ERC StG CodeSan: Code Sanitization for Vulnerability Pruning and Exploitation Mitigation
Despite massive efforts in securing software, about 60 security bugs are publicly reported each month. Systems software is prone to low level bugs caused by undefined behavior (memory corruption, type confusion, or API confusion). Exploits abuse undefined behavior to execute attacker specified code, or to leak information.
We propose code sanitization (CodeSan), a comprehensive approach to improve code quality. CodeSan will sanitize software by (i) automating bug discovery during development through software testing and (ii) protecting deployed software through reflective mitigations. CodeSan trades formal completeness for practical scalability in three steps: First, policy-based sanitization makes undefined behavior (through violations of memory safety, type safety, or API flow safety) explicit and detectable given concrete test inputs. Second, automatic test case generation increases testing coverage for large programs without the need for pre-existing test cases, enabling broader and automated use of policy-based sanitization. Third, for deployed software, reflective mitigations place runtime checks precisely where they are needed based on data-flow and control-flow coverage from our testing efforts. CodeSan complements formal approaches by protecting software that is currently out of reach due to its size, complexity, or low level nature.
CodeSan is a compelling, comprehensive, and adaptive approach to thoroughly address undefined behavior for complex software. The three proposed thrusts complement each other naturally and will immediately guard large software systems such as Google Chromium, Mozilla Firefox, the Android system, or the Linux kernel, making them resilient against attacks.
In line with PI Payer's track record of open sourcing his group's research artifacts on cast sanitization, transformative fuzzing, and control-flow hijacking mitigations, all prototypes produced during CodeSan will be released as open source.
Duration: March 2020 to February 2026 (after a 1-year no-cost extension)
Publications, Prototypes, and Artifacts
2026
CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses
Jianhao Xu, Kunbo Zhang, Mathias Payer, Kangjie Lu, and Bing Mao.
In OOPSLA'26: Object-Oriented Programming, Systems, Languages, and Applications, 2026 (DOI)
SYSYPHUZZ and the Pressure of More Coverage
Zhezhong Ren, Han Zheng, Zhiyao Feng, Qinying Wang, Marcel Busch, Yuqing Zhang, Chao Zhang, and Mathias Payer.
In NDSS'26: Network and Distributed System Security Symposium, 2026 (presentation, source, blog, DOI)
2025
eBPF Misbehavior Detection: Fuzzing with a Specification-Based Oracle
Tao Lyu, Kumar Kartikeya Dwivedi, Thomas Bourgeat, Mathias Payer, Meng Xu, and Sanidhya Kashyap.
In SOSP'25: Symposium on Operating Systems Principles, 2025 (DOI)
Single-Address-Space FaaS with Jord
Yuanlong Li, Atri Bhattacharyya, Madhur Kumar, Abhishek Bhattacharjee, Yoav Etsion, Babak Falsafi, Sanidhya Kashyap, and Mathias Payer.
In ISCA'25: International Symposium on Computer Architecture, 2025 (DOI)
NASS: Fuzzing All Native Android System Services with Interface Awareness and Coverage
Philipp Mao, Marcel Busch, and Mathias Payer.
In SEC'25: Usenix Security Symposium, 2025 (source)
Hercules Droidot and the murder on the JNI Express
Luca Di Bartolomeo, Philipp Mao, Yu-Jye Tung, Jessy Ayala, Marcel Busch, Paolo Celada, Samuele Doria, Joshua Garcia, Eleonora Losiouk, and Mathias Payer.
In SEC'25: Usenix Security Symposium, 2025 (source)
TLBlur: Compiler-Assisted Automated Hardening against Controlled Channels on Off-the-Shelf Intel SGX Platforms
Daan Vanoverloop, Andres Sanchez, Flavio Toffalini, Frank Piessens, Mathias Payer, and Jo Van Bulck.
In SEC'25: Usenix Security Symposium, 2025 (source)
Liberating libraries through automated fuzz driver generation: Striking a Balance Without Consumer Code
Flavio Toffalini, Nicolas Badoux, Zurab Tsindaze, and Mathias Payer.
