Research & Innovation

Jun Xu Awarded NSF Grant of $1.2 Million to Better Uncover Software Vulnerabilities

Xu and students aim to revolutionize fuzzing techniques for large software

Photo of Jun Xu

Principal Investigator (PI) Jun Xu, assistant professor of computer science at Stevens’ Charles V. Schaefer, Jr. School of Engineering and Science, and Co-PI Long Lu of Northwestern University were recently awarded a grant of $1.2 million from the National Science Foundation as a part of the organization’s Secure and Trustworthy Cyberspace (SaTC) program. Their project, entitled “Collaborative Research: SaTC: CORE: Medium: Rethinking Fuzzing for Security,” will improve methods for uncovering vulnerabilities in software code that can be exploited by malicious actors. Stevens leads this initiative.

Finding software vulnerabilities is becoming increasingly challenging because the software widely used in day-to-day life is growing larger and more complex. Xu’s project addresses this challenge by rethinking a classic technique called “fuzzing” for finding vulnerabilities in large software. The high-level aim of fuzzing is to create a large number of random inputs to run software and, in turn, trigger vulnerabilities. While existing fuzzing techniques primarily follow an approach called code-coverage-driven fuzzing, this project shows that code coverage has weaker-than-expected ties with vulnerabilities, and thus is not well suited for vulnerability finding.

In his project, Xu will pioneer vulnerability-coverage-driven fuzzing. Novels to his project are new approaches, techniques, and tools that could revolutionize fuzzing and make the nearly-random testing process more intelligent and targeted—ultimately enhancing the security of various types of widely used software, ranging from web browsers to server-side programs.

Xu will include both undergraduate and graduate students in this research, and will ultimately provide outreach to industry professionals in order to raise awareness around software security.

Learn more about cybersecurity at Stevens: