Singapore Academic Cybersecurity R&D

Harnessing R&D to Secure our Nation

Trustworthy Systems from UN-trusted component AMalgamations
 

I. Goal

To develop trustworthy systems built from untrusted components such
as COTS (commercial off-the-shelf) components.

II. Technologies

Directed and Efficient Greybox Fuzzing [CCS 2017 & TSE 2018]

AFLFast

  • 10x faster than the state-of-the-art
  • Received 2000 USD @ Google Security bug bounties
  • Outperforms KLEE on vulnerability detection
  • Integrated into main-line AFL

AFLGo

  • 1st directed greybox fuzzer
  • 10x faster than the state of the art
  • Received 2000 USD @ Google bug bounty
  • Found 17 CVEs @ US National Vulnerability Database
  • Found 39 bugs @ security-critical internet libraries (libxml)
  • Outperforms state-of-the-art in patch testing (KATCH) and crash reproduction (BugRedux)
  • Integrated into Google’s OSS-Fuzz

Panoply – Low-TCB Linux Applications with SGX Enclaves [NDSS 2017]

  • Supports POSIX APIs with 2x smaller TCB
  • Microns: Library-enclaves created by Panoply

Stateful Security Protocol Verification [ICFEM 2017]

  • A novel automatic verification approach for stateful security protocols whose global state evolves without bound

SemGraft – Semantic Program Repair [ICSE 2018]

  • Uses a correct reference implementation to guide automated program repair, providing correctness guarantees for the generated patches
  • This technique can correctly repair bugs in GNU Coreutils using BusyBox as a reference and vice versa

EffectiveSan: Dynamically Typed C/C++ [PLDI 2018]

  • A comprehensive dynamic type checker for C/C++ programs
  • Stores metadata (META) at the base of all objects
  • Given a pointer p into object q, uses the low-fat pointer operation base(p) to find META