Hi! I'm Mohammad#,
a postdoctoral researcher in
Information Security at KTH in Sweden, working with Musard Balliu. Before joining KTH in January
2025,
I was a postdoctoral researcher at Chalmers, where I
completed my PhD in August 2024 under the supervision of Andrei Sabelfeld and Daniel Hedin.
Earlier
in my academic journey, I spent eight years at Amirkabir
(Tehran Polytechnic), where I earned my BSc in Software Engineering and MSc in Information
Security, and began my doctoral studies, all under the supervision of Mehran S. Fallah.
My research interests include:
Language-Based Security,
Web Security and Privacy,
Program Analysis, and
Information-Flow Security.
# My full name is Seyed Mohammad Mehdi
Ahmadpanah (in Persian: سید محمدمهدی احمدپناه). You can
listen
to
the pronunciation of my name here:
CodeX: Contextual Flow Tracking for Browser
Extensions,
CODASPY 2025 Mohammad M.
Ahmadpanah, Matías F. Gobbi, Daniel Hedin, Johannes Kinder, and Andrei Sabelfeld
abstract |
paper |
full
version |
code |
link
Browser extensions put millions of users at risk
when misusing their elevated privileges. Despite the current practices of
semi-automated
code
vetting, privacy-violating extensions still thrive in the official stores. We
propose an
approach for tracking contextual flows from browser-specific sensitive sources
like
cookies,
browsing history, bookmarks, and search terms to suspicious network sinks through
network
requests. We demonstrate the effectiveness of the approach by a prototype called
CodeX
that
leverages the power of CodeQL while breaking away from the conservativeness of
bug-finding
flavors of the traditional CodeQL taint analysis. Applying CodeX to the extensions
published
on
the Chrome Web Store between March 2021 and March 2024 identified 1,588 extensions
with
risky
flows. Manual verification of 339 of those extensions resulted in flagging 212 as
privacy-violating, impacting up to 3.6M users.
Language-Based Security and Privacy in Web-driven Systems,
PhD
thesis
2024 Supervisor: Andrei Sabelfeld, Co-supervisor: Daniel Hedin, Opponent: Deian Stefan,
Examiner:
David
Sands, Grading committee: Benjamin Nguyen, Melek Önen, Simin Nadjm-Tehrani, and Magnus
Almgren
abstract |
thesis |
video |
slides |
link
Modular programming is a core principle in software
development, which demands reducing design complexity through independent code
modules. A
prime
example of modular programming is systems offering various services and
applications
accessible
through the web. Their complex nature, heavy dependence on third-party modules,
and large
user
base call for principled approaches to user security and privacy.
This thesis focuses on securing web-driven systems, practically targeting
Trigger-Action
Platforms (TAPs) and browser extensions. Both increasingly popular systems empower
users
to
develop and publish applications that enhance digital lives through smart
automation and
personalized web browsing, respectively.
Our approach to software security and privacy is through the lens
of programming-language techniques. We identify vulnerabilities in popular TAP
applications
and prevent malicious behavior by sandboxing and fine-grained access control. To
minimize
data
access for TAPs with user-configured applications, we also present a
construction-by-design
paradigm for on-demand data minimization using lazy computation.
Besides access control and minimization, we study how sensitive
information is processed once access is granted, using information-flow analysis.
We
identify
privacy risks in browser extensions, such as exfiltration of cookies and browsing
history
over
the network. We develop a static analysis framework to track flows from
user-sensitive
data
to
network requests in browser extensions. Moreover, we revisit information-flow
policies
that
are not necessarily transitive, supporting coarse-grained policies where security
labels
are
specified at the level of modules. We leverage flow-sensitive type systems to
enforce
granular
security in module-based systems.
LazyTAP: On-Demand Data Minimization for Trigger-Action
Applications,
S&P 2023 Mohammad M. Ahmadpanah, Daniel Hedin, and Andrei Sabelfeld
abstract |
paper |
code |
teaser |
video |
poster |
link
Trigger-Action Platforms (TAPs) empower applications
(apps) for connecting otherwise unconnected devices and services. The current TAPs
like
IFTTT
require trigger services to push excessive amounts of sensitive data to the TAP
regardless
of
whether the data will be used in the app, at odds with the principle of data
minimization.
