{"id":19,"date":"2014-11-27T14:50:32","date_gmt":"2014-11-27T14:50:32","guid":{"rendered":"http:\/\/sdash.isg.rhul.ac.uk\/?page_id=19"},"modified":"2025-07-02T09:40:19","modified_gmt":"2025-07-02T09:40:19","slug":"about","status":"publish","type":"page","link":"https:\/\/santanu.uk\/","title":{"rendered":"About"},"content":{"rendered":"\n
\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\n

I am a Senior Lecturer in the Department of Computer Science at University of Surrey. My research interests are in Secure Software Engineering, specifically automatic analysis and transformation of software. <\/p>\n\n\n\n

I work on open-source software as well as binaries and have published my work in flagship venues across Software Engineering and Security such as ICSE, FSE and Usenix Security. I am funded and trained by the UK Research Councils through their New Investigator Award and Future Leaders Pathways programme. <\/p>\n\n\n\n

Selected Publications<\/strong>

<\/a><\/form>
Raffa G; Blasco J; O'Keeffe D; Dash S K<\/span>: CloudFlow: Identifying Security-sensitive Data Flows in Serverless Applications<\/span>. Usenix Security 2025, <\/span>Forthcoming.<\/span> (Type: Conference<\/span> | BibTeX<\/a><\/span>)<\/span>
Tileria M; Blasco J; Dash S K<\/span>: DocFlow: Extracting Taint Specifications from Software Documentation<\/a><\/span>. In: <\/span>Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering, <\/span>ACM, <\/span>Lisbon, Portugal, <\/span>2024<\/span>.<\/span> (Type: Inproceedings<\/span> | Abstract<\/a><\/span> | Links<\/a><\/span> | BibTeX<\/a><\/span>)<\/span>
@inproceedings{10.1145\/3597503.3623312,
\r\ntitle = {DocFlow: Extracting Taint Specifications from Software Documentation},
\r\nauthor = {Marcos Tileria and Jorge Blasco and Santanu Kumar Dash},
\r\nurl = {https:\/\/doi.org\/10.1145\/3597503.3623312},
\r\ndoi = {10.1145\/3597503.3623312},
\r\nyear  = {2024},
\r\ndate = {2024-01-01},
\r\nurldate = {2024-01-01},
\r\nbooktitle = {Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering},
\r\npublisher = {ACM},
\r\naddress = {Lisbon, Portugal},
\r\nseries = {ICSE '24},
\r\nabstract = {Security practitioners routinely use static analysis to detect security problems and privacy violations in Android apps. The soundness of these analyses depends on how the platform is modelled and the list of sensitive methods. Collecting these methods often becomes impractical given the number of methods available, the pace at which the Android platform is updated, and the proprietary libraries Google releases on each new version. Despite the constant evolution of the Android platform, app developers cope with all these new features thanks to the documentation that comes with each new Android release. In this work, we take advantage of the rich documentation provided by platforms like Android and propose DocFlow, a framework to generate taint specifications for a platform, directly from its documentation. DocFlow models the semantics of API methods using their documentation to detect sensitive methods (sources and sinks) and assigns them semantic labels. Our approach does not require access to source code, enabling the analysis of proprietary libraries for which the code is unavailable. We evaluate DocFlow using Android platform packages and closed-source Google Play Services libraries. Our results show that our framework detects sensitive methods with high precision, adapts to new API versions, and can be easily extended to detect other method types. Our approach provides evidence that Android documentation encodes rich semantic information to categorise sensitive methods, removing the need to analyse source code or perform feature extraction.},
\r\nkeywords = {},
\r\npubstate = {published},
\r\ntppubtype = {inproceedings}
\r\n}
\r\n<\/pre><\/div>
Close<\/a><\/p><\/div>