In FSE'25: ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2025 (presentation, source, DOI)
MendelFuzz: The Return of the Deterministic Stage
Han Zheng, Flavio Toffalini, Marcel Böhme, and Mathias Payer.
In FSE'25: ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2025 (presentation, source, DOI)
Sourcerer: channeling the void
Nicolas Badoux, Flavio Toffalini, and Mathias Payer.
In DIMVA'25: Conference on Detection of Intrusions and Malware and Vulnerability Assessment, 2025 (presentation, source, DOI)
Truman: Constructing Device Behavior Models from OS Drivers to Fuzz Virtual Devices
Zheyu Ma, Qiang Liu, Zheming Li, Tingting Yin, Wende Tan, Chao Zhang, and Mathias Payer.
In NDSS'25: Network and Distributed System Security Symposium, 2025 (presentation, source, video, DOI)
QMSan: Efficiently Detecting Uninitialized Memory Errors During Fuzzing
Matteo Marini, Daniele Cono D'Elia, Mathias Payer, and Leonardo Querzoni.
In NDSS'25: Network and Distributed System Security Symposium, 2025 (source, video, DOI)
DUMPLING: Fine-grained Differential JavaScript Engine Fuzzing
Liam Wachter, Julian Gremminger, Christian Wressnegger, Mathias Payer, and Flavio Toffalini.
In NDSS'25: Network and Distributed System Security Symposium, 2025 (presentation, distinguished paper award, source, video, DOI)
type++: Prohibiting Type Confusion with Inline Type Information
Nicolas Badoux, Flavio Toffalini, Yuseok Jeon, and Mathias Payer.
In NDSS'25: Network and Distributed System Security Symposium, 2025 (presentation, distinguished paper award, source, video, DOI)
2024
Fuzzing JavaScript Engines with a Graph-based IR
Haoran Xu, Zhiyuan Jiang, Yongjun Wang, Shuhui Fan, Shenglin Xu, Peidai Xie, Shaojing Fu, and Mathias Payer.
In CCS'24: ACM Conference on Computer and Communication Security, 2024 (presentation, DOI)
Top of the Heap: Efficient Memory Error Protection of Safe Heap Objects
Kaiming Huang, Mathias Payer, Zhiyun Qian, Jack Sampson, Gang Tan, and Trent Jaeger.
In CCS'24: ACM Conference on Computer and Communication Security, 2024 (DOI)
Tango: Extracting Higher-Order Feedback through State Inference
Ahmad Hazimeh, Duo Xu, Qiang Liu, Yan Wang, and Mathias Payer.
In RAID'24: Recent Advances in Intrusion Detection, 2024 (best paper award, source, DOI)
Monarch: A Fuzzing Framework for Distributed File Systems
Tao Lyu, Liyi Zhang, Zhiyao Feng, Yueyang Pan, Yujie Ren, Meng Xu, Mathias Payer, and Sanidhya Kashyap.
In ATC'24: Usenix Annual Technical Conference, 2024
Exploiting Android's Hardened Memory Allocator
Philipp Mao, Elias Valentin Boschung, Marcel Busch, and Mathias Payer.
In WOOT'24: Usenix Workshop on Offensive Technologies, 2024 (presentation, best paper award)
GlobalConfusion: TrustZone Trusted Application 0-Days by Design
Marcel Busch, Philipp Mao, and Mathias Payer.
In SEC'24: Usenix Security Symposium, 2024 (presentation)
HyperPill: Fuzzing for Hypervisor-bugs by leveraging the Hardware Virtualization Interface
Alexander Bulekov, Qiang Liu, Manuel Egele, and Mathias Payer.
In SEC'24: Usenix Security Symposium, 2024 (presentation, distinguished paper award, source)
Spill the TeA: An Empirical Study of Trusted Application Rollback Prevention on Android
Marcel Busch, Philipp Mao, and Mathias Payer.
In SEC'24: Usenix Security Symposium, 2024 (presentation)
SURGEON: Performant, Flexible and Accurate Re-Hosting via Transplantation
Florian Hofhammer, Marcel Busch, Qinying Wang, Manuel Egele, and Mathias Payer.
In BAR'24: Workshop on Binary Analysis Research, 2024 (distinguished paper award, source, DOI)
Heqing Huang, Anshunkang Zhou, Mathias Payer, and Charles Zhang.
