Sazzadur Rahaman

Interests

No activities entered.

Courses

Scholarly Contributions

Journals/Publications

• Afrose, S., Xiao, Y., Rahaman, S., Miller, B. P., & Yao, D. (2023). Evaluation of Static Vulnerability Detection Tools With Java Cryptographic API Benchmarks. IEEE Transactions on Software Engineering, 49(Issue 2). doi:10.1109/tse.2022.3154717
  More info

  Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. To compare their accuracy and security guarantees, we develop two comprehensive benchmarks named CryptoAPI-Bench and ApacheCryptoAPI-Bench. CryptoAPI-Bench consists of 181 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false-positive rates. The ApacheCryptoAPI-Bench consists of 121 cryptographic cases from 10 Apache projects. We evaluate four tools, namely, SpotBugs, CryptoGuard, CrySL, and another tool (anonymous) using both benchmarks. We present their performance and comparative analysis. The ApacheCryptoAPI-Bench also examines the scalability of the tools. Our benchmarks are useful for advancing state-of-the-art solutions in the space of misuse detection.
• Afrose, S., Allen, N., Cifuentes, C., Frantz, M., Heymann, E., Kantarcioglu, M., Keynes, N., Meng, N., Miller, B. P., Rahaman, S., Shaon, F., Tian, K., Xiao, Y., Yao, D. D., & Zhao, Y. (2022). Being the Developers’ Friend: Our Experience Developing a High-Precision Tool for Secure Coding. IEEE Security & Privacy, 20(6), 43-52. doi:10.1109/msec.2022.3159481
  More info

  We discuss the needs and challenges of deployable security research by sharing our experience designing CryptoGuard, a high-precision tool for detecting cryptographic application programming interface misuses. Our project has produced multiple benchmarks as well as measurement results on state-of-the-art solutions.
• Rahaman, S., Cai, H., Chowdhury, O., & Yao, D. (2022). From Theory to Code: Identifying Logical Flaws in Cryptographic Implementations in C/C++. IEEE Transactions on Dependable and Secure Computing, 19(Issue 6). doi:10.1109/tdsc.2021.3108031
  More info

  Cryptographic protocols are often expected to be provably secure. However, this security guarantee often falls short in practice due to various implementation flaws. We propose a new paradigm called cryptographic program analysis (CPA) which prescribes the use of program analysis to detect these implementation flaws at compile time. The principal insight of the CPA is that many of these flaws in cryptographic implementations can be mapped to the violation of meta-level properties of implementations. A program property that is necessary to realize a cryptographic property is referred to as meta-level property. We show that violations of these meta-level properties can be identified at compile-time that can serve as sufficient evidence of the encompassing flaws. We investigated existing literature on cryptographic implementation flaws and derived 25 corresponding meta-level properties. To instantiate the abstract paradigm of CPA, we develop a specification language based on deterministic finite automaton (DFA) and show that most of the meta-level properties can be expressed in terms of our language. We then develop a tool called TaintCrypt which uses static taint analysis to identify meta-level property violations of C/C++ cryptographic implementations at compile-time. We demonstrate the efficacy of TaintCrypt by analyzing open-source C/C++ cryptographic libraries (e.g., OpenSSL) and observe that TaintCrypt could have helped to avoid several high-profile flaws. We also evaluated TaintCrypt on 5 popular applications and libraries, which generated new security insights. The experimental evaluation on large-scale projects indicates the scalability of our approach.
• Debray, S. K., Rahaman, S., & Jacobsen, B. (2021). Optimization to the Rescue: Evading Binary Code Stylometry with Adversarial Use of Code Optimizations. Proceedings of the 2021 Worksop on Research on offensive and defensive techniques in the Context of Man At The End (MATE) Attacks.
  More info

  Recent work suggests that it may be possible to determine the author of a binary program simply by analyzing stylistic features preserved within it. As this poses a threat to the privacy of programmers who wish to distribute their work anonymously, we consider steps that can be taken to mislead such analysis. We begin by exploring the effect of compiler optimizations on the features used for stylistic analysis. Building on these findings, we propose a gray-box attack on a state-of-the-art classifier using compiler optimizations. Finally, we discuss our results, as well as implications for the field of binary stylometry.

