
Faculty of Information and Communication Technology

Tomasz Biadacz distinguished for his thesis on cybersecurity

Date: 21.12.2021 Category: General

Tomasz Biadacz, a graduate from Wrocław University of Science and Technology, was distinguished by the Program Council of the Teleinformatics Forum and a special NASK PIB award for the best thesis in the field of cybersecurity. The awards were presented during the 27th Teleinformatics Forum.

The laureate is a graduate from Wrocław University of Science and Technology, and his thesis entitled "Assessment of the possibility of using static analysis to identify web application security threats" was prepared under the supervision of Bogumiła Hnatkowska, Ph.D. from the Department of Applied Computer Science, currently Vice-Dean of the Faculty for Academic and Educational Affairs.

– The topic for the thesis was born during a brainstorming session. It is a combination of the fields of computer science that I am interested in, i.e. software development, web applications and cybersecurity – says Tomasz Biadacz. – While reading professional literature, I tried to identify the most popular vulnerabilities to attacks that web applications are subjected to, and I wanted to determine to what extent static code analysis can be used to find them – he adds. His attention was drawn to the relatively poor description of the use of static code analysis in the context of attacks via unsecured data deserialization. That is why he decided to conduct his further research in this direction.

Static code analysis, or static computer software analysis, is a method of checking (verifying) code without running the application. The process is usually performed by an automated tool, as opposed to code review, which is performed by a human. It is widely used in software engineering, in software development processes and by quality assurance teams.

In his work, our distinguished graduate described, among other things, the mechanism of serialization and deserialization of data in the Java and Kotlin languages, presented several possible attacks using unsecured deserialization, and prepared a list of the most popular methods of counteracting such attacks. In further stages, he tried to determine how often the data deserialization mechanism occurs in projects written in Java and Kotlin, and to test generally available tools for their effectiveness in detecting the previously described vulnerabilities.

Step by step

– One of the stages of my work was to determine the frequency of the deserialization mechanism in projects. By reviewing repositories, I was able to determine that this mechanism is present in 18% of the analysed projects written in Java and over 7% of projects in Kotlin – Biadacz explains.

Following this path, he tested the generally available static analysis tools for their effectiveness. It turned out that of the three tested tools, only one managed to identify unsecured deserialization, and only for one test case written in Java.

None of the examined tools managed to detect unsecured deserialization in Kotlin, which indicated the need to implement an original rule for detecting this vulnerability. This was also confirmed by the research conducted on the previously found public projects, in which the tools were likewise unable to find the vulnerable places.

In the next stage of work, our graduate presented his own proposal for a rule for detecting unsecured deserialization in the Kotlin language. Then he tested its effectiveness on previous test cases and projects, and managed to demonstrate its 100% effectiveness in each of the experiments.
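To make the idea of such a rule concrete, here is an added illustration that is not code from the thesis or from the tools it evaluated: a minimal pattern-based rule in Python that flags `readObject()` calls on an `ObjectInputStream` variable that never had an `ObjectInputFilter` installed (`setObjectInputFilter` in Java, the `objectInputFilter` property in Kotlin), run over constructed Java and Kotlin snippets. The sample sources, the function names and the line-based heuristic are assumptions for this example; the thesis does not describe the detection rule at this level of detail.

```python
import re
from dataclasses import dataclass

# Constructed sample sources (not taken from the thesis or any real project):
# one unfiltered and one hardened variant each for Java and Kotlin.
JAVA_UNSAFE = """\
public Object load(HttpServletRequest request) throws Exception {
    ObjectInputStream in = new ObjectInputStream(request.getInputStream());
    return in.readObject();
}
"""

JAVA_HARDENED = """\
public Object load(HttpServletRequest request) throws Exception {
    ObjectInputStream in = new ObjectInputStream(request.getInputStream());
    in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.example.Dto;!*"));
    return in.readObject();
}
"""

KOTLIN_UNSAFE = """\
fun load(socket: Socket): Any {
    val input = ObjectInputStream(socket.getInputStream())
    return input.readObject()
}
"""

KOTLIN_HARDENED = """\
fun load(socket: Socket): Any {
    val input = ObjectInputStream(socket.getInputStream())
    input.objectInputFilter = ObjectInputFilter.Config.createFilter("com.example.Dto;!*")
    return input.readObject()
}
"""

# A variable bound to a freshly constructed ObjectInputStream. The optional
# "new" lets one pattern cover both Java and Kotlin declarations.
STREAM_DECL = re.compile(r"\b(\w+)\s*=\s*(?:new\s+)?ObjectInputStream\s*\(")


@dataclass
class Finding:
    line: int       # 1-based line of the readObject() call
    variable: str   # stream variable the call was made on


def find_unfiltered_deserialization(source: str) -> list[Finding]:
    """Report readObject() calls made on an ObjectInputStream before any
    deserialization filter was attached to it.

    Deliberately simple: it scans lines within one source text and does not
    follow data flow across methods, nor inline chains such as
    ObjectInputStream(x).readObject(). A production rule would work on the
    parsed AST of the file.
    """
    lines = source.splitlines()
    findings: list[Finding] = []
    for decl_line, text in enumerate(lines, start=1):
        match = STREAM_DECL.search(text)
        if not match:
            continue
        var = re.escape(match.group(1))
        # Java setter call or Kotlin property assignment (but not "==").
        filter_set = re.compile(
            rf"\b{var}\s*\.\s*(?:setObjectInputFilter\s*\(|objectInputFilter\s*=(?!=))"
        )
        read_call = re.compile(rf"\b{var}\s*\.\s*readObject\s*\(")
        filtered = False
        # Walk forward from the declaration: the filter only counts if it is
        # installed before the readObject() call.
        for line_no, later in enumerate(lines[decl_line:], start=decl_line + 1):
            if filter_set.search(later):
                filtered = True
            if read_call.search(later) and not filtered:
                findings.append(Finding(line=line_no, variable=match.group(1)))
    return findings


if __name__ == "__main__":
    samples = {"java": JAVA_UNSAFE, "java-hardened": JAVA_HARDENED,
               "kotlin": KOTLIN_UNSAFE, "kotlin-hardened": KOTLIN_HARDENED}
    for name, src in samples.items():
        print(name, find_unfiltered_deserialization(src))
```

The hardened variants pass because a filter is installed before the stream is read; the rule is intentionally blind to filters installed after the first `readObject()`, which is exactly the ordering mistake a reviewer would want flagged.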

A number of challenges


– One of the biggest challenges in the preparation of the thesis was to conduct a thorough literature analysis. I tried to establish what the current knowledge in the field I am researching is and how I could contribute to it through my work – explains Tomasz Biadacz. – Another challenge was to prepare an original static analysis rule for vulnerability detection. I hadn't had the opportunity to do something like this before, so while carrying out my work I was constantly learning something new. Another problem was the poor documentation attached to the tool in which I ran my own rule. I needed a lot of extra time to figure out how it works and how I could use it for my needs – he adds.

It must be remembered that the thesis was written during the coronavirus pandemic, when classes at Wrocław University of Science and Technology were held remotely. However, Tomasz Biadacz admits that the pandemic did not adversely affect the process of writing the thesis, and in fact it helped.

– As a result, I could spend more time collecting materials and writing the thesis. It could have been a challenge to perform a literature analysis, but thanks to the numerous digital collections of scientific works I was able to carry it out without visiting libraries. As for the research I carried out as part of the thesis, I could easily do it on my computer. The pandemic was also not a challenge when communicating with my supervisor. We were in touch on an ongoing basis, and we discussed all comments or doubts by e-mail or via videoconference – he emphasizes.

Tomasz Biadacz graduated in IT with a specialization in "Applications of Specialist Information Technologies", and he currently works as a software developer in the e-commerce industry.

Politechnika Wrocławska © 2024