Kangjie Lu

Assistant Professor

Department of Computer Science & Engineering
University of Minnesota

Office: 5-217 Keller Hall, 200 Union St SE Minneapolis, MN 55455
Email: kjlu@umn.edu

Google scholar | GitHub


I am an assistant professor in the Computer Science & Engineering Department of the University of Minnesota--Twin Cities. I earned my Ph.D. in Computer Science from Georgia Tech in 2017.

My research strives to help users automatically uncover and address security problems, and to harden widely used systems while preserving their reliability and efficiency. I have developed multiple systems and tools that prevent advanced attacks, eliminate vulnerabilities, and detect privacy leaks. My work has resulted in many updates in popular systems such as the Linux kernel, the Android OS, and Apple’s iOS.

I'm looking for Ph.D. students, a postdoc, and visiting students. If you are interested in systems and security, please feel free to contact me! See details.

News

  • [07/30/2019] Got one paper that soundly and precisely identifies indirect-call targets in large programs accepted to ACM CCS'19
  • [07/07/2019] My proposal on checking security checks in OS kernels has been recommended for funding. Thanks NSF!
  • [06/21/2019] We got one paper on identifying security checks and detecting semantic bugs accepted to ESORICS'19
  • [05/25/2019] Our paper on detecting missing-check bugs in OS kernels has been accepted to USENIX Security'19
  • [11/26/2018] Invited to serve on the program committee of ACM CCS'19
  • [10/18/2018] Our paper on preventing memory disclosures via diversification and replicated execution has been accepted to IEEE TDSC
  • [08/24/2018] Our proposal on detecting module-specific semantic errors has been awarded by NSF. Thanks NSF!
  • [07/24/2018] Our paper on detecting lacking-recheck bugs in OS kernels has been conditionally accepted to ACM CCS'18.
  • [02/01/2018] I will serve on the program committee of ACM CCS'18
  • [11/27/2017] Our paper on detecting real double-fetch bugs got accepted at IEEE S&P'18!
  • ...
Research

    For efficiency and flexibility purposes, widely used software systems such as operating systems and web servers are implemented in unsafe programming languages, and system designers often prioritize performance over security. As a result, these systems inherently suffer from a variety of vulnerabilities and insecure designs that have been exploited by adversaries to launch critical system attacks. System attacks constitute a major threat to our cyber world. The past several years have continuously witnessed critical system attacks targeting systems belonging to individuals, enterprises, and government agencies.

    My research aims to secure widely used software systems in an automated and practical manner: to help users automatically uncover and address security problems without requiring manual effort, and to protect widely used systems (e.g., the Linux kernel) while preserving their reliability and efficiency. I have worked towards my research goal in the following directions.

    Enabling precise and scalable whole-kernel analysis

    • MLTA precisely identifies indirect-call targets in large programs like kernels and browsers using a new layered type analysis.
    • CheQ can infer critical semantics in OS kernels, e.g., custom error codes, error handling, and security checks.

    Detecting vulnerabilities and insecure designs

    • Crix and CheQ employ cross-checking to find more than 400 new kernel bugs such as missing check and NULL-pointer dereferencing.
    • LRSan detects lacking-recheck bugs (a checked variable is further modified before being used). 19 new bugs found.
    • Deadline defines and detects double-fetch bugs in OS kernels using both static analysis and symbolic execution. 24 new bugs found.
    • Target spraying reliably exploits uninitialized-use vulnerabilities by employing tailored symbolic execution and guided fuzzing.
    • Jekyll uncovers insecurity with Apple's code signing and app review mechanisms, leading Apple to harden iOS.

    Hardening software systems

    • Bunshin enforces different and even conflicting security mechanisms in a program efficiently, using N-version programming.
    • UniSan eliminates the most common information-leak vulnerabilities in OS kernels.
    • ASLR-Guard and RuntimeASLR harden programs to prevent code-pointer leaks, using compiler techniques and dynamic instrumentation.
    • DFI protects data-flow integrity for critical data in OS kernels.

    Identifying privacy leaks

    • AAPL employs enhanced data-flow analysis and peer-voting to detect suspicious privacy leaks in Android apps.
    • SUPOR automatically infers sensitive user inputs on a large scale.

