Rocky Slavin, Ph.D.
Department of Computer Science
University of Texas at San Antonio
Office: NPB 410H (map)
Mobile Privacy Risk Mitigation
Mobile applications frequently access sensitive personal information to meet user or business requirements. Because such information is sensitive in general, regulators increasingly require mobile-app developers to publish privacy policies that describe what information is collected. Furthermore, regulators have fined companies when these policies are inconsistent with the actual data practices of their mobile apps. To assist developers, auditors, and end-users, I have created a framework and suite of tools that help bridge the semantic gap between natural language privacy policies and application code.
Automated Privacy Artifact Generation
Current approaches to detecting policy-code misalignments depend on tedious manual processes that are subject to fatigue and become obsolete as APIs are updated. To alleviate this weakness, I am currently exploring the use of deep learning to automate the mapping of code-level application programming interfaces to natural language data types. By using Google's Bidirectional Encoder Representations from Transformers (BERT) pre-trained language model, the semantics of API methods can be inferred in terms of natural language data types. For example, the getLongitude() method is intuitively a location-oriented method. To a human, the "location-oriented" categorization of the method is obvious because of our knowledge of the term "longitude". This is a high-level illustration of how the mapping process works (the actual process involves many more steps). I am using BERT's ability to encode semantics, together with static program analysis techniques, to develop a novel classifier that automates such mappings on a large scale based on information about the method such as its documentation, return type, code structure, and name.
Deep-learning Model for Bug Detection
Currently, most bug detection tools rely on static analysis to detect software bugs. However, static analysis has several limitations: code patterns or specifications must be defined manually, the analysis is conservative, and it does not always scale. Deep learning models and techniques have been shown to overcome similar limitations in the past, and so may succeed in mitigating these as well. I am currently exploring a novel approach that applies deep learning to bug detection using a behavioral language model rather than a logical one, so that the model is better suited to bug detection. The model determines the semantics of code by using only the code elements that affect behavior.
Security Requirements Patterns
Secure software depends upon the ability of software developers to respond to security risks early in the software development process. Despite a wealth of security requirements, often called security controls, there is a shortfall in the adoption and implementation of these requirements. This shortfall is due to the extensive expertise and higher-level cognitive skillsets required to comprehend, decompose, and reassemble security requirements concepts in the context of an emerging system design. To address this shortfall, we propose to develop two empirical methods: (1) a method to derive security requirements patterns from requirements catalogues using expert knowledge; and (2) a method to empirically evaluate these patterns for their "usability" by novice software developers against a set of common problem descriptions, including the developer's ability to formulate problems and to select and instantiate patterns. The study results will yield a framework for discovering and evaluating security requirements patterns, as well as new scientific knowledge about the limitations of pattern-based approaches when applied by novice software developers.
As a teacher, it is important to me that students not only understand the material I am teaching, but also realize how it is relevant to their own interests. This means demonstrating practicality and fostering dialog in the classroom. If I can turn a lecture into a conversation, I can better understand what my students need from me. In this way, not only is knowledge conveyed and retained more easily, but the course itself can be much more enjoyable.
Empathy and inclusion are among the most important tools I use for teaching. A major obstacle for many teachers is how easy it can be to take for granted what their students do and do not know. For this reason, I strive to continually put myself in the shoes of the student. If I can better understand their goals and background, I can better focus on what they need.
I believe it is also important to engage students outside the classroom. Whether it be through office hours, email, or Discord, encouraging communication is vital for quality education. To this end, I do whatever I can to be available and approachable for my students. Unfortunately, this often results in a line outside my office.
