·¬¿´ ¾¿»¼ Í·¹²¿¬«®» ·¹²¿¬«®»æ ±² ß¬¬¿½µôÝ±²¬®¿·²»¼ ¿²¿´§· Ü»ª·½»ò ¿²¼ ±°¬·³·¦¿¬·±²òëï¬研究方向：内存安全模糊测试 ß²²«¿´ îððêò versity of Illinois at Urbana-Champaign, IL, USA, Î»»¿®½¸versity of ¿²¼ Illinois ¬¸» Ü»°¿®¬³»²¬ at Urbana-Champaign, ±º Ý±³¾·²¿¬±®·½ IL,¿²¼ USA, variousinterests awards are in the including area of ESORICS software engineering 2015 Best Ð¸òÜÜ»·¹² Ì¸»·ô ß«¬±³¿¬·±² îðïíò ¸¬¬°æññ½»©»¾ò«½¼ò»¼«Ý±²º»®»²½» Š ÜßÝ îðïì´¼ô«½¿ñÌ¸»·ñ·²¼»¨ò¸¬³´ò îðïìò ÅíçÃ Öò É¿²¹ô ÐòÕò Ê¿¼²¿´¿ôin Öò 2016, Ù®±A½¸x¿¼´ and is ¿²¼ now Ïò È«ò an Ø·¹¸»®óÑ®¼»® assistant professor Ó¿µ·²¹ in ÅïëÃ Ð±¬ó¯«¿²¬«³ ½®§°¬±¹®¿°¸§ º±® ´±²¹ó¬»®³ »½«®·¬§ ÐÏÝÎÇÐÌÑ ×ÝÌó ·² Ð®¿½¬·½»æ ß Ê»½¬±®Ñ°¬·³·¦¿¬·±²ôin ×³°´»³»²¬¿¬·±² 2016, and Ë²·ª»®·¬§ is ±º now Ó¿µ»¼ ±º an É¿¬»®´±±ô ßÛÍ assistant º±® É¿¬»®´±±ô ßÎÓ professor ÒÛÑÒò ÑÒô in Researchwith the primary Paper focus Award, on Winning the testing, Team debugging of Ger- ÅîêÃ Ìò Ð±°°»´³¿²²ôx Ôò Ü«½¿ ¿²¼ Ìò Ù«²»§«òx Û²¸¿²½»¼ Ô¿¬¬·½»óÞ¿»¼ Tsinghua University. His current research inter- manysand verification University of of Erlangen-Nurembergsoftware systems. He Digital is a êìëêîîŒ ¸¬¬°æññ°¯½®§°¬±ò»«ò±®¹ñ·²¼»¨ò¸¬³´ Ý®§°¬±¹®¿°¸·½ Ø¿®¼©¿®» ¿²¼ Ì±°·½ ·² Ý®§°¬±´±¹§Ý¿²¿¼¿ò Š ÝÌóÎÍß Ø» îðïë ·ô ½«®®»²¬´§ °¿¹» ïèïŠïçèô ©·¬¸ ¬¸» Í°®·²¹»®ô Ü»°¿®¬³»²¬ îðïëò ±º ests include domain specific modeling, formal Forensics Research Challengesenior member 2015, of and IEEE. 2014 Highly Commended ÅïêÃÛ³¾»¼¼»¼ Òò Ùx±¬¬»®¬ô Í§¬»³ Ìò Ú»´´»®ô Š ÝØÛÍ Óò Í½¸²»·¼»®ô îðïìô èéíïæíëíŠíéðô Öò Þ«½¸³¿²²ô îðïìò ¿²¼ Íò Ø«ò Ñ² Ý±³°«¬»® Û²¹·²»»®·²¹ô Î±½¸»¬»® ×²¬·¬«¬» ±º