Thuan Pham

Dr. Van-Thuan Pham

ARC DECRA Fellow & Senior Lecturer at the University of Melbourne

About

Thuan Pham is a Senior Lecturer in Cyber Security at the University of Melbourne (UoM). He has been working on scalable and high-performance fuzz testing to improve the reliability & security of software systems. Before joining UoM, he worked with Dr. Marcel Böhme at Monash University and Provost's Chair Professor Abhik Roychoudhury at National University of Singapore (NUS) as a postdoctoral Research Fellow. He received his Ph.D. degree in Computer Science from NUS in July 2017. His research, in collaboration with companies and government agencies, has led to many papers published in premier journals and conferences (e.g., TSE, EMSE, ICSE, CCS, ISSTA), one U.S. patent, and one Australian provisional patent. One of his papers won a Distinguished Paper Award at ICSE'24. He has developed several open-source automated security testing tools (e.g., AFLGo, AFLSmart, AFLNet, AFLTeam) that are responsible for 100+ (critical) vulnerabilities discovered in large real-world software systems. His research has been featured on media channels like Theregister.co.uk and Securityweek.com.

News

  • Apr 2024. I have been invited to join the Program Committee of ICSE 2025 and ISSTA 2025
  • Mar 2024. Our ICSE'24 paper "EDEFuzz: A Web API Fuzzer for Excessive Data Exposures" won a Distinguished Paper Award!
  • Sept 2023. I have been promoted to Senior Lecturer (US equiv. Associate Professor), effective from 1st Sept 2023.
  • June 2023. Our paper in collaboration with Google "Registered Report: Beyond The Coverage Plateau - A Comprehensive Study of Fuzz Blockers" has been accepted to Fuzzing 2023 Workshop
  • June 2023. Our paper "EDEFuzz: A Web API Fuzzer for Excessive Data Exposures" has been accepted to ICSE 2024
  • May 2023. I have been invited to join the Program Committee of ISSTA 2024
  • Dec 2022. A provisional patent has been filed for our work on detecting excessive data exposures from Web APIs
  • Sept 2022. I have been awarded an ARC DECRA 2023 (with ~410k AUD from ARC & 50k from UoM) to conduct my research on Human-In-The-Loop Fuzzing. A PhD position is open for this project, starting from 2023.
  • Sept 2022. I have been invited to join the Program Committee of ICSE 2024
  • Jun 2022. I have been invited to join the Dagstuhl seminar 23131 "Software Bug Detection: Challenges and Synergies"
  • Apr 2022. Our paper entitled "Human-in-the-Loop Oracle Learning for Semantic Bugs in String Processing Programs" has been accepted to ISSTA 2022.
  • Dec 2021. AFLTeam (Alpha version) has been released at https://github.com/MelbourneFuzzingHub/aflteam.
  • Nov 2021. I have been invited to join the Fuzzing'22 Program Committee. Please consider submitting your papers.
  • Oct 2021. I will be speaking at the FuzzCon Europe 2021 online conference about our work on effective parallel fuzzing.
  • Aug 2021. Our paper entitled "Towards Systematic and Dynamic Task Allocation for Collaborative Parallel Fuzzing" has been accepted to ASE 2021 (NIER Track).
  • Jan 2021. We have released ProFuzzBench - A Benchmark for Stateful Protocol Fuzzing. Please check it out.
  • Nov 2020. I have been invited to join the USENIX Security '21 Program Committee. Please consider submitting your papers.
  • July 2020. I have joined the University of Melbourne as a Lecturer in Cyber Security.
Publications

    EDEFuzz: A Web API Fuzzer for Excessive Data Exposures

    Lianglu Pan, Shaanan Cohney, Toby Murray, and Van-Thuan Pham
    ACM/IEEE International Conference on Software Engineering (ICSE) 2024

    Human-in-the-Loop Oracle Learning for Semantic Bugs in String Processing Programs

    Charaka Geethal, Van-Thuan Pham, Aldeida Aleti, and Marcel Böhme
    The ACM SIGSOFT International Symposium on Software Testing and Analysis 2022 (ISSTA'22)

    State Selection Algorithms and Their Impact on The Performance of Stateful Network Protocol Fuzzing

    Dongge Liu, Van-Thuan Pham, Gidon Ernst, Toby Murray, Benjamin I.P. Rubinstein
    IEEE International Conference on Software Analysis, Evolution and Reengineering 2022 (SANER'22) (RENE Track)

    Towards Systematic and Dynamic Task Allocation for Collaborative Parallel Fuzzing

    Van-Thuan Pham, Manh-Dung Nguyen, Quang-Trung Ta, Toby Murray, Benjamin I.P. Rubinstein
    IEEE/ACM International Conference on Automated Software Engineering 2021 (ASE'21) (NIER Track)

    ProFuzzBench: A Benchmark for Stateful Protocol Fuzzing

    Roberto Natella, and Van-Thuan Pham
    ACM International Symposium on Software Testing and Analysis 2021 (ISSTA'21) (Tool Demonstrations Track)

