Mohammad Ghafari
Automated Testing of Broken Authentication Vulnerabilities in Web APIs with AuthREST
We present AuthREST, an open-source security testing tool targeting broken authentication, one of the most prevalent API security risks in the wild. AuthREST automatically tests web APIs for credential stuffing, password brute forcing, and…
Metaverse Security and Privacy Research: A Systematic Review
The rapid growth of metaverse technologies, including virtual worlds, augmented reality, and lifelogging, has accelerated their adoption across diverse domains. This rise exposes users to significant new security and privacy challenges due…
Security Bug Report Prediction Within and Across Projects: A Comparative Study of BERT and Random Forest
Early detection of security bug reports (SBRs) is crucial for preventing vulnerabilities and ensuring system reliability. While machine learning models have been developed for SBR prediction, their predictive performance still has room for…
Poisoned Source Code Detection in Code Models
Deep learning models have gained popularity for conducting various tasks involving source code. However, their black-box nature raises concerns about potential risks. One such risk is a poisoning attack, where an attacker intentionally con…
Benchmarking Prompt Engineering Techniques for Secure Code Generation with GPT Models
Prompt engineering reduces reasoning mistakes in Large Language Models (LLMs). However, its effectiveness in mitigating vulnerabilities in LLM-generated code remains underexplored. To address this gap, we implemented a benchmark to automat…
The Dilemma of Privacy Protection for Developers in the Metaverse
To investigate the level of support and awareness developers possess for dealing with sensitive data in the metaverse, we surveyed developers, consulted legal frameworks, and analyzed API documentation in the metaverse. Our preliminary res…
Phishing Awareness via Game-Based Learning
The increased use of digital devices and applications has led to a rise in phishing attacks. We develop a serious game to raise awareness about phishing attacks and help people avoid these threats in a risk-free learning environment. This …
ChatGPT’s Potential in Cryptography Misuse Detection: A Comparative Analysis with Static Analysis Tools
The correct adoption of cryptography APIs is challenging for mainstream developers, often resulting in widespread API misuse. Meanwhile, cryptography misuse detectors have demonstrated inconsistent performance and remain largely inaccessib…
From Struggle to Simplicity with a Usable and Secure API for Encryption in Java
Cryptography misuses are prevalent in the wild. Crypto APIs are hard to use for developers, and static analysis tools do not detect every misuse. We developed SafEncrypt, an API that streamlines encryption tasks for Java developers. It …
LLM Security Guard for Code
Many developers rely on Large Language Models (LLMs) to facilitate software development. Nevertheless, these models have exhibited limited capabilities in the security domain. We introduce LLMSecGuard, a framework to offer enhanced code…
Mining REST APIs for Potential Mass Assignment Vulnerabilities
REST APIs have a pivotal role in accessing protected resources. Despite the availability of security testing tools, mass assignment vulnerabilities are common in REST APIs, leading to unauthorized manipulation of sensitive data. We propose…
Time to separate from StackOverflow and match with ChatGPT for encryption
Cryptography is known as a challenging topic for developers. We studied StackOverflow posts to identify the problems that developers encounter when using Java Cryptography Architecture (JCA) for symmetric encryption. We investigated securi…
Gameful Introduction to Cryptography for Dyslexic Students
Cryptography has a pivotal role in securing our digital world. Nonetheless, it is a challenging topic to learn. In this paper, we show that despite its complex nature, dyslexia, a learning disorder that influences reading and writing skil…
Time to Separate from StackOverflow and Match with ChatGPT for Encryption
Cryptography is known as a challenging topic for developers. We studied StackOverflow posts to identify the problems that developers encounter when using Java Cryptography Architecture (JCA) for symmetric encryption. We investigated securi…
Insecure by Design in the Backbone of Critical Infrastructure
We inspected 45 actively deployed Operational Technology (OT) product families from ten major vendors and found that every system suffers from at least one trivial vulnerability. We reported a total of 53 weaknesses, stemming from insecure…
Wasmizer: Curating WebAssembly-driven Projects on GitHub
WebAssembly has attracted great attention as a portable compilation target for programming languages. To facilitate in-depth studies about this technology, we have deployed Wasmizer, a tool that regularly mines GitHub projects and makes an…
Naturalistic Static Program Analysis
Static program analysis development is a non-trivial and time-consuming task. We present a framework through which developers can define static program analyses in natural language. We show the application of this framework to identify cry…
MSR 2023 Dataset
This is the artifact that accompanies the paper titled: "Wasmizer: Curating WebAssembly-driven Projects on GitHub". It contains: - the scripts we used to produce a dataset of WebAssembly binaries - a dataset of WebAssembly binaries (8915 …
Modular Abstract Definitional Interpreters for WebAssembly
Even though static analyses can improve performance and secure programs against vulnerabilities, no static whole-program analyses exist for WebAssembly (Wasm) to date. Part of the reason is that Wasm has many complex language concerns, and…
Message from the General Chair and Program Co-Chairs SCAM 2022
On behalf of the SCAM 2022 Conference and Program Committee, we would like to welcome you to the beautiful Limassol, Cyprus for the 22nd IEEE International Working Conference on Source Code Analysis and Manipulation, co-located with the 38…
Developers Struggle with Authentication in Blazor WebAssembly
WebAssembly is a growing technology to build cross-platform applications. We aim to understand the security issues that developers encounter when adopting WebAssembly. We mined WebAssembly questions on Stack Overflow and identified 359 sec…
Mining unit test cases to synthesize API usage examples
Software developers study and reuse existing source code to understand how to properly use application programming interfaces (APIs). However, manually finding sufficient and adequate code examples for a given API is a difficult and a time…