Thuan Pham

Dr. Van-Thuan Pham

Research Fellow

About Me

Thuan Pham is currently a Research Fellow at Monash University, working on scalable and high-performance fuzz testing to improve the reliability of software systems running on IoT devices, mobile devices, personal computers, and servers. Before joining Monash, he worked in the TSUNAMi research center (National University of Singapore) which focuses on software and system security. He received his Ph.D. degree in Computer Science from the National University of Singapore (NUS) in July 2017. His research, in collaborations with companies and government agencies, has led to many papers published at premier journals and conferences (e.g., TSE, ICSE, ASE, ICST, CCS) as well as one US patent. He has developed several well-received security testing tools (e.g., AFLGo, AFLSmart, AFLNet), that have found 100+ (critical) vulnerabilities in large real-world software systems (e.g., PDFium, FFmpeg, LibXML2, LibAV, LibPNG, Binutils). His research has been featured in media channels like Theregister.co.uk and Securityweek.com.   

News

  • Jan 2020. Our paper entitled "AFLNet: A Greybox Fuzzer for Network Protocols" has been accepted at ICST 2020 (Testing Tools Track).
  • Dec 2019. My talk entitled "Secure Software Development with Continuous Fuzzing" has been accepted at Bsides Melbourne 2020.
  • Dec 2019. Our paper "Human-In-The-Loop Automatic Program Repair" has been accepted at ICST'20.
  • Sep 2019. I have attended the Shonan meeting on Fuzzing and Symbolic Execution in Tokyo .
  • Sep 2019. AFLSmart (Smart Greybox Fuzzing) has been accepted by TSE.
  • Feb 2019. We have released the source code of AFLSmart (Smart Greybox Fuzzing).
  • Dec 2018. I have joined Monash to work with Dr. Marcel Böhme on scalable and high-performance fuzz testing systems.
  • Nov 2018. We have published the preprint of AFLSmart on Arxiv. It has been quickly covered by media channels such as Theregister.co.uk, Securityweek.com and Twitter. We have received many requests to access the code from research community and industry.
  • Aug 2017. Our paper entitled "Directed Greybox Fuzzing" has been accepted at CCS 2017.
  • Feb 2017. served as a lab instructor for the 24-hour Fuzzing Hackathon at Fuzz Testing for Finding Vulnerabilities Workshop.
  • Feb 2017. Our new fuzzing technique has found several security bugs in widely-used utilities & libraries such as readelf, objdump, cxxfilt, nm and zlib in just a few days of execution. So far, 14 bugs have been confirmed and fixed by the maintainers. Five (5) CVEs have been assigned (CVE-2017-6965, CVE-2017-6966, CVE-2017-6969, CVE-2017-7209 and CVE-2017-7210)
  • Dec 2016. "Bucketing Failing Tests via Symbolic Analysis" has been accepted at FASE/ETAPS 2017.
  • July 2016. "Coverage-based Greybox Fuzzing as Markov Chain" has been accepted at CCS 2016.
  • July 2016. "Model-based Whitebox Fuzzing for Program Binaries" has been accepted at ASE 2016.
  • Apr 2016. Get an offer from Entrepreneur First (EF) - a Europe's leading pre-seed investment programme - to join their first cohort in Singapore to build technology start-ups.
  • Aug 2015. Get Research Achievement Awards from School of Computing, NUS.
  • Dec 2014. "Hercules: Reproducing Crashes in Real-World Application Binaries" will appear in ICSE 2015.

    • Publications

    AFLNet: A Greybox Fuzzer for Network Protocols

    Van-Thuan Pham, Marcel Böhme, and Abhik Roychoudhury
    IEEE International Conference on Software Testing, Verification and Validation 2020 (ICST'20) (Testing Tools Track)

    PDF

    Human-In-The-Loop Automatic Program Repair

    Marcel Böhme, Charaka Gheetal and Van-Thuan Pham
    IEEE International Conference on Software Testing, Verification and Validation 2020 (ICST'20)

    PDF

    Smart Greybox Fuzzing

    Van-Thuan Pham, Marcel Böhme, Andrew E. Santosa, Alexandru Răzvan Căciulescu and Abhik Roychoudhury
    IEEE Transactions on Software Engineering (TSE) 2019 (To appear)

