Our first interview (in a new spotlight series on UT Dallas computer science faculty) is with Dr. Kevin Hamlen, a Louis A. Beecherl, Jr. Dis­tin­guished Pro­fes­sor of Com­put­er Science at UT Dallas, and the ex­ec­u­tive di­rec­tor of UT Dallas’ Cy­ber Se­cu­ri­ty Re­search and Edu­ca­tion In­sti­tute (CSI). His research interests involve lan­guage-based se­cu­ri­ty, which le­ver­ag­es pro­gram­ming lang­uage the­o­ry and com­pil­er de­sign to en­force soft­ware se­cu­ri­ty. His tech­ni­cal interests in­clude bi­na­ry soft­ware hard­en­ing, cy­ber ­de­cep­tion, mal­ware de­fense, cloud/​web/​mo­bile se­cu­ri­ty, mod­el-check­ing, au­to­mat­ed the­o­rem prov­ing, cer­ti­fy­ing com­pil­ers, and type-safe in­ter­me­di­ate lan­guag­es.

Dr. Hamlen’s colleague, Dr. Bhavani Thuraisingham, said: “We are extremely fortunate to have someone like Kevin with his unparalleled academic pedigree. … Within a year of joining us he became the first faculty in our department to win the prestigious Department of Defense Young Investigator Program Award. His award was funded by the Air Force Office of Scientific Research. Soon afterward, he received the prestigious NSF CAREER award. He is the only professor currently working in the department who has received both awards. … I am so pleased that he took over as the executive director of our Cyber Security Research and Education Institute (CSI) in Fall 2021, as he is highly respected among our sponsors in Washington DC.”

What brought you into the world of computer science?

Growing up in Buffalo, New York in the early ‘80s, I was one of those nerdy kids who became fascinated with personal computers, back when computers were decidedly un-cool. … There wasn’t much in the way of internet access back then, but the local university had a digital library catalog accessible by phone dial-in modem (1200 baud!). … I studied everything I could find, from email apps to operating systems, learning to program by example. … So, by the time computers and the internet started to really impact the public in the ‘90s, I found I was already an expert in something people around me suddenly cared about.

How did you end up at UT Dallas, and what made you choose to teach here?

By the time I finished my PhD at Cornell in 2006, I knew I wanted to pursue the “big picture” problems of computer science and cybersecurity, so I wanted to be in academics rather than industry.  UT Dallas was (and still is!) a relatively young school but with incredible growth potential and a world-class cybersecurity faculty.  I met Bhavani Thuraisingham, Gopal Gupta and D.T. Huynh, and I knew this is where I wanted to pursue my passion of discovering scientific foundations for computer security.

What are some current research projects you are working on? Can you also talk about past projects you have worked on? 

One of the biggest concerns I and many other cyber experts face today involves cyber defense “scalability”:  If it costs defenders millions of dollars per machine to secure a network, and yet it costs attackers mere pennies to launch successful attacks, then that’s a losing battle no matter how strong the defenses may be. 

My research has been addressing this through a new philosophy of software design, which we call “cyber-deceptive software engineering.” The idea is to make attacks much riskier and more expensive for attackers by engineering software to deceive attackers, not merely resist attacks. … We’re currently developing these solutions for the Army Research Office (ARO) in collaboration with Carnegie Mellon, and our paper has just won the Best Student Paper Award at IFIP Data Applications Security and Privacy (DBSec) in 2023.

Another class of problems I’ve been working on recently arises from the gray area between humans’ and machines’ understandings of computer code.  I recently concluded a project for the Defense Advanced Research Projects Agency (DARPA) called CHESS (Computers and Humans Exploring Software Security) in which I worked with UTD students to build a new kind of software vulnerability discovery algorithm.  Modern software systems are so large and complex that it’s very difficult for humans to manually find and fix every security flaw before the software gets deployed; they need the assistance of automated tools. 

