Thesis topic: Fuzz Testing for the Android Virtual Machine
During fuzz testing, one generates deliberately invalid inputs to see how the tested program copes with them. When a program sanitizes its inputs insufficiently, this can be the source of serious security vulnerabilities such as buffer overflows.
The goal of this thesis project is to write and evaluate a fuzzing framework for the Dalvik Virtual Machine (the VM used to run Android applications). A challenge will be to generate invalid inputs that are not totally random (as such inputs would likely not expose new bugs), but instead to generate inputs that are close to legal Android programs. For this to work, the fuzzing framework will need to have an understanding of what legal bytecode sequences are, and how they can be turned into illegal ones. This will require parsing Android bytecode into an intermediate representation, applying transformations at this level, and synthesizing (illegal) bytecode from the transformed representation. For the parsing and synthesis, existing (dis)assemblers for Dalvik bytecode may be used.
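As an added illustration (not part of the thesis description, and not an existing tool), the following Python sketches the parse/transform/synthesize pipeline on a tiny Dalvik opcode subset: the mutation keeps the byte encoding well-formed but breaks the register typing rules, so it exercises the VM's bytecode verifier rather than its instruction decoder. Opcode numbers and format names follow the public Dalvik instruction-format documentation; the helper names, the IR class and the sample input are my own.

```python
from dataclasses import dataclass
# Opcode -> (mnemonic, Dalvik format). Code units are 16-bit little-endian.
# 10x: no operands; 11n: vA, #+B (nibbles); 12x: vA, vB (nibbles);
# 21s: vAA (byte), #+BBBB (signed 16-bit literal).
OPCODES = {0x0e: ("return-void", "10x"), 0x12: ("const/4", "11n"),
           0x13: ("const/16", "21s"), 0x01: ("move", "12x"),
           0xb0: ("add-int/2addr", "12x"), 0xbb: ("add-long/2addr", "12x")}
BY_NAME = {name: op for op, (name, _) in OPCODES.items()}
# Constructed sample method body: const/4 v0,#3; const/4 v1,#5; add-int/2addr v0,v1; return-void
SAMPLE = bytes.fromhex("1230 1251 b010 0e00")

@dataclass
class Insn:
    name: str
    a: int = 0  # vA / vAA
    b: int = 0  # vB, or literal (11n literal kept as raw nibble)

def parse(code: bytes) -> list[Insn]:
    """Decode the subset into IR; KeyError on an opcode outside the subset."""
    ir, i = [], 0
    while i < len(code):
        name, fmt = OPCODES[code[i]]
        if fmt == "10x":
            ir.append(Insn(name)); i += 2
        elif fmt in ("11n", "12x"):
            ir.append(Insn(name, code[i + 1] & 0xF, code[i + 1] >> 4)); i += 2
        else:  # 21s: one byte register, then a 16-bit little-endian literal
            lit = int.from_bytes(code[i + 2:i + 4], "little", signed=True)
            ir.append(Insn(name, code[i + 1], lit)); i += 4
    return ir

def synthesize(ir: list[Insn]) -> bytes:
    """Encode IR back to bytes, whether or not the program is type-legal."""
    out = bytearray()
    for ins in ir:
        op, fmt = BY_NAME[ins.name], OPCODES[BY_NAME[ins.name]][1]
        if fmt == "10x":
            out += bytes([op, 0])
        elif fmt in ("11n", "12x"):
            out += bytes([op, ((ins.b & 0xF) << 4) | (ins.a & 0xF)])
        else:
            out += bytes([op, ins.a & 0xFF]) + (ins.b & 0xFFFF).to_bytes(2, "little")
    return bytes(out)

def widen_int_ops(ir: list[Insn]) -> list[Insn]:
    """Mutation: add-int/2addr -> add-long/2addr. Encoding stays well-formed, but the
    64-bit op now names register pairs holding 32-bit ints; a correct verifier rejects it."""
    return [Insn("add-long/2addr", x.a, x.b) if x.name == "add-int/2addr" else x for x in ir]

def mutate(code: bytes) -> bytes:
    """Whole pipeline: parse -> IR-level transform -> re-encode."""
    return synthesize(widen_int_ops(parse(code)))
```

A real framework would plug a disassembler in for `parse`, carry many such transformations, and record which mutated inputs the VM under test accepts instead of rejecting.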
The student's thesis should contain an evaluation section describing how the framework has been applied to find bugs in an existing Dalvik virtual machine.
Master's students will be asked to implement more, or more complex, fuzzing transformations than Bachelor's students.
Are you interested? Please email me (firstname.lastname@example.org) for further information.