Ì»½¸ó computation model, formal verification and their Award by the Australia New Zealand Policing Advisory Agency. His ÅîéÃ¬¸» Ìò Ü»·¹² Ð±°°»´³¿²²ôx ±º Ø¿®¼©¿®» Ìò Ñ¼»®ô Þ«·´¼·²¹ ¿²¼ ÌòÙ Þ´±½µ«²»§«òx º±® Ø·¹¸ó°»®º±®³¿²½» Ó±¼»®² Ô¿¬¬·½»óÞ¿»¼ ·¼»¿´ ¿®·¬¸³»¬·½ò ×ÛÛ Ð®±½»»¼·²¹²±´±¹§ô Î±½¸»¬»®ô Š Ý±³°«¬»® ÒÇô ËÍßò ¿²¼ Ø· Ü·¹·¬¿´ ½«®®»²¬ Ì»½¸²·¯«» ®»»¿®½¸ô applications in embedded systems. research interests include cyber security and forensics. Û²½®§°¬·±²´¿¬¬·½»ó¾¿»¼ Í½¸»³»ò ½®§°¬±¹®¿°¸§Ý®§°¬±¹®¿°¸·½ ±² èó¾·¬ ¿¬¨³»¹¿ Ø¿®¼©¿®» ³·½®±½±²¬®±´´»®ò ¿²¼ Û³¾»¼¼»¼ Í§¬»³Š ×² ×²¬»®ó applicationsïìçøî÷æìêŠëîô in embedded Ó¿®ò îððîò systems. ÝØÛÍ²¿¬·±²¿´ îðïî Ý±²º»®»²½»ô éìîèæëïîŠëîçô ±² Ý®§°¬±´±¹§ îðïîò ¿²¼ ×²º±®³¿¬·±² Í»½«®·¬§ ·² Ô¿¬·² ´·°¬·½ ½«®ª» ½®§°¬±¹®¿°¸§ô °¿·®·²¹ó¾¿»¼ ½®§°¬±¹®¿°¸§ô ¿²¼ ·³°´»³»²¬¿¬·±² ÅïéÃß³»®·½¿ ÝòÐÔ Ù±«ª˜»¿¿²¼ô °¿¹» íìêŠíêëò Öò Ôl±°»¦ Í°®·²¹»®ô ×³°´»³»²¬·²¹ îðïëò ÙÝÓ ±² ßÎÓªèò Ì±°·½ ·² ±² »³¾»¼¼»¼ ¼»ª·½»ò Ð®±ºò ß¦¿®¼»®¿µ¸¸ ©¿ ¬¸» ®»½·°·»²¬ ±º ¬¸» °®»¬·¹·±« ÅîèÃÝ®§°¬±´±¹§ Ìò Ð±°°»´³¿²²ôx Š ÝÌóÎÍß Ì±¾·¿ îðïë Ñ¼»®ôô °¿¹» ¿²¼ ïêéŠïèðô Ìò Ù«²»§«òx Í°®·²¹»®ô Í°»»¼ îðïëò Î»½±®¼ º±® ×¼»¿´ ÒÍÛÎÝ Ð±¬óÜ±½¬±®¿´ Î»»¿®½¸ Ú»´´±©¸·° ·² îðïîò Ø» · ¿ Ù«»¬ Û¼·¬±® Ô¿¬¬·½»óÞ¿»¼ Ý®§°¬±¹®¿°¸§ ±² ßÊÎò ×² ¸¬¬°æññ»°®·²¬ò·¿½®ò±®¹ñîðïëñíèîò º±® ¬¸» ×ÛÛÛñßÝÓ Ì®¿²¿½¬·±² ±² Ý±³°«¬¿¬·±²¿´ Þ·±´±¹§ ¿²¼ Þ·±·²º±®ó ³¿¬·½ º±® ¬¸» °»½·¿´ ·«» ±º Û³»®¹·²¹ Í»½«®·¬§ Ì®»²¼ º±® Þ·±³»¼·½¿´ Jiaguang Sun received the BS degree in au- Ð°¼ºò¿·®·²¹ ±² ßÎÓ Ð®±½»±®ò Í»´»½¬»¼ ß®»¿ ·² Ý®§°¬±¹®¿°¸§ Š ÍßÝ Æ¸»ZheÔ·« Liu received®»½»·ª»¼ ¸· his Ð¸òÜ Ph.D ¼»¹®»» degree Ô¿¾±®¿¬±®§ from the Lab- ±º ÅîçÃîðïî Ìò Ð®»½±¬¬òô ééðéæïìçŠïêëô Î¿²¼±³ îðïîò Ò«³¾»® Ù»²»®¿¬·±² «·²¹ ßÛÍò ¸¬¬°æññ©©©ò¿¬³»´ò Ý±³°«¬¿¬·±²ô Ü»ª·½»ô ¿²¼oratory ×²º®¿¬®«½¬«®» of Algorithmics, øîðïë ¿²¼ Cryptology îðïê÷ò Ø» and ¿´± Security»®ª» tomation science from Tsinghua University in ¿ ¬¸» Ù«»¬ Û¼·¬±® ±º ×ÛÛÛß´¹±®·¬¸³·½ô Ì®¿²¿½¬·±² Ý®§°¬±´±¹§ ±² Ü»°»²¼¿¾´» ¿²¼ Í»½«®·¬§ ¿²¼ Í»½«®» øÔßÝÍ÷ô Ý±³ó Ëó 1970. He is currently a professor in Tsinghua ÅïçÃ½±³ñ¦¸ñ½²ñ×³¿¹»ñ¿®¬·½´» Ìò Ù«²»§«ôx Êò Ô§«¾¿¸»ªµ§®¿²¼±³ ¿²¼²«³¾»®ò°¼º Ìò Ð±°°»´³¿²²òx Ð®¿½¬·½¿´ Ô¿¬¬·½»ó ²·ª»®·¬§(LACS), ±º University Ô«¨»³¾±«®¹ô of Luxembourg. Ô«¨»³¾±«®¹ò His Ø· Ph.D Ð¸òÜ the- ÅíðÃÞ¿»¼ Ñò Î»¹»ªò Ý®§°¬±¹®¿°¸§æ Ñ² Ô¿¬¬·½»ô ß Í·¹²¿¬«®» Ô»¿®²·²¹ Í½¸»³» ©·¬¸ Û®®±®ô º±® Û³¾»¼¼»¼ Î¿²¼±³ Í§¬»³ò Ô·²»¿® Ý±¼»ôÝ®§°ó °«¬·²¹ô Í°»½·¿´ ×«» ±²sis Û³»®¹·²¹ has received Û³¾»¼¼»¼ the ¿²¼ prestigious Ý§¾»® Ð¸§·½¿´ FNR Í§¬»³ Awards. University. He is dedicated in teaching and R&D Í»½«®·¬§ Ý¸¿´´»²¹» ¿²¼¬¸»· ×²²±ª¿¬·±² ¸¿ ®»½»·ª»¼ øîðïê÷òØ» ¬¸» · °®»¬·¹·±« ¿ «°»®ª·±® ÚÒÎ ³»³¾»® ß©¿®¼ º±® ¬±¹®¿°¸·½¿²¼ Ý®§°¬±¹®¿°¸§ò Ø¿®¼©¿®» ¿²¼ ×² Ð®±½»»¼·²¹ Û³¾»¼¼»¼ Í§¬»³ ±º ¬¸» ¬¸·®¬§ó»ª»²¬¸ Š ÝØÛÍ îðïî ¿²²«¿´ô éìîèæëíðŠ ßÝÓ He is a full professor in College of Computer activities in computer graphics, computer-aided Ý®§°¬±É±®µîïøÒÍÛÎÝ ÝÎÛßÌÛîðïê Š Ñ«¬¬¿²¼·²¹ Ì®¿·²·²¹ Ð®±¹®¿³ Ð¸Ü ·² Ì¸»· Þ«·´¼·²¹ ß©¿®¼ ¿ É±®µº±®½» º±® ¸· ëìéô§³°±·«³ îðïîò ±² Ì¸»±®§ ±º ½±³°«¬·²¹ô ÍÌÑÝ ùðëô °¿¹» èìŠçíô Ò»© Ç±®µô Science and Technology, Nanjing University of design, formal verification of software, and sys- º±® ¬¸» Ý®§°¬±¹®¿°¸·½ ×²º®¿¬®«½¬«®»½±²¬®·¾«¬·±² ±º·² ¬¸» ½®§°¬±¹®¿°¸·½ îï¬ Ý»²¬«®§÷ò »²¹·²»»®·²¹ò Ø» · 王明哲 tem architecture. He is currently the director of ÅîðÃÒÇô Üò Ø±²¹ò ËÍßô ÔÛßæîððëò ßßÝÓò ïîèó¾·¬ ¾´±½µ ½·°¸»® º±® º¿¬ »²½®§°¬·±² ±² ½±³³±² ¿Aeronautics º«´´ °®±º»±® and ·² Astronautics Ý±´´»¹» ±º Ý±³°«¬»® (NUAA) Í½·»²½»and SnT, °®±½»±®ò ×²×²º±®³¿¬·±² Í»½«®·¬§ ß°°´·½¿¬·±²ô É×Íßùïìô °¿¹» íóîéô University of Luxembourg. He has been a visiting the School of Information Science & Technology ¿²¼ Ì»½¸²±´±¹§ô Ò¿²¶·²¹ Ë²·ª»®·¬§ ±º ß»®±²¿«¬·½ and the School of Software in Tsinghua Univer- îðïìò ¿²¼scholar ß¬®±²¿«¬·½ in City University øÒËßß÷ ¿²¼ of Hong Í²Ìô Ë²·ª»®·¬§Kong, COSIC, ±º 2018级直博生 ÅîïÃ Æò Ô·«ô Øò Í»±ô Æò Ø«ô Èò Ø«²¿¹ô ¿²¼ Öò Ù®±A½¸x K. U. Leuven as well as Microsoft Research, sity. ððïèóçíìð ø½÷ îðïé ×ÛÛÛò Ð»®±²¿´ «» · °»®³·¬¬»¼ô ¾«¬ ®»°«¾´·½¿¬·±²ñ®»¼·¬®·¾«¬·±² ®»¯«·®» ×ÛÛÛ °»®³··±²ò Í»» ¸¬¬°æññ©©©ò·»»»ò±®¹ñ°«¾´·½¿¬·±²Á¬¿²¼¿®¼ñ°«¾´·½¿¬·±²ñ®·¹¸¬ñ·²¼»¨ò¸¬³´傅滢 Ô«¨»³¾±«®¹ô Ô«¨»³¾±«®¹ò Ø» ¸¿ ¾»»² º±® ¿ ³±®» ª··¬·²¹ ·²º±®³¿¬·±²ò 北京邮电大学 °´»³»²¬¿¬·±² ±º ÛÝÜØ µ»§ »¨½¸¿²¹» º±® ÓÍÐìíðó¾¿»¼ ©·®»´» »²±® ½¸±´¿®Redmond. ·² Ý·¬§ His Ë²·ª»®·¬§ research ±º interests Ø±²¹ Õ±²¹ô include ÝÑÍ×Ýô com-2014.9-2018.6 ²»¬©±®µò ×² Ð®±½»»¼·²¹ ±º ¬¸» ïð¬¸ ßÝÓ Í§³°±·«³ ±² ×²º±®³¿¬·±²ô puterÕò Ëò Ô»«ª»²arithmetic ¿ ©»´´ and ¿ information Ó·½®±±º¬ Î»»¿®½¸ô security. Î»¼³±²¼ò Ø· ®»»¿®½¸ ·²¬»®»¬研究方向：内存安全模糊测试 Ý±³°«¬»® ¿²¼ Ý±³³«²·½¿¬·±² Í»½«®·¬§ô °¿¹» ïìëŠïëíò ßÝÓô îðïëò ·²½´«¼»2017 ½±³°«¬»®级硕士生 ¿®·¬¸³»¬·½ ¿²¼ ·²º±®³¿¬·±² »½«®·¬§ò Ø» ¸¿ ½±ó¿«¬¸±®»¼ ÅîîÃ Æò Ô·«ô Øò Í»±ô Íò Íò Î±§ô Öò Ù®±A½¸x¿¼´ô Øò