News
(archive)
Last Updated: September 2023
Algovis Release
I've finally gotten around to publishing the rudimentary, interactive algorithm
visualisation tool that I wrote
when teaching COMP90038 - Algorithms and Complexity (2021--2022) to aid students' understanding of
introductory algorithms and design techniques. The tool is called Algovis and you can get it from GitHub, including
full documentation, which shows the visualisations in action.
Insecurity Separation Logic
I am delighted to announce that our long-running work to develop an automatic and compositional methods for
detecting information leakage vulnerabilities in programs will appear at
ICFEM 2023. This
work includes not only the design of a new program logic for detecting
leakage (Insecurity Separation Logic) but also the implementation of its
automatic application inside two tools: our own Underflow tool, and as an extension to Meta's Infer static analyzer. All materials, plus an extended version of the
paper, are available on the COVERN project website.
Welcome Aaron Bembenek!
I am delighted to welcome Aaron Bembenek who joins the CATCH MURI project as a postdoc working at the intersection of formal methods and machine learning. Aaron completed his PhD at Harvard, advised by Stephen Chong. Aaron brings a wealth of expertise, including in logic programming and automated solving. |
|
Melbourne Business Analytics Conference - Generative AI Panel
|
I had a wonderful time this week talking about the relationship between
generative AI and cybersecurity as part of the
Navigating the Generative Frontier: The Evolution of Decision Making in the Age of AI panel at the 2023 Melbourne Business Analytics Conference. There is so much interest in this technology and much more to be done to educate organisations about how to make best use of it while avoiding its potential to increase exposure to cyber threats.
|
ACM Software System Award
|
I am honoured to be recognised amongst the 14-member team who this
year was awarded the ACM Software System Award for our work on the seL4 microkernel. Quoting from what I wrote for the University of Melbourne's announcement:
This marks the first time the ACM Software System Award has been awarded to an Australian-based team. The seL4 project represents two decades of sustained world-leading research. Since its original publication in 2009, the seL4 kernel has set the bar for how secure systems should be engineered, while demolishing long-held beliefs about the limits of what formal methods can achieve, demonstrating that system security need not come at the cost of performance.
Long live seL4!
|
CSF 2024
Please consider submitting to the IEEE Computer Security Foundations Symposium (CSF) 2024.
Tamara Rezk and I are Program Chairs for CSF 2024 and we warmly welcome submissions on topics at the intersection of computer security and formal foundations.
About Me
I am an academic in the School of Computing and Information Systems of the University of Melbourne. Prior to joining Melbourne in May 2016,
I was employed in the Software Systems
Research Group of NICTA (now Data61), and was a Conjoint Senior Lecturer in the school of
Computer Science and Engineering of
UNSW. I joined NICTA and UNSW in 2010 from
Oxford, where I completed a D.Phil. (PhD) in Computer Science, awarded in 2011.
Before moving to Oxford, I worked for the
Defence Science and Technology Organisation after my undergraduate study
at the University of Adelaide.
I live in Melbourne with my wife and two children, enjoy (and sometimes write and
record) alternative music,
and spend too much time on Twitter
engaging a hot-cold obsession with Australian politics, security and privacy.
I love great ales, informed by my days in Oxford, and rich reds, like any Adelaide
native.
Research and Collaborations
My research is focused on the problem of how to build highly secure computing
systems cost-effectively. As part of this, I work on ways to assess the security of
computer systems, methods to ensure the absence of vulnerabilities
in programs and systems, methods to detect vulnerabilities in programs, methods for designing
secure systems, and related topics. Below is a snapshot of my current research projects.
Current Research Projects
My current research projects include the following. This list does not include PhD student projects that
are yet to be made public.
Past and Dormant Research Projects
Some of my past and dormant research projects include the following.
My Group
Researchers
Current postdocs:
Current Research Assistants:
Previous postdocs and Research Assistants:
Research Students
Current PhD students:
Previous research students:
- Dongge Liu, University of Melbourne (PhD thesis: Software Testing with Monte Carlo Tree Search; supervised with Ben Rubinstein, Gidon Ernst, and Thuan Pham)
- Duc Than Nguyen, University of Melbourne (MPhil thesis: Foundations for Reasoning about Holistic Specifications; supervised with Ben Rubinstein)
- Robert Sison, UNSW (PhD thesis: Proving Confidentiality and Its Preservation Under Compilation for Mixed-Sensitivity Concurrent Programs; jointly supervised with Carroll Morgan and Kai Engelhardt)
- Daniel Matichuk, UNSW (PhD thesis:
Automation for Proof Engineering:
Machine-Checked Proofs At Scale
; co-supervised with Gerwin Klein)
- David (Knobby) Clarke, University of Melbourne (PhD thesis: Analyses
of Java Programs over Weak Memory; co-supervised with Tim Miller and Antonette Mendoza)
- Yude Lin, University of Melbourne (PhD thesis: Symbolic Execution with Over-Approximation; co-supervised with Tim Miller and Harald Sondergaard)
- Sidney Amani, UNSW (PhD thesis: A Methodology
for Trustworthy File Systems
)
- Japheth Lim, UNSW (Honours thesis: Automatically Proving the Correctness of C Code Generation)
- Sudeep Kanav (Masters student from TU Munich, thesis: Compiler Verification for a Data Format DSL)
Working with Me
I'm always looking for motivated students to work with. Check out my page for
prospective research students.
