I am an assistant professor in the Computer Science & Engineering
Department of the University of Minnesota--Twin Cities.
I research and teach systems security. My primary research lies at
the intersection of security, operating systems, program analysis,
and compilers. My research also occasionally involves machine
learning and computer architecture.
I earned my Ph.D. in Computer Science from Georgia Tech in 2017.
I'm looking for Ph.D. students, a postdoc, and visiting students.
If you are interested in systems and security, please feel free to
contact me! See details.
News
[03/03/2021] I will be on the program committee of IEEE S&P 2022.
[02/12/2021] Our work on detecting unsafe DMA accesses was accepted to USENIX Security'21. Unchecked and inconsistent DMA accesses are very common in drivers; we found about 300 such bugs in Linux drivers.
[01/15/2021] Glad to know our paper on symbolically executing PHP built-in functions got accepted to WWW'21. It supports cross-language symbolic execution, loosely-type inference, etc.
[11/21/2020] Our work on studying vulnerability-introducing patches got accepted to Oakland'21! We show that a malicious committer can practically and stealthily introduce vulnerabilities through minor patches into open-source projects. Disclaimer: We did not introduce any vulnerability or bug-introducing commit into OSS.
[11/03/2020] A paper accepted to NDSS'21: We developed a tool that can analyze pointer ownership for C and identify specialized allocation/deallocation. The tool identified many CVE-assigned memory leaks in the kernel.
[10/22/2020] Our work for refining indirect-call targets has been adopted by the ELISA project and the Linux Foundation. Code found here.
[09/11/2020] Glad to share that we have two papers, on program analysis and kernel-bug detection, conditionally accepted to USENIX Security'21. One detects refcount bugs, and the other detects bugs resulting from disordered error handling. Congratulations to my students and collaborators!
[08/14/2020] Our paper on metrics-driven fuzzing evaluation finally got accepted to USENIX Security'21 following a revision. The platform is to be released.
[06/29/2020] Our paper studying the new security risks of Docker Hub, sensitive commands, massive unpatched vulnerabilities, and malware, is to appear in ESORICS'20.
[03/30/2020] Congrats to Aditya for his paper conditionally accepted to ACM CCS'20! This paper shows how exaggerated (excessive) error handling causes kernel and process crashing, and detects it with context-aware analysis.
...
Research
My research aims to secure widely used systems and foundational
software, such as OS kernels and compilers, in a principled and
practical manner---to discover new classes of vulnerabilities and
threats, to detect security bugs, and to protect software systems
from attacks. While actively discovering security issues with
empirical analysis, I strive to ensure that the proposed detection and
defense techniques are sharp and generic.
My work has resulted in many updates in popular systems such as the
Linux kernel, the Android OS, and Apple’s iOS. Specifically, I have
been working towards my research goals in the following directions.
Building-block development for software security
Program analysis: Indirect-call analysis, alias analysis
Defense: Intra-process isolation, control- and data-flow integrity
Concurrency bugs, memory disclosures, and side channels
System hardening against runtime attacks
Memory safety, control-flow integrity, (re-)randomization,
execute-only memory (in SGX)
Publications
2021
Understanding and Detecting Disordered Error Handling with Precise Function Pairing [PDF] Qiushi Wu, Aditya Pakki, Navid Emamdoost, Stephen McCamant, and Kangjie Lu. To appear in Proceedings of the 30th USENIX Security Symposium (Security'21). Vancouver, Canada, August 2021.
Static Detection of Unsafe DMA Accesses in Device Drivers Jia-Ju Bai, Tuo Li, Kangjie Lu, and Shi-Min Hu. To appear in Proceedings of the 30th USENIX Security Symposium (Security'21). Vancouver, Canada, August 2021.
Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking Xin Tan, Yuan Zhang, Xiyu Yang, Kangjie Lu, and Min Yang. To appear in Proceedings of the 30th USENIX Security Symposium (Security'21). Vancouver, Canada, August 2021.
UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers [PDF] Yuwei Li, Shouling Ji, Yuan Chen, Sizhuang Liang, Wei-Han Lee, Yueyao Chen, Chenyang Lyu, Chunming Wu, Raheem Beyah, Peng Cheng, Kangjie Lu, and Ting Wang. To appear in Proceedings of the 30th USENIX Security Symposium (Security'21). Vancouver, Canada, August 2021.
On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits Qiushi Wu, and Kangjie Lu. To appear in Proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland'21). Virtual conference, May 2021. ★ Note: The experiment did not introduce any bug or bug-introducing commit into OSS. It demonstrated weaknesses in the patching process in a safe way. No user was affected, and IRB exempt was issued. The experiment actually fixed three real bugs. Please see the clarifications.
On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution [PDF] Penghui Li, Wei Meng, Kangjie Lu, and Changhua Luo. To appear in Proceedings of the 30th International World Wide Web Conference (WWW'21). Virtual conference, April 2021.
Detecting Kernel Memory Leaks in Specialized Modules with Ownership Reasoning [PDF] Navid Emamdoost, Qiushi Wu, Kangjie Lu, and Stephen McCamant. In Proceedings of the 2021 Annual Network and Distributed System Security Symposium (NDSS'21). San Diego, CA, February 2021.
Cross-Architecture Testing for Compiler-Introduced Security Bugs Jianhao Xu, Kangjie Lu, and Bing Mao. In the 5th Workshop on Principles of Secure Compilation (PriSC'21), co-located with POPL'21. Online, January 2021.
2020
Exaggerated Error Handling Hurts! An In-Depth Study and Context-Aware Detection [PDF] Aditya Pakki, and Kangjie Lu. In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS'20). Orlando, FL, November 2020.
Understanding the Security Risks of Docker Hub [PDF] Peiyu Liu, Shouling Ji, Lirong Fu, Kangjie Lu, Xuhong Zhang, Wei-Han Lee, Tao Lu, Wenzhi Chen, and Raheem Beyah. In Proceedings of the 25th European Symposium on Research in Computer Security (ESORICS'20). Guildford, UK, September 2020.
Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection [PDF] Zu-Ming Jiang, Jia-Ju Bai, Kangjie Lu, and Shi-Min Hu. In Proceedings of the 29th USENIX Security Symposium (Security'20). Boston, MA, August 2020.
SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation [PDF] Zhe Wang, Chenggang Wu, Mengyao Xie, Yinqian Zhang, Kangjie Lu, Xiaofeng Zhang, Yuanming Lai, Yan Kang, and Min Yang. In Proceedings of the 41st IEEE Symposium on Security and Privacy (Oakland'20). San Francisco, CA, May 2020.
MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX [PDF] Wenjia Zhao, Kangjie Lu, and Yong Qi. In Proceedings of the 15th European Conference on Computer Systems (EuroSys'20). Crete, Greece, April 2020.
Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison [PDF] Qiushi Wu, Yang He, Stephen McCamant, and Kangjie Lu. In Proceedings of the 2020 Annual Network and Distributed System Security Symposium (NDSS'20). San Diego, CA, February 2020.
2019
Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis [PDF] Kangjie Lu, and Hong Hu. In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS'19). London, UK, November 2019. ★ Best Paper Award (1/947)
Automatically Identifying Security Checks for Detecting Kernel Semantic Bugs [PDF | Code] Kangjie Lu, Aditya Pakki, and Qiushi Wu. In Proceedings of the 24th European Symposium on Research in Computer Security (ESORICS'19). Luxembourg, September 2019.
Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences [PDF | Code] Kangjie Lu, Aditya Pakki, and Qiushi Wu. In Proceedings of the 28th USENIX Security Symposium (Security'19). Santa Clara, CA, August 2019.
2018
Stopping Memory Disclosures via Diversification and Replicated Execution [PDF] Kangjie Lu, Meng Xu, Chengyu Song, Taesoo Kim, and Wenke Lee. IEEE Transactions on Dependable and Secure Computing (TDSC'18), October 2018.
