Contact Us

Research on Binary analysis and Vulnerability Detection at NUS


Software almost always has vulnerabilities. Many of them cause serious problems such as software crashes and leaks of sensitive user information. Software engineers have been fighting an endless battle to fix bugs. The cost of this battle is enormous: $312 billion per year globally as of 2012 according to Cambridge University research (in comparison, the GDP of Singapore is $308 billion as of 2014). This high cost arises because software developers spend about 50% of their time debugging. We are conducting research on automatically finding vulnerabilities in program binaries by combining black-box or grey-box fuzzing with symbolic execution approaches. In black-box or grey-box fuzzing, the logic of the program is not analyzed, whereas symbolic execution approaches proceed by a semantic analysis of the program's behavior. Much of our research can be seen as a targeted search in which we try to reach target locations, either to reproduce a crash or to exercise more program behavior so that vulnerabilities can be uncovered.

One of the key innovations in our approach is that the analysis for finding vulnerabilities works directly on program binaries - no source code is needed. Another key innovation is the development of scalable search strategies to guide the symbolic analysis for common file-format processing programs, such as those handling PDF, PNG and WAV files. We are also working on improving grey-box fuzzing technology at its weak point, namely behavioral coverage. Grey-box fuzzing generates many inputs with the goal of crashing the program, but may end up covering few paths in the program since no semantic analysis is involved. In our latest work, we have improved the search heuristics inside fuzzers to drastically improve coverage without resorting to costly symbolic analysis. Thus, our approach for finding vulnerabilities is two-pronged: improve the scalability of the symbolic execution (semantic) approaches, and improve the behavioral coverage of the fuzzing (syntactic) approaches.
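As an illustration of the search-heuristic idea described above, the following small coverage-guided greybox fuzzer is added here; it is not AFLfast, AFL, or any code from the NUS group. The toy target (a parser that checks a 4-byte header byte by byte), the initial seeds and the "fast" energy formula are all constructed for this example. The formula only follows the intuition behind the group's work: a seed that exercises a frequently taken path should receive fewer mutations than a seed on a rarely taken path, so the fuzzer's effort shifts toward under-explored behavior without any semantic analysis of the program.

```python
"""Toy greybox fuzzer with a path-frequency power schedule (illustration only)."""
import random
from collections import Counter

# Constructed toy target. The tuple of branch labels it returns is the
# "path" an input exercised; the innermost branch stands in for a bug.
def toy_target(data: bytes) -> tuple:
    trace = []
    if len(data) < 4:
        return ("short",)
    if data[0] != 0x50:            # 'P'
        return ("bad_magic",)
    trace.append("magic0")
    if data[1] == 0x4E:            # 'N'
        trace.append("magic1")
        if data[2] == 0x47:        # 'G'
            trace.append("magic2")
            if data[3] == 0x0D:
                trace.append("bug")   # simulated crash location
    return tuple(trace)

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: append a byte, overwrite a byte, or flip a bit."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 or not buf:
        buf.append(rng.randrange(256))
    elif choice == 1:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf[:64])

def energy(schedule: str, path_freq: int, seed_uses: int,
           base: int = 16, cap: int = 256) -> int:
    """How many mutants to derive from a seed when it is picked.

    'uniform': every seed gets `base` mutants regardless of what it covers.
    'fast'   : constructed schedule that divides by how often the seed's path
               has already been exercised and grows each time the seed is
               re-picked, so rarely seen paths get more attention.
    """
    if schedule == "uniform":
        return base
    if schedule == "fast":
        return min(cap, max(1, base * (2 ** seed_uses) // path_freq))
    raise ValueError(schedule)

def fuzz(schedule: str, iterations: int, seed: int = 1) -> dict:
    rng = random.Random(seed)
    corpus = [b"\x00\x00\x00\x00", b"P\x00\x00\x00"]   # constructed initial seeds
    path_freq = Counter()      # inputs generated per path (the "frequency")
    seed_path = {}             # path each corpus entry exercises
    seed_uses = Counter()      # how often each seed has been selected
    seen_paths = set()
    executions = 0

    def run(data: bytes) -> tuple:
        nonlocal executions
        executions += 1
        path = toy_target(data)
        path_freq[path] += 1
        return path

    for s in corpus:
        p = run(s)
        seed_path[s] = p
        seen_paths.add(p)

    while executions < iterations:
        parent = corpus[rng.randrange(len(corpus))]
        n = energy(schedule, path_freq[seed_path[parent]], seed_uses[parent])
        seed_uses[parent] += 1
        for _ in range(n):
            if executions >= iterations:
                break
            child = mutate(rng, parent)
            p = run(child)
            if p not in seen_paths:          # new coverage: keep as a seed
                seen_paths.add(p)
                corpus.append(child)
                seed_path[child] = p
    return {
        "paths": seen_paths,
        "executions": executions,
        "corpus_size": len(corpus),
        "found_bug": ("magic0", "magic1", "magic2", "bug") in seen_paths,
    }

if __name__ == "__main__":
    for sched in ("uniform", "fast"):
        r = fuzz(sched, 20000)
        print(sched, "paths:", len(r["paths"]), "bug:", r["found_bug"])
```

Running the script compares the two schedules on the same execution budget; the number of distinct paths and whether the simulated bug location was reached are the observable effects of the schedule, and the toy target has at most six distinct paths.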


News: Released the AFLfast tool, which improves the AFL fuzzer - see Hacker News. This has led to discussions, and to changes in the widely used AFL fuzzer from Google.



Directed Greybox Fuzzing

Marcel Böhme, Van Thuan Pham, Manh Dung Nguyen, Abhik Roychoudhury

24th ACM Conference on Computer and Communications Security (CCS) 2017.



Bucketing Failing Tests using Symbolic Analysis (pdf)

Van Thuan Pham, Saakar Khurana, Subhajit Roy, Abhik Roychoudhury

International Conference on Foundational Aspects of Software Engineering (FASE) 2017.


Coverage-based Greybox Fuzzing as Markov Chain (pdf)

Marcel Böhme, Van Thuan Pham, Abhik Roychoudhury

23rd ACM Conference on Computer and Communications Security (CCS) 2016.



Model-based Whitebox Fuzzing for Program Binaries (pdf)

Van Thuan Pham, Marcel Böhme, Abhik Roychoudhury

IEEE/ACM International Conference on Automated Software Engineering (ASE) 2016.



Hercules: Reproducing Crashes in Real-World Application Binaries (pdf)

Van Thuan Pham, Wei Boon Ng, Konstantin Rubinov, Abhik Roychoudhury

ACM/IEEE International Conference on Software Engineering (ICSE) 2015.



CoREBench: Studying Complexity of Regression Errors (pdf)

Marcel Böhme, Abhik Roychoudhury

ACM International Symposium on Software Testing and Analysis (ISSTA) 2014.



Regression Tests to Expose Change Interaction Errors (pdf)

Marcel Böhme, Bruno C.d.S. Oliveira, Abhik Roychoudhury

Joint Meeting of the ACM SIGSOFT Symposium and the European Conference on Foundations of Software Engineering (ESEC-FSE) 2013.



Partition-based Regression Verification (pdf)

Marcel Böhme, Bruno C.d.S. Oliveira, Abhik Roychoudhury

ACM/IEEE International Conference on Software Engineering (ICSE) 2013.



Path Exploration based on Symbolic Output (pdf)

Dawei Qi, Hoang D.T. Nguyen, Abhik Roychoudhury

ACM Transactions on Software Engineering and Methodology (TOSEM), 22(4), 2013. Conference paper appeared in ESEC-FSE 2011.



DARWIN: An approach to debugging evolving programs

Dawei Qi, Abhik Roychoudhury, Zhenkai Liang, Kapil Vaswani

ACM Transactions on Software Engineering and Methodology (TOSEM), 2012. Conference paper appeared in ESEC-FSE 2009.




Current Members:


The later parts of the research are integrated as part of an umbrella project, TSUNAMi, funded by a substantial research grant from NRF (National Research Foundation, Singapore). This support is gratefully acknowledged.

National University of Singapore   |   School of Computing   |   National Research Foundation