Proceedings Publications

• Kelso, E., Soneji, A., Navid, S. Z., Shoshitaishvili, Y., Rahaman, S., & Hasan, R. (2025). Investigating the Security & Privacy Risks from Unsanctioned Technology Use by Educators. In 2025 CHI Conference on Human Factors in Computing Systems, CHI EA 2025.
  More info

  With the increasing digitization of teaching and learning activities, technology-generated data has become the target of attacks from external adversaries and abuse by technology providers. Researchers have investigated stakeholders’ perceptions of security and privacy risks from technologies and how those risks are affecting institutional policies for acquiring new technologies. However, outside of institutional vetting and approval, there is a pervasive practice of using applications and devices acquired personally. It is unclear how these applications and devices affect the dynamics of the overall institutional ecosystem. We address this gap through an online survey-based study targeting educators and administrators from K-12 and higher education institutions in the United States. Our study identified 494 unique applications used by educators, and examined the perceived and subsequent risks associated with integrating these technologies into an institution’s ecosystem. The findings highlight a significant lack of privacy and security awareness among educators when selecting new tools, as well as widespread uncertainty regarding regulatory compliance. Additionally, institutional warnings and policies on unsanctioned app use appear to have limited effectiveness in changing educators’ behaviors. To mitigate these challenges, we identified the need for institutions to provide clear guidelines, data privacy and security training, and vetted alternatives that meet the needs of educators while ensuring compliance. A collaborative approach between educators and administrators will be key to balancing automation and data privacy.
• Ali, M., Muzammil, M., Karim, F., Naeem, A., Haroon, R., Haris, M., Nadeem, H., Sabir, W., Shaon, F., Zaffar, F., Yegneswaran, V., Gehani, A., & Rahaman, S. (2024). SoK: A Tale of Reduction, Security, and Correctness - Evaluating Program Debloating Paradigms and Their Compositions. In 28th European Symposium on Research in Computer Security (ESORICS).
  More info

  Automated software debloating of program source or binary code has tremendous potential to improve both application performance and security. Unfortunately, measuring and comparing the effectiveness of various debloating methods is challenging due to the absence of a universal benchmarking platform that can accommodate diverse approaches. In this paper, we first present DEBLOATBENCHA (Debloating benchmark for applications), an extensible and sustainable benchmarking platform that enables comparison of different research techniques. Then, we perform a holistic comparison of the techniques to assess the current progress. In the current version, we integrated four software debloating research tools: Chisel, Occam, Razor, and Piece-wise. Each tool is representative of a different class of debloaters: program source, compiler intermediate representation, executable binary, and external library. Our evaluation revealed interesting insights (i.e., hidden and explicit tradeoffs) about existing techniques, which might inspire future research. For example, all the binaries produced by Occam and Piece-Wise were correct, while Chisel significantly outperformed others in binary size and Gadget class reductions. In a first-of-its-kind composition, we also combined multiple debloaters to debloat a single binary. Our performance evaluation showed that, in both ASLR-proof and Turing-complete gadget expressively cases, several compositions (e.g., Chisel-Occam, Chisel-Occam-Razor) significantly outperformed the best-performing single tool (i.e., Chisel).
• Kelso, E., Soneji, A., Rahaman, S., Shoshitaishvili, Y., & Hasan, R. (2024). Trust, Because You Can’t Verify: Privacy and Security Hurdles in Education Technology Acquisition Practices. In 31st ACM SIGSAC Conference on Computer and Communications Security, CCS 2024.
  More info

