Kangjie Lu

Assistant Professor

Department of Computer Science & Engineering
University of Minnesota

Office: 5-217 Keller Hall, 200 Union St SE Minneapolis, MN 55455
Email: kjlu@umn.edu

Google scholar | GitHub


I am an assistant professor in the Computer Science & Engineering Department of the University of Minnesota--Twin Cities. I earned my Ph.D. in Computer Science from Georgia Tech in 2017.

My research strives to help users automatically uncover and address security problems, and to harden widely used systems while preserving their reliability and efficiency. I have developed multiple systems and tools that prevent advanced attacks, eliminate vulnerabilities, and detect privacy leaks. My work has resulted in many updates in popular systems such as the Linux kernel, the Android OS, and Apple’s iOS.

I'm looking for Ph.D. students, a postdoc, and visiting students. If you are interested in systems and security, please feel free to contact me! See details.

News

  • [10/18/2018] Our paper on preventing memory disclosures via diversificaiton and replicated execution has been accepted to IEEE TDSC
  • [08/24/2018] Our proposal on detecting module-specific semantic errors has been award by NSF. Thanks NSF!
  • [07/24/2018] Our paper on detecting lacking-recheck bugs in OS kernels has been conditionally accepted to ACM CCS'18.
  • [02/01/2018] I will serve on the program committee of ACM CCS'18
  • [11/27/2017] Our paper on detecting real double-fetch bugs got accepted at IEEE S&P'18!
  • [10/11/2017] I will serve on the program committee of USENIX Security'18
  • [09/16/2017] Openings available for Ph.D. students, a postdoc, and visiting students!
  • [08/28/2017] Started working at UMN as an assistant professor
  • [08/02/2017] I will serve on the program committee of AsiaCCS'18

    • Research

    For efficiency and flexibility purposes, widely used software systems such as operating systems and web servers are implemented in unsafe programming languages, and system designers often prioritize performance over security. As a result, these systems inherently suffer from a variety of vulnerabilities and insecure designs that have been exploited by adversaries to launch critical system attacks. System attacks constitute a major threat to our cyber world. The past several years have continuously witnessed critical system attacks targeting systems belonging to individuals, enterprises, and government agencies.

    My research aims to secure widely used software systems in an automated and practical manner: to help users automatically uncover and address security problems without requiring manual effort, and to protect widely used systems (e.g., the Linux kernel) while preserving their reliability and efficiency. I have worked towards my research goal in the following directions.

    Investigating vulnerabilities and insecure designs

    • LRSan detects lacking-recheck bugs (a checked variable is further modified before being used) in the Linux kernel. We found 19 new lacking-recheck bugs.
    • Deadline formally defines double-fetch bugs in OS kernels, and precisely and efficiently detects them using static program analysis and symbolic execution. We found 24 new double-fetch bugs in OS kernels.
    • Target spraying reliably exploits uninitialized-use vulnerabilities by employing tailored symbolic execution and guided fuzzing.
    • Jekyll uncovers insecurity with Apple's code signing and app review mechanisms, leading Apple to harden iOS.

    Hardening software systems

    • Bunshin enables different and even conflicting security mechanisms to be combined to secure a program while reducing the execution slowdown, using N-version programming.
    • UniSan eliminates the most common information-leak vulnerabilities is OS kernels.
    • ASLR-Guard and RuntimeASLR harden programs to prevent code-pointers leaks, using compiler techniques and dynamic instrumentation.
    • DFI protects data-flow integrity for critical data in OS kernels.

    Detecting privacy leaks

    • AAPL employs enhanced data-flow analysis and peer-voting to detect suspicous privacy leaks in Android apps.
    • SUPOR automatically infers sensitive user inputs on a large scale.

