A&S Graduate Studies
[PAST EVENT] Amit Seal Ami, Computer Science - Ph.D. Dissertation Proposal
Abstract:
The improvement and adoption of security-focused static analysis tools have significantly improved the detection of vulnerabilities such as crypto-API misuse and data leaks. We are becoming ever more dependent on these security analysis techniques because of their convenience, their automation, their support for continuous integration/development, and their ability to find vulnerabilities statically and efficiently.
However, there is a critical gap in the practical and effective application of these tools. Other than static benchmarks, we have yet to devise a mechanism for identifying previously unknown flaws in them. Furthermore, how industry professionals perceive these tools and their limitations is unknown. As a result, progress towards designing and developing effective, practical static analysis-based security tools is hindered.
To address these gaps, we (1) contextualize mutation testing techniques by proposing and implementing a framework called µSE. µSE systematically evaluates static analysis-based data-leak detectors, identifying previously unknown soundness flaws, and traces how the 25 flaws found may propagate, or even resurface, across the lifecycle of three data-leak detectors because of implicit dependencies, shared assumptions, or similar design principles.
Next, (2) we evaluate cryptographic API misuse detectors (crypto-detectors). To do this, we create a taxonomy of crypto-API misuse from the state-of-the-art literature and from industry documentation spanning the past 20 years. By analyzing the usage patterns of the underlying crypto-APIs, we develop mutation operators and mutation scopes for generating mutants of crypto-API misuse: variants of a known misuse that remain insecure but differ in how they are expressed, so that a mutant the detector fails to flag exposes a flaw in its analysis. An implementation of this approach, MASC, is used to systematically evaluate 14 prominent crypto-detectors from industry and academia, finding 25 previously unknown flaws. Based on our discussions with the developers of these crypto-detectors about the nature of the flaws, we identify and highlight the need to shift from a technique-centric to a security-centric approach in order to address evolving software security challenges.
Afterward, (3) we study the gap that exists between the design of static analysis-based security tools and their adoption. Through interviews with 20 real-world practitioners, we analyze their perceptions of, expectations for, and challenges with SAST tools. Applying thematic analysis, we identify critical insights into developer needs and discuss areas for improvement in SAST design and development.
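The mutation-based evaluation described in (2) is easiest to see with a small, self-contained illustration. The following Python is an added example written for this page; it is not code from µSE, MASC, or the proposal, and the two toy "detectors", the four mutation operators, and the Java snippet they operate on are all constructed here for illustration. It takes a baseline misuse (instantiating the broken DES cipher through the JCA `Cipher.getInstance` API), applies mutation operators that preserve the misuse while changing how it is written, and reports which mutants the detector fails to flag. A surviving mutant is exactly the kind of soundness flaw the abstract refers to: the code is still insecure, but the detector's matching logic no longer recognizes it.

```python
"""Mutation-based evaluation of toy crypto-API misuse detectors (illustrative)."""
import re
from typing import Callable, Dict, List

# Constructed baseline misuse (illustrative Java, not taken from any real project):
# DES is a broken cipher, so every crypto-detector should flag this line.
BASE_MISUSE = 'Cipher c = Cipher.getInstance("DES");'

Detector = Callable[[str], bool]
Operator = Callable[[str], str]


def naive_detector(java_src: str) -> bool:
    """Toy detector that only recognizes a literal "DES..." string passed
    directly to Cipher.getInstance (a string-literal-matching design)."""
    return re.search(r'Cipher\.getInstance\("DES(?:/[^"]*)?"\)', java_src) is not None


def stronger_detector(java_src: str) -> bool:
    """Toy detector that also resolves a String constant used as the argument
    and compares algorithm names case-insensitively (JCA standard algorithm
    names are case-insensitive, so "des" still selects DES)."""
    consts = dict(re.findall(r'String\s+(\w+)\s*=\s*"([^"]*)"\s*;', java_src))
    for arg in re.findall(r'Cipher\.getInstance\(([^)]*)\)', java_src):
        arg = arg.strip()
        if arg.startswith('"') and arg.endswith('"'):
            value = arg[1:-1]           # plain string literal
        else:
            value = consts.get(arg)     # local String constant, if we know it
        if value is not None and value.split("/")[0].upper() == "DES":
            return True
    return False


# Mutation operators: each keeps the program insecure (it still selects DES)
# but changes the surface form the detector has to reason about.
def op_concat(src: str) -> str:
    # Split the literal so a literal-matching detector no longer sees "DES".
    return src.replace('"DES"', '"D" + "ES"')


def op_lowercase(src: str) -> str:
    # Case is irrelevant to the JCA but not to a case-sensitive pattern.
    return src.replace('"DES"', '"des"')


def op_indirection(src: str) -> str:
    # Route the literal through a local variable before the API call.
    return 'String alg = "DES";\n' + src.replace('"DES"', 'alg')


def op_mode_suffix(src: str) -> str:
    # A full transformation string is still DES and still a misuse.
    return src.replace('"DES"', '"DES/CBC/PKCS5Padding"')


OPERATORS: Dict[str, Operator] = {
    "concat": op_concat,
    "lowercase": op_lowercase,
    "indirection": op_indirection,
    "mode_suffix": op_mode_suffix,
}


def evaluate(detector: Detector, base: str = BASE_MISUSE,
             operators: Dict[str, Operator] = OPERATORS) -> Dict[str, bool]:
    """Apply every operator to the baseline misuse and record whether the
    detector still flags the resulting mutant."""
    return {name: detector(op(base)) for name, op in operators.items()}


def surviving_mutants(detector: Detector) -> List[str]:
    """Mutants the detector does NOT flag; each one points at a soundness flaw."""
    return sorted(name for name, flagged in evaluate(detector).items() if not flagged)


if __name__ == "__main__":
    for det in (naive_detector, stronger_detector):
        print(f"{det.__name__}: flags baseline={det(BASE_MISUSE)}, "
              f"surviving mutants={surviving_mutants(det)}")
```

Both detectors flag the unmodified baseline, which is all a static benchmark would show. The mutants are what separate them: the naive detector misses the concatenated, lower-cased, and variable-routed forms, while the stronger one still misses the concatenation because it never folds string expressions. Real tools are evaluated the same way at far larger scale, with operators derived from how the APIs are actually used and with mutants placed at different scopes of a program rather than on a single line.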
Finally, we propose a research plan based on these insights, in which we qualitatively analyze a statistically significant sample of existing bug reports from open-source static analysis-based security testing tools to identify the internal, implicit factors that influence whether and how reported bugs are addressed.
Bio:
Amit Seal Ami is a Ph.D. candidate in the Department of Computer Science at William & Mary, advised by Dr. Adwait Nadkarni and Dr. Denys Poshyvanyk. His work has led to the discovery of over 20 critical flaws in highly popular security tools used by thousands of developers in the industry and has had an impact on the security of most consumer software used by people, be it mobile apps on our phones, or cloud services that enable them. His research has been published at highly selective venues in security and SE, such as IEEE S&P (2022, 2024), USENIX Security (2024), FSE (2023), ACM TOPS (2021), and ICSE (2021), and has been supported by the CoVA CCI Dissertation Fellowship. His work has been recognized through the Distinguished Paper Award at the prestigious IEEE S&P 2024. He is also a COVES’22 Policy Fellow and worked with the Joint Commission on Technology and Science, Commonwealth of Virginia, to help improve existing security policies for information technology in the state. Previously, he received his Bachelor's and Master's in Software Engineering from the Institute of Information Technology, University of Dhaka, Bangladesh, where he later developed an outreach program for students to connect with the W&M CSCI faculty.
For more information: https://amitsealami.com
Sponsored by: Computer Science