Muath Alkhalaf

Work History

Jun 2015 - Present

Consultant

Yesser e-Government Program

A consultant for the Yesser program, evaluating the e-services provided by the Ministry of Interior (MOI). I have visited a number of MOI sectors, including the General Directorate of Public Security and the General Directorate of Passports. In these visits, I was responsible for evaluating the e-services they provide and giving my recommendations.

Jan 2015 - Present

Consultant

Center for Excellence in Information Assurance

I work as a consultant in Information Assurance at COEIA, where I supervise a number of research projects and provide consulting services to government and private-sector entities.

Aug 2014 - Present

Assistant Professor

King Saud University

I teach two courses:

  • Java Programming. I am the manager for this course, which is taught to over 400 students by 6 faculty members and 7 TAs. I have implemented and managed a web system for automatic grading of Java programming assignments, the first of its kind in Saudi Arabia.
  • Advanced Software Engineering. This is a master's-level course in which I teach how to engineer software as a cloud service, including requirements, design, testing and deployment. I teach modern methodologies based on Agile development.

May 2006 - Aug 2006

Consultant

Advanced Electronics Company
  • Developed a system to handle billing for electricity service customers. The system was capable of handling 2 million customers simultaneously.
  • Developed the calibration software used in the quality assurance phase of the digital electricity meter's development process. By parallelizing the calibration software, the calibration phase on the production line was reduced from 8 hours to 40 minutes.

Jun 2003 - Jun 2006

Information Security Engineer

Elm
  • Lead of the development team for the PKI infrastructure of the Shomoos project. The project connects more than 5000 clients all around Saudi Arabia, including hotels, shops and apartments, to MOI.
  • Lead of the development team for Elm VPN, a cryptographic VPN gateway appliance built entirely inside Elm and used to secure end-to-end connections over the Internet.
  • Member of the Elm penetration testing team, which assessed the security of many government entities.
  • Installed and administered CVS, a version control system, for web application development.

Education

2008 - 2014

PhD in Computer Science

University of California Santa Barbara

Thesis Title: Automatic Detection and Repair of Input Validation and Sanitization Bugs

My thesis won the 2015 ACM SIGSOFT Outstanding Doctoral Dissertation Award, the world's most prestigious award for a dissertation in software engineering.

2006 - 2008

Master's in Computer Science

University of California Santa Barbara

Project Title: Automated web service testing using interface grammars

1999 - 2003

Bachelor's Degree in Computer and Information Sciences

King Saud University

Graduated first in class with a 4.81/5.0 GPA and first-class honors.

Conferences

  • Presented the following paper at ISSTA 2012 conference:
    • Muath Alkhalaf, Shauvik Roy Choudhary, Mattia Fazzini, Tevfik Bultan, Alessandro Orso and Christopher Kruegel. "ViewPoints: Differential String Analysis for Discovering Client and Server-Side Input Validation Inconsistencies." Proceedings of the 2012 International Symposium on Software Testing and Analysis (ISSTA 2012), pages 56-66, Minneapolis, USA, July 15-20, 2012.
  • Presented the following paper at ICSE 2012 conference:
    • Muath Alkhalaf, Tevfik Bultan, and Jose L. Gallegos. "Verifying Client-Side Input Validation Functions Using String Analysis." Proceedings of the 34th International Conference on Software Engineering (ICSE 2012), pages 947-957, Zurich, Switzerland, June 2-9, 2012.
  • Presented the following paper at TACAS 2010 conference:
    • Fang Yu, Muath Alkhalaf and Tevfik Bultan. "Stranger: An Automata-based String Analysis Tool for PHP." Tool paper. Proceedings of the 16th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2010), LNCS 6015, pages 154-157, Paphos, Cyprus, March 20-28, 2010.
  • Presented the following paper at SoCal Programming Languages workshop 2013:
    • Muath Alkhalaf, Abdulbaki Aydin and Tevfik Bultan. "Differential Patching of Input Validation in Web Applications".
  • Presented the following paper at SoCal Programming Languages workshop 2011:
    • Muath Alkhalaf, Tevfik Bultan, and Jose L. Gallegos. "Verifying Client-Side Input Validation Functions Using String Analysis".
  • Received an NSF travel grant to attend the Summer Formal 2011: First Summer School on Formal Techniques, a one-week summer school which was organized by SRI International.