To address this problem, we built a different sort of bug-finding system in which the human-machine interaction is a mutual collaboration.  The machine looks for code that appears suspicious (possibly vulnerable) and ranks its findings from most to least concerning. … In bug-finding challenges conducted by DARPA, our system was deemed the most highly intuitive and usable by code review teams, and managed to find many previously undiscovered vulnerabilities in mission-critical software systems.

What are some practical applications of your research?

In practice, the language-based approach provides a basis for achieving the highest levels of security and safety for software systems.  For example, my lab at UTD has developed and patented a variety of “software hardening” algorithms that automatically secure untrustworthy software by changing its underlying “formula” into a new one for which there is a complete mathematical proof that certain classes of attacks cannot succeed.  Several of these have been incorporated into software systems that require highest security, such as military systems used by the Navy and Air Force.

Can you explain your research into lan­guage-based se­cu­ri­ty in laymen’s terms?

Language-based security uses the mathematics of computer programming languages to secure computing systems.  At its heart, every computer program is an enormous math formula.  Each variable in the formula stands for the inputs from the user (e.g., mouse clicks), and the output is whatever the program does in response (e.g., saving a file or displaying a video). … In contrast, the language-based way of analyzing such a formula is to apply mathematical laws to it, like algebra.  If a series of mathematical steps proves that the software formula always yields secure outputs, then there are no strange inputs left for criminals to try.  Such a proof is “complete” for the entire infinity of possible inputs because it didn’t depend on any values of the variables.

Where do you see your future research efforts focused on?

Cyber security is a continuously evolving battle, so we’re constantly looking ahead and trying to anticipate the next threat and the next opportunity.  I think AI is poised to be both of those things soon, but maybe not in the way most people expect. … At the same time, AI-powered security analyses and defenses might offer our best hope of keeping pace with that complexity because they can be programmed to “understand” aspects of software that perplex humans.

You are also executive director of the UT Dallas Cyber Security Research and Education Institute (CSI). Can you talk about the institute and what it does?

The UT Dallas CSI brings together faculty from across computer science, as well as other schools at UTD (e.g., economic, political, management, mathematics, brain & behavioral sciences) to tackle far-reaching cyber security challenges and research problems.  We have about 20 member-faculty from computer science with expertise in data security, software security, secure AI, hardware security, network security, cryptography, and cyber security education.

One reason the institute is so critical for our work is because of the (sometimes unexpected!) diversity of skills required to thwart skilled cyber criminals successfully. … It’s wonderful to work at a place where if I suddenly encounter a research problem in a domain I know little about, I can be certain that down the hall is a world-renowned expert who I can turn to for help.

Can you talk about your research lab and the students involved? How do you get research students involved in your work?

I direct the Software Languages Security Lab (SL)² at UTD.  I try to infuse each course I teach with examples and exercises drawn from real life, so students often become involved in research as they take classes from me and other professors and start to become curious about some of the practical applications of what they’re learning.  Sometimes a student project will turn into something with real-world promise.  When that happens, I start inviting the students to attend our research meetings and help them become engaged.

What advice would you give to a student just starting out their graduate program or any student wanting to enter the world of research?

I often advise my computer science students there is so much they should be learning outside the classroom, and that’s especially true if they want to do research. … The people who turn out to be the best CS researchers are often the ones who decided on a whim to try building their own operating system or self-driving robot, having never taken a class about it, and maybe failed or somehow half succeeded, but were left dreaming that there must be a better way.  The search for that better way is what ultimately led them to ask questions nobody had ever asked before.

You’ve been at UTD for many years. Have you seen changes in the research focus of the department in general and in your own research focus?

UTD has undergone incredible growth since I joined back in 2006, especially in cybersecurity.  When I first joined, Dr. Thuraisingham had a grand vision of growing a world-class cyber program at a young university. … I was one of her early recruits … along with Latifur Khan and Murat Kantarcioglu.  Since then, our dream has really become a reality.  Cyber has become a core discipline within most computer science departments around the world, with unquestionable influence on almost every aspect of society and nearly three times the demand of most other CS careers.  It’s been a wild ride!