Tuesday, September 9, 2025

Trusted CI Webinar: No Harness, No Problem: Extending Fuzzing’s Reach via Oracle-guided Harness Generation, Monday September 22nd @ 10am Central

University of Utah's Stefan Nagy is presenting the talk, No Harness, No Problem: Extending Fuzzing’s Reach via Oracle-guided Harness Generation, on Monday September 22nd at 10am, Central time.

Please register here.

As NIST estimates that today's software contains up to 25 bugs per 1,000 lines of code, the prompt discovery of exploitable flaws is now crucial to mitigating the next big cyberattack. Over the last decade, the software industry mitigated increasing complexity by turning to a lightweight approach known as fuzzing: automated testing that uncovers program bugs through repeated injection of randomly-mutated test cases. Academia and industry have extensively studied fuzzing's three main challenges—input generation, program feedback collection, and, most critically, code harnessing—accelerating fuzzing to find many more vulnerabilities in less time. However, the critical nature of scientific computing—multi-purpose software toolkits, bespoke APIs, and high-performance environments—demands analogous advances in the vetting of scientific cyberinfrastructure. 

In this talk, I will showcase my group's research on automatic code harnessing, a key step toward making fuzzing scalable to today's complex scientific libraries. First, I will introduce our core approach Oracle-guided Harnessing: a technique that mutationally constructs and refines fuzzing harnesses using only library headers, validated through correctness oracles spanning compilation, execution, and coverage. Next, I will discuss our extensions of this approach to the C and Python library ecosystems, where it has uncovered over 70 previously-unknown security vulnerabilities and logical bugs across widely-used codebases. Finally, I will outline my vision for synergistic harnessing techniques that combine emergent large-language-model–driven methods with our Oracle-guided strategies, charting a path toward fully automatic, broadly applicable, and error-free harnessing.

Speaker Bio: 

Dr. Stefan Nagy is an Assistant Professor in the Kahlert School of Computing at the University of Utah, where he directs the FuTURES³ Lab. His work lies at the intersection of software engineering, computer systems, and security, with a focus on making automated vetting of software and systems more effective and efficient irrespective of kernel, architecture, and source code. His research frequently appears at top venues such as ICSE, USENIX Security, and ACM CCS, and has led to the discovery of more than 200 previously-unknown software bugs and security vulnerabilities (futures.cs.utah.edu/bugs). He holds a PhD from Virginia Tech and a BS from the University of Illinois at Urbana-Champaign.


---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."