Brett Stone-Gross received the 2009-2010 Outstanding Publication Award for his paper, “Your Botnet is My Botnet: Analysis of a Botnet Takeover,” published at CCS 2009. The work involved exploiting the architecture of the Torpig botnet to infiltrate its command-and-control structure. This allowed the security research team to analyze the operations of the botnet, including the type and amount of data stolen from infected computers. During a 10-day period, nearly 70GB of data was collected from more than 180,000 infected computers, including credit cards, social security numbers, and login credentials. Brett is currently a fifth-year PhD student under the supervision of Professor Christopher Kruegel.

Fang Yu, supervised by Prof. Tevfik Bultan, received this year’s Outstanding Dissertation Award for his thesis titled “Automatic Verification of String Manipulating Programs.” Errors in string manipulation are the main cause of the most important security vulnerabilities in Web applications, such as SQL command injection (SQLI), cross-site scripting (XSS), and malicious file execution (MFE). In his thesis, Fang presents a formal characterization of the string verification problem, investigates the decidability boundary for verification of string systems, presents automata-based symbolic forward and backward reachability analyses, summarization, and abstraction techniques, and combines these results in a sound automatic verification approach for string-manipulating programs. Fang is the lead developer of Stranger, an automata-based string analysis tool for Web applications written in PHP. Stranger is capable of detecting, preventing, and proving the absence of vulnerabilities such as XSS, SQLI, and MFE using the techniques presented in Fang’s dissertation. Results from Fang’s dissertation have been published in TACAS’10, TACAS’09, ASE’09, and SPIN’08.