Alex Orso - Research

My area of research is software engineering, with emphasis on software testing and analysis. My interests include development of techniques for improving software reliability, security, and trustworthiness, and the validation of such techniques on real systems.

I'm currently working on three main projects, discussed below. Representative papers are available on my publications page.

  • Testing and Analysis of Deployed Software (sponsored by NSF). One of the limitations of traditional quality-assurance approaches is that they assess the software in-house, on developers' platforms, on a limited number of configurations, and using developer-provided workloads. As a consequence, the behavior they exercise is often not representative of how the software will perform in the field. This is especially true with today's software, which is increasingly commoditized and configurable and must operate in rich and heterogeneous environments; increasingly complex software can behave very differently in different environments and configurations, and it is difficult to assess its quality outside the actual time and context in which it executes. To address this limitation, my research investigates ways of leveraging the increasing connectivity and computational power of user machines to collect data from fielded software systems and use such data to help improve software quality. My recent work in this area focuses on three main themes: remote data collection, program-behavior classification, and record and replay techniques.

  • Testing of Evolving Software (sponsored by NSF, IBM, and Microsoft). Successful software is corrected, adapted, and enhanced to provide new functionality throughout its lifetime. Regression testing, which is the re-testing of a system as it evolves, is performed on each release and is one of the most expensive maintenance activities. My research in the area of regression testing focuses mainly on the problems of regression test selection and test suite augmentation. Regression Test Selection (RTS) consists of selecting a subset of an existing test suite that does not need to be rerun on the new version of a program, with the goal of saving testing effort. RTS techniques can improve the efficiency of regression testing, but they are not concerned with the effectiveness of existing test suites in testing changed software. To address this issue, my research also investigates approaches for test suite augmentation: assessing whether a test suite adequately exercises the effects of changes performed on the software and, if not, suggesting how to augment the test suite.

  • Web Application Security and Reliability (sponsored by NSF and DHS). Many software systems have evolved to include a web-based component that makes them available to the public via the Internet. Most people use these web applications on a daily basis, when paying e-bills, shopping on-line, or simply reading the news. Faults in the implementation of these applications can cause failures whose effects range from annoyances to the user to loss of critical data. Furthermore, such faults can make web applications vulnerable to a variety of attacks that can result in leaking of confidential and even sensitive information. My research in the area of web application security and reliability focuses on the use of static and dynamic analysis techniques to identify faults in web applications and protect them from attacks.


HTML style by Antonio Carzaniga. Updated by Alex Orso on July 01, 2014 at 10:48:57 CEST.