Despite advances in cybersecurity, even the most protected networks are vulnerable to cyberattacks due to software bugs or security flaws. Though vulnerability detection methods such as fuzzing can detect bugs, these methods have some limitations. Endadul Hoque, assistant professor in electrical engineering and computer science, has made significant progress researching computer networks and systems security and is working to enhance network security by developing an innovative automated solution.
Hoque has received a National Science Foundation (NSF) CAREER Award to research context-sensitive fuzzing for networked systems. This grant supports early career faculty with their professional development and will build upon Hoque’s research on computer networks and systems security, program analysis, and software engineering.
“Many big tech companies like Google and Microsoft have been investing in fuzzing techniques and have seen the importance of finding bugs in existing software,” Hoque says. “The National Institute of Standards in Technology (NIST) also endorses fuzzing as an automated technique for security testing. This project will push boundaries within the field and have an impact on cybersecurity.”
Hoque’s project has three research goals. The first goal is to create a language that can encode complex structures of inputs that change depending on the context and develop algorithms that can quickly generate correct inputs based on this language. The second goal is to create techniques that can mutate these inputs without losing their context sensitivity, which is essential for the process of fuzzing. The final goal is to create mechanisms that ensure the internal state of a protocol is accurately maintained. This will allow each fuzz input to be tested in a suitable state for the protocol being tested.
“In this area of research, people tend to focus on strengthening the system by finding flaws in the existing system that we use in our day-to-day life,” Hoque says. “How can we find loopholes in real-world security-critical systems? This research award falls under that category to advance the limitations of existing methodologies.”
As part of his project, Hoque plans to improve cybersecurity courses and hold K-12 workshops to promote cybersecurity awareness, integrating his research findings into these initiatives. The project will also encourage undergraduate and graduate students from historically marginalized communities to get involved with educational and research activities.
Additionally, Hoque will form a team for cybersecurity competitions such as capture-the-flag (CTF) competitions, where participants search for hidden text strings in vulnerable websites or programs. These gamified competitions are also an effective way to improve cybersecurity education.
“This project has the potential to significantly enhance the robustness of protocol implementations and cybersecurity education, benefiting society. I’m happy to have received this prestigious award.”