  The education technology (EdTech) landscape is expanding rapidly in higher education institutes (HEIs). This growth brings enormous complexity. Protecting the extensive data collected by these tools is crucial for HEIs as data breaches and misuses can have dire security and privacy consequences for the data subjects, particularly students, who are often compelled to use these tools. This urges an in-depth understanding of HEI and EdTech vendor dynamics, which is largely understudied. To address this gap, we conducted a semi-structured interview study with 13 participants who are in EdTech leadership roles at seven HEIs. Our study uncovers the EdTech acquisition process in the HEI context, the consideration of security and privacy issues throughout that process, the pain points of HEI personnel in establishing adequate protection mechanisms in service contracts, and their struggle in holding vendors accountable due to a lack of visibility into their system and power-asymmetry, among other reasons. We discuss certain observations about the status quo and conclude with recommendations for HEIs, researchers, and regulatory bodies to improve the situation.
• Salim, S. I., Yang, R. Y., Cooper, A., Ray, S., Debray, S., & Rahaman, S. (2024). Impeding LLM-assisted Cheating in Introductory Programming Assignments via Adversarial Perturbation. In 2024 Conference on Empirical Methods in Natural Language Processing, EMNLP 2024.
  More info

  While Large language model (LLM)-based programming assistants such as CoPilot and ChatGPT can help improve the productivity of professional software developers, they can also facilitate cheating in introductory computer programming courses. Assuming instructors have limited control over the industrial-strength models, this paper investigates the baseline performance of 5 widely used LLMs on a collection of introductory programming problems, examines adversarial perturbations to degrade their performance, and describes the results of a user study aimed at understanding the efficacy of such perturbations in hindering actual code generation for introductory programming assignments. The user study suggests that i) perturbations combinedly reduced the average correctness score by 77%, ii) the drop in correctness caused by these perturbations was affected based on their detectability.
• Ali, M., Habib, R., Gehani, A., Rahaman, S., & Uzmi, Z. (2023). BLADE: Towards Scalable Source Code Debloating. In 2023 IEEE Secure Development Conference, SecDev 2023.
  More info

  Existing source code debloaters fall short due to low scalability and high runtime overhead when applied in dynamic cloud settings, where instances are spun up on the fly. To address this challenge, we propose BLADE that leverages the common coding idioms and language restrictions to build simple yet effective heuristics for faster source-code debloating. For example, usually, coding constructs are defined before used. Thus, the probability of breaking code after the removal of a node reduces with the depth of its position in the syntax tree. Also, while debloating certain functionalities, statements from a basic block have a higher possibility of getting removed together. To utilize these insights, BLADE employs a hierarchical source code reduction, where reduction candidates are chosen with reverse pre-order traversal, so that it removes uses before the definitions. Low runtime overhead makes BLADE practical to apply code debloating to large workloads. Our evaluation shows that BLADE runs faster than existing source code debloating tools. Compared to Chisel, BLADE is, on average, 2.3 faster and provides comparable reductions in the code size and attack surfaces. In comparison to Debop, another source code debloater, BLADE, on average, is 2.75 faster.
• Hassan, M., Tahir, T., Farrukh, M., Naveed, A., Naeem, A., Zaffar, F., Shaon, F., Gehani, A., & Rahaman, S. (2023). Evaluating Container Debloaters. In 2023 IEEE Secure Development Conference, SecDev 2023.
  More info

