Alessandro Orso, a professor in Georgia Institute of Technology’s College of Computing, won the ISSTA Impact Paper Award at the 2017 International Symposium on Software Testing and Analysis (ISSTA) conference in July in Santa Barbara, California.
Every year, the award honors a paper that has had considerable influence in the software testing and analysis field over the past decade. Orso – who is the associate chair for the School of Computer Science – won the award for his work on the 2007 paper entitled Dytan: A Generic Dynamic Taint Analysis Framework, coauthored with two former students: first author James Clause (now an assistant professor at University of Delaware) and Wanchun Li (now a cybersecurity consultant in Seattle).
The researchers first presented the paper at the ISSTA conference in 2007. Dynamic tainting (also known as dynamic information flow analysis) computes how data flows through a system by labeling inputs and tracking them as they are processed by the software. The method is often used in cybersecurity to ensure no malicious inputs reach sensitive parts of a system. At the time of this work, dynamic tainting systems were ad-hoc and specific to the data and task they were targeting.
In this research, Orso and his team built a framework for information flow analysis, called Dytan, that was general enough that others could customize it and use it for their research. While Orso and his students initially built the framework for their own debugging research, they soon realized that, by putting some extra effort into it, Dytan could benefit the broader research community.
“We saw it as a service to the community,” Orso said. “Since we’re doing this, let’s do it right and make it general enough and available so that people can use it.”
The broad implications of Dytan have rippled through the field and across CS areas. The paper has become the standard reference for dynamic tainting, cited more than 400 times in the software engineering, security, systems, database, and computer architecture communities. At one point, the researchers were even approached by Visa Europe, who were interested in using Dytan to track the flow of credit card information through their system.
Dynamic tainting analysis has expanded past Orso’s initial framework, but he still uses elements of it in his research today. For a current Defense Advanced Research Projects Agency (DARPA) project, for instance, Orso and his collaborators analyze cybersecurity attacks using dynamic tainting analysis to learn where attacks originate.
Orso said he is humbled and honored to be recognized for this research.
“It’s much more exciting because it’s given based on how successful your work really was based on the opinion of your peers and your community.”