Tyler William Thomas

PhD Student and GAANN Fellow, University of North Carolina at Charlotte, College of Computing and Informatics

Research

Research Projects

Android Contextual Application Permissions

I have designed an Android app to study the usefulness of contextual permission notifications. The application runs in the background on a user’s phone and, after a certain amount of time, displays a notification telling the user that a running application has just done something it is allowed to do. For example, it might say “Android music player just took a picture.” In our paper we examined several aspects of these contextualized permissions. First, we examined which sorts of permissions users wish to be informed about and which they do not. Second, we determined which types of notifications are most helpful and which are annoying. Third, we analyzed how often users wish to be informed of these actions. We have submitted our paper to CHI.


Interactive Static Analysis for Application-Specific Vulnerability Detection

I have explored the use of interactive static analysis techniques and graphical annotation for the detection of application-specific vulnerabilities such as missing access control checks and cross-site request forgery. In the spring of 2014, I analyzed Moodle 2’s source code using our tool to evaluate the feasibility of this approach. Several zero-day vulnerabilities were discovered, confirmed by the Moodle team, and patched. The work resulted in a publication at SACMAT 2015.


Teaching Security in Introductory Computer Science with Interactive Static Analysis

I have conducted two studies to assess whether interactive static analysis techniques can be used to teach security to introductory CS students. To do this, I took the main code base of our tool and modified it for this purpose. I then conducted studies with Dr. Hutchings at Elon and Dr. Awatif at JCSU. Results from the interviews at JCSU and the quantitative data collected at Elon have been combined into a journal paper, which has been submitted for publication.

Interactive Code Annotation for Security Vulnerability Detection

I have also taken our interactive static analysis tool (for application-specific vulnerabilities) and explored what the interfaces of such tools require. I designed an interface that encourages our process of interactive annotation and wrote a paper on the design for the Security Information Workers Workshop. The paper, Interactive Code Annotation for Security Vulnerability Detection, was accepted and published. I then conducted user studies with the interface and published a paper at VLHCC 2015. I am currently working on integrating secure code review techniques with this interactive annotation approach for mitigating vulnerabilities.


Social Impact of Expiring Tweets

My advisor wanted to study how users would behave if they had the option of setting tweets to expire on Twitter. She wanted to build a mobile Android app and conduct a user study to examine this. However, attempts to design the software had failed since Twitter did not provide an API for Android devices. I inherited the project and immediately began searching for a solution. By completely redesigning the application and adding a server component, I was able to overcome the problem. The application is now complete and we are in the process of collecting data.


Research Presentations

2015 IEEE Symposium on Visual Languages and Human-Centric Computing
A Study of Interactive Code Annotation for Access Control Vulnerabilities. Atlanta, Georgia
2015 Poster Session at IEEE Symposium on Visual Languages and Human-Centric Computing
Exploring the Usability and Effectiveness of Interactive Annotation and Code Review for the Detection of Security Vulnerabilities. Atlanta, Georgia
2015 Graduate Consortium Presentation at IEEE Symposium on Visual Languages and Human-Centric Computing
Exploring the Usability and Effectiveness of Interactive Annotation and Code Review for the Detection of Security Vulnerabilities. Atlanta, Georgia
2014 ACM Workshop on Security Information Workers
Interactive Code Annotation for Security Vulnerability Detection. Scottsdale, Arizona
College of Computing and Informatics Flash Talks, Fall 2014
Voted #1 of ten presentations by the audience

Publications

T. Thomas, B. Chu, H. Lipford, J. Smith, and E. Murphy-Hill. 2015. A Study of Interactive Code Annotation for Access Control Vulnerabilities. In Proceedings of the 2015 IEEE Symposium on Visual Languages and Human-Centric Computing (VLHCC '15). IEEE Computer Society, Washington, DC, USA.
T. Thomas. 2015. Exploring the Usability and Effectiveness of Interactive Annotation and Code Review for the Detection of Security Vulnerabilities. VLHCC '15 Graduate Consortium, Atlanta, GA, USA.
J. Zhu, B. Chu, H. Lipford, and T. Thomas. 2015. Mitigating Access Control Vulnerabilities through Interactive Static Analysis. In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies (SACMAT '15). ACM, New York, NY, USA, 199-209. DOI: 10.1145/2752952.2752976, http://dx.doi.org/10.1145/2752952.2752976
H. Lipford, T. Thomas, B. Chu, and E. Murphy-Hill. 2014. Interactive Code Annotation for Security Vulnerability Detection. In Proceedings of the 2014 ACM Workshop on Security Information Workers (SIW '14). ACM, New York, NY, USA, 17-22. DOI: 10.1145/2663887.2663901, http://doi.acm.org/10.1145/2663887.2663901