  DOCKER containers have been widely used by organizations because they are lightweight and single hardware can run multiple instances of a container. However, this ease of virtualization comes with weaker isolation as compared to virtual machines. A compromised container can allow the attacker to escape to the host and gain privileged access. Several approaches have been developed to reduce the attack surface of containers either through the reduction of system calls or through slimming container images. Unfortunately, measuring the performance of container debloaters is challenging as there exists no platform for this purpose. This paper aims to address this gap, by building a unified platform to benchmark them.Currently, our benchmark includes 7 workload applications, and 3 container debloaters, i.e., SPEAKER, CONFINE (syscalls reduction tools), and SLIMTOOLKIT (image size reduction tool). We added several evaluation metrics in the framework, which include category-based system call reduction, CVEs mitigated, size reduction, and execution correctness.Our evaluation revealed interesting insights into the existing techniques. Both the system call reduction tools were able to produce correct debloated containers as compared to SLIMTOOLKIT (tool to reduce image size) which worked well too by reducing almost 79 percent of the size of the image but it failed to produce correct results on 2 out of 7 applications.
• Rahaman, S., Frantz, M., Miller, B., & Yao, D. (. (2023). SpanL: Creating Algorithms for Automatic API Misuse Detection with Program Analysis Compositions. In Secure Cryptographic Implementation Workshop collocated with 21st International Conference on Applied Cryptography and Network Security (ACNS).
  More info

  High-level language platforms provide APIs to aid developers in easily integrating security-relevant features in their code. Prior research shows that improper use of these APIs is a major source of insecurity in various application domains. Automatic code screening holds lots of potential to enable secure coding. However, building domain-specific security analysis tools requires both application domain and program analysis expertise. Interestingly, most of the prior works in developing domain-specific security analysis tools leverage some form of data flow analysis in the core. We leverage this insight to build a specification language named SpanL1 for domain-specific security screening. The expressiveness analysis shows that a rule requiring any composition of dataflow analysis can be modeled in our language. Our evaluation on four cryptographic API misuse problems shows that our prototype implementation of SpanL does not introduce any imprecision due to the expressiveness of the language(1 SpanL stands for Security sPecificAtioN Language.).
• Shaon, F., Rahaman, S., & Kantarcioglu, M. (2023). The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms. In 39th Annual Computer Security Applications Conference, ACSAC 2023.
  More info

  Distributed data analytics platforms (i.e., Apache Spark, Hadoop) provide high-level APIs to programmatically write analytics tasks that are run distributedly in multiple computing nodes. The design of these frameworks was primarily motivated by performance and usability. Thus, the security takes a back seat. Consequently, they do not inherently support fine-grained access control or offer any plugin mechanism to enable it, making them risky to be used in multi-tier organizational settings. There have been attempts to build "add-on"solutions to enable fine-grained access control for distributed data analytics platforms. In this paper, first, we show that straightforward enforcement of "add-on"access control is insecure under adversarial code execution. Specifically, we show that an attacker can abuse platform-provided APIs to evade access controls without leaving any traces. Second, we designed a two-layered (i.e., proactive and reactive) defense system to protect against API abuses. On submission of a user code, our proactive security layer statically screens it to find potential attack signatures prior to its execution. The reactive security layer employs code instrumentation-based runtime checks and sandboxed execution to throttle any exploits at runtime. Next, we propose a new fine-grained access control framework with an enhanced policy language that supports map and filter primitives. Finally, we build a system named SecureDL with our new access control framework and defense system on top of Apache Spark, which ensures secure access control policy enforcement under adversaries capable of executing code. To the best of our knowledge, this is the first fine-grained attribute-based access control framework for distributed data analytics platforms that is secure against platform API abuse attacks. Performance evaluation showed that the overhead due to added security is low.
• Staicu, C. A., Rahaman, S., Kiss, Á., & Backes, M. (2023). Bilingual Problems: Studying the Security Risks Incurred by Native Extensions in Scripting Languages. In 32nd USENIX Security Symposium, USENIX Security 2023, 9.
  More info

