ACES Sophomore Wins NSA Paper Competition

George Klees (‘22) was recognized by the NSA as a leading researcher on the winning paper in the 7th Annual Best Scientific Cybersecurity Paper Competition.

The National Security Agency (NSA) established the Annual Best Scientific Cybersecurity Paper Competition to encourage the development of scientific foundations of cybersecurity. Each year, NSA invites nominations of papers that demonstrate outstanding contribution to the field; Distinguished Experts then review these nominations and determine which paper best embodies the criteria of the competition: rigorous research, generalizable results, and clarity of presentation.

Awardees are then invited to the NSA heaadquarters to receive the award and present their findings to experts in cybersecurity.

Klees worked under the supervision of Michael Hicks, professor in the Department of Computer Science, alongside Shiyi Wei, Andrew Ruef, and Benji Cooper. The team previously presented their research at the ACM SIGSACConference on Computer and Communications Security (CCS ‘18) in Toronto last year.

Their paper, “Evaluating Fuzz Testing,” investigates the evaluation process of fuzz testing tools. “Fuzzing” is an automated process for finding vulnerabilities in computer programs by investigating how software code holds up while reading large amounts of random data. As a result, this skill is vital for cybersecurity professionals, as it is successful in uncovering security flaws in real-world programs.

Klees and his fellow researchers evaluated 32 fuzz testing papers, recognizing problems within each evaluation. As a solution, the research team developed their own unique and extensive evaluation process before experimentally characterizing the configuration options. As a result, the research team demonstrated that existing ad-hoc evaluation methodologies can lead to wrong or deceiving assessments. From their data, the team then developed guidance on evaluating tools.

According to the competition’s webpage, the paper was recognized for its embodiment of the attributes of outstanding science, as well as best meeting the aforementioned criteria.

In discussing the paper’s contributions to cybersecurity research, the website states: “This paper is a step forward in bringing scientific understanding to the security community. It is grounded to current understanding by its methodological survey of evaluation practices, then advances the science through quantitative analysis and proposes conclusions that apply broadly in the fuzzing community. This paper is already having tremendous impact on fuzzing research, setting the standard for how evaluations should be done. It is bringing scientific principles, such as rigorous conclusions and reproducibility to an area in need of scientific understanding.”

Klees had a significant role in the research, and was primarily responsible for “planning and running the experiments, analyzing the data, and finding important trends.” As a result, he is listed as the paper's first author, a rare experience for undergraduate researchers.

Klees is a sophomore computer science and cybersecurity student and a member of the ACES Living-Learning Program. Outside of this research, he was a he was a software engineer for YugaByte of Sunnyvale, California this past summer. There, he helped the corporation develop their PostgreSQL-compatible distributed database software. Through a variety of experiences, Klees has developed strong skills and a depth of knowledge in software development, computer systems, reverse engineering, and cybersecurity red-teaming through his work experience and numerous personal projects.

Klees is also a captain of the ACES Competition Team, a group of ACES students that work together to apply their technical expertise, knowledge of theory and ethics to solve problems and complete objectives during cybersecurity competitions. The team was recently recognized as 8th in the nation by National Cyber League (NCL) and Cyber Skyline.

In light of receiving the award, Klees recognizes the big-picture importance of the research.

“It was a startling but very welcome surprise to find out that our paper won the NSA's competition for best cybersecurity paper. Since its publication last year, the paper has been getting a fair amount of recognition in the security community, which is something I'm glad about,” said Klees. “We've made what I think is a substantial contribution to the rigor of fuzzing research, ensuring that future work in the field obtains results in a genuine way that assures their legitimacy. Basic standards like multiple trials, statistical tests, and mindfulness of the specific complications that arise in this type of research go a long way towards establishing confidence in future software fuzzing research.

Read more about the competition and runner-up papers at https://cps-vo.org/group/sos/papercompetition.

Published October 15, 2019