Meet Our Mayhem Hero: Jacob Clemente
As part of the Mayhem Heroes program, ForAllSecure visited various university campuses in the Spring of 2022. At the end of April, ForAllSecure hosted a day-long hackathon at Arizona State University, where 181 students participated in the in-person training program, followed by an online training held soon after. Over the next several weeks, the combined groups of ASU students contributed over 300 GitHub Open Source Software integrations for our Mayhem Heroes program.
Open source software is mission critical, but its security is severely under-tested. As part of Phase 1, ForAllSecure is offering up to $2 million to meet these needs with its Mayhem Heroes program. Anyone who agreed to our terms and conditions and then successfully integrated Mayhem into a qualified OSS GitHub project received $1,000. Jacob is one of those heroes.
"My experience with software development was predated by my introduction to programming. In the sixth grade, I was an avid fan of Minecraft. Having played the game for four years, I built up enough motivation to create something of my own. What started off as building basic modifications for the game led to my interest in the field of computer science. From there, it was a matter of time until I began writing software to solve niche problems I and many others faced."
How did you learn about ForAllSecure & the Heroes program?
I learned about ForAllSecure and Mayhem Heroes through a bit of chance. During a lecture from a cybersecurity course I was taking in my sophomore year, my professor had a slide providing an opportunity to get $100. It said that anyone who attended was eligible to receive $100, with an additional $1,000 for those who could successfully integrate Mayhem into a GitHub repository. I was unfamiliar with the term "fuzzing", but I figured that I should be able to learn the ropes if I put my mind to it.
What brought you to the Heroes program?
My interest was piqued with the prospect of earning $1,000 for completing an integration bounty. Even if I was unable to successfully integrate a repository, I would still get $100 for attending the hackathon. What sealed the deal for me was the fact that you could submit multiple bounties. To earn a reward directly proportional to the effort you put in was something that I found irresistible.
What is your biggest success with the Heroes program?
The biggest success I had with the Mayhem Heroes program was the gradual learning and understanding of various open-source paradigms. The way projects are written, built, interacted with, and how they perform is incredibly variable. However, you can come to understand some common vectors for attack and potential vulnerabilities with enough studying. With a solid grasp on how programs might be potentially exploited, it becomes much easier to find a way to fuzz them.
What is the biggest software bug that you’ve identified using Mayhem?
Unfortunately, I cannot give a definite answer as to what the biggest software bug I identified is. However, I can say that a large portion of the repositories I fuzzed with Mayhem yielded some interesting results. Some of those produced test suites with over 800 edges explored, while others had at least 10 unique program crashes in a 90-second test. The worrisome part of these potential vulnerabilities is how unexpected it is to find them in the target program. For something as unsuspecting as reading a media file, this can be used to crash systems.
How do you stay motivated to continue learning?
Staying motivated to continue learning really comes down to connecting the material to your own life. What are your interests? What are your hobbies? How can you improve them? If the reward for learning is a quantifiable improvement in your day-to-day life, it is much easier to stick through some of the drags that accompany the learning process. I am lucky enough to have a passion in programming that overlaps with my everyday hobbies in technology. If the praxis is useful to you, the learning is all the more desirable.
What impact has the Heroes Community had on your development experience?
The Mayhem Heroes community has given me a wealth of experience in understanding the fundamentals of large-scale software development. Additionally, I have learnt just how vulnerable the software we use on our devices can be. Anytime I write code now, I think of ways it can be exploited and the risk that it poses. Mayhem Heroes has also taught me how valuable of a resource fuzzing is to testing the security of production code.
What advice do you have for the new class of Heroes?
My advice to the new Mayhem Heroes is to really dig into the repositories you come across. What at first glance might seem to be a trivial program with no potential for exploitation may in fact prove to be a security disaster waiting to happen. The good news for fuzzing binaries is that Mayhem does most of the work for you. Your task is to point it in the right direction; find an entry point that has the strongest potential for numerous edge cases.