  Scripting languages are continuously gaining popularity due to their ease of use and the flourishing software ecosystems surrounding them. These languages offer crash and memory safety by design. Thus, developers do not need to understand and prevent low-level security issues like the ones plaguing the C code. However, scripting languages often allow native extensions, a way for custom C/C++ code to be invoked directly from the high-level language. While this feature promises several benefits, such as increased performance or the reuse of legacy code, it can also break the language's guarantees, e.g., crash safety. In this work, we first provide a comparative analysis of the security risks of native extension APIs in three popular scripting languages. Additionally, we discuss a novel methodology for studying the misuse of the native extension API. We then perform an in-depth study of npm, an ecosystem that is most exposed to threats introduced by native extensions. We show that vulnerabilities in extensions can be exploited in their embedding library by producing reads of uninitialized memory, hard crashes, or memory leaks in 33 npm packages simply by invoking their API with well-crafted inputs. Moreover, we identify six open-source web applications in which a weak adversary can deploy such exploits remotely. Finally, we were assigned seven security advisories for the work presented in this paper, most labeled as high severity.
• Anandayuvaraj, D., Bland, F. L., Davis, J. C., Detti, A., Gopalakrishna, N. K., & Rahaman, S. (2022). "If security is required": engineering and security practices for machine learning-based IoT devices. In 4th International Workshop on Software Engineering Research and Practice for the IoT, SERP4IoT 2022 : As per pdf title page ACM/IEEE not mentioned in Title page though it is mentioned as SERP4IoT 2022, the fourth edition of the International Workshop on Software Engineering Research & Practices for the Internet of Things, It was held in conjunction with the 44th ACM/IEEE International Conference on Software Engineering (ICSE 2022) in Foreword.
  More info

  The latest generation of IoT systems incorporate machine learning (ML) technologies on edge devices. This introduces new engineering challenges to bring ML onto resource-constrained hardware, and complications for ensuring system security and privacy. Existing research prescribes iterative processes for machine learning enabled IoT products to ease development and increase product success. However, these processes mostly focus on existing practices used in other generic software development areas and are not specialized for the purpose of machine learning or IoT devices.
• Afrose, S., Rahaman, S., & Yao, D. D. (2020). A Comprehensive Benchmark on Java Cryptographic API Misuses. In Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, 177-178.
  More info

  Misuses of cryptographic APIs are prevalent in existing real-world Java code. Some open-sourced and commercial cryptographic vulnerability detection tools exist that capture misuses in Java program. To analyze their efficiency and coverage, we build a comprehensive benchmark named CryptoAPI-Bench that consists of 171 unit test cases. The test cases include basic cases and complex cases. We assess four tools i.e., SpotBugs, CryptoGuard, CrySL, and Coverity using CryptoAPI-Bench and show their relative performance.
• Hassanshahi, B., Islam, M., Krishnan, P., Meng, N., Rahaman, S., & Yao, D. D. (2020). Coding Practices and Recommendations of Spring Security for Enterprise Applications. In 2020 IEEE Secure Development (SecDev), 49-57.
  More info

  Spring security is tremendously popular among practitioners for its ease of use to secure enterprise applications. In this paper, we study the application framework misconfiguration vulnerabilities in the light of Spring security, which is relatively understudied in the existing literature. Towards that goal, we identify 6 types of security anti-patterns and 4 insecure vulnerable defaults by conducting a measurement-based approach on 28 Spring applications. Our analysis shows that security risks associated with the identified security anti-patterns and insecure defaults can leave the enterprise application vulnerable to a wide range of high-risk attacks. To prevent these high-risk attacks, we also provide recommendations for practitioners. Consequently, our study has contributed one update to the official Spring security documentation while other security issues identified in this study are being considered for future major releases by Spring security community.
• Rahaman, S., Xiao, Y., Afrose, S., Tian, K., Frantz, M., Meng, N., Miller, B. P., Shaon, F., Kantarcioglu, M., & Yao, D. D. (2020). Deployment-quality and Accessible Solutions for Cryptography Code Development. In Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, 174-176.
  More info

