posts in cybersecurity


Testing Programs Expecting Highly Constrained Inputs

19 May 2026 – in blog and cybersecurity

Recently, I was able to present some of my research ideas as part of the doctoral symposium track at ICSE 2026 in Rio de Janeiro. They are available as a three-page extended abstract and a poster. The repository for the experiments is here.

Read more…


FTZ: A State-Inferring Fuzzer for the TCP/IP Stack of Zephyr

30 April 2025 – in blog and cybersecurity

For my master’s thesis, I wrote a state-inferring, structure-aware, coverage- and state-guided fuzzer for the TCP/IP stack of the open-source real-time operating system Zephyr, based on LibAFL.

Read more…


Three Step Plan to Security

02 October 2023 – updated on 19 January 2025 – in blog and cybersecurity

tl;dr: Properly use a password manager on an up-to-date, backed-up device.

Read more…


Differential Fuzzing on coreutils Using LibAFL

25 June 2024 – in LibAFL, blog, coreutils, cybersecurity, and fuzzing

After reading about fuzzing and testing a fuzzer, I wanted to delve deeper into the inner workings. In discussions with my advisor, we found that there is a lot of work on some parts of fuzzers, such as advanced scheduling algorithms, but the oracle of what constitutes an illegal state has received comparatively little attention.

Read more…


Running KLEE on GNU coreutils

13 February 2024 – in KLEE, blog, coreutils, cybersecurity, fuzzing, and symbex

While I read a lot about symbolic execution in fuzzing for a seminar, I wanted to actually do it. Since KLEE appeared to be one of the most influential fuzzing tools, I decided to attempt to reproduce the findings in their original paper. Additionally, I chose to compare different versions of GNU’s coreutils to investigate the quality of software over time.

Read more…


Challenges and Mitigation Strategies in Symbolic Execution Based Fuzzing Through the Lens of Survey Papers

15 December 2023 – in blog, cybersecurity, fuzzing, review, and symbex

In a security seminar at MSE, I surveyed existing review papers on symbolic execution-based fuzzing and wrote my own survey paper. I focused on fundamental challenges that symbex introduces in fuzzing and classified the approaches I found to mitigate them into several categories. The work is available here.

Read more…


Ghidrion

07 July 2023 – in Ghidra, blog, cybersecurity, rev, and symbex

For my bachelor’s thesis, Silvan Flum and I developed Ghidrion, a plugin for Ghidra that allows the use of Morion, a suite of tools to use symbolic execution.

Read more…