The Applied Programming Languages, Software Engineering, and Education (APPLeSEEd) Lab tackles problems in software, security, and systems and cultivates computational thinking.

Cyber Security and Privacy Research Cluster

The Cyber Security and Privacy (CyberSP) Cluster is a university-wide research cluster formed as part of the Faculty Cluster Initiative that focuses on security and privacy in cyberspace.

Current Research Projects

Corporate Entity Tracking Automation

This project will develop statistical inference and automated reasoning techniques that provide the foundations for automatically analyzing large sets of corporate and individual entity metadata on a large scale. Using real-world datasets drawn from public and proprietary data, we will evaluate our techniques for several applications, e.g., investigating foreign ownership in US industries via shell corporations, and tracking government subcontractor relationships for foreign influence.

This work is supported by a DARPA Young Faculty Award.

Inferring and Securing Software Configurations

Highly-configurable software forms the basis of much modern computing infrastructure, because configurability enables extensive reuse. However, software configurability opens the door to misconfiguration vulnerabilities, which are invalid settings that expose software weaknesses. Misconfiguration is one of the most critical and common security risks. Real-world software, however, can have an enormous number of possible configurations and often lacks explicit information about what configurations are secure, leaving users to find and validate configuration settings manually. Compounding the problem, a complete computing system may combine hundreds or thousands of software packages whose configuration settings interact unexpectedly. The goal of this project is to automate the creation of valid configurations that are reliable and secure. As the world increasingly depends on smart infrastructure and Internet-of-Things devices to enhance lives, this research will benefit society by improving the reliability and security of the configurable software used in these computing devices.

This work is supported by an NSF CAREER Award.

Analysis of Configurable Software

Highly-configurable software, e.g., the Linux kernel, form our most critical infrastructure, underpinning everything from high-performance computing clusters to Internet-of-things devices. Keeping these systems secure and reliable with automated tools is essential. However, their high degree of configurability leaves most critical software without comprehensive tool support. The problem is that most software tools do not scale to the colossal number of configurations of large systems. With millions of configurations in complex systems like Linux, there are simply too many to analyze individually. Instead, my goal is to make tools that work on all configurations simultaneously.

Research results include

  • [PLDI 2012] (SuperC) parsing both C proper and the C preprocessor together
  • [ESEC/FSE 2017] (kmax) analyzing all configurations of the Kbuild build system
  • [ICSE-NIER 2019] investigating new programming language constructs to replace the preprocessor
  • [ESEC/FSE 2019] simulating variability-aware analysis using configuration sampling tools developed with collaborators [TR 2018, TR 2019]
  • [ESEC/FSE 2021] (kclause) extracting build configuration constraints from the Kconfig specification and
  • [JASE 2022] variability-aware static analysis
  • [ICSE 2022] (SugarC) automatically transforming unpreprocessed C to pure C
  • [ICSE 2024] (Maki) addressing the portability of macro functions

This work has been supported in part by an NSF grant. (This is part of a multi-institution grant with UT Dallas.)

Dormant Research Projects

Side-Channel Attack Detection and Mitigation

A side channel is an observable aspect of a program’s execution, distinct from its input or output. Running time, memory usage, power consumption, network packet count, and more can all be side channels. If one of these happens to be correlated with secret information processed by the program, an attacker can exploit this to discover the secret, e.g., an encryption key or a password. Such side-channel attacks are particularly insidious. Even when a program is functionally correct, the performance characteristics of its algorithm may be a security vulnerability. Previous work includes the use of program analysis techniques to identify timing channel vulnerabilities [PLDI 2017] (Blazer). Continuing work includes using compiler- and architecture-based mitigation [DAC 2021].

Blockchain Smart Contracts

Smart contracts automate the execution or negotiation of a contract and have become a popular addition to blockchains. A smart contract can be seen as a concurrent shared object stored indefinitely on a blockchain. But in the most popular smart contract platform, Ethereum, no concurrency control is built into the language. To make consensus easy, all operations are performed sequentially , a disaster for throughput. Previous work includes adding concurrency to smart contract execution using speculative concurrency [PODC17a, PODC17b] and proof-carrying smart contracts [WTSC18].