  Cryptographic API misuses seriously threatens software security. Automatic screening of cryptographic misuse vulnerabilities has been a popular and important line of research over the years. However, the vision of producing a scalable detection tool that developers can routinely use to screen millions of line of code has not been achieved yet. Our main technical goal is to attain a high precision and high throughput approach based on specialized program analysis. Specifically, we design inter-procedural program slicing on top of a new on-demand flow-, context- and field- sensitive data flow analysis. Our current prototype named CryptoGuard can detect a wide range of Java cryptographic API misuses with a precision of 98.61%, when evaluated on 46 complex Apache Software Foundation projects (including, Spark, Ranger, and Ofbiz). Our evaluation on 6,181 Android apps also generated many security insights. We created a comprehensive benchmark named CryptoApi-Bench with 40-unit basic cases and 131-unit advanced cases for in-depth comparison with leading solutions (e.g., SpotBugs, CrySL, Coverity). To make CryptoGuard widely accessible, we are in the process of integrating CryptoGuard with the Software Assurance Marketplace (SWAMP). SWAMP is a popular no-cost service for continuous software assurance and static code analysis.
• Afrose, S., Rahaman, S., & Yao, D. (2019). CryptoAPI-Bench: A Comprehensive Benchmark on Java Cryptographic API Misuses. In 2019 IEEE Cybersecurity Development (SecDev), 49-61.
  More info

  Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. In order to compare their accuracy and security guarantees, we develop a comprehensive benchmark named CryptoAPI-Bench. CryptoAPI-Bench consists of 171 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false positive rates. We evaluate CryptoAPI-Bench on four tools, namely, SpotBugs, CryptoGuard, CrySL, and Coverity and present their performance and comparative analysis. Our benchmark is useful for advancing state-of-the-art solutions in the space of misuse detection.
• Rahaman, S., Wang, G., & Yao, D. D. (2019). Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 481-498.
  More info

  The massive payment card industry (PCI) involves various entities such as merchants, issuer banks, acquirer banks, and card brands. Ensuring security for all entities that process payment card information is a challenging task. The PCI Security Standards Council requires all entities to be compliant with the PCI Data Security Standard (DSS), which specifies a series of security requirements. However, little is known regarding how well PCI DSS is enforced in practice. In this paper, we take a measurement approach to systematically evaluate the PCI DSS certification process for e-commerce websites. We develop an e-commerce web application testbed, BuggyCart, which can flexibly add or remove 35 PCI DSS related vulnerabilities. Then we use the testbed to examine the capability and limitations of PCI scanners and the rigor of the certification process. We find that there is an alarming gap between the security standard and its real-world enforcement. None of the 6 PCI scanners we tested are fully compliant with the PCI scanning guidelines, issuing certificates to merchants that still have major vulnerabilities. To further examine the compliance status of real-world e-commerce websites, we build a new lightweight scanning tool named PciCheckerLite and scan 1,203 e-commerce websites across various business sectors. The results confirm that 86% of the websites have at least one PCI DSS violation that should have disqualified them as non-compliant. Our in-depth accuracy analysis also shows that PciCheckerLite's output is more precise than w3af. We reached out to the PCI Security Council to share our research results to improve the enforcement in practice.
• Rahaman, S., Xiao, Y., Afrose, S., Shaon, F., Tian, K., Frantz, M., Kantarcioglu, M., & Yao, D. D. (2019). CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2455-2472.
  More info

  Cryptographic API misuses, such as exposed secrets, predictable random numbers, and vulnerable certificate verification, seriously threaten software security. The vision of automatically screening cryptographic API calls in massive-sized (e.g., millions of LoC) programs is not new. However, hindered by the practical difficulty of reducing false positives without compromising analysis quality, this goal has not been accomplished. CryptoGuard is a set of detection algorithms that refine program slices by identifying language-specific irrelevant elements. The refinements reduce false alerts by 76% to 80% in our experiments. Running our tool, CryptoGuard, on 46 high-impact large-scale Apache projects and 6,181 Android apps generated many security insights. Our findings helped multiple popular Apache projects to harden their code, including Spark, Ranger, and Ofbiz. We also have made progress towards the science of analysis in this space, including manually analyzing 1,295 Apache alerts, confirming 1,277 true positives (98.61% precision), and in-depth comparison with leading solutions including CrySL, SpotBugs, and Coverity.
• Rahaman, S., Xiao, Y., Afrose, S., Tian, K., Frantz, M., Meng, N., Miller, B. P., Shaon, F., Kantarcioglu, M., & Yao, D. D. (2019). Poster: Deployment-quality and Accessible Solutions for Cryptography Code Development. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2545-2547.
  More info