Software and Artifacts
My group has developed various pieces of software, plus formal
artifacts embedded in interactive theorem provers such as program logics and compilers.
All are available under open source licenses.
Software
SecC: Verified Security for Concurrent C Programs
SecC is the first autoactive program verifier able to verify information flow security
for concurrent C programs.
More Information ->
Legion: Principled Automatic Test Case Generation
Legion automatically generates test cases for programs, generalising traditional
concolic testing and fuzzing, orchestrating program exploration via Monte-Carlo
Tree Search.
More Information ->
Underflow: Compositional Vulnerability Detection for C Programs
Underflow is the first first automatic tool able to compositionally detect memory-safety and information-leakage vulnerabilities in C programs.
More Information ->
Algovis: Rudimentary, Interactive Algorithm Visualisation in Python
When teaching COMP90038 - Algorithms and Complexity (2021--2022) I created a simple visualisation framework
to allow introductory algorithms students to interactively visualise the various
algorithms, and to experiment with variations on those algorithms, to better understand
them.
More Information ->
Artifacts
A
general-purpose logic that enables one to perform under-approximate reasoning about relational
properties, and the fist logic able to prove when programs are insecure.
More Information ->
SecRSL: How to Prove Efficient, Concurrent Programs Secure
The first security separation program logic able to reason about C11's weak
memory concurrency features used by highly-efficient concurrent C programs.
More Information ->
VERONICA: Verified Secure Declassification for Concurrent Programs
VERONICA is a verification method, embedded in the Isabelle/HOL theorem prover, for verifying secure declassification policies for concurrent programs.
More Information ->
A program logic for concurrent C-like programs with pointers, arrays etc., for proving they do not leak sensitive information.
More Information ->
COVERN Compiler: Verified Secure Compilation for Concurrent Programs
The COVERN Compiler is a proof-of-concept compiler embedded in the Isabelle/HOL theorem prover that provably preserves information flow security when compiling concurrent programs.
More Information ->
COVERN Logic: Verified Security for Concurrent Programs
The COVERN logic, embedded in the Isabelle/HOL theorem prover, allows one to prove that concurrent programs do not leak sensitive information.
More Information ->
Bugs
Like any researcher who works on security, my work necessarily involves discovering bugs in software.
As somebody who works on tools for proving things about programs (including the presence of bugs),
my work not only uncovers bugs in ordinary programs but also bugs in
programs that reason about other programs. Below is a
list of some bugs I've uncovered in program analysis tools during my research:
Teaching
In 2023, I am teaching:
I previusly taught:
- COMP90038 - Algorithms and Complexity (2018--2022)
- SWEN90006 - Software Security & Testing (2016--2021)
- COMP4161 - Advanced Topics in Software Verification (2010, 2011, 2012, 2013, 2014 as Lecturer in Charge, 2015)
- COMP9241 - Advanced Operating Systems (Guest lecturer in Operating Systems Security, 2011, 2012, 2013, 2014, 2015)
I have also taught half-day courses to industry on topics including:
- Separation Logic
- Software Model Checking for C code using
CBMC
If your company develops
software and would like to know how you can more easily detect and remove bugs
during development, and would like to know more, please get in touch.
Service
I am
a
Research Integrity Advisor, serve as an undergraduate Academic Advisor, as well as regularly chairing Academic Misconduct Committee hearings, amongst other things. I am also Deputy Director of the Defence Science Institute.
I am an Associate Editor for IEEE Security & Privacy and serve on a range of Program Committees (see below).
I am a member of IFIP WG 1.7 on Theoretical Foundations of Security
Analysis and Design.
Steering Committees
- IEEE Computer Security Foundations Symposium (2023--2027)
- International Conference on Formal Methods in Software Engineering (FormaliSE) (2023--2025)
- ACM Workshop on Programming Languages and Analysis for Security (PLAS) (2016--2020)
Edited Books
Program Committees
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
2015
2014
2013
2012
2010