Security practitioners routinely use static analysis to detect security problems and privacy violations in Android apps. The soundness of these analyses depends on how the platform is modelled and the list of sensitive methods. Collecting these methods often becomes impractical given the number of methods available, the pace at which the Android platform is updated, and the proprietary libraries Google releases on each new version. Despite the constant evolution of the Android platform, app developers cope with all these new features thanks to the documentation that comes with each new Android release. In this work, we take advantage of the rich documentation provided by platforms like Android and propose DocFlow, a framework to generate taint specifications for a platform, directly from its documentation. DocFlow models the semantics of API methods using their documentation to detect sensitive methods (sources and sinks) and assigns them semantic labels. Our approach does not require access to source code, enabling the analysis of proprietary libraries for which the code is unavailable. We evaluate DocFlow using Android platform packages and closed-source Google Play Services libraries. Our results show that our framework detects sensitive methods with high precision, adapts to new API versions, and can be easily extended to detect other method types. Our approach provides evidence that Android documentation encodes rich semantic information to categorise sensitive methods, removing the need to analyse source code or perform feature extraction.<\/div>
Close<\/a><\/p><\/div>
P\u00e2rtachi P; Dash S K; Allamanis M; Barr E T<\/span>: Flexeme: Untangling Commits Using Lexical Flows<\/a><\/span>. 28th ACM Joint European Software Engineering Conference \r\n and Symposium on the Foundations of Software Engineering, <\/span>ESEC\/FSE '20 <\/span>ACM, <\/span>2020<\/span>.<\/span> (Type: Conference<\/span> | Links<\/a><\/span> | BibTeX<\/a><\/span>)<\/span>
P\u00e2rtachi P; Dash S K; Treude C; Barr E T<\/span>: POSIT: Simultaneously Tagging Natural and Programming Languages<\/a><\/span>. ICSE '20: 42nd International Conference on Software Engineering, \r\n Seoul, South Korea, 27 June - 19 July, 2020, <\/span>ACM, <\/span>2020<\/span>.<\/span> (Type: Conference<\/span> | Links<\/a><\/span> | BibTeX<\/a><\/span>)<\/span>
Dash S K; Allamanis M; Barr E T<\/span>: RefiNym: Using Names to Refine Types<\/span>. 26th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, <\/span>ESEC\/FSE'18 <\/span>2018<\/span>.<\/span> (Type: Conference<\/span> | BibTeX<\/a><\/span>)<\/span>
Jordaney R; Sharad K; Dash S K; Wang Z; Papini D; Nouretdinov I; Cavallaro L<\/span>: Transcend: Detecting Concept Drift in Malware Classification Models<\/span>. 26th USENIX Security Symposium (USENIX Security 17), <\/span>USENIX Association, <\/span>2017<\/span>.<\/span> (Type: Conference<\/span> | BibTeX<\/a><\/span>)<\/span>
@conference{transcend,
\r\ntitle = {Transcend: Detecting Concept Drift in Malware Classification Models},
\r\nauthor = {Roberto Jordaney and Kumar Sharad and Santanu K. Dash and Zhi Wang and Davide Papini and Ilia Nouretdinov and Lorenzo Cavallaro},
\r\nyear  = {2017},
\r\ndate = {2017-01-01},
\r\nurldate = {2017-01-01},
\r\nbooktitle = {26th USENIX Security Symposium (USENIX Security 17)},
\r\npages = {625--642},
\r\npublisher = {USENIX Association},
\r\nkeywords = {},
\r\npubstate = {published},
\r\ntppubtype = {conference}
\r\n}
\r\n<\/pre><\/div>
Close<\/a><\/p><\/div><\/td><\/tr><\/table><\/div><\/p>\n<\/div><\/div>\n<\/div><\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
I am a Senior Lecturer in the Department of Computer Science at University of Surrey. My research interests are in Secure Software Engineering, specifically automatic analysis and transformation of software. I work on open-source software as well as binaries and have published my work in flagship venues across Software Engineering and Security such as ICSE, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-19","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/santanu.uk\/index.php\/wp-json\/wp\/v2\/pages\/19","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/santanu.uk\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/santanu.uk\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/santanu.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/santanu.uk\/index.php\/wp-json\/wp\/v2\/comments?post=19"}],"version-history":[{"count":78,"href":"https:\/\/santanu.uk\/index.php\/wp-json\/wp\/v2\/pages\/19\/revisions"}],"predecessor-version":[{"id":378,"href":"https:\/\/santanu.uk\/index.php\/wp-json\/wp\/v2\/pages\/19\/revisions\/378"}],"wp:attachment":[{"href":"https:\/\/santanu.uk\/index.php\/wp-json\/wp\/v2\/media?parent=19"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}