  Cryptographic API misuses seriously threaten software security. Automatic screening of cryptographic misuse vulnerabilities has been a popular and important line of research over the years. However, the vision of producing a scalable detection tool that developers can routinely use to screen millions of line of code has not been achieved yet. Our main technical goal is to attain a high precision and high throughput approach based on specialized program analysis. Specifically, we design inter-procedural program slicing on top of a new on-demand flow-, context- and field- sensitive data flow analysis. Our current prototype named CryptoGuard can detect a wide range of Java cryptographic API misuses with a precision of 98.61%,, when evaluated on 46 complex Apache Software Foundation projects (including, Spark, Ranger, and Ofbiz). Our evaluation on 6,181 Android apps also generated many security insights. We created a comprehensive benchmark named CryptoAPI-Bench with 40-unit basic cases and 131-unit advanced cases for in-depth comparison with leading solutions (e.g., SpotBugs, CrySL, Coverity). To make CryptoGuard widely accessible, we are in the process of integrating CryptoGuard with the Software Assurance Marketplace (SWAMP). SWAMP is a popular no-cost service for continuous software assurance and static code analysis.
• Afrose, S., Frantz, M., Rahaman, S., Xiao, Y., & Yao, D. D. (2018). Tutorial: Principles and Practices of Secure Cryptographic Coding in Java. In 2020 IEEE Secure Development (SecDev), 122-123.
  More info

  Various software libraries and frameworks provide a variety of APIs to support secure coding. However, misusing these APIs can cost developers tremendous time and effort, introduce security vulnerabilities to software, and cause serious consequences like data leakage or Denial of Service (DoS) on servers. Our tutorial aims to educate people on the best practice of secure coding, the pitfalls that should be avoided, and the detection tools and fixing suggestions of insecure code.To increase the security awareness of developers and improve the quality of their software products, we propose a 90-minute tutorial to teach participants the principles and practices of Java secure coding, including the SSL/TLS and Spring Security configuration. In this tutorial, we will introduce the principles of using security APIs, analyze typical API misuse cases to explain the causes and effects. We will also introduce a tool that we recently developed to automatically detect API misuse in Java.There are five parts in our tutorial. To reveal the secure coding practice, we will first introduce the findings in our recent study on StackOverflow posts relevant to Java security. Second, we will discuss the recommended principles of API usage by security experts. Third, to correlate the principles with existing practice, we will discuss some API misuse examples for the SSL/TLS certificate verification, Spring Security authentication, etc. Fourth, we will ask participants to examine extra code examples and discuss the security property. Finally, We will give an overview of the available tools and resources, demonstrate a tool named CryptoGuard that we developed to automatically detect API misuse in Java. We will also help participants install and use CryptoGuard plugins on their own machines and ask them for trials.By actively involving participants in code discussion and tool trial, we aim to raise the security awareness among developers, improve their secure coding capabilities, and equip them with the tools they need for secure coding.
• Rahaman, S., & Yao, D. (2017). Program Analysis of Cryptographic Implementations for Security. In 2017 IEEE Cybersecurity Development (SecDev), 61-68.
  More info