Furthermore, the rich features of modern TAPs, including IFTTT queries to support
multiple
trigger services and nondeterminism of apps, have been out of the reach of
previous data
minimization approaches like minTAP. This paper proposes LazyTAP, a new paradigm
for
fine-grained on-demand data minimization. LazyTAP breaks away from the traditional
push-all
approach of coarse-grained data over-approximation. Instead, LazyTAP pulls input
data
on-demand,
once it is accessed by the app execution. Thanks to the fine granularity, LazyTAP
enables
tight
minimization that naturally generalizes to support multiple trigger services via
queries
and
is
robust with respect to nondeterministic behavior of the apps. We achieve
seamlessness for
third-party app developers by leveraging laziness to defer computation and proxy
objects
to
load
necessary remote data behind the scenes as it becomes needed. We formally
establish the
correctness of LazyTAP and its minimization properties with respect to both IFTTT
and
minTAP.
We
implement and evaluate LazyTAP on app benchmarks showing that on average LazyTAP
improves
minimization by 95% over IFTTT and by 38% over minTAP, while incurring a tolerable
performance
overhead.
Securing Software in the Presence of Third-Party Modules,
Licentiate thesis
2021 Supervisor: Andrei Sabelfeld, Co-supervisor: Daniel Hedin, Opponent: Deian Stefan,
Examiner:
David
Sands
abstract |
thesis |
video |
slides |
link
Modular programming is a key concept in software
development where the program consists of code modules that are designed and
implemented
independently. This approach accelerates the development process and enhances
scalability
of
the
final product. Modules, however, are often written by third parties, aggravating
security
concerns such as stealing confidential information, tampering with sensitive data,
and
executing
malicious code.
Trigger-Action Platforms (TAPs) are concrete
examples of employing modular programming. Any user can develop TAP applications
by
connecting
trigger and action services, and publish them on public repositories. In the
presence of
malicious application makers, users cannot trust applications written by third
parties,
which
can threaten users’ and platform’s security.
We present SandTrap, a novel runtime monitor for JavaScript that
can be used to securely integrate third-party applications. SandTrap enforces
fine-grained
access control policies at the levels of module, API, value, and context. We
instantiate
SandTrap to IFTTT, Zapier, and Node-RED, three popular JavaScript-driven TAPs, and
illustrate
how it enforces various policies on a set of benchmarks while incurring a
tolerable
runtime
overhead. We also prove soundness and transparency of the monitoring framework on
an
essential
model of Node-RED.
Furthermore, nontransitive policies have been recently introduced
as a natural fit for coarse-grained information-flow control where labels are
specified at
the
level of modules. The flow relation does not need to be transitive, resulting in
nonstandard
noninterference and enforcement mechanism. We develop a lattice encoding to prove
that
nontransitive policies can be reduced to classical transitive policies. We also
devise a
lightweight program transformation that leverages standard flow-sensitive
information-flow
analyses to enforce nontransitive policies more permissively.
Trigger-Action Platforms (TAPs) play a vital role in
fulfilling the promise of the Internet of Things (IoT) by seamlessly connecting
otherwise
unconnected devices and services. While enabling novel and exciting applications
across a
variety of services, security and privacy issues must be taken into consideration
because
TAPs
essentially act as persons-in-the-middle between trigger and action services. The
issue is
further aggravated since the triggers and actions on TAPs are mostly provided by
third
parties
extending the trust beyond the platform providers.
Node-RED, an
open-source JavaScript-driven TAP, provides the opportunity for users to
effortlessly
employ
and link nodes via a graphical user interface. Being built upon Node.js,
third-party
developers can extend the platform's functionality through publishing nodes and
their
wirings,
known as flows.
This paper proposes an essential model for Node-RED, suitable to
reason about nodes and flows, be they benign, vulnerable, or malicious. We expand
on
attacks
discovered in recent work, ranging from exfiltrating data from unsuspecting users
to
taking
over the entire platform by misusing sensitive APIs within nodes. We present a
formalization
of a runtime monitoring framework for a core language that soundly and
transparently
enforces
fine-grained allowlist policies at module-, API-, value-, and context-level. We
introduce
the
monitoring framework for Node-RED that isolates nodes while permitting them to
communicate
via
well-defined API calls complying with the policy specified for each node.
