Doctoral student earns ACM award for research on security verification

Xiao Liu, doctoral student in the College of Information Sciences and Technology at Penn State. Credit: Erin Cassidy Hendrick / Penn State (Creative Commons)

UNIVERSITY PARK, Pa. — Xiao Liu, a doctoral student in the College of Information Sciences and Technology (IST), was recently awarded a bronze medal for her research during the Association for Computing Machinery (ACM) Graduate Student Research Competition at the 2017 Programming Language Design and Implementation (PLDI) Conference held in Barcelona, Spain.

Her research is focused on enhancing regular expressions, or “regex,” a tool that computer programmers often use for security purposes, including virus detection. Although end users rarely encounter regex directly, programmers use it to filter inputs, accepting only those that match an expected form, such as a phone number. The back-end code is written to reject any string of characters that does not fit the pattern, such as a phone number that contains a letter.

“While regular expressions are widely used, they are widely abused,” Liu said. “Input validations using regular expressions are constantly being found inefficient due to errors, resulting in many security vulnerabilities.”

This matters because if the regex fails to reject malformed input, attackers can slip crafted strings, including injected code snippets, past the validation and into the application, where they can reveal the data the attackers are after.

Traditionally, a regex is verified against a test oracle: a set of sample inputs, each labelled as one the regex should accept or reject, used to decide whether a test has passed or failed. For example, if the regex was looking for a seven-digit phone number, a tester would try a handful of inputs, some with only six digits and some that included letters. While this method is simple, it is not exhaustive: a few samples cannot cover the full range of inputs a regex could face.

Xiao’s research proposes a new way of looking at this problem. She introduces a method of verifying that a regex is correct by leveraging equivalence checking and natural language processing. This approach offers a simpler, more direct way to specify what the regex is meant to accept and, from that specification, decide whether the regex is correct.

“Essentially, we want to write another regex [to] cross validate the original one,” she said.
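As an added illustration of the two verification styles described above (not Liu's tool or any code from the research), the following Python compares a hand-picked test oracle with a bounded equivalence check between an original phone-number regex and an independent regex that restates its intent. The validators, the sample set, the alphabet and the length bound are all constructed for this example; the bounded enumeration is a finite stand-in for the exact automaton-based equivalence check the research describes.

```python
import itertools
import re

# Constructed example: the "original" validator looks anchored, but in Python
# '$' also matches just before a trailing newline, so "1234567\n" slips through.
ORIGINAL = re.compile(r"^\d{7}$")
# Independent cross-validation regex: "exactly seven digits and nothing else".
SPEC = re.compile(r"\d{7}")
# Hardened original: \A and \Z anchor only at the true ends of the string.
FIXED = re.compile(r"\A[0-9]{7}\Z")


def validate_original(s):
    return ORIGINAL.match(s) is not None


def validate_spec(s):
    return SPEC.fullmatch(s) is not None


def validate_fixed(s):
    return FIXED.match(s) is not None


# Hand-picked test oracle, the sample-based verification described above:
# a valid number, a six-digit one, one with a letter, one with eight digits.
ORACLE_SAMPLES = [("1234567", True), ("123456", False),
                  ("12345a7", False), ("12345678", False)]


def passes_oracle(validate, samples=ORACLE_SAMPLES):
    """True if the validator agrees with every labelled sample."""
    return all(validate(s) == expected for s, expected in samples)


def first_disagreement(validate_a, validate_b,
                       alphabet=("1", "a", "\n"), max_len=8):
    """Bounded equivalence check: enumerate every string over `alphabet` up to
    `max_len` characters and return the first one the two validators classify
    differently, or None if they agree on all of them."""
    for length in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if validate_a(candidate) != validate_b(candidate):
                return candidate
    return None


if __name__ == "__main__":
    print("oracle passes original:", passes_oracle(validate_original))
    print("counterexample:", repr(first_disagreement(validate_original, validate_spec)))
    print("fixed vs spec:", first_disagreement(validate_fixed, validate_spec))
```

The sample oracle passes the flawed validator, while the bounded equivalence check against the second regex returns the trailing-newline counterexample and then reports no disagreement for the hardened version.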

This research was funded by startup funds awarded to Dinghao Wu, associate professor in IST and Liu’s adviser, and in the future will be supported by Wu’s PNC Technologies Career Development Professorship.

“[Liu’s] developing a method and tool to allow people to automatically verify the correctness of regular expressions, which are used in many web applications for security sanitization of potentially adversarial inputs,” Wu said. “This can help programmers to improve the security and quality of their software.”

He added, “It’s really an honor for her to receive this bronze medal, which speaks to the high-quality research she’s been doing.”

Last Updated September 05, 2017