Endadul Hoque
  • Assistant Professor
  • Dept. of EECS
  • Syracuse University
  •   enhoque AT syr.edu
About Me

I am an Assistant Professor in the Department of Electrical Engineering and Computer Science at Syracuse University (SU). Before joining SU, I was an Assistant Professor in the School of Computing and Information Sciences at Florida International University (FIU) . I received my Ph.D. in Computer Science from from the Department of Computer Science at Purdue University under the supervision of Prof. Cristina Nita-Rotaru in 2015. During 2016, I was a Postdoctoral Research Associate at Northeastern University (Host: Prof. Cristina Nita-Rotaru).


Academic positions
Awards and Grants
Fall 2020
I am currently looking for motivated graduate and undergraduate students who are interested in security of computer networks and systems, IoT security, vulnerability detection, and program analysis. If interested, please contact me through email.
  Latest News
Nov 2021
Two papers published in ACM CCS 2021
Aug 2020
Our project Retrofitting IoT Ecosystems with a Software-defined Overlay to Enforce Safety, Security, and Privacy Policies (in collaboration with Omar Chowdhury) has been funded under the NSF CNS Core program. Thanks NSF!
Jul 2019
I will join EECS@Syracuse as an Assistant Professor from Fall 2019
Feb 2018
Received Cisco Network Security Distinguished Paper Award for our TCPwn paper at NDSS 2018 (one of the top security conferences)
Oct 2017
Our paper "TCPwn" has been accepted in NDSS 2018 (one of the top security conferences)
Our paper titled "Automated Attack Discovery in TCP Congestion Control Using a Model-guided Approach" has been accepted at NDSS Symposium 2018. Many congratulations to Samuel Jero and the rest of the team. We received excellent reviews; here is an excerpt: "This is a really cool paper -- One of those that make you wish you had thought of the idea! It takes a classical problem and presents a refreshing new take on it [...]"
Oct 2017
Our SymCerts paper has been selected as a finalist for the CSAW’17 Applied Research Competition
Mar 2017
Our paper "CHIRON" has been accepted in DSN 2017
Our paper titled "Analyzing Operational Behavior of Stateful Protocol Implementations for Detecting Semantic Bugs" has been accepted at IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) 2017. Many congratulations to Sze Yiu Chau and Omar Chowdhury
Feb 2017
Our paper "SymCerts" has been accepted in IEEE S&P 2017 (the top security conference, also known as Oakland)
Our paper titled "SymCerts: Practical Symbolic Execution For Exposing Noncompliance in X.509 Certificate Validation Implementations" has been accepted at IEEE Symposium on Security and Privacy (S&P) 2017. [Acceptance rate: 13%] Many congratulations to Sze Yiu Chau and Omar Chowdhury


My research focuses on security of computer networks and systems. Software of computer networks and systems continues to have exploitable vulnerabilities, which are lucrative targets for adversaries. Within this broad domain, my particular emphasis is on automated detection of vulnerabilities as well as creating resilient protocols and systems. My research primarily builds on and expands program analysis, software engineering, and formal verification. My interests span several domains of computing, including network communication protocols, operating systems, distributed systems, Internet-of-Things (IoT) systems, and embedded devices.


