Hi! I'm Mohammad#, a postdoctoral researcher in Information Security at KTH in Sweden, working with Musard Balliu. Before joining KTH in January 2025, I was a postdoctoral researcher at Chalmers, where I completed my PhD in August 2024 under the supervision of Andrei Sabelfeld and Daniel Hedin. Earlier in my academic journey, I spent eight years at Amirkabir (Tehran Polytechnic), where I earned my BSc in Software Engineering and MSc in Information Security, and began my doctoral studies, all under the supervision of Mehran S. Fallah.
My research interests include:
Language-Based Security
Program Analysis
Information-Flow Security
Programming Languages
# My full name is Seyed Mohammad Mehdi Ahmadpanah (in Persian: سید محمدمهدی احمدپناه). You can listen to the pronunciation of my name here:
CodeX: Contextual Flow Tracking for Browser Extensions, CODASPY 2025
Mohammad M. Ahmadpanah, Matías F. Gobbi, Daniel Hedin, Johannes Kinder, and Andrei Sabelfeld
abstract | paper | full version | code | link
Browser extensions put millions of users at risk when misusing their elevated privileges. Despite the current practices of semi-automated code vetting, privacy-violating extensions still thrive in the official stores. We propose an approach for tracking contextual flows from browser-specific sensitive sources like cookies, browsing history, bookmarks, and search terms to suspicious network sinks through network requests. We demonstrate the effectiveness of the approach by a prototype called CodeX that leverages the power of CodeQL while breaking away from the conservativeness of bug-finding flavors of the traditional CodeQL taint analysis. Applying CodeX to the extensions published on the Chrome Web Store between March 2021 and March 2024 identified 1,588 extensions with risky flows. Manual verification of 339 of those extensions resulted in flagging 212 as privacy-violating, impacting up to 3.6M users.
Language-Based Security and Privacy in Web-driven Systems, PhD thesis, 2024
Supervisor: Andrei Sabelfeld, Co-supervisor: Daniel Hedin, Opponent: Deian Stefan, Examiner: David Sands, Grading committee: Benjamin Nguyen, Melek Önen, Simin Nadjm-Tehrani, and Magnus Almgren
abstract | thesis | video | slides | link
Modular programming is a core principle in software development, which demands reducing design complexity through independent code modules. A prime example of modular programming is systems offering various services and applications accessible through the web. Their complex nature, heavy dependence on third-party modules, and large user base call for principled approaches to user security and privacy.

This thesis focuses on securing web-driven systems, practically targeting Trigger-Action Platforms (TAPs) and browser extensions. Both increasingly popular systems empower users to develop and publish applications that enhance digital lives through smart automation and personalized web browsing, respectively.

Our approach to software security and privacy is through the lens of programming-language techniques. We identify vulnerabilities in popular TAP applications and prevent malicious behavior by sandboxing and fine-grained access control. To minimize data access for TAPs with user-configured applications, we also present a construction-by-design paradigm for on-demand data minimization using lazy computation.

Besides access control and minimization, we study how sensitive information is processed once access is granted, using information-flow analysis. We identify privacy risks in browser extensions, such as exfiltration of cookies and browsing history over the network. We develop a static analysis framework to track flows from user-sensitive data to network requests in browser extensions. Moreover, we revisit information-flow policies that are not necessarily transitive, supporting coarse-grained policies where security labels are specified at the level of modules. We leverage flow-sensitive type systems to enforce granular security in module-based systems.
LazyTAP: On-Demand Data Minimization for Trigger-Action Applications, S&P 2023
Mohammad M. Ahmadpanah, Daniel Hedin, and Andrei Sabelfeld
abstract | paper | code | teaser | video | poster | link
Trigger-Action Platforms (TAPs) empower applications (apps) for connecting otherwise unconnected devices and services. The current TAPs like IFTTT require trigger services to push excessive amounts of sensitive data to the TAP regardless of whether the data will be used in the app, at odds with the principle of data minimization. Furthermore, the rich features of modern TAPs, including IFTTT queries to support multiple trigger services and nondeterminism of apps, have been out of the reach of previous data minimization approaches like minTAP. This paper proposes LazyTAP, a new paradigm for fine-grained on-demand data minimization. LazyTAP breaks away from the traditional push-all approach of coarse-grained data over-approximation. Instead, LazyTAP pulls input data on-demand, once it is accessed by the app execution. Thanks to the fine granularity, LazyTAP enables tight minimization that naturally generalizes to support multiple trigger services via queries and is robust with respect to nondeterministic behavior of the apps. We achieve seamlessness for third-party app developers by leveraging laziness to defer computation and proxy objects to load necessary remote data behind the scenes as it becomes needed. We formally establish the correctness of LazyTAP and its minimization properties with respect to both IFTTT and minTAP. We implement and evaluate LazyTAP on app benchmarks showing that on average LazyTAP improves minimization by 95% over IFTTT and by 38% over minTAP, while incurring a tolerable performance overhead.
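The pull-on-access idea in the abstract above, as a small added illustration (not LazyTAP's own code): a Proxy stands in for the trigger payload, fetches each field only when the app reads it, and records which fields were actually pulled so the saving over a push-all platform can be measured. The trigger payload, the app, and the field-level fetch are constructed for this example.

```javascript
// Constructed trigger payload: everything a push-all platform would send.
const TRIGGER_DATA = {
  subject: "Invoice #42",
  from: "alice@example.com",
  body: "Please find the invoice attached.",
  attachments: ["invoice.pdf"],
  location: "59.33,18.07",
};

// Wraps a payload in a lazy proxy. A field is "fetched" (here: copied from
// the constructed payload) the first time the app reads it, then cached, so
// repeated reads do not count as extra pulls.
function makeLazyTrigger(data) {
  const pulled = new Set();   // fields the app actually needed
  const cache = new Map();
  const proxy = new Proxy({}, {
    get(_target, prop) {
      if (typeof prop !== "string" || !(prop in data)) return undefined;
      if (!cache.has(prop)) {
        pulled.add(prop);               // remote data loaded on demand
        cache.set(prop, data[prop]);
      }
      return cache.get(prop);
    },
  });
  return { proxy, pulled };
}

// Constructed app: needs the subject, and the sender only for invoices.
// The body, attachments and location are never read, so never pulled.
function notifyApp(trigger) {
  const msg = `New mail: ${trigger.subject}`;
  if (/invoice/i.test(trigger.subject)) {
    return `${msg} (from ${trigger.from})`;
  }
  return msg;
}

// Runs an app on a lazy trigger and reports how much data was not pulled
// compared with pushing the whole payload.
function runMinimized(app, data) {
  const { proxy, pulled } = makeLazyTrigger(data);
  const output = app(proxy);
  const total = Object.keys(data).length;
  return {
    output,
    pulledFields: [...pulled].sort(),
    pushed: total,
    savedFraction: (total - pulled.size) / total,
  };
}
```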
Securing Software in the Presence of Third-Party Modules, Licentiate thesis, 2021
Supervisor: Andrei Sabelfeld, Co-supervisor: Daniel Hedin, Opponent: Deian Stefan, Examiner: David Sands
abstract | thesis | video | slides | link
Modular programming is a key concept in software development where the program consists of code modules that are designed and implemented independently. This approach accelerates the development process and enhances scalability of the final product. Modules, however, are often written by third parties, aggravating security concerns such as stealing confidential information, tampering with sensitive data, and executing malicious code.

Trigger-Action Platforms (TAPs) are concrete examples of employing modular programming. Any user can develop TAP applications by connecting trigger and action services, and publish them on public repositories. In the presence of malicious application makers, users cannot trust applications written by third parties, which can threaten users' and the platform's security.

We present SandTrap, a novel runtime monitor for JavaScript that can be used to securely integrate third-party applications. SandTrap enforces fine-grained access control policies at the levels of module, API, value, and context. We instantiate SandTrap to IFTTT, Zapier, and Node-RED, three popular JavaScript-driven TAPs, and illustrate how it enforces various policies on a set of benchmarks while incurring a tolerable runtime overhead. We also prove soundness and transparency of the monitoring framework on an essential model of Node-RED.

Furthermore, nontransitive policies have been recently introduced as a natural fit for coarse-grained information-flow control where labels are specified at the level of modules. The flow relation does not need to be transitive, resulting in a nonstandard noninterference and enforcement mechanism. We develop a lattice encoding to prove that nontransitive policies can be reduced to classical transitive policies. We also devise a lightweight program transformation that leverages standard flow-sensitive information-flow analyses to enforce nontransitive policies more permissively.
Trigger-Action Platforms (TAPs) play a vital role in fulfilling the promise of the Internet of Things (IoT) by seamlessly connecting otherwise unconnected devices and services. While enabling novel and exciting applications across a variety of services, security and privacy issues must be taken into consideration because TAPs essentially act as persons-in-the-middle between trigger and action services. The issue is further aggravated since the triggers and actions on TAPs are mostly provided by third parties, extending the trust beyond the platform providers.

Node-RED, an open-source JavaScript-driven TAP, provides the opportunity for users to effortlessly employ and link nodes via a graphical user interface. Being built upon Node.js, third-party developers can extend the platform's functionality through publishing nodes and their wirings, known as flows.

This paper proposes an essential model for Node-RED, suitable to reason about nodes and flows, be they benign, vulnerable, or malicious. We expand on attacks discovered in recent work, ranging from exfiltrating data from unsuspecting users to taking over the entire platform by misusing sensitive APIs within nodes. We present a formalization of a runtime monitoring framework for a core language that soundly and transparently enforces fine-grained allowlist policies at module-, API-, value-, and context-level. We introduce the monitoring framework for Node-RED that isolates nodes while permitting them to communicate via well-defined API calls complying with the policy specified for each node.
Nontransitive Noninterference (NTNI) and Nontransitive Types (NTT) are a new security condition and enforcement for policies which, in contrast to Denning's classical lattice model, assume no transitivity of the underlying flow relation. Nontransitive security policies are a natural fit for coarse-grained information-flow control where labels are specified at module rather than variable level of granularity.

While the nontransitive and transitive policies pursue different goals and have different intuitions, this paper demonstrates that nontransitive noninterference can in fact be reduced to classical transitive noninterference. We develop a power-lattice encoding that establishes a precise relation between NTNI and classical noninterference. Our results make it possible to clearly position the new NTNI characterization with respect to the large body of work on noninterference. Further, we devise a lightweight program transformation that enables us to leverage standard flow-sensitive information-flow analyses to enforce nontransitive policies. We demonstrate several immediate benefits of our approach, both theoretical and practical. First, we improve the permissiveness over (while retaining the soundness of) the nonstandard NTT enforcement. Second, our results naturally generalize to a language with intermediate inputs and outputs. Finally, we demonstrate the practical benefits by leveraging the state-of-the-art flow-sensitive tool JOANA to enforce nontransitive policies for Java programs.
SandTrap: Securing JavaScript-driven Trigger-Action Platforms, USENIX Security 2021
Mohammad M. Ahmadpanah, Daniel Hedin, Musard Balliu, Lars Eric Olsson, and Andrei Sabelfeld
abstract | paper | full version | code | video | poster | link
Trigger-Action Platforms (TAPs) seamlessly connect a wide variety of otherwise unconnected devices and services, ranging from IoT devices to cloud services and social networks. TAPs raise critical security and privacy concerns because a TAP is effectively a "person-in-the-middle" between trigger and action services. Third-party code, routinely deployed as "apps" on TAPs, further exacerbates these concerns. This paper focuses on JavaScript-driven TAPs. We show that the popular IFTTT and Zapier platforms and an open-source alternative Node-RED are susceptible to attacks ranging from exfiltrating data from unsuspecting users to taking over the entire platform. We report on the changes by the platforms in response to our findings and present an empirical study to assess the implications for Node-RED. Motivated by the need for a secure yet flexible way to integrate third-party JavaScript apps, we propose SandTrap, a novel JavaScript monitor that securely combines the Node.js vm module with fully structural proxy-based two-sided membranes to enforce fine-grained access control policies. To aid developers, SandTrap includes a policy generation mechanism. We instantiate SandTrap to IFTTT, Zapier, and Node-RED and illustrate on a set of benchmarks how SandTrap enforces a variety of policies while incurring a tolerable runtime overhead.
Improving Multi-Execution-based Mechanisms for Enforcing Information Flow Policies, Master's thesis, 2017
Supervisor: Mehran S. Fallah, Opponents: Mehdi Shajari and Ramtin Khosravi (Grade: 20/20)
abstract | thesis | slides | link
Secure Multi-Execution (SME) proves to be a successful technique for enforcing noninterference. A security mechanism based on SME schedules and executes multiple copies of a given program, one copy for each security level, and controls the input/output operations of the copies in a certain manner. A main challenge in devising such mechanisms is to achieve precision, which basically stipulates that changes to the executions of secure programs must be as minimal as possible. Although research in this area has yielded interesting results, the proposed mechanisms do not attain an acceptable level of precision even for the security policies that are weakly sensitive to the timing behavior of programs. This paper proposes a sound and highly precise mechanism for a strong timing-sensitive noninterference. Using a specific round-robin-like scheduler, the mechanism indeed arrives at the highest level of precision, demanding that the relative order of input/output events from different security levels should be preserved.
Security policies can be categorized as properties and non-properties. Information flow control is one of the important confidentiality and integrity policies. The difference between expressing policies using only one or more than one trace entails several enforcement mechanisms.

Two main types of security enforcement mechanisms are static and dynamic. The common feature of static mechanisms is being conservative due to source-code static analysis before the execution. On the other side, runtime monitoring is a well-known technique among dynamic mechanisms. Recently, permissiveness of dynamic techniques for enforcing information flow policies, compared to static analysis, has attracted increasing attention. Hybrid approaches make use of source-code analysis as additional information on other possible executions of the program under the monitor. Security enforcement mechanisms can be measured in terms of soundness, transparency, and precision.

In this technical report, we review the notion of security policies and hyperproperties. We study a wide range of enforcement techniques, including static mechanisms, dynamic mechanisms, program rewriting, and hybrid analysis. We also review the characterization of various dynamic mechanisms and runtime monitors (with or without prior knowledge of possible behaviors of the program) in the literature with reference to enforcement paradigms and comparison factors.
A Tool for Rewriting-Based Enforcement of Noninterference in While Programs, Bachelor's thesis, 2015
Supervisor: Mehran S. Fallah, Opponent: MohammadReza Razzazi (Grade: 20/20)
abstract | thesis | code | slides | link
Program rewriting has recently been suggested as a means of enforcing security policies and proven more powerful than execution monitoring and static analysis. We implement a novel, sound and transparent rewriting mechanism using Program Dependence Graphs (PDG) to enforce progress-sensitive and -insensitive noninterference in programs with observable intermediate values.
Information Security Talks, February 2024
Invited speaker and research visitor hosted by David Basin, ETH Zurich
Fixing the Dripping TAP: Security and Privacy in Trigger-Action Platforms | slides

Research visitor hosted by Santiago Diaz, Google Zurich, February 2024

SPLiTS Seminars, February 2024
Invited speaker and research visitor hosted by Tamara Rezk, Inria Sophia Antipolis
LazyTAP: On-Demand Data Minimization for Trigger-Action Applications | slides

Amirkabir and Sharif, December 2023
Fixing the Dripping TAP: Security and Privacy in Trigger-Action Platforms | slides

CCS'23, November 2023
Data Minimization by Construction for Trigger-Action Applications | poster

Research visitor hosted by Daniel Hedin, Mälardalen, September and October 2022

FOSAD'22, August 2022
SandTrap: Securing JavaScript-driven Trigger-Action Platforms | slides
Capture The Flag competitions: demo, experience with students, and open discussion | slides

SWITS'22, June 2022
SandTrap: Securing JavaScript-driven Trigger-Action Platforms | slides
The Chalmers GU-KTH-Aarhus CTF competition | slides

CSF'20, June 2020
Nontransitive Policies Transpiled | slides
Member of the ShiftLeft and CHAINS projects, and the LangSec research group, KTH, January 2025 - present
Member of the ChalmersGU-KTH-Aarhus educational CTF organization team, Chalmers and KTH, 2021 - 2025
Recipient of the Adlerbert Foreign Student Hospitality Foundation Scholarship, 2021 - 2024
Awarded bug bounties for responsibly disclosing code injection and JavaScript sandbox breakout vulnerabilities on IFTTT, in collaboration with Daniel Hedin and Andrei Sabelfeld, 2020 and 2023
Member of the CyberSecIT project, Chalmers, September 2022 - January 2025
Admitted to Tarbiat-Modares University and achieved 43rd place in the Nationwide University Entrance Exam for MSc in Information Technology (30K applicants), Iran, 2015
Recognized as an active member of The Student Scientific Association of Computer Engineering Department (announced as The Best Student Scientific Association of the university), Amirkabir, 2015
Elected as the most polite and most online student of the class of 2015, Computer Engineering Department, Amirkabir, 2015
Member of the Formal Security Lab, Amirkabir, September 2015 - September 2019
Member of the university team for the National Scientific Olympiad in Computer Engineering, Amirkabir, 2014
Top 2% ranking in the Nationwide University Entrance Exam in Math and Engineering (260K applicants), Iran, 2011
Top 1.5% ranking in the Nationwide University Entrance Exam in English (108K applicants), Iran, 2011
Skipped three grades of elementary school as an exceptional talent, 2002