I am an assistant professor in the Computer Science & Engineering Department of the University of Minnesota--Twin Cities. I research and teach systems security. My primary research lies at the intersection of security, operating systems, program analysis, and compilers. My research also occasionally involves machine learning and computer architecture. I earned my Ph.D. in Computer Science from Georgia Tech in 2017.
I'm looking for Ph.D. students, a postdoc, and visiting students. If you are interested in systems and security, please feel free to contact me! See details.
The "hypocrite commits" work
On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits
- 11/21/2020: Paper accepted
- 12/15/2020: Clarifications
- 04/21/2021: The Linux incident happened due to superfluous patches from Aditya Pakki for a new bug-finding project
- 04/24/2021: Open letter to Linux
- 04/26/2021: Paper withdrawn
- 04/27/2021: Full disclosure of case study
- 04/27/2021: Department response to the Linux Foundation: The three hypocrite patches never were intended to be added to code, and, in fact, were not added.
- 05/05/2021: The Linux Technical Advisory Board report: No malicious or bad-faith code found in the re-reviewed UMN patches.
- [02/12/2021] Our work on detecting unsafe DMA accesses was accepted to USENIX Security'21. Unchecked and inconsistent DMA accesses are very common in drivers; we found about 300 such bugs in Linux drivers.
- [01/15/2021] Glad to know our paper on symbolically executing PHP built-in functions got accepted to WWW'21. It supports cross-language symbolic execution, loose-type inference, etc.
- [11/03/2020] A paper accepted to NDSS'21: We developed a tool that can analyze pointer ownership for C and identify specialized allocation/deallocation. The tool identified many CVE-assigned memory leaks in the kernel.
- [10/22/2020] Our work for refining indirect-call targets has been adopted by the ELISA project and the Linux foundation. Code found here.
- [09/11/2020] Glad to share that we have two papers, on program analysis and kernel-bug detection, conditionally accepted to USENIX Security'21. One detects refcount bugs, and the other detects bugs resulting from disordered error handling. Congratulations to my students and collaborators!
- [08/14/2020] Our paper on metrics-driven fuzzing evaluation finally got accepted to USENIX Security'21 following a revision. The platform is to be released.
- [06/29/2020] Our paper studying the new security risks of Docker Hub (sensitive commands, massive unpatched vulnerabilities, and malware) is to appear in ESORICS'20.
- [03/30/2020] Congrats to Aditya for his paper conditionally accepted to ACM CCS'20! This paper shows how exaggerated (excessive) error handling causes kernel and process crashes, and detects it with context-aware analysis.
- [03/04/2020] SEIMI accepted to Oakland'20! It securely runs user code in kernel mode (ring 0) using virtualization techniques.
- [02/21/2020] Our fuzzing work got accepted to USENIX Security'20! Using a new context-sensitive fault-injection technique, we are able to effectively fuzz-test error-handling code that is largely missed by current fuzzing. Many new bugs were found in well-tested programs like OpenSSL.
My research aims to secure widely used systems and foundational software, such as OS kernels and compilers, in a principled and practical manner---to discover new classes of vulnerabilities and threats, to detect security bugs, and to protect software systems from attacks. While actively discovering security issues with empirical analysis, I strive to ensure that the proposed detection and defense techniques are sharp and generic. My work has resulted in many updates in popular systems such as the Linux kernel, the Android OS, and Apple’s iOS. Specifically, I have been working towards my research goals in the following directions.
- Building-block development for software security
  - Program analysis: Indirect-call analysis, alias analysis
  - Defense: Intra-process isolation, control- and data-flow integrity
- Whole-kernel analysis for detecting security bugs
  - Cross-checking, rule inference, staged symbolic execution, security-check identification, error-handling analysis
- Multi-dimensional and semantic-informed fuzzing
  - Timing/concurrency mutation, context-sensitive fault injection (for fuzzing error handling)
- Compiler-bug discovery and secure compilation
  - Concurrency bugs, memory disclosures, and side channels
- System hardening against runtime attacks
  - Memory safety, control-flow integrity, (re-)randomization, execute-only memory (in SGX)
- Spring 2021: CSCI 5271: Introduction to Computer Security
- Fall 2020: CSCI 8271: Security and Privacy in Computing
- Spring 2020: CSCI 4061: Introduction to Operating Systems
- Fall 2019: CSCI 8271: Security and Privacy in Computing
- Spring 2019: CSCI 4061: Introduction to Operating Systems
- Fall 2018: CSCI 5271: Introduction to Computer Security
- Spring 2018: CSCI 8980: Topics in Systems Security
- PhD students
- Master's students
  - Zhengwen Jiang
  - Tanglin Zhou
  - Yang He
- Undergraduate students
  - Joe Numainville
| Position | Institution | Period |
|---|---|---|
| Assistant Professor | University of Minnesota, Minneapolis | 2017.8 - Present |
| Visiting Scholar | MPI-SWS & CISPA, Saarland University, Saarbrücken, Germany | 2016.5 - 2016.8 |
| Visiting Scholar | MPI-SWS & CISPA, Saarland University, Saarbrücken, Germany | 2015.5 - 2015.8 |
| Research Intern | Samsung Research America, Santa Clara | 2014.5 - 2014.8 |
| Research Intern | NEC Labs America, Princeton | 2013.5 - 2013.8 |
| Research Assistant | Georgia Institute of Technology, Atlanta | 2012.8 - 2017.8 |
| Research Assistant | Singapore Management University, Singapore | 2010.7 - 2012.6 |
| Research Assistant | Peking University, Beijing, China | 2009.9 - 2010.7 |
- The ACM Conference on Computer and Communications Security (CCS): 2018, 2019, 2020, 2021
- The USENIX Security Symposium (USENIX Security): 2018, 2021
- The Network and Distributed System Security Symposium (NDSS): 2021
- The ACM Asia Conference on Computer and Communications Security (AsiaCCS): 2018, 2021