Publications by Flavio Toffalini

MendelFuzz: The Return of the Deterministic Stage

Mathias Josef Payer, Flavio Toffalini, Han Zheng

Can a fuzzer cover more code with minimal corruption of the initial seed? Before a seed is fuzzed, the early greybox fuzzers first systematically enumerated slightly corrupted inputs by applying every mutation operator to every part of the seed, once per g ...

Association for Computing Machinery (ACM)2025

Liberating Libraries through Automated Fuzz Driver Generation: Striking a Balance without Consumer Code

Mathias Josef Payer, Flavio Toffalini

Fuzz testing a software library requires developers to write fuzz drivers, specialized programs exercising the library. Given a driver, fuzzers generate interesting inputs that trigger the library’s bugs. Writing fuzz drivers manually is a cumbersome proce ...

Association for Computing Machinery (ACM)2025

EmbedWatch: Fat Pointer Solution for Detecting Spatial Memory Errors in Embedded Systems

Flavio Toffalini

This paper introduces EmbedWatch, an innovative crash reporting system specifically designed for embedded devices. EmbedWatch integrates fat pointer principles with remote attestation, efficiently addressing spatial memory errors across various memory segm ...

Association for Computing Machinery, Inc2024

TuneFuzz: Adaptively Exploring Target Programs

Mathias Josef Payer, Flavio Toffalini, Han Zheng

In this report, we present TuneFuzz, an extension of FishFuzz that introduces two key improvements: An optimization that targets different sets of code locations (allowing user-selection of targets) and removes the need for Link Time Optimization. Subseque ...

Association for Computing Machinery, Inc2024

CRYSTALLIZER: A Hybrid Path Analysis Framework to Aid in Uncovering Deserialization Vulnerabilities

Mathias Josef Payer, Flavio Toffalini

Applications use serialization and deserialization to exchange data. Serialization allows developers to exchange messages or perform remote method invocation in distributed applications. However, the application logic itself is responsible for security. Ad ...

Assoc Computing Machinery2023

WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches

Mathias Josef Payer, Flavio Toffalini, Luca Di Bartolomeo, Jianhao Xu

Code-reuse attacks are dangerous threats that attracted the attention of the security community for years. These attacks aim at corrupting important control-flow transfers for taking control of a process without injecting code. Nowadays, the combinations o ...

IEEE COMPUTER SOC2023

FISHFUZZ: Catch Deeper Bugs by Throwing Larger Nets

Mathias Josef Payer, Flavio Toffalini, Han Zheng, Yuqing Zhang, Jiayuan Zhang

Fuzzers effectively explore programs to discover bugs. Greybox fuzzers mutate seed inputs and observe their execution. Whenever a seed reaches new behavior (e.g., new code or higher execution frequency), it is stored for further mutation. Greybox fuzzers d ...

Usenix Assoc2023

VIDEZZO: Dependency-aware Virtual Device Fuzzing

Mathias Josef Payer, Flavio Toffalini, Qiang Liu

A virtual machine interacts with its host environment through virtual devices, driven by virtual device messages, e.g., I/O operations. By issuing crafted messages, an adversary can exploit a vulnerability in a virtual device to escape the virtual machine, ...

Institute of Electrical and Electronics Engineers Inc.2023

Designing a Provenance Analysis for SGX Enclaves

Mathias Josef Payer, Flavio Toffalini

SGX enclaves are trusted user-space memory regions that ensure isolation from the host, which is considered malicious. However, enclaves may suffer from vulnerabilities that allow adversaries to compromise their trustworthiness. Consequently, the SGX isola ...

ASSOC COMPUTING MACHINERY2022

Evocatio: Conjuring Bug Capabilities from a Single PoC

Mathias Josef Payer, Flavio Toffalini

The popularity of coverage-guided greybox fuzzers has led to a tsunami of security-critical bugs that developers must prioritize and fix. Knowing the capabilities a bug exposes (e.g., type of vulnerability, number of bytes read/written) enables prioritizat ...

Association for Computing Machinery2022