Syed Taha Ali

CR
h-index: 2
6 papers
156 citations
Novelty: 27%
AI Score: 39

6 Papers

CR · May 12
QuiLL: An LLM-Based Vulnerability Assessment Framework for the Wild

Rijha Safdar, Danyail Mateen, Syed Taha Ali et al.

Large Language Models (LLMs) have demonstrated exceptional progress in multiple domains of software engineering including software vulnerability detection. Using LLMs to automate vulnerability detection in the wild is an important and relatively under-explored problem. In this paper we propose QuiLL, the first comprehensive evaluation framework for real-world vulnerability detection. Our solution consists of an end-to-end pipeline that draws together cutting-edge LLM optimization techniques and strategies specifically catering to the complexities of real-world vulnerability detection. Our specific contributions include (i) diverse prompt designs for vulnerability detection and reasoning, (ii) a real-world vector data store constructed from the National Vulnerability Database to provide dynamic in-context learning, and (iii) a novel scoring metric which quantifies accuracy and reasoning quality of model predictions. QuiLL enables researchers to easily and systematically benchmark and compare the vulnerability detection capabilities of various LLMs and assess their readiness for deployment in actual code production pipelines.

CR · Aug 14, 2025
Data and Context Matter: Towards Generalizing AI-based Software Vulnerability Detection

Rijha Safdar, Danyail Mateen, Syed Taha Ali et al.

AI-based solutions demonstrate remarkable results in identifying vulnerabilities in software, but research has consistently found that this performance does not generalize to unseen codebases. In this paper, we specifically investigate the impact of model architecture, parameter configuration, and quality of training data on the ability of these systems to generalize. For this purpose, we introduce VulGate, a high-quality, state-of-the-art dataset that mitigates the shortcomings of prior datasets by removing mislabeled and duplicate samples, updating new vulnerabilities, incorporating additional metadata, integrating hard samples, and including dedicated test sets. We undertake a series of experiments to demonstrate that improved dataset diversity and quality substantially enhances vulnerability detection. We also introduce and benchmark multiple encoder-only and decoder-only models. We find that encoder-based models outperform other models in terms of accuracy and generalization. Our model achieves 6.8% improvement in recall on the benchmark BigVul dataset and outperforms others on unseen projects, demonstrating enhanced generalizability. Our results highlight the role of data quality and model selection in the development of robust vulnerability detection systems. Our findings suggest a direction for future systems with high cross-project effectiveness.

CR · Dec 14, 2019
Cerberus: A Blockchain-Based Accreditation and Degree Verification System

Aamna Tariq, Hina Binte Haq, Syed Taha Ali

Credential fraud is a widespread practice that undermines investment and confidence in higher education systems and bears significant economic and social costs. Legacy credential verification systems are typically time-consuming, costly, and bureaucratic, and struggle against certain classes of credential fraud. In this paper, we propose a comprehensive blockchain-based credential verification solution, Cerberus, which is considerably more efficient, easy and intuitive to use, and effectively mitigates widespread manifestations of credential fraud. Cerberus also improves significantly upon other blockchain-based solutions in the research literature: it adheres closely to the existing credential verification ecosystem, and it addresses a threat model informed by real-world fraud scenarios. Moreover, Cerberus uses on-chain smart contracts for credential revocation, and it does not entail students or employers to manage digital identities or cryptographic credentials to use the system. We prototype our solution and describe our attempt to design an online verification service with a rich feature set, including data privacy, transcript verification, and selective disclosure of data. We hope this effort contributes positively towards alleviating the problem of fake credentials.

CY · Jul 10, 2019
Pakistan's Internet Voting Experiment

Hina Binte Haq, Ronan McDermott, Syed Taha Ali

Pakistan recently conducted small-scale trials of a remote Internet voting system for overseas citizens. In this contribution, we report on the experience: we document the unique combination of sociopolitical, legal, and institutional factors motivating this exercise. We describe the system and its reported vulnerabilities, and we also highlight new issues pertaining to materiality. If this system is deployed in the next general elections, as seems likely, this development would constitute the largest enfranchised diaspora in the world. Our goal in this paper, therefore, is to provide comprehensive insight into Pakistan's experiment with Internet voting, emphasize outstanding challenges, and identify directions for future research.

CR · Oct 9, 2017
The Nuts and Bolts of Micropayments: A Survey

Syed Taha Ali, Dylan Clarke, Patrick McCorry

In this paper, we undertake a comprehensive survey of key trends and innovations in the development of research-based and commercial micropayment systems. Based on our study, we argue that past solutions have largely failed because research has focused heavily on cryptographic and engineering innovation, whereas fundamental issues pertaining to usability, psychology, and economics have been neglected. We contextualize the range of existing challenges for micropayments systems, discuss potential deployment strategies, and identify critical stumbling blocks, some of which we believe researchers and developers have yet to fully recognize. We hope this effort will motivate and guide the development of micropayments systems.

CR · May 27, 2016
An Overview of End-to-End Verifiable Voting Systems

Syed Taha Ali, Judy Murray

Advances in E2E verifiable voting have the potential to fundamentally restore trust in elections and democratic processes in society. In this chapter, we provide a comprehensive introduction to the field. We trace the evolution of privacy and verifiability properties in the research literature and describe the operations of current state-of-the-art E2E voting systems. We also discuss outstanding challenges to the deployment of E2E voting systems, including technical, legal, and usability constraints. Our intention, in writing this chapter, has been to make the innovations in this domain accessible to a wider audience. We have therefore eschewed description of complex cryptographic mechanisms and instead attempt to communicate the fundamental intuition behind the design of E2E voting systems. We hope our work serves as a useful resource and assists in the future development of E2E voting.