Hasso-Plattner-Institut25 Jahre HPI
Hasso-Plattner-Institut25 Jahre HPI

Open-Source Fuzzing (Wintersemester 2023/2024)

Dozent: Dr. Jiska Classen (Cybersecurity - Mobile & Wireless)

Allgemeine Information

  • Semesterwochenstunden: 4
  • ECTS: 6
  • Benotet: Ja
  • Einschreibefrist: 01.10.2023 - 31.10.2023
  • Lehrform: Seminar
  • Belegungsart: Wahlpflichtmodul
  • Lehrsprache: Englisch
  • Maximale Teilnehmerzahl: 6

Studiengänge, Modulgruppen & Module

IT-Systems Engineering BA
  • Softwarebasissysteme
    • HPI-SB4 Interactive Systeme
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-G Grundlagen
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-V Vertiefung
  • OSIS: Operating Systems & Information Systems Technology
    • HPI-OSIS-G Grundlagen
  • OSIS: Operating Systems & Information Systems Technology
    • HPI-OSIS-V Vertiefung


This seminar consists of two parts:

  1. An introduction to security analysis and fuzzing (approximately three classic lectures).
  2. A security research project, which will be graded.

The security research project can be done individually or in small groups (up to four students). Each group chooses a real-world target. In case vulnerabilities are found, students coordinately disclose them to the vendors, thereby improving the security of open-source software projects. Instead of fuzzing a particular target, students can also choose to improve state-of-the-art fuzzers.

Targets should be open-source. If students prefer a closed-source target, collaboration with Master students in the course Reverse Engineering for Security Analysis is possible.


A strong programming background in a low-level programming language, such as C, is required. Students must extend fuzzers and triage crashes in their targets during the projects.

Students should be proficient in the programming language of the target they choose. Ideally, these are languages with memory safety issues, such as C or C++. State-of-the-art fuzzing libraries (AFL++libafl) are written in C/Rust, with bindings for further programming languages.



Grading is based on the projects. Since there is no guarantee of finding vulnerabilities in real-world software, grading will consider the quality of the results. Grading will be based on the following deliverables:

  • Project proposal (10%)
  • Regular demonstration of the progress in the form of multiple mid-term presentations (60%)
  • The final presentation of the results (30%)

Grading the mid-term and final results includes quality of code and results, overall progress, and presentation style. PDFs of presentation slides must be handed in a day before each presentation date.

Source code created during the seminar will be open-sourced under the MIT license or a license compatible with extended projects (e.g., Apache, GPL).


Kickoff: October 19, 15:15, room HE.51/52.

The course is organized via Moodle.

Should there be more than 6 students who would like to attend this seminar, everyone can indicate their interest until October 22nd. Students will then be selected during the second lecturing week.

Details for this process will be announced in the kickoff, and only if there are more than 6 students. Please do not apply before.