In Oakland'24: IEEE International Symposium on Security and Privacy, 2024 (presentation, DOI)
SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices
Qinying Wang, Boyu Chang, Shouling Ji, Yuan Tian, Xuhong Zhang, Binbin Zhao, Gaoning Pan, Chenyang Lyu, Mathias Payer, Wenhai Wang, and Raheem Beyah.
In Oakland'24: IEEE International Symposium on Security and Privacy, 2024 (presentation, source, DOI)
Gwangmu Lee, Duo Xu, Solmaz Salimi, Byoungyoung Lee, and Mathias Payer.
In AsiaCCS'24: ACM Symp. on InformAtion, Computer and Communications Security, 2024 (presentation, source, DOI)
datAFLow: Toward a Data-Flow-Guided Fuzzer
Adrian Herrera, Mathias Payer, and Antony Hosking.
In TOSEM'23: ACM Transactions on Software Engineering and Methodology, 2023 (source, DOI)
Silent Bugs Matter: A Study of Compiler-Introduced Security Bugs
Jianhao Xu, Kangjie Lu, Zhengjie Du, Zhu Ding, Linke Li, Qiushi Wu, Mathias Payer, and Bing Mao.
In SEC'23: Usenix Security Symposium, 2023
ARMore: Pushing Love Back Into Binaries
Luca Di Bartolomeo, Hossein Moghaddas, and Mathias Payer.
In SEC'23: Usenix Security Symposium, 2023 (source)
2023
GLeeFuzz: Fuzzing WebGL Through Error-Message-Guided Mutation
Hui Peng, Zhihao Yao, Ardalan Amiri Sani, Dave (Jing) Tian, and Mathias Payer.
In SEC'23: Usenix Security Symposium, 2023 (source)
WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches
Jianhao Xu, Luca Di Bartolomeo, Flavio Toffalini, Bing Mao, and Mathias Payer.
In Oakland'23: IEEE International Symposium on Security and Privacy, 2023 (presentation, source, DOI)
ViDeZZo: Dependency-aware Virtual Device Fuzzing
Qiang Liu, Flavio Toffalini, Yajin Zhou, and Mathias Payer.
In Oakland'23: IEEE International Symposium on Security and Privacy, 2023 (source, DOI)
TEEzz: Fuzzing Trusted Applications on COTS Android Devices
Marcel Busch, Mathias Payer, Aravind Machiry, Christopher Kruegel, Giovanni Vigna, and Chad Spensky.
In Oakland'23: IEEE International Symposium on Security and Privacy, 2023
2022
Evocatio: Conjuring Bug Capabilities from a Single PoC
Zhiyuan Jiang, Shuitao Gan, Adrian Herrera, Flavio Toffalini, Lucio Romerio, Chaojing Tang, Manuel Egele, Chao Zhang, and Mathias Payer.
In CCS'22: ACM Conference on Computer and Communication Security, 2022 (source, DOI)
PACMem: Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication
Yuan Li, Wende Tan, Zhizheng Lv, Songtao Yang, Mathias Payer, Ying Liu, and Chao Zhang.
In CCS'22: ACM Conference on Computer and Communication Security, 2022 (DOI)
Minerva: Browser API Fuzzing with Dynamic Mod-Ref Analysis
Chijin Zhou, Quan Zhang, Mingzhe Wang, Lihua Guo, Jie Liang, Zhe Liu, Mathias Payer, and Yu Jiang.
In FSE'22: ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2022
BreakMi: Reversing, Exploiting and Fixing Xiaomi Fitness Tracking Ecosystem
Marco Casagrande, Eleonora Losiouk, Mauro Conti, Mathias Payer, and Daniele Antonioli.
In CHES'22: IACR Conference on Cryptographic Hardware and Embedded Systems, 2022 (source)
On the Insecurity of Vehicles Against Protocol-Level Bluetooth Threats
Daniele Antonioli and Mathias Payer.
In WOOT'22: Usenix Workshop on Offensive Technologies, 2022
Midas: Systematic Kernel TOCTTOU Protection
Atri Bhattacharyya, Uros Tesic, and Mathias Payer.
