• Angr projects:
  • Type inference and reverse engineering
  • Decompilation?
  • Static checkers (null pointer / divide by zero?)
• Bug injection (LAVA) projects
  • Reading: LAVA paper
  • Using test cases to improve KLEE
    • We have 68 examples of tiny programs that KLEE fails to find a bug in. Why? How can we fix KLEE so it can find those?
  • Precisely measuring attacker-controlled data
    • Liveness
    • TCN
  • New bug types:
    • Null pointer deref
    • Divide by zero
    • Use after free (hard)
    • Concurrency bug (very hard)
  • Making bugs look more realistic
    • Changing data flow
  • Difficulty-preserving obfuscation
    • Hard to diff without making it harder to understand
• Fuzzing projects
  • Deoptimization and constant extraction passes
    • Do these actually get better coverage?
    • What other optimizations? Loop unrolling?
  • Other interesting LLVM passes for fuzzing
    • Constant extraction
    • Data flow?
• PANDA Projects
  • Reading: PANDA paper
  • Dynamic Slicing
  • Symbolic Execution (along a trace)
  • Smarter introspection (API & syscall tracing)
  • Dynamic function comparisons
• Firmware projects
  • Auto-detecting the base address and entry point
  • Interrupt explorer (Casey/?)
  • Coverage-guided fuzzing (Nick/Danny)
• Malware projects
  • Defeating environment-sensitive malware
    • Create test programs that implement different evasions
    • Write PANDA plugin that implements countermeasures
    • Evaluate countermeasures on some incoming malware samples
  • Something else interesting with the 65,000 traces we have :)