Discussion of AI and its applications to security seems unavoidable nowadays, and, alas, this keynote is no exception. But is it actually useful for problems we care about, like fuzzing? In classic academic fashion I will answer “maybe” at great length, but hopefully with enough concrete examples and references to actual code that the talk will be worth listening to. I will cover: 1) Places where it seems obviously misguided (input generation in the fuzzing loop); 2) Areas where it seems to have demonstrable benefits (harness generation); and 3) Promising future directions (generating input seeds, evolving input seed generators).

Brendan Dolan-Gavitt is an Assistant Professor in the Computer Science and Engineering Department at NYU-Poly. He holds a Ph.D. in computer science from Georgia Tech (2014) and a BA in Math and Computer Science from Wesleyan University (2006). Dolan-Gavitt’s research interests span many areas of cyber security, including program analysis, virtualization security, memory forensics, and embedded and cyber-physical systems. His research focuses on developing techniques to ease or automate the understanding of large, real-world software systems in order to develop novel defenses against attacks, typically by subjecting them to static and dynamic analyses that reveal hidden and undocumented assumptions about their design and behavior. His work has been presented at top security conferences such as the ACM Conference on Computer and Communications Security (CCS) and the IEEE Symposium on Security and Privacy. He also led the development of PANDA, an open-source platform for architecture-neutral dynamic analysis, which has users around the world and has been featured in technical press such as The Register. His most recent work, which focuses on developing techniques to probe industrial control systems for vulnerabilities, has been funded by the Office of Naval Research. Prior to joining NYU, he was a postdoctoral researcher at Columbia University.