I am a member of the Technical Staff at MIT Lincoln Laboratory in the Cyber System Assessments Group while also finshing my Computer Science PhD at Northeastern University. My research interests focus on the intersection of dynamic program analysis, firmware security, and vulnerability discovery. In particular, I am interested in rehosting firmware into virtual environments where it will run correctly while also being closely analyzed and monitored. Towards this end, I have contributed to the development of a number of open source tools, most notably PANDA-re, a whole-system dynamic analysis platform that can be used for dynamic analysis of both traditional software systems and firmware. I’ve also developed courses focused on dynamic program analysis, whole system dynamic analysis, and firmware security which I’ve taught at various universities and companies both in the US and abroad.

All my publications are available as open access, at . Training materials can be shared upon request, and I am always happy to discuss my research and teaching.

🔥 News

• 2022.11: Ran my first international training course in Munich, Germany!
• 2022.01: Created and taught CS 4910 "Dynamic Program Analysis for System Security " at Northeastern University
• 2021.06: Presented our paper PyPANDA: taming the PANDAmonium of whole system dynamic analysis at NDSS BAR 2021
• 2021.05: Presented our SoK paper Enabling security analyses of embedded systems via rehosting at AsiaCCS 2021
• 2020.03: Completed graduate coursework and achieved PhD candidacy!
• 2018.09: Began PhD program at Northeastern University and joined the Khoury College of Computer Sciences
• 2017.07: Led the Lab RATs to a 10th place finish in DEF CON CTF CTF finals. News coverage
• 2016.12: Discovered 10 CVEs in a McAfee product. Technical write-up and news coverage

📝 Publications

• Homo in Machina: Improving Fuzz Testing Coverage via Compartment Analysis Josh Bundt, Andrew Fasano, Brendan Dolan-Gavitt, William Robertson, Timothy Leek. ACM AsiaCCS 2021. View pdf

• PyPANDA: Taming the PANDAmonium of Whole System Dynamic Analysis Luke Craig, Andrew Fasano, Tiemoko Ballo, Timothy Leek, Brendan Dolan-Gavitt, William Robertson. NDSS BAR 2021. View pdf

• Evaluating Synthetic bugs Josh Bundt, Andrew Fasano, Brendan Dolan-Gavitt, William Robertson, Timothy Leek. ACM AsiaCCS 2021.. View pdf

• SoK: Enabling Security Analyses of Embedded Systems via Rehosting Andrew Fasano, Tiemoko Ballo, Marius Muench, Tim Leek, Alexander Bulekov, Brendan Dolan-Gavitt, Manuel Egele, Aurelien Francillon, Long Lu, Nick Gregory, Davide Balzarotti, William Robertson. ACM AsisaCCS 2021. View pdf

• The Rode0day to Less Buggy Programs Andrew Fasano, Tim Leek, Brendan Dolan-Gavitt, Josh Bundt. IEEE Security and Privacy Magazine 2019. View pdf

🎖 Honors and Awards

• 2020.09 R&D100 Award: LAVA was awarded an R&D100 award for its impact advancing the state of the art in vulnerability discovery.
• 2019.09 MIT Lincoln Scholar Award: I was selected to receive full funding and a salary to pursue my PhD full time while maintaining employment at MIT Lincoln Laboratory.
• 2017.06 MIT Lincoln Laboratory Team Award: One of my projects was award a Team Award for outstanding technical achievement.

📖 Education

• 2018.09 - 2023.12 (anticipated), PhD in Computer Science at Northeastern University, Boston, MA, USA.
• 2015.09 - 2018.05, Part time Computer Science graduate coursework at Massachusetts Institute of Technology, Cambridge, MA, USA.
• 2010.09 - 2014.06, Bachelors in Computer Science at Rensselaer Polytechnic Institute, Troy, NY, USA.

💬 Invited Talks

• 2019.10, AvengerCon: “The LAVA has Hardened! Building a Better Bug Corpora to Evaluate Bug-Finders”
• 2019.08, USENIX WOOT “Rode0day: A Year of Bug-Finding Evaluations”
• 2018.08, USENIX WOOT “Rode0day: Searching for Truth with a Bug-Finding Competition”
• 2018.10, MIT Techsec “Intro to Web Security”