Software Security Tools

  • Lead developer of SemRep, a semantic differential repair tool for input validation and sanitization code. The tool is available at https://github.com/vlab-cs-ucsb/SemRep.
  • Lead developer of Stranger, an open-source PHP analysis tool that detects web vulnerabilities such as XSS and SQLI in PHP web applications using symbolic string analysis. The tool is available at http://www.cs.ucsb.edu/~vlab/stranger/.
  • Co-developer of LibStranger, an open-source automata-based symbolic string analysis library. The library is available at https://github.com/vlab-cs-ucsb/Stranger. It was ranked the best library for string analysis by a paper published at the IEEE/ACM Automated Software Engineering (ASE) 2014 conference.
  • Co-developer of Linux Alarm, a Linux personal firewall implemented as an undergraduate graduation project. The project is available on SourceForge at http://sourceforge.net/projects/linuxalarm. It won the King Abdulaziz Saudi National Award for Scientific Creativity.

Research interests

My research is on software verification and security. More specifically, I have worked on the automatic detection and repair of bugs and security vulnerabilities in web applications, such as Cross-Site Scripting (XSS) and SQL Injection (SQLI). I have published research papers in top software engineering and verification venues such as IEEE ICSE (the largest and top conference in software engineering worldwide) and ACM ISSTA (the top conference in software testing). I won the 2015 ACM SIGSOFT Outstanding Doctoral Dissertation Award. An independent paper published at the IEEE/ACM ASE'14 conference ranked my string analysis library LibStranger as the best library compared with libraries from Microsoft, MIT and UC Berkeley (see Scott Kausler and Elena Sherman, "Evaluation of string constraint solvers in the context of symbolic execution").

Publications

  • Muath Alkhalaf, Abdulbaki Aydin and Tevfik Bultan. "Semantic Differential Repair for Input Validation and Sanitization." Proceedings of the 2014 International Symposium on Software Testing and Analysis (ISSTA 2014), pages 225-236, San Jose, California, USA, July 21-25, 2014.
  • Abdulbaki Aydin, Muath Alkhalaf and Tevfik Bultan. "Automated Test Generation from Vulnerability Signatures." Proceedings of the 7th International Conference on Software Testing, Verification and Validation (ICST 2014), pages 193-202, Cleveland, Ohio, USA, March 31-April 4, 2014.
  • Fang Yu, Muath Alkhalaf, Tevfik Bultan and Oscar H. Ibarra. "Automata-Based Symbolic String Analysis for Vulnerability Detection." Formal Methods in System Design, volume 44, number 1, pages 44-70, 2014.
  • Muath Alkhalaf, Shauvik Roy Choudhary, Mattia Fazzini, Tevfik Bultan, Alessandro Orso and Christopher Kruegel. "ViewPoints: Differential String Analysis for Discovering Client and Server-Side Input Validation Inconsistencies." Proceedings of the 2012 International Symposium on Software Testing and Analysis (ISSTA 2012), pages 56-66, Minneapolis, USA, July 15-20, 2012.
  • Muath Alkhalaf, Tevfik Bultan, and Jose L. Gallegos. "Verifying Client-Side Input Validation Functions Using String Analysis." Proceedings of the 34th International Conference on Software Engineering (ICSE 2012), pages 947-957, Zurich, Switzerland, June 2-9, 2012.
  • Fang Yu, Muath Alkhalaf and Tevfik Bultan. "Patching Vulnerabilities with Sanitization Synthesis." Proceedings of the 33rd International Conference on Software Engineering (ICSE 2011), pages 251-260, Waikiki, Honolulu, Hawaii, USA, May 21-28, 2011.
  • Fang Yu, Muath Alkhalaf and Tevfik Bultan. "Stranger: An Automata-based String Analysis Tool for PHP." Tool paper. Proceedings of the 16th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2010), LNCS 6015, pages 154-157, Paphos, Cyprus, March 20-28, 2010.
  • Sylvain Halle, Tevfik Bultan, Graham Hughes, Muath Alkhalaf and Roger Villemaire. "Runtime Verification of Web Service Interface Contracts." IEEE Computer, volume 43, number 3, pages 59-66, March 2010.
  • Sylvain Halle, Graham Hughes, Tevfik Bultan, and Muath Alkhalaf. "Generating Interface Grammars from WSDL for Automated Verification of Web Services." Proceedings of the 7th International Conference on Service Oriented Computing (ICSOC 2009), pages 516-530, Stockholm, Sweden, November 24-27, 2009.
  • Fang Yu, Muath Alkhalaf and Tevfik Bultan. "Generating Vulnerability Signatures for String Manipulating Programs Using Automata-based Forward and Backward Symbolic Analyses." Short paper. Proceedings of the 24th IEEE/ACM International Conference on Automated Software Engineering (ASE 2009), pages 605-609, Auckland, New Zealand, November 16-20, 2009.
  • Graham Hughes, Tevfik Bultan and Muath Alkhalaf. "Client and Server Verification for Web Services Using Interface Grammars." Proceedings of the Workshop on Testing, Analysis and Verification of Web Software (TAV-WEB 2008), pages 40-46, Seattle, Washington, July 21, 2008.