Table of Content
- 1. Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques - IEEE S&P’22
- 2. Systematic Mutation-based Evaluation of the Soundness of Security-focused Android Static Analysis Techniques - ACM TOPS’2021
- 3. Mobile Application Testing Lab / ICT Innovation Fund 2015 / ICSE’18 Tool Demonstrations
- 4. ICT Fellowship 2013 - Providing Rationale of Method Change for Object Oriented Programming
- Academia/Industry Projects
- Pet Projects
1. Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques - IEEE S&P’22
The correct use of security techniques, in particular,
cryptography, is central to ensuring data security in modern software systems, whereas the incorrect use results in compromising security.
Several academic and commercial security analysis tools exist that help identify the incorrect use of
cryptography related techniques.
Stakeholders, such as researchers, code-hosting services, app markets and developers rely on these security analysis tools to avoid introducing vulnerabilities through improper use of those techniques.
However, we know very little regarding their actual effectiveness at finding cryptography-specific techniques, and whether these techniques contain flaw(s). Unfortunately, beyond manually created benchmarks, there is no approach for systematically evaluating crypto-detectors. Instead, what we need is a systematic, data-driven, evolving approach that can be used reliably to evaluate the security techniques. Furthermore, we need to understand why flaws in cryptography-specific security techniques occur.
2. Systematic Mutation-based Evaluation of the Soundness of Security-focused Android Static Analysis Techniques - ACM TOPS’2021
Mobile application security has been a major area of focus for security research over the course of the last decade. Numerous application analysis tools have been proposed in response to malicious, curious, or vulnerable apps. However, existing tools, and specifically, static analysis tools, trade soundness of the analysis for precision and performance and are hence soundy. Unfortunately, the specific unsound choices or flaws in the design of these tools is often not known or well documented, leading to misplaced confidence among researchers, developers, and users. This article describes the Mutation-Based Soundness Evaluation (μSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix flaws, by leveraging the well-founded practice of mutation analysis. We implemented μSE and applied it to a set of prominent Android static analysis tools that detect private data leaks in apps. In a study conducted previously, we used μSE to discover 13 previously undocumented flaws in FlowDroid, one of the most prominent data leak detectors for Android apps. Moreover, we discovered that flaws also propagated to other tools that build upon the design or implementation of FlowDroid or its components. This article substantially extends our μSE framework and offers a new in-depth analysis of two more major tools in our 2020 study; we find 12 new, undocumented flaws and demonstrate that all 25 flaws are found in more than one tool, regardless of any inheritance-relation among the tools. Our results motivate the need for systematic discovery and documentation of unsound choices in soundy tools and demonstrate the opportunities in leveraging mutation testing in achieving this goal.
3. Mobile Application Testing Lab / ICT Innovation Fund 2015 / ICSE’18 Tool Demonstrations
The team members of this innovation fund project are Dr. Kazi Sakib, Md. Rayhanur Rahman and me, Amit Seal Ami. The target was to help make mobile application testing easier for both beginner and expert level mobile app developers. We targeted primarily Android app developers and created MobiCoMonkey, previously known as MobileMonkey. The project concluded satisfactorily in 2017, with a publication at the ICSE’18 Demonstrations Track Paper.
4. ICT Fellowship 2013 - Providing Rationale of Method Change for Object Oriented Programming
During M.Sc. degree in Software Engineering, I received fellowship from the ICT Division, Bangladesh for my work supervised by Dr. Md. Shariful Islam. We focused on providing rationale of method change for object oriented programming to developer for codes stored in distributed version control system. This was successfully finished in 2014.
Sub Project Manager Team Member - E-Presence/DU
It is a World Bank Funded sub project of University of Dhaka, under the Higher Education Quality Enhancement Project of University Grants Commission. Designing and implementing the campus security is the aim of this sub project. The other members are Dr. Kazi Muheymin-Us-Sakib, Dr. Md. Shariful Islam, Rayhanur Rahman and Asif Imran.
Projects I started working on during my student years.
1. Brightness Controller - 2013
Brightness Controller allows you to control Brightness of your Primary, Secondary and more Displays in Linux. It is a software based dimmer. Due to its lightweight nature and usefulness, it has been featured in OMG! Ubuntu! and many other linux related websites.
2. Internet Information Services Express server Manager (IISEM) - 2012
IIS Express Manager is a project which’s primary goal is to provide a front-end to the existing functionality of IIS Express server. It has been covered by Microsoft MVP, disussed in Microsoft Community Blogs and referenced at various other websites.