Tyler William Thomas

PhD Student and GAANN Fellow, University of North Carolina at Charlotte, College of Computing and Informatics

Research

Research Projects

Security Code Review

My dissertation topic lies at the intersection of cybersecurity, human-computer interaction, and software engineering. My dissertation proposes and discusses tool-assisted security code review as a technique for detecting and remediating security vulnerabilities in application source code. In my dissertation, I conduct a study of practicing application security experts to determine their workflows and challenges. Using the feedback and results from that study, I design a prototype security code review tool and explore the process, the warnings, and the collaboration between the various roles of users such a tool might serve. My previous research focuses on usable techniques for detecting application-specific security vulnerabilities from within the IDE, the design and effectiveness of contextual security messages during application development, the use of IDE-based security warnings to teach security concepts to undergraduates, and the ideal frequency and layout of application privacy notifications on smartphones.


Android Contextual Application Permissions

I designed an Android app to study the utility of contextual permission notifications. The application runs in the background on a user’s phone and, after a certain amount of time, displays a notification telling the user that a running application has just done something it is permitted to do. For example, it might say “Android music player just took a picture.” In our paper we examined several aspects of these contextualized permissions. First, which permissions users wish to be informed about and which they do not. Second, which types of notifications are most helpful and which are annoying. Third, how often users wish to be informed of these actions.


Interactive Static Analysis for Application-Specific Vulnerability Detection

I have explored the use of interactive static analysis techniques and graphical annotation for the detection of application-specific vulnerabilities such as access control and cross-site request forgery vulnerabilities. In the spring of 2014, I analyzed the source code of Moodle 2 with our tool to evaluate the feasibility of this approach. Several zero-day vulnerabilities were discovered, confirmed by the Moodle team, and patched. The work resulted in a publication at SACMAT 2015.


Teaching Security in Introductory Computer Science with Interactive Static Analysis

I have conducted two studies to assess whether interactive static analysis techniques can be used to teach security to students in introductory CS courses. To do this, I took the main code base of our tool and modified it for this purpose. I then conducted studies with Dr. Hutchings at Elon and Dr. Awatif at JCSU. The results from the interviews at JCSU and the quantitative data from Elon have been combined into a journal paper, which has been submitted for publication.


Interactive Code Annotation for Security Vulnerability Detection

I have also taken our interactive static analysis tool (for application-specific vulnerabilities) and explored what the interfaces of such tools require. I designed an interface that supports our process of interactive annotation and wrote a paper on the design for the Security Information Workers Workshop. That paper, Interactive Code Annotation for Security Vulnerability Detection, was accepted and published. I then conducted user studies with the interface and published a paper at VLHCC 2015. I am currently working on integrating secure code review techniques with this interactive annotation approach for mitigating vulnerabilities.


Social Impact of Expiring Tweets

My advisor wanted to study how users would behave if they had the option of setting tweets to expire on Twitter. She wanted to build an Android app and conduct a user study to examine this. However, earlier attempts to design the software had failed because Twitter did not provide an API for Android devices. I inherited the project and immediately began searching for a solution. By completely redesigning the application and adding a server component, I was able to overcome the problem. The application is now complete and we are in the process of collecting data.


Research Presentations

2015 IEEE Symposium on Visual Languages and Human-Centric Computing
A Study of Interactive Code Annotation for Access Control Vulnerabilities. Atlanta, Georgia
2015 Poster Session at IEEE Symposium on Visual Languages and Human-Centric Computing
Exploring the Usability and Effectiveness of Interactive Annotation and Code Review for the Detection of Security Vulnerabilities. Atlanta, Georgia
2015 Graduate Consortium Presentation at IEEE Symposium on Visual Languages and Human-Centric Computing
Exploring the Usability and Effectiveness of Interactive Annotation and Code Review for the Detection of Security Vulnerabilities. Atlanta, Georgia
2014 ACM Workshop on Security Information Workers
Interactive Code Annotation for Security Vulnerability Detection. Scottsdale, Arizona
College of Computing and Informatics Flash Talks Fall 2014
Voted #1 of ten presentations by the audience

Publications

Michael Whitney, Heather Richter Lipford, Bill Chu, and Tyler Thomas. "Embedding Secure Coding Instruction into the IDE: Complementing Early and Intermediate CS Courses with ESIDE." Journal of Educational Computing Research, in press, 2017.
Tyler Thomas, Heather Lipford, Bill Chu, Justin Smith, and Emerson Murphy-Hill. "What Questions Remain? An Examination of How Developers Understand an Interactive Static Analysis Tool." In WSIW@SOUPS, 2016.
Tyler Thomas, Bill Chu, Heather Lipford, Justin Smith, and Emerson Murphy-Hill. "A Study of Interactive Code Annotation for Access Control Vulnerabilities." In IEEE Symposium on Visual Languages and Human-Centric Computing (VLHCC '15). IEEE Computer Society, Washington, DC, USA, 2015.
Tyler Thomas. "Exploring the Usability and Effectiveness of Interactive Annotation and Code Review for the Detection of Security Vulnerabilities." VLHCC '15 Graduate Consortium, Atlanta, GA, USA, 2015.
Jun Zhu, Bill Chu, Heather Lipford, and Tyler Thomas. "Mitigating Access Control Vulnerabilities through Interactive Static Analysis." In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies (SACMAT '15). ACM, New York, NY, USA, 199-209, 2015. http://dx.doi.org/10.1145/2752952.2752976
Heather Lipford, Tyler Thomas, Bill Chu, and Emerson Murphy-Hill. "Interactive Code Annotation for Security Vulnerability Detection." In Proceedings of the 2014 ACM Workshop on Security Information Workers (SIW '14). ACM, New York, NY, USA, 17-22, 2014. http://doi.acm.org/10.1145/2663887.2663901