In SEC'22: Usenix Security Symposium, 2022 (source)
ProFactory: Improving IoT Security via Formalized Protocol Customization
Fei Wang, Jianliang Wu, Yuhong Nan, Yousra Aafer, Xiangyu Zhang, Dongyan Xu, and Mathias Payer.
In SEC'22: Usenix Security Symposium, 2022 (source)
The Taming of the Stack: Isolating Stack Data from Memory Errors
Kaiming Huang, Yongzhe Huang, Mathias Payer, Zhiyun Qian, Jack Sampson, Gang Tan, and Trent Jaeger.
In NDSS'22: Network and Distributed System Security Symposium, 2022 (DOI)
Preventing Kernel Hacks with HAKCs
Derrick McKee, Yianni Giannaris, Carolina Ortega Perez, Howard Shrobe, Mathias Payer, Hamed Okhravi, and Nathan Burow.
In NDSS'22: Network and Distributed System Security Symposium, 2022 (presentation, distinguished paper award, source, DOI)
BLURtooth: Exploiting Cross-Transport Key Derivation in Bluetooth Classic and Bluetooth Low Energy
Daniele Antonioli, Nils Tippenhauer, Kasper Rasmussen, and Mathias Payer.
In AsiaCCS'22: ACM Symp. on InformAtion, Computer and Communications Security, 2022 (project, video, DOI)
2021
Igor: Crash Deduplication Through Root-Cause Clustering
Zhiyuan Jiang, Xiyue Jiang, Ahmad Hazimeh, Chaojing Tang, Chao Zhang, and Mathias Payer.
In CCS'21: ACM Conference on Computer and Communication Security, 2021 (source, DOI)
Principal Kernel Analysis: A Tractable Methodology to Simulate Scaled GPU Workloads
Cesar Avalos Baddouh, Mahmoud Khairy, Roland N. Green, Mathias Payer, and Timothy G. Rogers.
In MICRO'21: International Symposium on Microarchitecture, 2021
Code Specialization through Dynamic Feature Observation
Priyam Biswas, Nathan Burow, and Mathias Payer.
In CODASPY'21: ACM Conference on Data and Application Security and Privacy, 2021 (source, DOI)
LIGHTBLUE: Automatic Profile-Aware Debloating of Bluetooth
Jianliang Wu, Ruoyu Wu, Daniele Antonioli, Mathias Payer, Nils Ole Tippenhauer, Dongyan Xu, Dave (Jing) Tian, and Antonio Bianchi.
In SEC'21: Usenix Security Symposium, 2021 (source)
Too Quiet in the Library: An Empirical Study of Security Updates in Android Apps' Native Code
Sumaya Almanee, Arda Unal, Mathias Payer, and Joshua Garcia.
In ICSE'21: International Conference on Software Engineering, 2021 (video, source, DOI)
Seed Selection for Successful Fuzzing
Adrian Herrera, Hendra Gunadi, Shane Magrath, Michael Norrish, Mathias Payer, and Tony Hosking.
In ISSTA'21: ACM SIGSOFT International Symposium on Software Testing and Analysis, 2021 (DOI)
Gramatron: Effective Grammar-aware Fuzzing
Prashast Srivastava and Mathias Payer.
In ISSTA'21: ACM SIGSOFT International Symposium on Software Testing and Analysis, 2021 (source, DOI)
MAGMA: A Ground-Truth Fuzzing Benchmark
Ahmad Hazimeh, Adrian Herrera, and Mathias Payer.
In SIGMETRICS'21: ACM SIGMETRICS, 2021 (source, DOI)
2020
FuZZan: Efficient Sanitizer Metadata Design for Fuzzing
Yuseok Jeon, WookHyun Han, Nathan Burow, and Mathias Payer.
In ATC'20: Usenix Annual Technical Conference, 2020 (source)
USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation
Hui Peng and Mathias Payer.
In SEC'20: Usenix Security Symposium, 2020 (source)
HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
Abraham A. Clements, Eric Gustafson, Tobias Scharnowski, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, and Mathias Payer.
In SEC'20: Usenix Security Symposium, 2020 (HALucinator source, HALfuzz source)