4 minute read
RISING SENIOR MAKES THE MOST OF EARLY TANDON CONNECTIONS
by NYUTandon
Alan Cao, who begins his senior year in the Computer Science and Engineering Department this fall, has been actively engaged in research at NYU Tandon longer than some graduate students. His initial research work, back in 2018, was in the Secure Systems Laboratory. As a high school student, he worked with Associate Professor of Computer Science and Engineering Justin Cappos and 2022 Ph.D. graduate Preston Moore on the CrashSimulator project (see https:// ssl.engineering.nyu.edu/papers/moore_ crashsim_issre2019.pdf ). For Cao, it was an introduction to “work that uniquely involved building systems and mitigations for security.” After finding out that NYU “aligned to that interest greatly and was a school local to me,” he noted that he “quickly sought to get involved,” not only to have a chance to “implement software that tries to solve complex security problems, but to also learn more about security research itself.”
Four years later, Cao has an impressive list of achievements to share on his resume. He has been an active member of the OSIRIS lab, for which he currently serves as a lab manager, and he was honored with a 2022 Leadership Award from Tandon’s Department of Computer Science and Engineering in recognition of “outstanding leadership in student activities.“ In an interview conducted via email while he completes a summer internship with Meta Platforms Inc., Cao answered a few questions about his accomplishments to date and what he has learned along the way.
CyberByte: What, if anything, about those early lab experiences inspired your current research interests?
Cao: I was very fortunate to pick up various knowledge from the people that I worked with. It also definitely kicked off an interest in trying to pursue work where my job is answering novel security research questions, whether it’s building automation to quickly detect vulnerabilities, or defending against rising threats.
CyberByte: In addition to the Leadership Award mentioned above, you also won recognition this year for a paper called “What the Fork? Finding and Analyzing Malware in GitHub Forks” that you presented at the Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) this April. How did that project evolve?
Cao: Professor Brendan Dolan-Gavitt is the faculty advisor for the OSIRIS Lab, and his focus on both reverse engineering and doing en-masse analysis of open-sourced codebases aligned greatly with my interests. Thus, I thought he was the most appropriate person to reach out to about fulfilling my senior design credits. During this time, I had a peak interest in opensource supply chain security, specifically in the tactics threat actors use when propagating malware through package registries. I noticed this trend slowly showing up through GItHub forks, and wanted to understand if this is a significant threat in open source software. We built and scaled up detection infrastructure, and measured and reversed any samples we were able to find. We demonstrated the efficacy of our techniques by scanning 68,879 forks of 35 popular cryptocurrency repositories, which led to the discovery of 26 forked repositories that were hosting malware. I personally was very surprised to get an award for it during the conference.
It definitely could not have been done without guidance and inspiration from Dolan-Gavitt. I hope the paper is a great stepping stone for research that not only tries to catch malware effectively, but also leads to secure design choices that can ultimately wipe out these classes of threats.
CyberByte: You have held internships with three significant tech firms (Apple, Trail of Bits, and now Meta). Have any of these experiences influenced what type of work you might want to do when you graduate?
Cao: I really enjoyed that all three experiences challenged me to try to solve difficult problems in unique ways, which required potentially novel ideas and demanded a good amount of engineering. The ability to do this in a job is definitely a necessity for me, and I would love to continue working in roles that present the opportunity to do ample security research. Furthermore, I hope that any future positions allow me to find vulnerabilities and/or do reverse engineering/binary analysis, and produce reusable software/ services that others can adopt.
CyberByte: You have also served as lab manager for OSIRIS. What does this entail? Has it been difficult to keep activities going after two years of Covid and the changes it brought to the program?
Cao: As a lab manager for OSIRIS, a lot of my responsibilities are logistical. This includes corresponding with faculty and staff to ensure that our members have funding, proper access to resources, and the ability to host smaller in-person events. I also help manage the lab space, maintain some infrastructure, and communicate with prospective members about the lab. COVID-19 was definitely a game-changer for us, as we became largely a remote organization, and a bit inactive with our usual activities. Over time, however, we actually grew in popularity with more graduate students studying cybersecurity. This meant we had access to a group of part-time grad students that may already be working in the industry. Their presence opens more mentorship opportunities, and meaningful experiences for students interested in the cybersecurity space. Overall the lab was able to withstand the substantial changes to how we’ve operated pre-COVID, and also see this interesting shift that hopefully attracts a lot more newcomers, and delivers a positive experience for members and their academic/industry goals.
CyberByte: I know you have also been active in CSAW. What types of things have you done for that event?
Cao: For CSAW, I helped as an organizer in the Fall of 2020, just as we went remote. This meant hosting the CTF, writing challenges, asking sponsors for challenges, and facilitating the rounds of the competition. While I’m not the primary lead for the recent CTF round, I still help with administrative tasks and by writing some challenges
CyberByte: What, if anything, are you looking forward to in your senior year?
Cao: I’m looking forward to wrapping up all the non-engineering classes that I have left over, and using free time to pursue personal projects, working with the lab, and also socializing with friends and family a lot more. And also finally graduating too and starting work in the industry.
