History and Future of Automated Vulnerability Analysis

Proceedings of the 24th ACM Symposium on Access Control Models and Technologies (2019)

Abstract
The software upon which our modern society operates is riddled with security vulnerabilities. These vulnerabilities allow hackers access to our sensitive data and make our system insecure. To identify vulnerabilities in software, human experts, or vulnerability researchers, are employed. These human experts are quite expensive. And, more fundamentally, human experts cannot analyze every change made to every piece of software (any of which could introduce a security vulnerability). Therefore, automated vulnerability analysis techniques were developed to automatically perform the process of identifying security vulnerabilities in software systems. These tools attempt to democratize the vulnerability analysis process: allowing any developer to identify vulnerabilities in their software automatically, thus finding such vulnerabilities before a malicious hacker. In this keynote, I will discuss the history of automated vulnerability analysis, from both the binary and the web perspective. Binary fuzzing and black-box web application vulnerability analysis have many aspects in common, yet are often thought of separately. From this, I will discuss the future of automated vulnerability analysis, and how we can achieve the effectiveness of a human vulnerability researcher.
Keywords
automated vulnerability analysis, binary security, fuzzing, vulnerability analysis, web security