Mathias Payer

Mathias Payer

Security Testing Hard-to-Reach-Code


Vulnerabilities in code enable adversaries to exploit programs, e.g., leaking private information or escalating privileges to gain code execution. Memory corruption and type confusion are common bug classes that are the basis of most vulnerabilities in low level software written in C or C++. Despite the rise of strong mitigations such as stack cookies, ASLR, DEP, or most recently Control-Flow Integrity, exploits are still prevalent as none of these defenses offers complete protection. This situation calls for program testing techniques that discover reachable vulnerabilities before an attacker. Finding and fixing bugs is the only way to protect against any exploitation.

As current programs are massively complex with hundreds of millions of lines of code, finding all bugs is infeasible. In a first step we develop an automatic approach to assess the attack surface of programs. By focusing on code that processes adversary-controlled input we can restrict the amount of code that must be vetted. Memory corruption and type confusion bugs inherently result in undefined behavior. For example, a buffer overflow may result in a segmentation fault, corruption of another memory object, or a write to an unused memory region. Sanitization is a technique that makes undefined behavior explicit by instrumenting the program with policy checks during compilation. Whenever a policy check fails, e.g., when writing past the end of a buffer, the sanitizer reports the bug location and additional details. Sanitization is a dynamic software testing technique and therefore requires concrete executions to detect bugs. Fuzzing complements sanitization by automatically generating inputs to trigger new code paths. We will discuss the combination of fuzzing and sanitization to test exposed code and to secure the current attack surface.


Mathias Payer is a security researcher and an assistant professor at the EPFL school of computer and communication sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques. All prototype implementations are open-source.

After 4 years at Purdue university, he joined EPFL in 2018. Before joining Purdue in 2014 he spent two years as PostDoc in Dawn Song’s BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012, focusing on enforcing security policies through low-level binary translation. He co-founded the EPFL polygl0t and Purdue b01lers CTF teams.