- Mitra Bokaei Hosseini, Rocky Slavin, Travis D. Breaux, and Jianwei Niu. Analyzing Privacy Policies through Syntax-Driven Semantic Analysis of Information Types, Information and Software Technology, 2021. (pdf)
- Hui Shen, Ram Krishnan, Rocky Slavin, and Jianwei Niu. Sequence Diagram Aided Security Policy Specification, IEEE Transactions on Dependable and Secure Computing (TDSC), 2014. (pdf)
Refereed Conference and Workshop Publications
- Gabriel A. Morales, Jingye Xu, Dakai Zhu, and Rocky Slavin. Lightweight Collaborative Inferencing for Real-Time Intrusion Detection in IoT Networks, 19th IEEE International Conference on Ubiquitous Intelligence and Computing (UIC'22), 2022, Haikou, China.
- Zhiwei Wang, Kevin Liu, Jingye Xu, Jingjing Chen, Yufang Jin, and Rocky Slavin. A Vision-Based Low-Cost Power Wheelchair Assistive Driving System for Smartphones, 18th IEEE International Conference on Embedded Software Systems (ICESS'22), 2022, Chengdu, China.
- Mitra Bokaei Hosseini, John Heaps, Rocky Slavin, Travis D. Breaux, and Jianwei Niu. Ambiguity and Generality in Natural Language Privacy Policies, 29th IEEE International Requirements Engineering Conference (RE'21), 2021. (pdf)
- Xueling Zhang, Xiaoyin Wang, Rocky Slavin, and Jianwei Niu. ConDySTA: Context-Aware Dynamic Supplement to Static Taint Analysis, 42nd IEEE Symposium on Security and Privacy (S&P'21), 2021. (pdf)
- Xueling Zhang, Xiaoyin Wang, Rocky Slavin, Travis D. Breaux, and Jianwei Niu. How Does Misconfiguration of Analytic Services Compromise Mobile Privacy?, 42nd ACM/IEEE International Conference on Software Engineering (ICSE'20), 2020, Seoul, South Korea. (pdf)
- Mitra Bokaei Hosseini, Rocky Slavin, Travis D. Breaux, Xiaoyin Wang, and Jianwei Niu. Disambiguating Requirements through Syntax-Driven Semantic Analysis of Information Types, 26th International Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ'20), 2020, Pisa, Italy. Distinguished Research Paper Award. (pdf)
- Steven O'Hara and Rocky Slavin. Modernizing Parsing Tools: Parsing and Analysis with Object-Oriented Programming, 8th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis (SOAP'19), 2019, Phoenix, AZ, USA. (pdf)
- Rocky Slavin, Jean-Michel Lehker, Jianwei Niu, and Travis D. Breaux. Managing Security Requirements Patterns using Feature Diagram Hierarchies, 22nd IEEE International Requirements Engineering Conference (RE'14), 2014, Karlskrona, Sweden. (pdf)
- Jean-Michel Lehker, Rocky Slavin, and Jianwei Niu. Integration of Security Pattern Selection Practices with Pattern Storage, Symposium and Bootcamp on the Science of Security (HotSoS'14), 2014, Raleigh. (pdf)
- Rocky Slavin, Hui Shen, and Jianwei Niu. Characteristics and Boundaries of Security Requirements Patterns, Second International Workshop on Requirements Patterns (RePa'12), 2012, Chicago. (pdf)
- Hanan Hibshi, Rocky Slavin, Jianwei Niu, and Travis D. Breaux. Rethinking Security Requirements in RE Research. Technical Report CSTR-2014-005, University of Texas at San Antonio Department of Computer Science, 2014. (pdf)
- Hui Shen, Ram Krishnan, Rocky Slavin, and Jianwei Niu. Sequence Diagram Aided Security Policy Specification. Technical Report CSTR-2017-001, University of Texas at San Antonio Department of Computer Science, 2014. (pdf)
- Rocky Slavin. Applying Semantic Analysis for the Alignment of Natural Language Privacy Policies with Application Code. Ph.D. Dissertation, University of Texas at San Antonio, Aug. 2017. (pdf)
- Rocky Slavin. Does your Android App Collect More than it Promises to?, IEEE Software Blog, 2016, http://blog.ieeesoftware.org/2016/05/does-your-android-app-collect-more-than.html.
When I'm not working on my research I'm having fun with my wife and daughter and working on my astrophotography.