Semantic bug detection via compliance checking

Vulnerable Execution Discovery in Internet Security Protocols


For full publication list, click  

  Selected Publications
All your Credentials are Belong to Us: On Insecure WPA2-Enterprise Configurations
  • Man Hong Hue, Joyanta Debnath, Kin Man Leung, Li Li, Mohsen Minaei, M. Hammad Mazhar, Kailiang Xian, Endadul Hoque, Omar Chowdhury, and Sze Yiu Chau
  • Conference ACM SIGSAC Conference on Computer and Communications Security (CCS), Korea, Nov 2021.
Morpheus: Bringing The (PKCS) One To Meet the Oracle
  • Moosa Yahyazadeh, Sze Yiu Chau, Li Li, Man Hong Hue, Joyanta Debnath, Sheung Chiu Ip, Li Chun Ngai, Endadul Hoque, and Omar Chowdhury
  • Conference ACM SIGSAC Conference on Computer and Communications Security (CCS), Korea, Nov 2021.
PatrIoT: Policy Assisted Resilient Programmable IoT System
  • Moosa Yahyazadeh, Syed Rafiul Hussain, Endadul Hoque, and Omar Chowdhury
  • Conference International Conference on Runtime verification (RV), Los Angeles, CA, USA, Oct 2020.
aBBRate: Automating BBR Attack Exploration Using a Model-Based Approach
  • Anthony Peterson, Samuel Jero, Endadul Hoque, Dave Choffnes, and Cristina Nita-Rotaru
  • Conference International Symposium on Research in Attacks, Intrusions and Defenses (RAID), San Sebastian, Spain, Oct 2020.
A Formal Security Analysis of ZigBee (1.0 and 3.0)
  • Li Li, Proyash Podder, and Endadul Hoque
  • Conference Hot Topics in the Science of Security Symposium (HotSoS), Lawrence, KS, USA, Sep 2020.
Expat: Expectation-based Policy Analysis and Enforcement for Appified Smart-Home Platforms.
  • Moosa Yahyazadeh, Proyash Podder, Endadul Hoque, and Omar Chowdhury
  • Conference ACM Symposium on Access Control Models and Technologies (SACMAT), Toronto, ON, Canada, Jun 2019.
This paper focuses on developing a security mechanism geared towards appified smart-home platforms. Such platforms often expose programming interfaces for developing automation apps that mechanize different tasks among smart sensors and actuators (e.g., automatically turning on the AC when the room temperature is above 80 F). Due to the lack of effective access control mechanisms, these automation apps can not only have unrestricted access to the user's sensitive information (e.g., the user is not at home) but also violate user expectations by performing undesired actions. As users often obtain these apps from unvetted sources, a malicious app can wreak havoc on a smart-home system by either violating the user's security and privacy, or creating safety hazards (e.g., turning on the oven when no one is at home). To mitigate such threats, we propose Expat which ensures that user expectations are never violated by the installed automation apps at runtime. To achieve this goal, Expat provides a platform-agnostic, formal specification language Uei for capturing user expectations of the installed automation apps' behavior. For effective authoring of these expectations (as policies) in Uei, Expat also allows a user to check the desired properties (e.g., consistency, entailment) of them; which due to their formal semantics can be easily discharged by an SMT solver. Expat then enforces Uei policies in situ with an inline reference monitor which can be realized using the same app programming interface exposed by the underlying platform. We instantiate Expat for one of the representative platforms, OpenHAB, and demonstrate it can effectively mitigate a wide array of threats by enforcing user expectations while incurring only modest performance overhead.
Automated Attack Discovery in TCP Congestion Control Using a Model-guided Approach
  • Sameul Jero, Endadul Hoque, David Choffnes, Alan Mislove, and Cristina Nita-Rotaru
  • Conference Network and Distributed System Security Symposium (NDSS), San Diego, California, Feb 2018.
  • Cisco Network Security Distinguished Paper Award
  • Media Link
One of the most important goals of TCP is to ensure fairness and prevent congestion collapse by implementing congestion control. Various attacks against TCP congestion control have been reported over the years, most of which have been discovered through manual analysis. In this paper, we propose an automated method that combines the generality of implementation-agnostic fuzzing with the precision of runtime analysis to find attacks against implementations of TCP congestion control. It uses a model-guided approach to generate abstract attack strategies, by leveraging a state machine model of TCP congestion control to find vulnerable state machine paths that an attacker could exploit to increase or decrease the throughput of a connection to his advantage. These abstract strategies are then mapped to concrete attack strategies, which consist of sequences of actions such as injection or modification of acknowledgements and a logical time for injection. We design and implement a virtualized platform, TCPwn, that consists of a a proxy-based attack injector and a TCP congestion control state tracker that uses only network traffic to create and inject these concrete attack strategies. We evaluated 5 TCP implementations from 4 Linux distributions and Windows 8.1. Overall, we found 11 classes of attacks, of which 8 are new.
Analyzing Operational Behavior of Stateful Protocol Implementations for Detecting Semantic Bugs
  • Endadul Hoque, Omar Chowdhury, Sze Yiu Chau, Cristina Nita-Rotaru, and Ninghui Li
  • Conference IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Denver, CO. June 2017
Network protocol implementations must comply with their specifications that include properties describing the correct operational behavior of the protocol in response to different temporal orderings of network events. Due to inconsistent interpretations of the specification, developers can unknowingly introduce semantic bugs, which cause the implementations to violate the respective properties. Detecting such bugs in stateful protocols becomes significantly difficult as their operations depend on their internal state machines and the complex interactions between the protocol logic. In this paper, we present an automated tool to help developers analyze their protocol implementations and detect semantic bugs violating the temporal properties of the protocols. Given an implementation, our tool (1) extracts the implemented finite state machine (FSM) of the protocol from the source code by symbolically exploring the code and (2) determines whether the extracted FSM violates given temporal properties by using an off-the-shelf model checker. We demonstrated the efficacy of our tool by applying it on 6 protocol implementations. We detected 11 semantic bugs (2 with security implications) when we analyzed these implementations against properties obtained from their publicly available specifications.
SymCerts: Practical Symbolic Execution For Exposing Noncompliance in X.509 Certificate Validation Implementations
  • Sze Yiu Chau, Omar Chowdhury, Endadul Hoque, Huangyi Ge, Aniket Kate, Cristina Nita-Rotaru, and Ninghui Li
  • Conference IEEE Symposium on Security and Privacy (S&P), San Jose, CA. May 2017.
  • Finalist - CSAW 2017 Applied Research Competition

