Omar Chowdhury - Stony Brook University

About Me

I am currently a SUNY Empire Innovation Scholar and an Associate Professor of Computer Science at the Stony Brook University. Before joining Stony Brook University in Fall 2022, I was an Assistant Professor of Computer Science at the University of Iowa, where I was awarded the Dean's Scholar Award.

Before joining the University of Iowa in 2016, I was a post-doctoral research associate at Cylab, Carnegie Mellon University (Host: Prof. Anupam Datta) and Purdue University (Host: Prof. Ninghui Li). I received my Ph.D. in Computer Science from the University of Texas at San Antonio under the supervision of Prof. Jianwei Niu and Prof. William H. Winsborough (deceased). I received my undergraduate education in Computer Science and Engineering (CSE) at the Bangladesh University of Engineering and Technology (BUET).

Research

My research lies in Computer Security and Privacy. I generally use techniques from formal verification, automated reasoning, runtime verification, programming languages, software engineering, human-computer interaction, and measurement to solve practically-relevant computer security and privacy problems.

In the broad area of Computer Security and Privacy, I am particularly interested in problems in the software and network security domains. My current work includes addressing security and privacy problems in SSL/TLS, X.509 PKI, Cellular Network, Wi-Fi, Internet-of-Things (IoT), and Regulatory Compliance. I am also interested in solving fundamental problems in automated reasoning and formal verification.

The research of my group has been funded by both National Science Foundation (NSF) and Defense Advanced Research Projects Agency (DARPA), including a DARPA Young Faculty Award (YFA). Findings of our research have resulted in enhancements in the implementations and designs of widely used protocols (e.g., 4G LTE, 5G, WPA2 enterprise) and cryptographic libraries.

Awards

Amazon Science Research Award, 2024
Teachers Rated Excellent Educators by their Students (TREES) Award, College of Engineering and Applied Sciences, Stony Brook University, 2024
Test of Time Award, ACM SACMAT 2023
Dean's Scholar Award, College of Liberal Arts and Sciences (CLAS), The University of Iowa, 2022
Best Paper Award (Runner Up), ACM CCS 2021
Best Student Paper Award, ACNS 2020
DARPA Young Faculty Award (YFA), 2019
Best Paper Award (Cybersecurity and Software Track), IEEE DASC 2019
Best Paper Award, ACSAC 2019
Distinguished Paper Award Honorable Mention, NDSS 2019
CSAW North America Finalist, CSAW 2017 Applied Research Competition
Best Paper Award, ACM SACMAT 2012
Upsilon Pi Epsilon Programming Excellence Award, ACM ICPC World Finals

CVEs & Vulnerability Disclosures

Findings from our research group have led to the discovery of numerous Common Vulnerabilities and Exposures (CVEs) and vulnerability disclosures (CVDs) in widely deployed cryptographic libraries, network protocols, and mobile operating systems.

CVEs Discovered

GSMA Hall of Fame Inductions (CVDs)

Critical Severity Vulnerabilities

Affected Systems & Libraries

SymCerts IEEE S&P 2017

CVE-2017-1000415 MatrixSSL 5.9 Medium

CVE-2017-1000416 axTLS Embedded SSL 5.3 Medium

CVE-2017-1000417 MatrixSSL 5.3 Medium

Bleichenbacher Signature Forgery (1st) NDSS 2019

CVE-2018-15836 Openswan 7.5 High

CVE-2018-16151 strongSwan 7.5 High

CVE-2018-16152 strongSwan 7.5 High

CVE-2018-16253 axTLS Embedded SSL 5.9 Medium

CVE-2018-16150 axTLS Embedded SSL 5.9 Medium

CVE-2018-16149 axTLS Embedded SSL 5.9 Medium

Related work (ACSAC 2018) also uncovered vulnerabilities breaking content delivery in major apps including Bloomberg Businessweek+, Forbes Magazine, and Amazon Music. No CVEs were issued due to the sensitivity of the findings.

AT Command Interface — Bluetooth Vulnerabilities 2019

CVE-2019-16400 Samsung Galaxy S8+, S3, Note 2 Denial of Service Samsung phones accept AT commands over Bluetooth, enabling Denial of Service attacks.

CVE-2019-16401 Samsung Galaxy S8+, S3, Note 2 Privacy Leak Exposes sensitive information (IMSI, IMEI, call status, Internet service status) via AT commands over Bluetooth.

Cellular Network Vulnerabilities (4G LTE / 5G) 5GReasoner & Related Work, 2019–2021

CVD-2018-0014 4G & 5G Networks — ToRPEDO, PIERCER, IMSI-Cracking GSMA Hall of Fame Three vulnerabilities exploiting side-channel weaknesses in 4G and 5G paging protocols.

CVD-2019-0029 5G Networks — 11 New Vulnerabilities GSMA Hall of Fame Uncovered using 5GReasoner, a formal verification framework for 5G protocol security.

CVD-2021-0050 4G & 5G NAS Layer — Samsung & MediaTek Modems GSMA Hall of Fame Three NAS layer baseband vulnerabilities: CVE-2021-25471 (Samsung), CVE-2021-25480 (Samsung), CVE-2021-40148 (MediaTek).

Wi-Fi Security ACM CCS 2021

CVE-2020-27055 Android 7.5 High

CVE-2021-21212 Chrome OS 6.5 Medium

CVE-2021-37964 Chrome OS 3.3 Low

Morpheus — Bleichenbacher Signature Forgery (2nd) ACM CCS 2021

CVE-2020-36315 RELIC 5.3 Medium

CVE-2020-36316 RELIC 5.5 Medium

CVE-2021-30004 wpa_supplicant 5.3 Medium

CVE-2021-30130 phpseclib 7.5 High

CVE-2021-30246 jsrsasign 9.1 Critical

CVE-2022-24771 node-forge 7.5 Medium

CVE-2022-24772 node-forge 7.5 Medium