Check it Again: Detecting Lacking-Recheck Bugs in OS Kernels [PDF | Code] Wenwen Wang, Kangjie Lu, and Pen-Chung Yew. In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS'18). Toronto, Canada, October 2018.
Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels [PDF] Meng Xu, Chenxiong Qian, Kangjie Lu, Michael Backes, and Taesoo Kim. In Proceedings of the 39th IEEE Symposium on Security and Privacy (Oakland'18). San Francisco, CA, May 2018.
2017
Bunshin: Compositing Security Mechanisms through Diversification [PDF] Meng Xu, Kangjie Lu, Taesoo Kim, and Wenke Lee. In Proceedings of the 2017 USENIX Annual Technical Conference (ATC'17). Santa Clara, CA, July 2017.
Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying [PDF] Kangjie Lu, Marie-Therese Walter, David Pfaff, Stefan Nürnberger, Wenke Lee, and Michael Backes. In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS'17). San Diego, CA, February 2017.
2016
UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages [PDF | Code | Page] Kangjie Lu, Chengyu Song, Taesoo Kim, and Wenke Lee. In Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS'16). Vienna, Austria, October 2016.
Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques [PDF] Meng Xu, Chengyu Song, Yang Ji, Ming-Wei Shih, Kangjie Lu, Cong Zheng, Ruian Duan, Yeongjin Jang, Byoungyoung Lee, Chenxiong Qian, Sangho Lee, and Taesoo Kim. ACM Computing Surveys (CSUR'16) 49(2), August 2016.
How to Make ASLR Win the Clone Wars: Runtime Re-Randomization [PDF | Code | Demo] Kangjie Lu, Stefan Nürnberger, Michael Backes, and Wenke Lee. In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS'16). San Diego, CA, February 2016.
Enforcing Kernel Security Invariants with Data Flow Integrity [PDF] Chengyu Song, Byoungyoung Lee, Kangjie Lu, William R. Harris, Taesoo Kim, and Wenke Lee. In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS'16). San Diego, CA, February 2016.
2015
ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks [PDF | Code | Page] Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, and Wenke Lee. In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS'15). Denver, Colorado, October 2015.
SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps [PDF] Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, and Guofei Jiang. In Proceedings of the 24th USENIX Security Symposium (Security'15). Washington, DC, August 2015.
Software Watermarking using Return-Oriented Programming [PDF] Haoyu Ma, Kangjie Lu, Xinjie Ma, Haining Zhang, Chunfu Jia, and Debin Gao. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS'15). Singapore, April–June 2015.
Checking more and alerting less: Detecting privacy leakages via enhanced data-flow analysis and peer voting [PDF] Kangjie Lu, Zhichun Li, Vasileios Kemerlis, Zhenyu Wu, Long Lu, Cong Zheng, Zhiyun Qian, Wenke Lee, and Guofei Jiang. In Proceedings of the 2015 Annual Network and Distributed System Security Symposium (NDSS'15). San Diego, CA, February 2015.
2014
RopSteg: Program Steganography with Return Oriented Programming [PDF] Kangjie Lu, Siyang Xiong, and Debin Gao. In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy (CODASPY'14). San Antonio, Texas, USA, March 2014.
2013
Jekyll on iOS: When Benign Apps Become Evil [PDF] Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. In Proceedings of the 22nd USENIX Security Symposium (Security'13). Washington, DC, August 2013.
2011
deRop: Removing Return-Oriented Programming from Malware [PDF] Kangjie Lu, Dabi Zou, Weiping Wen, and Debin Gao. In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC'11). Orlando, Florida, USA, December 2011.
Packed, Printable, and Polymorphic Return-Oriented Programming [PDF] Kangjie Lu, Dabi Zou, Weiping Wen, and Debin Gao. In Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID'11). Menlo Park, California, USA, September 2011.