Nontransitive Noninterference (NTNI) and
Nontransitive Types (NTT) are a new security condition and enforcement for
policies, which
in
contrast to Denning's classical lattice model, assume no transitivity of the
underlying
flow
relation. Nontransitive security policies are a natural fit for coarse-grained
information-flow
control where labels are specified at module rather than variable level of
granularity.
While the nontransitive and transitive policies pursue different
goals and have different intuitions, this paper demonstrates that nontransitive
noninterference can be in fact reduced to classical transitive noninterference. We
develop
a
power-lattice encoding that establishes a precise relation between NTNI and
classical
noninterference. Our results make it possible to clearly position the new NTNI
characterization with respect to the large body of work on noninterference.
Further, we
devise
a lightweight program transformation that enables us to leverage standard
flow-sensitive
information-flow analyses to enforce nontransitive policies. We demonstrate
several
immediate
benefits of our approach, both theoretical and practical. First, we improve the
permissiveness
over (while retaining the soundness of) the nonstandard NTT enforcement. Second,
our
results
naturally generalize to a language with intermediate input and outputs. Finally,
we
demonstrate the practical benefits by leveraging state-of-the-art flow-sensitive
tool
JOANA
to
enforce nontransitive policies for Java programs.
SandTrap: Securing JavaScript-driven Trigger-Action
Platforms, USENIX
Security 2021 Mohammad M. Ahmadpanah, Daniel Hedin, Musard Balliu, Lars Eric Olsson, and
Andrei
Sabelfeld
abstract |
paper |
full
version |
code |
video |
poster |
link
Trigger-Action Platforms (TAPs) seamlessly connect a
wide variety of otherwise unconnected devices and services, ranging from IoT
devices to
cloud
services and social networks. TAPs raise critical security and privacy concerns
because a
TAP
is
effectively a “person-in-the-middle” between trigger and action services.
Third-party
code,
routinely deployed as “apps” on TAPs, further exacerbates these concerns. This
paper
focuses
on
JavaScript-driven TAPs. We show that the popular IFTTT and Zapier platforms and an
open-source
alternative Node-RED are susceptible to attacks ranging from exfiltrating data
from
unsuspecting
users to taking over the entire platform. We report on the changes by the
platforms in
response
to our findings and present an empirical study to assess the implications for
Node-RED.
Motivated by the need for a secure yet flexible way to integrate third-party
JavaScript
apps,
we
propose SandTrap, a novel JavaScript monitor that securely combines the Node.js vm
module
with
fully structural proxy-based two-sided membranes to enforce fine-grained access
control
policies. To aid developers, SandTrap includes a policy generation mechanism. We
instantiate
SandTrap to IFTTT, Zapier, and Node-RED and illustrate on a set of benchmarks how
SandTrap
enforces a variety of policies while incurring a tolerable runtime overhead.
Improving Multi-Execution-based Mechanisms for Enforcing
Information
Flow
Policies,
Master's
thesis
2017 Supervisor: Mehran S. Fallah, Opponents: Mehdi Shajari and Ramtin Khosravi (Grade:
20/20)
abstract |
thesis |
slides
|
link
Secure Multi-Execution (SME) proves to be a
successful technique for enforcing noninterference. A security mechanism based on
SME
schedules
and executes multiple copies of a given program, one copy for each security level,
and
controls
the input/output operations of the copies in a certain manner. A main challenge in
devising
such
mechanisms is to achieve precision, which basically stipulates that changes to the
executions
of
secure programs must be as minimal as possible. Although research in this area has
yielded
interesting results, the proposed mechanisms do not attain an acceptable level of
precision
even
for the security policies that are weakly sensitive to the timing behavior of
programs.
This
paper proposes a sound and highly precise mechanism for a strong timing-sensitive
noninterference. Using a specific round-robin-like scheduler, the mechanism indeed
arrives
at
a
highest level of precision demanding that the relative order of input/output
events from
different security levels should be preserved.
Security policies can be categorized as properties
and non-properties. Information flow control is one of the important
confidentiality and
integrity policies. The difference between expressing policies using only one or
more than
one
trace entails several enforcement mechanisms.
Two main types of
security enforcement mechanisms are static and dynamic. The common feature of
static
mechanisms is being conservative due to source-code static analysis before the
execution.