    Analyzing malware


    Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis (to appear) [PDF]
    Kangjie Lu, and Hong Hu.
    In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS). London, UK, October 2019.
    Automatically Identifying Security Checks for Detecting Kernel Semantic Bugs [PDF | Code]
    Kangjie Lu, Aditya Pakki, and Qiushi Wu.
    In Proceedings of the 24th European Symposium on Research in Computer Security (ESORICS). Luxembourg, September 2019.
    Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences [PDF]
    Kangjie Lu, Aditya Pakki, and Qiushi Wu.
    In Proceedings of the 28th USENIX Security Symposium (Security). Santa Clara, CA, August 2019.
    Stopping Memory Disclosures via Diversification and Replicated Execution [PDF]
    Kangjie Lu, Meng Xu, Chengyu Song, Taesoo Kim, and Wenke Lee.
    IEEE Transactions on Dependable and Secure Computing (TDSC), October 2018.
    Check it Again: Detecting Lacking-Recheck Bugs in OS Kernels [PDF | Code]
    Wenwen Wang, Kangjie Lu, and Pen-Chung Yew.
    In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS). Toronto, Canada, October 2018.
    Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels [PDF]
    Meng Xu, Chenxiong Qian, Kangjie Lu, Michael Backes, and Taesoo Kim.
    In Proceedings of the 39th IEEE Symposium on Security and Privacy (Oakland). San Francisco, CA, May 2018.
    Bunshin: Compositing Security Mechanisms through Diversification [PDF]
    Meng Xu, Kangjie Lu, Taesoo Kim, and Wenke Lee.
    In Proceedings of the 2017 USENIX Annual Technical Conference (ATC). Santa Clara, CA, July 2017.
    Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying [PDF]
    Kangjie Lu, Marie-Therese Walter, David Pfaff, Stefan Nürnberger, Wenke Lee, and Michael Backes.
    In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA, February 2017.
    UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages [PDF | Page | Code]
    Kangjie Lu, Chengyu Song, Taesoo Kim, and Wenke Lee.
    In Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS). Vienna, Austria, October 2016.
    Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques [PDF]
    Meng Xu, Chengyu Song, Yang Ji, Ming-Wei Shih, Kangjie Lu, Cong Zheng, Ruian Duan, Yeongjin Jang, Byoungyoung Lee, Chenxiong Qian, Sangho Lee, and Taesoo Kim.
    ACM Computing Surveys 49(2), August 2016.
    How to Make ASLR Win the Clone Wars: Runtime Re-Randomization [PDF | Demo | Code]
    Kangjie Lu, Stefan Nürnberger, Michael Backes, and Wenke Lee.
    In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA, February 2016.
    Enforcing Kernel Security Invariants with Data Flow Integrity [PDF]
    Chengyu Song, Byoungyoung Lee, Kangjie Lu, William R. Harris, Taesoo Kim, and Wenke Lee.
    In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA, February 2016.
    ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks [PDF | Page | Code]
    Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, and Wenke Lee.
    In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS). Denver, Colorado, October 2015.
    SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps [PDF]
    Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, and Guofei Jiang.
    In Proceedings of the 24th USENIX Security Symposium (Security). Washington, DC, August 2015.
    Software Watermarking using Return-Oriented Programming [PDF]
    Haoyu Ma, Kangjie Lu, Xinjie Ma, Haining Zhang, Chunfu Jia, and Debin Gao.
    In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS). Singapore, April–June 2015.
    Checking more and alerting less: Detecting privacy leakages via enhanced data-flow analysis and peer voting [PDF]
    Kangjie Lu, Zhichun Li, Vasileios Kemerlis, Zhenyu Wu, Long Lu, Cong Zheng, Zhiyun Qian, Wenke Lee, and Guofei Jiang.
    In Proceedings of the 2015 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA, February 2015.
    RopSteg: Program Steganography with Return Oriented Programming [PDF]
    Kangjie Lu, Siyang Xiong, and Debin Gao.
    In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy (CODASPY). San Antonio, Texas, USA, March 2014.
    Jekyll on iOS: When Benign Apps Become Evil [PDF]
    Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee.
    In Proceedings of the 22nd USENIX Security Symposium (Security). Washington, DC, August 2013.
    deRop: Removing Return-Oriented Programming from Malware [PDF]
    Kangjie Lu, Dabi Zou, Weiping Wen, and Debin Gao.
    In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC). Orlando, Florida, USA, December 2011.
    Packed, Printable, and Polymorphic Return-Oriented Programming [PDF]
    Kangjie Lu, Dabi Zou, Weiping Wen, and Debin Gao.
    In Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID). Menlo Park, California, USA, September 2011.

    Advising

    • Aditya Pakki (PhD student)
    • Qiushi Wu (PhD student)
    • Bowen Wang (PhD student)

    Assistant Professor University of Minnesota, Minneapolis 2017.8 - Present
    Visiting Scholar MPI-SWS & CISPA, Saarland University, Saarbrücken, Germany 2016.5 - 2016.8
    Visiting Scholar MPI-SWS & CISPA, Saarland University, Saarbrücken, Germany 2015.5 - 2015.8
    Research Intern Samsung Research America, Santa Clara 2014.5 - 2014.8
    Research Intern NEC Labs America, Princeton 2013.5 - 2013.8
    Research Assistant Georgia Institute of Technology, Atlanta 2012.8 - 2017.8
    Research Engineer Singapore Management University, Singapore 2011.11 - 2012.6
    Research Assistant Singapore Management University, Singapore 2010.7 - 2011.8
    Research Assistant Peking University, Beijing, China 2009.9 - 2010.7

    Program Committees

    • ACM Conference on Computer and Communications Security (CCS'18, '19)
    • The 27th USENIX Security Symposium (USENIX Security'18)
    • The 13th ACM Asia Conference on Computer and Communications Security (AsiaCCS'18)