School of Computing PhD candidate Adrian Herrera’s research on “fuzzing” has escaped the lab and, only weeks after publication, is being incorporated into the software industry’s preferred bug-finding tool, AFL++.
Fuzzing is a testing technique that involves the generation of invalid or unexpected data to be used as inputs to a computer program to root out vulnerabilities. Enhancing the effectiveness of fuzzing means that government and private computing systems will be better protected against hostile actors and system failures, making all of us safer.
Cybersecurity research goes global
The open source, globally collaborative AFL++ is the most widely used fuzzing software. Herrera’s research looked at its selection process for the seed inputs that begin the fuzzing process.
“Typically, when you start running a fuzzer, you give it an initial set of files that it will start mutating and smashing together to generate all this random data to feed into the software that you’re testing,” Herrera said. “So, the question we were looking at was, ‘what is the best set of files that you start with?’”
Herrera and colleagues found that fuzzing outcomes vary significantly depending on the initial seeds, suggesting that seed choice should be carefully considered and explicitly documented.
In mid-July, they presented this work at the annual International Symposium on Software Testing and Analysis (ISSTA) conference, and quickly afterward fuzzer developers around the world began contacting Herrera, asking for advice on how best to integrate this work into their infrastructure. “Then, they started doing some tests and they found that the improvements were significant enough that they were pretty keen to make it the default tool in their suite,” Herrera said.
Herrera and colleagues designed software that takes a large collection of data and distills it down to a bare minimum set of seed files for fuzzing work. “There are a couple of existing tools that do this, but our tooling produces a significantly smaller starting set of files, which is I guess what caught people’s interest,” he said.
“Adrian’s work is a great example of how pathways to impact can take a few years, but the breakthroughs can see rapid uptake once they come,” said Professor Tony Hosking, who leads the ANU School of Computing.
Herrera’s path to ANU was neither direct nor traditional. After earning an undergraduate degree at the University of Wollongong in 2011, he went to work for the Defence Science and Technology Group (DSTG). In 2018, DSTG entered a partnership with ANU as part of its mission to engage Australia’s science, technology, and innovation ecosystem to address Defence and national security challenges. It was at the behest of DSTG that Herrera joined the research team at ANU as a subject matter expert.
“I’ve always been interested in doing a PhD, and it seemed like an aligning of the planets,” Herrera said. “This collaborative project with ANU was up and running and I was already involved in that, so it kind of made sense.”
In addition to conducting research at ANU, Herrera has served as a lecturer and contributed to the planning of a course in cybersecurity. Students and staff say that Herrera’s research and his teaching are both enhanced by his experience outside the university setting and outside of Australia. Prior to coming to ANU, Herrera took a leave of absence from DSTG to work as a research engineer in Switzerland at École polytechnique fédérale de Lausanne.
Herrera’s undergraduate studies focused on electrical engineering, but he has never done any work in that field. “I pivoted immediately to computer science which turned out to be really good because I really love it,” he said.
That pivot began during an internship at CSIRO in Brisbane toward the end of Herrera’s undergraduate studies. “The project that I worked on there was focused on embedded systems and securing communications,” he said. “So, that was my introduction to cybersecurity.”
Herrera was still an undergraduate when he interviewed for a job with DSTG. He found himself a candidate for several roles, but the emerging field of cybersecurity interested him most. Ten years later, he is a senior researcher at DSTG, working at the forefront of cybersecurity and pursuing a PhD at the ANU School of Computing.
“Ultimately it came down to the technical challenge. Cybersecurity was a hard problem back then, and it’s only getting harder. We’re still talking about it today. In fact, we’re talking about it a lot more. It was the technical challenge and the technical parts of it that drew me in.”