On
the other side, runtime monitoring is a well-known technique among dynamic
mechanisms.
Recently, permissiveness of dynamic techniques for enforcing information flow
policies,
compared to static analysis, has attracted increasing attention. Hybrid approaches
make
use
of source-code analysis as additional information on other possible executions of
the
program
under the monitor. Security enforcement mechanisms can be measured in terms of
soundness,
transparency, and precision.
In this technical report, we review the notion of security
policies and hyperproperties. We study a wide range of enforcement techniques,
including
static mechanisms, dynamic mechanisms, program rewriting, and hybrid analysis. We
also
review
the characterization of various dynamic mechanisms and runtime monitors (with or
without
prior
knowledge of possible behaviors of the program) in the literature with reference
to
enforcement paradigms and comparison factors.
A Tool for Rewriting-Based Enforcement of Noninterference in
While
Programs,
Bachelor's thesis
2015 Supervisor: Mehran S. Fallah, Opponent: MohammadReza Razzazi (Grade: 20/20)
abstract |
thesis
|
code
|
slides
|
link
Program rewriting has recently been suggested as a
means of enforcing security policies and proven more powerful than execution
monitoring
and
static analysis. We implement a novel, sound and transparent rewriting mechanism
using
Program
Dependence Graphs (PDG) to enforce progress-sensitive and -insensitive
noninterference in
programs with observable intermediate values.
Information
Security Talks, February
2024
Invited speaker and research visitor hosted by David
Basin, ETH
Zurich Fixing the Dripping TAP: Security and Privacy in Trigger-Action Platforms |
slides
Research visitor hosted by Santiago Diaz,
Google
Zurich, February 2024
SPLiTS
Seminars, February 2024
Invited speaker and research visitor hosted by Tamara Rezk, Inria
Sophia Antipolis LazyTAP: On-Demand Data Minimization for Trigger-Action Applications | slides
Amirkabir
and Sharif, December 2023
Fixing the Dripping TAP: Security and Privacy in Trigger-Action Platforms |
slides
CCS'23,
November 2023
Data Minimization by Construction for Trigger-Action Applications | poster
Research visitor
hosted by Daniel
Hedin, Mälardalen, September and October 2022
FOSAD'22,
August
2022
SandTrap: Securing JavaScript-driven Trigger-Action Platforms | slides Capture The Flag competitions: demo, experience with students, and open
discussion | slides
SWITS'22
, June 2022
SandTrap: Securing JavaScript-driven Trigger-Action Platforms | slides The Chalmers GU-KTH-Aarhus CTF competition | slides
CSF'20, June 2020
Nontransitive Policies Transpiled | slides
Member of the ShiftLeft and CHAINS projects, and the LangSec research group, KTH, January 2025
-
present
Member of the ChalmersGU-KTH-Aarhus educational CTF organization team, Chalmers and
KTH,
2021
-
2025
Recipient of the Adlerbert Foreign Student Hospitality Foundation
Scholarship, 2021 -
2024
Awarded bug bounties for responsibly disclosing code injection and JavaScript
sandbox
breakout
vulnerabilities on IFTTT, in collaboration with
Daniel Hedin
and
Andrei Sabelfeld, 2020 and 2023
Member of the CyberSecIT
project,
Chalmers, September 2022 - January 2025
Admitted to Tarbiat-Modares University and achieved 43rd place in
the Nationwide University Entrance Exam for MSc in Information Technology
(30K applicants), Iran, 2015
Recognized as an active member of The Student
Scientific
Association of Computer Engineering Department (Announced as The Best Student
Scientific Association
of the university), Amirkabir, 2015
Elected as the most polite and most online student of the class of 2015,
Computer Engineering Department, Amirkabir, 2015
Member of the Formal
Security
Lab,
Amirkabir, September 2015 - September 2019
Member of the university team for the National Scientific Olympiad in
Computer
Engineering,
Amirkabir, 2014
Top 2% ranking in the Nationwide University Entrance Exam
in Math and Engineering (260K applicants), Iran, 2011
Top 1.5% ranking in the Nationwide University Entrance Exam
in English (108K applicants), Iran, 2011
Skipped three grades of elementary school as an exceptional talent,
2002