Õ·³ô ¿²¼ ×ò Ê»®¾¿«©¸»¼»ò ³±®» ¬¸¿² êð ®»»¿®½¸ °»»®ó®»ª·»©»¼ ¶±«®²¿´ ¿²¼ ½±²º»®»²½» °¿°»® ·² ¬¸» ×²¬»®²¿¬·±²¿´ ¿®»¿ ±º ·²º±®³¿¬·±² »½«®·¬§ò É±®µ¸±° ±² Ý®§°¬±¹®¿°¸·½ Ø¿®¼©¿®» ¿²¼ Û³¾»¼¼»¼ Í§¬»³2013.9-2017.6ô °¿¹» 北京邮电大学 êêíŠêèîò Í°®·²¹»®ô îðïëò ÅîíÃ Êò Ô§«¾¿¸»ªµ§ô Ýò Ð»·µ»®¬ô ¿²¼ Ñò Î»¹»ªò Ñ² ×¼»¿´ Ô¿¬¬·½» ¿²¼ Ô»¿®²ó研究方向：区块链安全测试 ·²¹ ©·¬¸ Û®®±® ±ª»® Î·²¹ò ×² ß¼ª¿²½» ·² Ý®§°¬±´±¹§ ÛËÎÑÝÎÇÐÌ îðïðô ª±´«³» êïïð ±º Ô»½¬«®» Ò±¬» ·² Ý±³°«¬»® Í½·»²½»ô °¿¹» ïóîíò Í°®·²¹»® Þ»®´·² Ø»·¼»´¾»®¹ô îðïðò Î»¦¿ ß¦¿®¼»®¿µ¸¸ ®»½»·ª»¼ ¬¸» Ð¸òÜò ¼»¹®»» ·² ÅîìÃ Ó·½®±±º¬ Î»»¿®½¸ô Ô¿¬¬·½»¼óÞ¿»¼ Ý®§°¬±¹®¿°¸§Œô ¸¬¬°æññ®»»¿®½¸ò »´»½¬®·½¿´ ¿²¼ ½±³°«¬»® »²¹·²»»®·²¹ º®±³ ¬¸» Ë²·ó ³·½®±±º¬ò½±³ñ»²ó«ñ°®±¶»½¬ñ´¿¬¬·½»ñ ª»®·¬§ ±º É»¬»®² Ñ²¬¿®·±ô Ô±²¼±²ô ÑÒô Ý¿²¿¼¿ô ÅîëÃ Ìò Ñ¼»®ô Ìò Ð±°°»´³¿²²ôx ¿²¼ Ìò Ù«²»§«òx Þ»§±²¼ ÛÝÜÍß ¿²¼ ÎÍßæ ·² îðïïò Ø» ©¿ ¿ ÒÍÛÎÝ Ð±¬óÜ±½¬±®¿´ Î»»¿®½¸ Ô¿¬¬·½»ó¾¿»¼ Ü·¹·¬¿´ Í·¹²¿¬«®» ±² Ý±²¬®¿·²»¼ Ü»ª·½»ò ëï¬ ß²²«¿´ Ú»´´±© ©·¬¸ ¬¸» Ý»²¬»® º±® ß°°´·»¼ Ý®§°¬±¹®¿°¸·½ Ü»·¹² ß«¬±³¿¬·±² Ý±²º»®»²½» Š ÜßÝ îðïìô îðïìò Î»»¿®½¸ ¿²¼ ¬¸» Ü»°¿®¬³»²¬ ±º Ý±³¾·²¿¬±®·½ ¿²¼ ÅîêÃ Ìò Ðx±°°»´³¿²²ô Ôò Ü«½¿ ¿²¼ Ìò Ùx«²»§«ò Û²¸¿²½»¼ Ô¿¬¬·½»óÞ¿»¼ Ñ°¬·³·¦¿¬·±²ô Ë²·ª»®·¬§ ±º É¿¬»®´±±ô É¿¬»®´±±ô ÑÒô Ý®§°¬±¹®¿°¸·½ Ø¿®¼©¿®» ¿²¼ Ý¿²¿¼¿ò Ø» · ½«®®»²¬´§ ©·¬¸ ¬¸» Ü»°¿®¬³»²¬ ±º Û³¾»¼¼»¼ Í§¬»³ Š ÝØÛÍ îðïìô èéíïæíëíŠíéðô îðïìò Ý±³°«¬»® Û²¹·²»»®·²¹ô Î±½¸»¬»® ×²¬·¬«¬» ±º Ì»½¸ó ÅîéÃ Ìò Ðx±°°»´³¿²²ô Ìò Ñ¼»®ô ¿²¼ Ìò Ùx«²»§«ò Ø·¹¸ó°»®º±®³¿²½» ·¼»¿´ ²±´±¹§ô Î±½¸»¬»®ô ÒÇô ËÍßò Ø· ½«®®»²¬ ®»»¿®½¸ 苏卓 ´¿¬¬·½»ó¾¿»¼ ½®§°¬±¹®¿°¸§ ±² èó¾·¬ ¿¬¨³»¹¿ ³·½®±½±²¬®±´´»®ò ×² ×²¬»®ó ²¿¬·±²¿´ Ý±²º»®»²½» ±² Ý®§°¬±´±¹§ ¿²¼ ×²º±®³¿¬·±² Í»½«®·¬§ ·² Ô¿¬·² ´·°¬·½ ½«®ª» ½®§°¬±¹®¿°¸§ô °¿·®·²¹ó¾¿»¼ ½®§°¬±¹®¿°¸§ô ¿²¼ ·³°´»³»²¬¿¬·±² ß³»®·½¿ô °¿¹» íìêŠíêëò Í°®·²¹»®ô îðïëò ±² »³¾»¼¼»¼ ¼»ª·½»ò Ð®±ºò ß¦¿®¼»®¿µ¸¸ ©¿ ¬¸» ®»½·°·»²¬ ±º ¬¸» °®»¬·¹·±« 2018级直博生 ÅîèÃ Ìò Ðx±°°»´³¿²²ô Ì±¾·¿ Ñ¼»®ô ¿²¼ Ìò Ùx«²»§«òÍ°»»¼ Î»½±®¼ º±® ×¼»¿´ ÒÍÛÎÝ Ð±¬óÜ±½¬±®¿´ Î»»¿®½¸ Ú»´´±©¸·° ·² îðïîò Ø» · ¿ Ù«»¬ Û¼·¬±® Ô¿¬¬·½»óÞ¿»¼ Ý®§°¬±¹®¿°¸§ ±² ßÊÎò ×² ¸¬¬°æññ»°®·²¬ò·¿½®ò±®¹ñîðïëñíèîò º±® ¬¸» ×ÛÛÛñßÝÓ Ì®¿²¿½¬·±² ±² Ý±³°«¬¿¬·±²¿´ Þ·±´±¹§ ¿²¼ Þ·±·²º±®ó 2014.9-2018.6东北大学 °¼ºò ³¿¬·½ º±® ¬¸» °»½·¿´ ·«» ±º Û³»®¹·²¹ Í»½«®·¬§ Ì®»²¼ º±® Þ·±³»¼·½¿´ ÅîçÃ Ìò Ð®»½±¬¬ò Î¿²¼±³ Ò«³¾»® Ù»²»®¿¬·±² «·²¹ ßÛÍò ¸¬¬°æññ©©©ò¿¬³»´ò Ý±³°«¬¿¬·±²ô Ü»ª·½»ô ¿²¼ ×²º®¿¬®«½¬«®» øîðïë ¿²¼ îðïê÷ò Ø» ¿´± »®ª» ½±³ñ¦¸ñ½²ñ×³¿¹»ñ¿®¬·½´» ®¿²¼±³ ²«³¾»®ò°¼º ¿ ¬¸»赵越 Ù«»¬ Û¼·¬±® ±º ×ÛÛÛ Ì®¿²¿½¬·±² ±² Ü»°»²¼¿¾´» ¿²¼ Í»½«®» Ý±³ó ÅíðÃ Ñò Î»¹»ªò Ñ² Ô¿¬¬·½»ô Ô»¿®²·²¹ ©·¬¸ Û®®±®ô Î¿²¼±³ Ô·²»¿® Ý±¼»ô °«¬·²¹ô Í°»½·¿´ ×«» ±² Û³»®¹·²¹ Û³¾»¼¼»¼ ¿²¼ Ý§¾»® Ð¸§·½¿´ Í§¬»³ ¿²¼ Ý®§°¬±¹®¿°¸§ò ×² Ð®±½»»¼·²¹ ±º ¬¸» ¬¸·®¬§ó»ª»²¬¸ ¿²²«¿´ ßÝÓ Í»½«®·¬§ Ý¸¿´´»²¹» ¿²¼ ×²²±ª¿¬·±² øîðïê÷òØ» · ¿ «°»®ª·±® ³»³¾»® º±® §³°±·«³ ±² Ì¸»±®§ ±º ½±³°«¬·²¹ô ÍÌÑÝ ùðëô °¿¹» èìŠçíô Ò»© Ç±®µô Ý®§°¬±É±®µîïøÒÍÛÎÝ2017级硕士生 ÝÎÛßÌÛ Ì®¿·²·²¹ Ð®±¹®¿³ ·² Þ«·´¼·²¹ ¿ É±®µº±®½» ÒÇô ËÍßô îððëò ßÝÓò º±® ¬¸» Ý®§°¬±¹®¿°¸·½ ×²º®¿¬®«½¬«®» ±º ¬¸» îï¬ Ý»²¬«®§÷ò 2013.9-2017.6 北京邮电大学

ððïèóçíìð ø½÷ îðïé ×ÛÛÛò Ð»®±²¿´ «» · °»®³·¬¬»¼ô ¾«¬ ®»°«¾´·½¿¬·±²ñ®»¼·¬®·¾«¬·±² ®»¯«·®» ×ÛÛÛ研究方向：深度学习系统测试 °»®³··±²ò Í»» ¸¬¬°æññ©©©ò·»»»ò±®¹ñ°«¾´·½¿¬·±²Á¬¿²¼¿®¼ñ°«¾´·½¿¬·±²ñ®·¹¸¬ñ·²¼»¨ò¸¬³´ º±® ³±®» ·²º±®³¿¬·±²ò