    PDF

    Coverage-based Greybox Fuzzing as Markov Chain

    Marcel Böhme, Van-Thuan Pham and Abhik Roychoudhury
    IEEE Transactions on Software Engineering (TSE) 2018

    Directed Greybox Fuzzing

    Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen and Abhik Roychoudhury
    ACM Conference on Computer and Communications Security (CCS) 2017

    PDF

    Bucketing Failing Tests via Symbolic Analysis

    Van-Thuan Pham, Sakaar Khurana, Subhajit Roy and Abhik Roychoudhury
    International Conference on Fundamental Approaches to Software Engineering (FASE) 2017

    PDF

    Coverage-based Greybox Fuzzing as Markov Chain

    Marcel Böhme, Van-Thuan Pham and Abhik Roychoudhury
    ACM Conference on Computer and Communications Security (CCS) 2016

    PDF

    Model-based Whitebox Fuzzing for Program Binaries

    Van-Thuan Pham, Marcel Böhme, Abhik Roychoudhury
    IEEE/ACM International Conference on Automated Software Engineering (ASE) 2016

    PDF Slides Video

    Hercules: Reproducing Crashes in Real-World Application Binaries

    Van-Thuan Pham, Wei Boon Ng, Konstantin Rubinov and Abhik Roychoudhury
    ACM/IEEE International Conference on Software Engineering (ICSE) 2015

    PDF

    Integrated Timing Analysis of Application and Operating Systems Code

    Lee Kee Chong, Clement Ballabriga, Van-Thuan Pham, Sudipta Chattopadhyay and Abhik Roychoudhury
    IEEE Real-time Systems Symposium (RTSS) 2013

    A General Solution supporting Real-time and Remote Electrocardiogram Diagnostic based on Embedded and Mobile Technology

    Dung Cao Tuan, Thuan Pham Van, Viet Hoang Anh
    International Symposium on Information and Communication Technology (SoICT) 2012

    Patent

    Autonomous reasoning system for vulnerability analysis

    Praveen Murthy, Bogdan Copos and Thuan Pham
    (Short description) Automated vulnerability detection and program repair system working directly on program binaries.
    United States Patent - US9767290B2

    Selected Work Experience

    Research Fellow - NUS (8/2017 - Present)

    Doing research on Fuzz testing techniques for vulnerability detection & crash reproduction.

    Research Associate - NUS (4/2017 - 7/2017)

    Doing research on Fuzz testing techniques for vulnerability detection & crash reproduction.

    Research Assistant - NUS (5/2016 - 3/2017)

    Doing research on Fuzz testing techniques for vulnerability detection & crash reproduction.

    Research Intern - Fujitsu Laboratories of America (2/2015 - 5/2015)

    Involved in a team to build an automated Cyber Reasoning System (CRS) to participate in the DARPA Cyber Grand Challenge - The World’s first all-machine hacking tournament.

    Lecturer - Hanoi University of Science and Technology (8/2007 - 8/2012)

    Taught courses in subjects such as Microprocessors, Embedded Systems, Microsoft .NET Framework and involved in R&D and technonogy transfers activities.

    Co-founder & Trainer - Embedded247 Training Center (5/2011 - 7/2012)

    Designed courses & involved in training activities.

    Co-founder & Research Lead - Mimas Solutions and Services jsc., (5/2011 - 7/2012)

    Designed and developed prototypes for emotion & image recognition systems.

    Research Intern - Orange France Telecom (2/2009 - 7/2009)

    Designed and evaluated routing protocols for wireless sensor networks.

    Awards

    Research Achievement Award AY2014/2015 - School of Computing, NUS (AY2014/2015)

    Presented to PhD students who have achieved outstanding research performance.

    3rd prize VIFOTEC Scientific and Technological Innovation Award - Ministry of Science and Technology (Vietnam) (2011)

    For an automatic mirror-rotation based Goniophotometer hardware & software system. The product was bought by Rang Dong Lighting Ltd., one of the biggest lighting companies in Vietnam.

    Top 5 Intel & DST Asia Pacific Challenge 2011 - (2011)

    For a Brain-Computer-Interace (BCI) based emotion recognition system.

    1st prize Vietnamese Talent Award - (2010)

    For a system helping disabled people to control electronic/electrical devices via brain signals.