Academic Work

Background

In June 2010, I defended my PhD thesis "Improving Dynamic Analysis with Data Flow Analysis" (advised by Dr. Calvin Lin) and am therefore now Dr. Walter Chang.

I received my Bachelor of Arts in Computer Science at Cornell University. During my time there, I did research with the Cornell Network Research Group and later the Autonomous Underwater Vehicle Team.

Some additional details are in my resume.

From the abstract to my doctoral dissertation [PDF] on "Improving Dynamic Analysis with Data Flow Analysis"

Many challenges in software quality can be tackled with dynamic analysis. However, these techniques are often limited in their efficiency or scalability as they are often applied uniformly to an entire program. In this thesis, we show that dynamic program analysis can be made significantly more efficient and scalable by first performing a static data flow analysis so that the dynamic analysis can be selectively applied only to important parts of the program. We apply this general principle to the design and implementation of two different systems, one for runtime security policy enforcement and the other for software test input generation.

For runtime security policy enforcement, we enforce user-defined policies using a dynamic data flow analysis that is more general and flexible than previous systems. Our system uses the user-defined policy to drive a static data flow analysis that identifies and instruments only the statements that may be involved in a security vulnerability, often eliminating the need to track most objects and greatly reducing the overhead. For taint analysis on a set of five server programs, the slowdown is only 0.65%, two orders of magnitude lower than previous taint tracking systems. Our system also has negligible overhead on file disclosure vulnerabilities, a problem that taint tracking cannot handle.

For software test case generation, we introduce the idea of targeted testing, which focuses testing effort on select parts of the program instead of treating all program paths equally. Our "Bullseye" system uses a static analysis performed with respect to user-defined "interesting points" to steer the search down certain paths, thereby finding bugs faster. We also introduce a compiler transformation that allows symbolic execution to automatically perform boundary condition testing, revealing bugs that could be missed even if the correct path is tested. For our set of 9 benchmarks, Bullseye finds bugs an average of 2.5x faster than a conventional depth-first search and finds numerous bugs that DFS could not. In addition, our automated boundary condition testing transformation allows both Bullseye and depth-first search to find numerous bugs that they could not find before, even when all paths were explored.

Publications

PhD Thesis

Improving Dynamic Analysis with Data Flow Analysis. Doctoral dissertation, Walter Chang, The University of Texas at Austin, August 2010. [PDF]

Peer-Reviewed Conference Publications

Walter Chang, Brandon Streiff, and Calvin Lin. Efficient and Extensible Security Enforcement Using Dynamic Data Flow Analysis. In Proceedings of the 15th ACM Conference on Computer and Communications Security. October 2008. [PDF]
This paper in CCS'08 shows how a wide range of security policies can be enforced efficiently by using a combination of static and dynamic data flow analysis. By framing the policy in a manner accessible to dynamic data flow analysis, we can derive and use the corresponding static data flow analysis to identify and eliminate any instrumentation that does not affect the results of any security checks that lead to actual vulnerabilities. Since this proportion is typically small, we can achieve extremely minimal overheads, usually less than 1% and often within the noise for the performance of typical server programs.

Non Peer-Reviewed Works

Steve Cook, Calvin Lin, and Walter Chang. Securing Legacy C Applications Using Dynamic Data Flow Analysis. In Crosstalk - The Journal of Defense Software Engineering, September 2008. [PDF]
This is a more "general-audience" treatment of the same work in my CCS'08 paper, with more emphasis on aspects of interest to the defense community. Crosstalk is a DoD internal software engineering magazine; we were invited to write a short article for a special issue on secure software.
Cornell AUV Team. For AUVSI/ONR 2002. [PDF]
The Association for Unmanned Vehicle Systems International and the Office of Naval Research sponsor an annual competition for autonomous underwater vehicles. As a part of this competition, teams must submit a short paper on the design of their robot submarine. This is our 2002 paper.
Cornell AUV Team. For AUVSI/ONR 2001. [PDF]
Again, for the AUVSI competition. This is the 2001 paper.
Cornell AUV Team. For AUVSI/ONR 2000. [PDF]
Again, for the AUVSI competition. This is the 2000 paper.

Unpublished

Srinivasan Keshav, Cristian Estan, Haye Chan, and Walter Chang. A toolkit for discovering topology and delays in the Internet. Unpublished, 1999. [PS]
This was written when I did a stint in network measurement research as a freshman at Cornell. It describes Argus, a toolkit for automated network topology discovery. Argus uses a number of heuristics and tricks to rapidly guess at hosts and generate maps of arbitrary networks. After my superviser S. Keshav left to form Ensim the project went nowhere. I haven't touched this in almost a decade, so my memory is fuzzy on most of the specifics. The paper describes most of the concrete work we got done on the project.