BEGIN:VCALENDAR
VERSION:2.0
PRODID:IEEE vTools.Events//EN
CALSCALE:GREGORIAN
BEGIN:VTIMEZONE
TZID:America/Chicago
BEGIN:DAYLIGHT
DTSTART:20260308T030000
TZOFFSETFROM:-0600
TZOFFSETTO:-0500
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:CDT
END:DAYLIGHT
BEGIN:STANDARD
DTSTART:20261101T010000
TZOFFSETFROM:-0500
TZOFFSETTO:-0600
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:CST
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20260609T115735Z
UID:F511EE44-BB91-4457-8136-A48EB9B23A5C
DTSTART;TZID=America/Chicago:20260608T180000
DTEND;TZID=America/Chicago:20260608T200000
DESCRIPTION:Fuzz testing has passed its 35th birthday and\, in that time\,
  has gone from a disparaged and mocked\ntechnique to one that is the found
 ation of many efforts in software engineering and testing. The key\nidea b
 ehind fuzz testing is using random input and having an extremely simple te
 st oracle that only looks\nfor crashes or hangs in the program. Importantl
 y\, in all our studies\, all our tools\, test data\, and results\nwere mad
 e public so that others could reproduce the work. In addition\, we located
  the cause of each\nfailure that we caused and identified the common cause
 s of such failures.\n\nIn the last several years\, there has been a huge a
 mount of progress and new developments in fuzz\ntesting. Hundreds of paper
 s have been published on the subject and dozens of PhD dissertations have\
 nbeen produced. In this talk\, I will review the progress over the last 35
  years describing our simple\napproach – using what is now called black
  box generational testing – and show how it is still relevant\nand effect
 ive today.\n\nIn 1990\, we published the results of a study of the reliabi
 lity of standard UNIX application/utility\nprograms. This study showed tha
 t by using simple (almost simplistic) random testing techniques\, we\ncoul
 d crash or hang 25-33% of these utility programs. In 1995\, we repeated an
 d significantly extended\nthis study using the same basic techniques: subj
 ecting programs to random input streams. This study\nalso included X-Windo
 w applications and servers. A distressingly large number of UNIX applicati
 ons still\ncrashed with our tests. X-window applications were at least as 
 unreliable as command-line applications.\nThe commercial versions of UNIX 
 fared slightly better than in 1990\, but the biggest surprise was that\nLi
 nux and GNU applications were significantly more reliable than the commerc
 ial versions.\nIn 2000\, we took another stab at random testing\, this tim
 e testing applications running on Microsoft\nWindows. Given valid random m
 ouse and keyboard input streams\, we could crash or hang 45% (NT) to\n64% 
 (Win2K) of these applications.\n\nIn 2006\, we continued the study\, looki
 ng at both command-line and GUI-based applications on the\nrelatively new 
 Mac OS X operating system. While the command-line tests had a reasonable 7
 % failure\nrate\, the GUI-based applications\, from a variety of vendors\,
  had a distressing 73% failure rate.\nRecently\, we decided to revisit our
  basic techniques on commonly used UNIX systems. We were\ninterested to se
 e that these techniques were still effective and useful.\nIn this talk\, I
  will discuss our testing techniques and then present the various test res
 ults in more detail.\nThese results include\, in many cases\, identificati
 on of the bugs and the coding practices that caused the\nbugs. In several 
 cases\, these bugs introduced issues relating to system security. The talk
  will conclude\nwith some philosophical musings on the current state of so
 ftware development.\n\nPapers on the four studies (1990\, 1995\, 2000\, 20
 06\, and 2020)\, the software and the bug reports can be\nfound at the UW 
 fuzz home page:\nhttp://www.cs.wisc.edu/~bart/fuzz/\n\nAbout the Speaker:\
 n\nBarton Miller is the Vilas Distinguished Achievement Professor at UW-Ma
 dison.\nMiller is a co-PI on the Trusted CI NSF Cybersecurity Center of
  Exc
 ellence\, where he leads the\nsoftware assurance effort. His research inte
 rests include software security\, in-depth vulnerability\nassessment\, bin
 ary and malicious code analysis and instrumentation\, extreme scale system
 s\, and\nparallel and distributed program measurement and debugging. In 19
 88\, Miller founded the field of\nFuzz random software testing\, which is 
 the foundation of many security and software engineering\ndisciplines. In 
 1992\, Miller (working with his then-student Prof. Jeffrey Hollingsworth)
  founded the\nfield of dynamic binary code instrumentation and coined the 
 term “dynamic instrumentation”.\nMiller is a Fellow of the ACM and rec
 ently won the Jean Claude Laprie Award in dependable\ncomputing for his wo
 rk on fuzz testing.\n\nMiller was a member of the FAA VECTOR Task Force re
 viewing cybersecurity of the U.S. aviation\ninfrastructure. He was the cha
 ir of the Institute for Defense Analysis Center for Computing Sciences\nPr
 ogram Review Committee\, member of the U.S. National Nuclear Safety Admini
 stration Los\nAlamos and Lawrence Livermore National Labs Cyber Security R
 eview Committee (POFMR)\,\nmember of the Los Alamos National Laboratory Co
 mputing\, Communications and Networking\nDivision Review Committee\, has b
 een on the U.S. Secret Service Electronic Crimes Task Force\n(Chicago Area
 )\, and is currently an advisor to the Wisconsin National Guard 176th
  Cyber Pre
 vention\nTeam and the Wisconsin Security Research Consortium.\n\nRoom: 302
 \, Bldg: Madison Central Library\, 201 West Mifflin Street\, Madison\, Wis
 consin\, United States\, 53703\, Virtual: https://events.vtools.ieee.org/m
 /558704
LOCATION:Room: 302\, Bldg: Madison Central Library\, 201 West Mifflin Stree
 t\, Madison\, Wisconsin\, United States\, 53703\, Virtual: https://events.
 vtools.ieee.org/m/558704
ORGANIZER:harrison@glsan.com
SEQUENCE:16
SUMMARY:Random Testing with ‘Fuzz’: 35 Years of Finding Bugs
URL;VALUE=URI:https://events.vtools.ieee.org/m/558704
END:VEVENT
END:VCALENDAR

