Ruhr-Uni-Bochum

Mathias Payer (EPFL school of computer and communication sciences/IC)

"Security Testing Hard to Reach Code"

Abstract. Memory corruption plagues systems since the dawn of computing. Attacks have evolved alongside the development of ever stronger defenses resulting in an eternal war in memory. Despite the rise of strong mitigations such as stack cookies, ASLR, DEP, or most recently Control-Flow Integrity, exploits are still prevalent as none of these defenses offers complete protection. This situation calls for program testing techniques that discover reachable vulnerabilities before the attacker. Finding and fixing bugs is the only way to protect against
any exploitation.

We develop fuzzing techniques that follow an adversarial approach, focusing on the exposed attack surface and exploring potentially reachable vulnerabilities. In this talk we will discuss two areas of hard to reach code: (i) areas of a program that are guarded through hard to satisfy checks (such as checksums or equivalence checks) and (ii) drivers that interact with peripherals.

First, whenever the fuzzer hits a coverage wall and no longer makes progress, we detect checks in the code that current input could not satisfy. Through transformational fuzzing we target these underexplored program components and fine-tune the program under test to particular use cases. Second, by providing a custom-tailored emulation environment we create mock Trojan devices that allow fuzzing the peripheral/driver interface. In these projects we develop new techniques to test different kinds of hard to reach code and exposed large
amounts of vulnerabilities.

Biography. Mathias Payer is a security researcher and an assistant professor at the EPFL school of computer and communication sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques.

After 4 years at Purdue university, he joined EPFL in 2018. Before joining Purdue in 2014 he spent two years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012, focusing on enforcing security policies through low-level binary translation. All prototype implementations are open-source. He co-founded the EPFL polygl0t and Purdue b01lers CTF teams.