    AFLNet: A Greybox Fuzzer for Network Protocols

    Van-Thuan Pham, Marcel Böhme, and Abhik Roychoudhury
    IEEE International Conference on Software Testing, Verification and Validation 2020 (ICST'20) (Testing Tools Track)

    Human-In-The-Loop Automatic Program Repair

    Marcel Böhme, Charaka Geethal and Van-Thuan Pham
    IEEE International Conference on Software Testing, Verification and Validation 2020 (ICST'20)

    Smart Greybox Fuzzing

    Van-Thuan Pham, Marcel Böhme, Andrew E. Santosa, Alexandru Răzvan Căciulescu and Abhik Roychoudhury
    IEEE Transactions on Software Engineering (TSE) 2019 (To appear)

    Coverage-based Greybox Fuzzing as Markov Chain

    Marcel Böhme, Van-Thuan Pham and Abhik Roychoudhury
    IEEE Transactions on Software Engineering (TSE) 2018

    Directed Greybox Fuzzing

    Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen and Abhik Roychoudhury
    ACM Conference on Computer and Communications Security (CCS) 2017

    Bucketing Failing Tests via Symbolic Analysis

    Van-Thuan Pham, Sakaar Khurana, Subhajit Roy and Abhik Roychoudhury
    International Conference on Fundamental Approaches to Software Engineering (FASE) 2017

    Coverage-based Greybox Fuzzing as Markov Chain

    Marcel Böhme, Van-Thuan Pham and Abhik Roychoudhury
    ACM Conference on Computer and Communications Security (CCS) 2016

    Model-based Whitebox Fuzzing for Program Binaries

    Van-Thuan Pham, Marcel Böhme, Abhik Roychoudhury
    IEEE/ACM International Conference on Automated Software Engineering (ASE) 2016

    Hercules: Reproducing Crashes in Real-World Application Binaries

    Van-Thuan Pham, Wei Boon Ng, Konstantin Rubinov and Abhik Roychoudhury
    ACM/IEEE International Conference on Software Engineering (ICSE) 2015

    Integrated Timing Analysis of Application and Operating Systems Code

    Lee Kee Chong, Clement Ballabriga, Van-Thuan Pham, Sudipta Chattopadhyay and Abhik Roychoudhury
    IEEE Real-time Systems Symposium (RTSS) 2013

    A General Solution supporting Real-time and Remote Electrocardiogram Diagnostic based on Embedded and Mobile Technology

    Dung Cao Tuan, Thuan Pham Van, Viet Hoang Anh
    International Symposium on Information and Communication Technology (SoICT) 2012

    Patent

    Autonomous reasoning system for vulnerability analysis

    Praveen Murthy, Bogdan Copos and Thuan Pham
    (Short description) Automated vulnerability detection and program repair system working directly on program binaries.
    United States Patent - US9767290B2

    Selected Work Experience

    Lecturer - University of Melbourne (From 7/2020)

    Teaching and doing research on software security.

    Research Fellow - Monash University (12/2018 - 6/2020)

    Worked on Fuzz testing techniques for vulnerability detection.

    Research Fellow - NUS (8/2017 - 11/2018)

    Worked on Fuzz testing techniques for vulnerability detection & crash reproduction.

    Research Associate - NUS (4/2017 - 7/2017)

    Worked on Fuzz testing techniques for vulnerability detection & crash reproduction.

    Research Assistant - NUS (5/2016 - 3/2017)

    Worked on Fuzz testing techniques for vulnerability detection & crash reproduction.

    Research Intern - Fujitsu Laboratories of America (2/2015 - 5/2015)

    Involved in a team to build an automated Cyber Reasoning System (CRS) to participate in the DARPA Cyber Grand Challenge - The World’s first all-machine hacking tournament.

    Lecturer - Hanoi University of Science and Technology (8/2007 - 8/2012)

    Taught courses in subjects such as Microprocessors, Embedded Systems, Microsoft .NET Framework and was involved in R&D and technology transfer activities.

    Co-founder & Trainer - Embedded247 Training Center (5/2011 - 7/2012)

    Designed courses & involved in training activities.

    Co-founder & Research Lead - Mimas Solutions and Services jsc., (5/2011 - 7/2012)

    Designed and developed prototypes for emotion & image recognition systems.

    Research Intern - Orange France Telecom (2/2009 - 7/2009)

    Designed and evaluated routing protocols for wireless sensor networks.

    Awards

    Research Achievement Award AY2014/2015 - School of Computing, NUS (AY2014/2015)

    Presented to PhD students who have achieved outstanding research performance.

    3rd prize VIFOTEC Scientific and Technological Innovation Award - Ministry of Science and Technology (Vietnam) (2011)

    For an automatic mirror-rotation based Goniophotometer hardware & software system. The product was bought by Rang Dong Lighting Ltd., one of the biggest lighting companies in Vietnam.

    Top 5 Intel & DST Asia Pacific Challenge 2011 - (2011)

    For a Brain-Computer-Interface (BCI) based emotion recognition system.

    1st prize Vietnamese Talent Award - (2010)

    For a system helping disabled people to control electronic/electrical devices via brain signals.