  Cryptographic implementation errors in popular open source libraries (e.g., OpenSSL, GnuTLS, BotanTLS, etc.) and the misuses of cryptographic primitives (e.g., as in Juniper Network) have been the major source of vulnerabilities in the wild. These serious problems prompt the need for new compile-time security checking. Such security enforcements demand the study of various cryptographic properties and their mapping into enforceable program analysis rules. We refer to this new security approach as cryptographic program analysis (CPA). In this paper, we show how cryptographic program analysis can be performed effectively andits security applications. Specifically, we systematically investigate different threat categories on various cryptographicimplementations and their usages. Then, we derive varioussecurity rules, which are enforceable by program analysistools during code compilation. We also demonstrate the capabilities of static taint analysis to enforce most of these security rules and provide a prototype implementation. We point out promising future research and development directions in this new area of cryptographic program analysis.
• Rahaman, S., Cheng, L., Yao, D. D., Li, H., & Park, J. J. (2017). Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocation. In Proceedings on Privacy Enhancing Technologies, 2017, 384-403.
  More info

  Abstract Group signature schemes enable anonymous-yet-accountable communications. Such a capability is extremely useful for applications, such as smartphone-based crowdsensing and citizen science. However, the performance of modern group signature schemes is still inadequate to manage large dynamic groups. In this paper, we design the first provably secure verifier-local revocation (VLR) - based group signature scheme that supports sublinear revocation, named Sublinear Revocation with Backward unlinkability and Exculpability (SRBE). To achieve this performance gain, SRBE introduces time bound pseudonyms for the signer. By introducing low-cost short-lived pseudonyms with sublinear revocation checking, SRBE drastically improves the efficiency of the group-signature primitive. The backward-unlinkable anonymity of SRBE guarantees that even after the revocation of a signer, her previously generated signatures remain unlinkable across epochs. This behavior favors the dynamic nature of real-world crowdsensing settings. We prove its security and discuss parameters that influence its scalability. Using SRBE, we also implement a prototype named GroupSense for anonymous-yet-accountable crowdsensing, where our experimental findings confirm GroupSense’s scalability. We point out the open problems remaining in this space.
• Rahaman, M. S., Eshan, T. A., Al Abdullah, S., & Rahman, M. S. (2014). Antibandwidth problem for itchy caterpillars. In 2014 International Conference on Informatics, Electronics and Vision, ICIEV 2014.
  More info

  The antibandwidth problem is to label the vertices of a graph of n vertices by 1, 2, 3,..., n bijectively, such that the minimum difference of labels of adjacent vertices is maximized. The antibandwidth problem is known as NP-hard for general graphs. In this paper, we give an antibandwidth labeling scheme for a special class of trees called itchy caterpillar and study the lower bound of antibandwidth problem for the same class of graphs. We also give exact results for some of its subclasses. The result for itchy caterpillars with hair length 1, is the first nontrivial exact result of antibandwidth problem for any class of graphs. © 2014 IEEE.
• Islam, M. R., Rahaman, S., Hasan, R., Noel, R. R., Salekin, A., & Ferdous, H. S. (2013). A Novel Approach for Constructing Emulator for Microsoft Kinect XBOX 360 Sensor in the .NET Platform. In 2013 4th International Conference on Intelligent Systems, Modelling and Simulation, 1-6.
  More info

  The Microsoft Kinect sensor has brought a new era of Natural User Interface (NUI) based gaming and the associated SDK has provided access to its powerful sensors, which can be utilized in many ways, especially in research purposes. We have already seen its use in robotics, developing assistive technologies, and augmented reality, aside from gaming. Thousands of people around the world are playing with its built-in multimodal sensors, but still a complete emulator for the Kinect sensor device is lacking, thus requiring a physical device to do any experiments with it. In this work, we have come forward with a novel design of an emulator for the Kinect sensor and its implementation in the .NET platform using the Microsoft Kinect SDK. We have demonstrated the applicability of our system through detailed software design, code descriptions to incorporate this emulator in user's own code, and video demonstration of our proposed system.