Kevin Dennis
Ph.D. Student
University of South Florida
Department of Computer Science and Engineering
kevindennis@usf.edu
Curriculum Vitae (last updated 2024)
Publications
Preventing Variadic Function Attacks Through Argument Width Counting. Brennan Ward*, Kevin Dennis*, Gabriel Laverghetta, Parisa Momeni, and Jay Ligatti. Software Engineering Research, Management and Applications (SERA). Springer, 2025. (To appear) (*co-first authors)
Variadic-function attacks and format-string attacks continue to threaten modern C/C++ software applications. When successfully executed, attackers are able to read, write, or execute arbitrary program memory. While such attacks are well-known, and a number of mitigating techniques have been proposed, the only widely adopted mitigations are compiler warnings. These warnings are an incomplete solution because they rely on programmers to take action. To address the problem of variadic-function attacks, this paper proposes Argument Width Counting (AWC), a new memory access-control policy that, when enforced, mitigates all observed variadic-function attacks, including format-string attacks. AWC tracks the initial width or size of variadic arguments allocated on the stack and requires that variadic functions cannot request more bytes than initially allocated. When enforced, this policy limits variadic functions to the segments of memory allocated to the variadic arguments.
A prototype for AWC has been implemented and evaluated on LLVM's Clang C/C++ compiler and the accompanying libc++ standard library. The implementation modifies the compiler's function-generation code to store variadic argument widths and to validate these values later when variadic arguments are accessed. As part of the evaluation, the prototype's performance overhead was tested and compared to existing solutions. Due to the simplicity of the related calculations and checks, the prototype incurs low overhead and outperforms the existing lightweight solutions. Microbenchmarking AWC returns around 22% overhead for 0 to 16 arguments. This overhead is less than 1% when benchmarked on real-world programs.
Large-Scale Analysis of GitHub and CVEs to Determine Prevalence of SQL Concatenations. Kevin Dennis, Bianca Dehaan, Parisa Momeni, Gabriel Laverghetta, and Jay Ligatti. Proceedings of the 21st International Conference on Security and Cryptography (SECRYPT), SciTePress, pages 286-297.
SQL Injection Attacks (SQLIAs) remain one of the top security risks in modern web applications. Vulnerabilities to SQLIAs arise when unsanitized input is concatenated into dynamically constructed SQL statements. Because existing prepared statement implementations cannot insert identifiers into prepared statements, programmers have no choice but to concatenate dynamically determined identifiers directly into SQL statements. If an identifier is not sanitized before concatenation, a kind of SQLIA called a SQL Identifier Injection Attack (SQL-IDIA) is possible.
To investigate the prevalence of SQL concatenations in real code, we conducted, to our knowledge, the largest analysis of open-source software to date. We crawled 4,762,175 files in 944,316 projects on GitHub to identify SQL statements constructed using concatenation and potential SQL-IDIAs.
Our crawler classified 42% of Java, 91% of PHP, and 56% of C# files as constructing SQL statements via concatenation. It further found that 27% of the Java, 6% of the PHP, and 22% of the C# files of these concatenations contain identifiers. Manual analysis indicates that the automated SQL-IDIA classifier achieved an overall accuracy of 93.4%. Further testing suggests approximately 22.7% of web applications may be exploitable via a SQL-IDIA. PHP applications were particularly exploitable at 38% of applications.
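The identifier problem this abstract describes, as an added example that is not code from the paper or its authors: a placeholder cannot carry a column name, unchecked concatenation lets the caller's text be parsed as SQL, and an allow-list check restores the constraint. It uses Python's `sqlite3` rather than the Java, PHP and C# code the study crawled; the table, columns, rows and function names are constructed for illustration.

```python
import sqlite3

ALLOWED_COLUMNS = {"id", "name", "email"}  # assumed allow-list for this example

def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "carol", "c@example.com"), (2, "alice", "a@example.com")],
    )
    return conn

def select_bound(conn, column):
    # A placeholder binds a value, never an identifier: SQLite evaluates the
    # bound text as a string constant, so every row yields the column *name*.
    return [r[0] for r in conn.execute("SELECT ? FROM users ORDER BY id", (column,))]

def select_concat(conn, column):
    # The pattern at issue: the identifier is concatenated unchecked, so the
    # caller's text is parsed as SQL and can be any expression.
    return [r[0] for r in conn.execute("SELECT " + column + " FROM users ORDER BY id")]

def select_checked(conn, column):
    # Hardened form: accept only known identifiers, then quote before concatenating.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not permitted: %r" % column)
    quoted = '"' + column.replace('"', '""') + '"'
    return [r[0] for r in conn.execute("SELECT " + quoted + " FROM users ORDER BY id")]

def demo():
    conn = make_db()
    results = {
        "bound": select_bound(conn, "name"),
        "concat_identifier": select_concat(conn, "name"),
        # Constructed input that is an expression, not an identifier.
        "concat_expression": select_concat(conn, "upper(name)"),
        "checked": select_checked(conn, "name"),
    }
    try:
        select_checked(conn, "upper(name)")
        results["checked_rejects"] = False
    except ValueError:
        results["checked_rejects"] = True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```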
ProProv: A Language and Graphical Tool for Specifying Data Provenance Policies. Kevin Dennis, Shamaria Engram, Tyler Kaczmarek, and Jay Ligatti. Proceedings of the IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (TPS), December 2022. (Student Best Paper Award)
The Function-as-a-Service cloud computing paradigm has made large-scale application development convenient and efficient as developers no longer need to deploy or manage the necessary infrastructure themselves. However, as a consequence of this abstraction, developers lose insight into how their code is executed and data is processed. Cloud providers currently offer little to no assurance of the integrity of customer data. One approach to robust data integrity verification is the analysis of data provenance: logs that describe the causal history of data, applications, users, and non-person entities. This paper introduces ProProv, a new domain-specific language and graphical user interface for specifying policies over provenance metadata to automate provenance analyses.
To evaluate the convenience and usability of the new ProProv interface, 61 individuals were recruited to construct provenance policies using both ProProv and the popular, general-purpose policy specification language Rego—used as a baseline for comparison. We found that, compared to Rego, the ProProv interface greatly increased the number of policies successfully constructed, improved the time taken to construct those policies, and reduced the failed-attempt rate. Participants successfully constructed 73% of the requested policies using ProProv, compared to 41% using Rego. To further evaluate the usability of the tools, participants were given a 10-question questionnaire measured using the System Usability Scale (SUS). The median SUS score for the graphical ProProv interface was above average and fell into the “excellent” category, compared to below average and “OK” for Rego. These results highlight the impacts that graphical domain-specific tools can have on the accuracy and speed of policy construction.
Cybersecurity Vulnerabilities in Mobile Fare Payment Applications: A Case Study. Kevin Dennis, Maxat Alibayev, Sean J. Barbeau, and Jay Ligatti. Transportation Research Record (TRR), September, 2020. https://doi.org/10.1177/0361198120945982.
Mobile fare payment applications are becoming increasingly commonplace in the public transportation industry as both a customer convenience and an effort to reduce fare management costs and improve operations for agencies. However, there is relatively little literature on vulnerabilities and liabilities in mobile fare payment applications. Furthermore, few public agencies or supporting vendors have policies or established processes in place to receive vulnerability reports or patch vulnerabilities discovered in their technologies. Given the rapidly increasing number of data breaches in general industry IT systems, as well as the fact that mobile fare payment apps are a nexus between customer and agency financial information, the security of these mobile applications deserves further scrutiny. This paper presents a vulnerability discovered in a mobile fare payment application deployed at a transit agency in Florida that, due to the system architecture, may have affected customers in as many as 40 cities across the United States - an estimated 1,554,000 users. Lessons learned from the vulnerability disclosure process followed by the research team as well as recommendations for public agencies seeking to improve the security of these types of applications are also discussed.
Cybersecurity in Public Transportation: A Literature Review. Kevin Dennis, Maxat Alibayev, Sean Barbeau, and Jay Ligatti. Proceedings of the 98th Transportation Research Board Annual Meeting (TRB), January, 2019.
Transportation information technologies (IT) have significantly developed in recent years from individual nodes to large, interconnected networks of devices, similar to those seen in modern IT systems. With this rapid development comes security concerns that have typically been constrained to classical computer systems. This paper reviews the existing literature regarding the state of cybersecurity in public transportation, focusing on the technical aspects of security previously published in technical venues. In particular, the paper examines transit technologies, equipment, and protocols for known vulnerabilities and defenses. Existing attacks and vulnerabilities were identified for the following technologies: connected vehicles (CVs), autonomous vehicles (AVs), electronic ticketing systems, traffic signal controllers, traffic signal priority/preemption (TSP), and dynamic message signs (DMS). No known vulnerabilities were found in the literature for AVL/CAD systems, online trip planners, mobile fare payment, onboard Wi-Fi, CCTV, and APCs, but given their complexity, their wide attack surfaces, and the known vulnerabilities in related technologies, the authors believe that it is reasonable to expect that security vulnerabilities do exist in these technologies as well. Several directions for future work are discussed, including better employee training, architecture of on-board Wi-Fi systems used for critical operational purposes, and data encryption and sharing policies at the agency, especially as related to customer data.