Colloquia - Stefan Nagy, Advancing and Accelerating Vetting of the Closed-source Software Ecosystem, Virtual, 4:25 - 5:25 pm

Thursday, January 20, 2022 - 4:25pm to 5:25pm
Event Type: 

Stefan Nagy - Smiling man with shaved head stands in front of a glass door.

Advancing and Accelerating Vetting of the Closed-source Software Ecosystem


Today’s computing world is at a crossroads: the security community has long been the heart of responsible disclosure efforts to secure open-source software and systems (e.g., OSSFuzz, BugZilla), yet society’s ubiquitous devices, platforms, and applications (e.g., iPhone, Windows, and Skype) are increasingly closed-source. Currently, exploits targeting closed-source IP (e.g., iOS) routinely sell for millions of dollars, making the black-market exploit trade far more lucrative than responsible disclosure bug bounties. Reversing course from the next decade’s worst cyberattack demands that science introduce effective security vetting outside of transparent, open-source contexts. In this talk, I will discuss my vision of tackling the asymmetries impeding security auditing of today's complex and opaque codebases. I will cover three arcs of my work on improving performance of closed-source software fuzz-testing (fuzzing). Beyond expediting discovery of security vulnerabilities in closed-source codebases, these innovations provide a basis for future advances in high-performance testing on the world's most popular and security-critical software and systems.


Stefan Nagy is a Ph.D. candidate and Hume Center for National Security and Technology Graduate Fellow advised by Dr. Matthew Hicks in the Department of Computer Science at Virginia Tech. He received his Bachelor's in Computer Science from The University of Illinois at Urbana-Champaign in 2016. His research interests are in security, software engineering, and systems. His work aims to make automated software and system security vetting more accessible, transparent, and efficient irrespective of kernel, architecture, and source code. His research has been published in top-tier academic venues (e.g., IEEE S&P, USENIX Security, ACM CCS, and ICSE), and has garnered adoption by industry leaders like the AFL++ Project, Google Project Zero, and Red Hat.