    Analyzing malware


    Stopping Memory Disclosures via Diversification and Replicated Execution [PDF]
    Kangjie Lu, Meng Xu, Chengyu Song, Taesoo Kim, and Wenke Lee.
    IEEE Transactions on Dependable and Secure Computing (TDSC), October 2018.
    Check it Again: Detecting Lacking-Recheck Bugs in OS Kernels [PDF]
    Wenwen Wang, Kangjie Lu, and Pen-Chung Yew.
    In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS). Toronto, Canada, October 2018.
    Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels [PDF]
    Meng Xu, Chenxiong Qian, Kangjie Lu, Michael Backes, and Taesoo Kim.
    In Proceedings of the 39th IEEE Symposium on Security and Privacy (Oakland). San Francisco, CA, May 2018.
    Bunshin: Compositing Security Mechanisms through Diversification [PDF]
    Meng Xu, Kangjie Lu, Taesoo Kim, and Wenke Lee.
    In Proceedings of the 2017 USENIX Annual Technical Conference (ATC). Santa Clara, CA, July 2017.
    Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying [PDF]
    Kangjie Lu, Marie-Therese Walter, David Pfaff, Stefan Nürnberger, Wenke Lee, and Michael Backes.
    In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA, February 2017.
    UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages [PDF | Page | Code]
    Kangjie Lu, Chengyu Song, Taesoo Kim, and Wenke Lee.
    In Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS). Vienna, Austria, October 2016.
    Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques [PDF]
    Meng Xu, Chengyu Song, Yang ji, Ming-Wei Shih, Kangjie Lu, Cong Zheng, Ruian Duan, Yeongjin Jang, Byoungyoung Lee, Chenxiong Qian, Sangho Lee, , and Taesoo Kim.
    ACM Computing Surveys 49(2), August 2016.
    How to Make ASLR Win the Clone Wars: Runtime Re-Randomization [PDF | Demo | Code]
    Kangjie Lu, Stefan Nürnberger, Michael Backes, and Wenke Lee.
    In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA, February 2016.
    Enforcing Kernel Security Invariants with Data Flow Integrity [PDF]
    Chengyu Song, Byoungyoung Lee, Kangjie Lu, William R. Harris, Taesoo Kim, and Wenke Lee.
    In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA, February 2016.
    ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks [PDF | Code | Page]
    Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, and Wenke Lee.
    In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS). Denver, Colorado, October 2015.
    SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps [PDF]
    Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, and Guofei Jiang.
    In Proceedings of the 24th USENIX Security Symposium (Security). Washington, DC, August 2015.
    Software Watermarking using Return-Oriented Programming [PDF]
    Haoyu Ma, Kangjie Lu, Xinjie Ma, Haining Zhang, Chunfu Jia, and Debin Gao.
    In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS). Singapore, April–June 2015.
    Checking more and alerting less: Detecting privacy leakages via enhanced data-flow analysis and peer voting [PDF]
    Kangjie Lu, Zhichun Li, Vasileios Kemerlis, Zhenyu Wu, Long Lu, Cong Zheng, Zhiyun Qian, Wenke Lee, and Guofei Jiang.
    In Proceedings of the 2015 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA, February 2015.
    RopSteg: Program Steganography with Return Oriented Programming [PDF]
    Kangjie Lu, Siyang Xiong, and Debin Gao.
    In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy (CODASPY). San Antonio, Texas, USA, March 2014.
    Jekyll on iOS: When Benign Apps Become Evil [PDF]
    Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee.
    In Proceedings of the 22th USENIX Security Symposium (Security). Washington, DC, August 2013.
    deRop: Removing Return-Oriented Programming from Malware [PDF]
    Kangjie Lu, Dabi Zou, Weiping Wen, and Debin Gao.
    In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC). Orlando, Florida, USA, December 2011.
    Packed, Printable, and Polymorphic Return-Oriented Programming [PDF]
    Kangjie Lu, Dabi Zou, Weiping Wen, and Debin Gao.
    In Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID). Menlo Park, California, USA, September 2011.

    Advising

    • Aditya Pakki (PhD student, co-advised with Jon Weissman)
    • Qiushi Wu (PhD student)
    • Bowen Wang (PhD student)
    • Mehrad HajiAghaBozorgi (PhD student)

    Assistant Professor University of Minnesota, Minneapolis 2017.8 - Present
    Visiting Scholar MPI-SWS & CISPA, Saarland University, Saarbrücken, Germany 2016.5 - 2016.8
    Visiting Scholar MPI-SWS & CISPA, Saarland University, Saarbrücken, Germany 2015.5 - 2015.8
    Research Intern Samsung Research America, Santa Clara 2014.5 - 2014.8
    Research Intern NEC Labs America, Princeton 2013.5 - 2013.8
    Research Assistant Georgia Institute of Technology, Atlanta 2012.8 - 2017.8
    Research Engineer Singapore Management University, Singapore 2011.11 - 2012.6
    Research Assistant Singapore Management University, Singapore 2010.7 - 2011.8
    Research Assistant Peking University, Beijing, China 2009.9 - 2010.7

    Program Committees

    • The 25th ACM Conference on Computer and Communications Security (CCS '18)
    • The 27th USENIX Security Symposium (USENIX Security '18)
    • The 13th ACM Asia Conference on Computer and Communications Security (AsiaCCS '18)

    CVE-2016-5243: tipc: stack object link_info in tipc_nl_compat_link_dump() is disclosed without being properly initialized, causing kernel infoleak of up to 60 bytes.
    CVE-2016-4569: x25: stack object dte_facilities in x25_negotiate_facilities() is disclosed without being initialized, causing kernel infoleak of up to 8 bytes.
    CVE-2016-4578: ASLA: Two Linux kernel information leak vulnerabilities in timer.c; each can leak 8 bytes.
    CVE-2016-4569: ASLA: a Linux kernel information leak vulnerability in timer (stack object tread).
    CVE-2016-4486: netlink: an uninitialized data leak in linux kernel (stack object map in net/core/rtnetlink.c).
    CVE-2016-4482: usb: an uninitialized data leak in linux kernel (stack object ci in drivers/usb/core/devio.c).
    CVE-2016-4485: llc: an uninitialized data leak in linux kernel (stack object info in file net/llc/af_llc.c).
    CVE-2016-5244: rds: stack object minfo in net/rds/recv.c is disclosed without being fully initialized, causing 1 byte kernel infoleak.
    Link: wireless: the whole array mac_addr may be sent out without initialization. This can cause a kernel infoleak of 6 bytes.