The X.509 Public-Key Infrastructure has long been used in the SSL/TLS protocol to achieve authentication. A recent trend of Internet-of-Things (IoT) systems employing small footprint SSL/TLS libraries for secure communication has further propelled its prominence. The security guarantees provided by X.509 hinge on the assumption that the underlying implementation rigorously scrutinizes X.509 certificate chains, and accepts only the valid ones. Noncompliant implementations of X.509 can potentially lead to attacks and/or interoperability issues. In the literature, black-box fuzzing has been used to find flaws in X.509 validation implementations; fuzzing, however, cannot guarantee coverage and thus severe flaws may remain undetected. To thoroughly analyze X.509 implementations in small footprint SSL/TLS libraries, this paper takes the complementary approach of using symbolic execution.

We observe that symbolic execution, a technique proven to be effective in finding software implementation flaws, can also be leveraged to expose noncompliance in X.509 implementations. Directly applying an off-the-shelf symbolic execution engine on SSL/TLS libraries is, however, not practical due to the problem of path explosion. To this end, we propose the use of SymCerts, which are X.509 certificate chains carefully constructed with a mixture of symbolic and concrete values. Utilizing SymCerts and some domain-specific optimizations, we symbolically execute the certificate chain validation code of each library and extract path constraints describing its accepting and rejecting certificate universes. These path constraints help us identify missing checks in different libraries. For exposing subtle but intricate noncompliance with X.509 standard, we cross-validate the constraints extracted from different libraries to find further implementation flaws. Our analysis of 9 small footprint X.509 implementations has uncovered 48 instances of noncompliance. Findings and suggestions provided by us have already been incorporated by developers into newer versions of their libraries.

Automated Adversarial Testing of Unmodified Wireless Routing Implementations
  • Endadul Hoque, Hyojeong Lee, Rahul Potharaju, Charles Killian, and Cristina Nita-Rotaru
  • Journal IEEE/ACM Transactions on Networking (ToN), vol 24, issue 6, Dec 2016.
Numerous routing protocols have been designed and subjected to model checking and simulations. However, model checking the design or testing the simulator-based prototype of a protocol does not guarantee that the implementation is free of bugs and vulnerabilities. Testing implementations beyond their basic functionality (also known as adversarial testing) can increase protocol robustness. We focus on automated adversarial testing of real-world implementations of wireless routing protocols. In our previous work we created Turret, a platform that uses a network emulator and virtualization to test unmodified binaries of general distributed systems. Based on Turret, we create Turret-W designed specifically for wireless routing protocols. Turret-W includes new functionalities such as differentiating routing messages from data messages to enable evaluation of attacks on the control plane and the data plane separately, support for several additional protocols (e.g., those that use homogeneous/heterogenous packet formats, those that run on geographic forwarding (not just IP), those that operate at the data link layer instead of the network layer), support for several additional attacks (e.g., replay attacks) and for establishment of adversarial side-channels that allow for collusion. Turret-W can test not only general routing attacks, but also wireless specific attacks such as wormhole. Using Turret-W on publicly available implementations of five representative routing protocols, we (re-)discovered 37 attacks and 3 bugs. All these bugs and 5 of the total attacks were not previously reported to the best of our knowledge.
Building Robust Distributed Systems and Network Protocols Using Adversarial Testing and Behavioral Analysis
  • Endadul Hoque and Cristina Nita-Rotaru
  • Conference IEEE Cybersecurity Development Conference (SecDev), Boston, MA. Nov 2016
We describe our experience over the past five years with building more robust distributed systems and network protocols by using adversarial testing and behavioral analysis. We describe the benefits and disadvantages of both approaches and the design of the tools we have built (Turret, Turret-W, SNAKE, and Chiron). We discuss how we applied them to byzantine-resilient state machine replication, wireless routing protocols, transport protocols, TLS, and IoT implementation of application-level protocols.

Fall 2021

  • CSE 486: Design of Operating Systems [course page]

  • CIS600/CIS700/CSE691/CSE791: Security and Assurance of Software Stacks [course page]

Spring 2021

  • CIS 657: Principles of Operating Systems [course page]

Fall 2020

  • CIS600/CIS700/CSE691/CSE791: Security and Assurance of Emerging Areas [course page]

Spring 2020

  • CIS 657: Principles of Operating Systems [course page]

Fall 2019

Courses Taught at FIU

  • CIS 5373: Systems Security

    [Spring 2019, Fall 2018, Fall 2017]
  • COT 5428: Formal Foundations of Cybersecurity

    [Spring 2018]

Program Committee Member

Program Chair/Co-chair

Contact Me

The best way to contact me is through email!

  enhoque AT syr.edu