Shaanan is a Senior Lecturer and ARC DECRA Fellow whose research centers on the interplay between computer systems and the law, with particular focus on applications of cryptography. Shaanan recently completed a Postdoctoral Fellowship at Princeton University. Prior to that he served in the office of U.S. Senator Ron Wyden as a Cybersecurity Fellow.
Archive
TrustedThings
A collaborative on vulnerability discovery combining systems, formal methods, and dynamic software testing.
TrustedThings is a collaboration between Shaanan Cohney, Toby Murray, and Thuan Pham focused on vulnerability discovery in systems that are difficult to test.
The work integrates systems thinking, formal methods, and dynamic testing, building on prior advances in scalable fuzzing and automated security testing. Current efforts include identifying excessive data exposures, improving end-to-end Web API fuzzing, and linking program structure to more effective test generation. The collaboration also supports joint student supervision and contract-funded Masters projects in software security.
Team
Leads
Researchers and PhD students
Masters students
Matthew Pham, Ryan Chen, Han Perry, Xiaocong Zhang, Qingyun Wu, Michael Maxwell Wenn, Haodong Gu, Zachary Duthie, and Simon Kelly.
Undergraduate students
Fane Ye and Ray Zhang.
Research
What we work on
- Finding vulnerabilities in software systems that are hard to test with conventional methods.
- Web APIs, stateful network protocols, and other systems with incomplete specifications, deep state, or weak bug oracles.
- Automated testing methods that recover structure from real artefacts and use that structure to drive fuzzing.
- Metamorphic fuzzing for excessive data exposure, end-to-end fuzzing for undocumented APIs, stronger stateful protocol fuzzing, and code-review-guided fuzzing.
- Making vulnerability discovery work on systems that standard fuzzing handles poorly.
Activity
Shared supervision and project work
- Joint PhD and Masters supervision, shared tool-building, and partner-linked project work in automated software security.
- Recent student work spanning Web API security testing, protocol fuzzing and reverse engineering, and source-code- and review-guided test generation.
Outcomes
Selected publications, patent, and recognition
Awarded paper
Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing
Lianglu Pan, Shaanan Cohney, Toby Murray, and Van-Thuan Pham. ICSE 2024.
Received the Distinguished Paper Award at the 46th ACM/IEEE International Conference on Software Engineering.
Paper
Trailblazer: Practical End-to-end Web API Fuzzing
Lianglu Pan, Shaanan Cohney, Toby Murray, and Van-Thuan Pham. ISSTA 2025 Registered Report.
Paper
Following Dragons: Code Review-Guided Fuzzing
Viet Hoang Luu, Amirmohammad Pasdar, Wachiraphan Charoenwet, Toby Murray, Shaanan Cohney, and Van-Thuan Pham. 2026 arXiv preprint.
Patent
System and Method for Detecting Excessive Data Exposures
Australian Provisional Patent 2022903182. Lianglu Pan, Toby Murray, Thuan Pham, and Shaanan Cohney.
Funding
Joint support
CSA, Research Contract for 2x Masters Projects
$110,000 AUD · 2024 · with Van Thuan Pham and Toby Murray
Defense Science Technology Group, Research Contract for PhD Supervision
$30,000 AUD · 2024 · with Van Thuan Pham and Toby Murray
Feedback-Guided Security Testing for Embedded Systems
University CIS Competitive Grant · $35,000 AUD · 2023 · with Van Thuan Pham and Toby Murray