I joined Indiana University Bloomington in June 2018 as an Assistant Professor of Computer Science after three years' experience of building large commercial systems at Amazon. Now I'm leading the System Security Group at IU with Prof. XiaoFeng Wang and Prof. Xiaojing Liao. Our group is known to be one of top productive system security teams in the world in terms of publishing at top 4 security conferences (see System Security Circus).
My research focus is logic and design flaws in various commodity systems, especially iOS/Mac OS, Android, IoT, Cloud, Web, and applications on them. I am one of the very first few practitioners in iOS and Mac OS security research (see my papers S&P16, CCS15, CCS13). What my group focused on are typically fundamental design problems (see our media reports and publications), less of implementation bugs. With in-depth understanding of systems and how security problems can indeed happen in the first place, we derive new secure design principles and invent solutions to protect real systems of Apple, Android, AWS, IoT and more.
Our research on OSX, iOS, Android, Cloud has been reported by Time, CNN, Forbes, Mirror, Fox News, Yahoo, CNET, The Register, Sina, 163, Sohu and more. Official blog of Facebook, 1Password discussed about our research on authentication security. Apple, Android, Dropbox, Evernote officially acknowledged our findings and efforts to help protect their users.
Research Areas & Interests:
News
My research focus is logic and design flaws in various commodity systems, especially iOS/Mac OS, Android, IoT, Cloud, Web, and applications on them. I am one of the very first few practitioners in iOS and Mac OS security research (see my papers S&P16, CCS15, CCS13). What my group focused on are typically fundamental design problems (see our media reports and publications), less of implementation bugs. With in-depth understanding of systems and how security problems can indeed happen in the first place, we derive new secure design principles and invent solutions to protect real systems of Apple, Android, AWS, IoT and more.
Our research on OSX, iOS, Android, Cloud has been reported by Time, CNN, Forbes, Mirror, Fox News, Yahoo, CNET, The Register, Sina, 163, Sohu and more. Official blog of Facebook, 1Password discussed about our research on authentication security. Apple, Android, Dropbox, Evernote officially acknowledged our findings and efforts to help protect their users.
Research Areas & Interests:
- Logic & Design Flaws: [Security'19] [CCS'17][S&P'16][CCS'15][S&P'14][CCS'14][CCS'13][NDSS'13]
- Data-driven Security: [S&P'16][CCS'16-1][CCS'16-2]
News
- (8/14/2019) Apple acknowledged our reported vulnerability on Safari.
- (8/2/2019) Tencent acknowledged our reported vulnerability on Wechat.
- (8/2/2019) Opera puts my students and my names on its hall of fame for our vulnerability finding.
- (7/11/2019) Philips acknowledged our reported vulnerability on HUE, their IoT platform.
- (6/20/2019) Chrome acknowledged our reported vulnerability with CVE-2019-5767.
- (6/20/2019) Samsung acknowledged our reported vulnerability on SmartThings, their IoT platform.
- (6/1/2019) The first paper I advised after 3 years in industry, to automatically discover logic flaws in online payment services, will appear in Usenix Security 2019.
- (5/29/2019) Will serve on the Program Committee of NDSS 2020.
- (5/20/2019) I am awarded by Faculty Research Support Program of Indiana University for IoT logic flaw research.
- (12/1/2018) My students and I are awarded by Chrome for new logic flaw discovery.
- (11/12/2018) Will serve on the Program Committee of ACM CCS 2019.
- (7/1/2018) Will serve on the Program Committee of NDSS 2019.
- (6/18/2018) Joined Indiana University Bloomington as Assistant Professor of Computer Science.
- (9/18/2017) Transferred to AWS Security, Amazon, Inc.
- (7/30/16) Forbes reported our attack on Apple airdrop.
- (7/2/16) Will speak at Blackhat 2016!
- (2/9/16) We have two papers accepted by Oakland 2016.
- (12/8/15) Apple acknowledged our security reports with CVE-2015-7045.
- (11/23/15) Start to work at Information Security, Amazon, Inc..
- (10/25/15) Our Apple attack paper is among top 10 finalists of CSAW Best Paper Award.
- (10/6/15) I will serve on the Student PC of Oakland 2016.
- (9/30/15) Forbes, Threatpost, appleinsider follow up with our discovered XARA vulnerabilities.
- (9/29/15) Apple acknowledged our security report with CVE-2015-5836.
- (9/16/15) Apple acknowledged our security report with CVE-2015-5835.
- (8/28/15) My advisor Dr. XiaoFeng Wang with our System Security Lab is among top 5 in the world.
- (8/13/15) Apple acknowledged our security report with CVE-2015-3786.
- (8/10/15) Our attack paper on OSX and iOS (XARA vulnerabilities) will appear in CCS 2015.
- (7/16/15) Evernote acknowledged our names on their Security Hall of Fame.
- (7/1/15) Android/Google acknowledged our names on their Android Security Acknowledgements.
- (10/24/14) Our attack paper on Android Push messaging will appear in CCS 2014.
- (4/25/14) Got the third place in National Security Innovation Competition 2014 after competing with teams from 112 universities/organizations.
- (3/20/14) Forbes.com, Yahoo and many other news agencies reported our research on Android update vulnerabilities.
- (2/03/14) Our attack paper on Android OS update is accepted by IEEE Symposium on Security and Privacy 2014.
