I am a Professor in the School of Computer Science of Fudan University. I co-direct the System Software and Security Laboratory of Fudan University. I am also the co-founder and the coach of a great CTF Team in Fudan University, named Whitzard. We took part in many great world-wide CTF competitions and won good places.
I aim to do relevant and reasonable system research. My research interests span all areas in system security, especially on widely-deployed and critical targets, while currently focusing on open-source software, kernels, and Android/Web platforms.
My research covers a wide range of topics, including vulnerability discovery/exploitation/mitigation, malware/attack detection, and privacy protection. To address these problems, we usually use multi-disciplinary techniques such as Program Analysis, Machine/Deep Learning, and NLP.
To prospective students/post-doctors: If you are interested in our research, please feel free to reach out.
Email: yuanxzhang [AT] fudan.edu.cn
Office (Jiangwan Campus): Room D6011, NO.2 Interdisciplinary Building, NO.2005 Songhu Road, Yangpu District, Shanghai
News
- [Sept, 2023] I will join the TPC of CODASPY 2024. Welcome to submit!
- [Aug, 2023] One paper accepted by ICSE 2024. Congrats Jiarun!
- [Aug, 2023] Two papers accepted by CCS 2023. Congrats Peng & Xin!
- [May, 2023] I will join the TPC of SaTS 2023 (Secure and Trustworthy Superapps Workshop). This might be the first workshop on discussing security and privacy issues of mobile super apps. Welcome to submit!
- [May, 2023] I will join the TPC of USENIX Security 2024. Welcome to submit!
- [March, 2023] I will join the TPC of NDSS 2024. Welcome to submit!
- [March, 2023] One paper accepted by IEEE S&P 2023. Congrats Xiaohan!
- [Jan, 2023] I will join the TPC of ICICS 2023. Welcome to submit!
- [Dec, 2022] One paper accepted by USENIX Security 2023. Congrats altman!
- [Oct, 2022] I will join the TPC of IEEE MetaCom 2023. Welcome to submit!
- [Aug, 2022] Our mobile app-in-app paper received Distinguished Paper Award at USENIX Security 2022!
Background
- 2022.12~now, Fudan University, School of Computer Science, Professor
- 2017.12~2022.11, Fudan University, School of Computer Science, Associate Professor
- 2014.07~2017.11, Fudan University, School of Computer Science, Assistant Professor
- 2009.09~2014.06, Fudan University, School of Computer Science, Ph.D
- 2005.09~2009.06, Nanjing University, Software Institute, B.Eng
Publications
- SCTrans: Constructing a Large Public Scenario Dataset for Simulation Testing of Autonomous Driving Systems. In Proceedings of the 46th International Conference on Software Engineering (ICSE), Lisbon, Portugal, April 14-20, 2024.
- SyzDirect: Directed Greybox Fuzzing for Linux Kernel. In Proceedings of the 30th ACM Conference on Computer and Communications Security (CCS), Copenhagen, Denmark, November 26-30, 2023.
- NestFuzz: Enhancing Fuzzing with Comprehensive Understanding of Input Processing Logic. In Proceedings of the 30th ACM Conference on Computer and Communications Security (CCS), Copenhagen, Denmark, November 26-30, 2023.
- TrustedDomain Compromise Attack in App-in-app Ecosystems. In Proceedings of the 1st ACM Workshop on Secure and Trustworthy Superapps (SaTS), co-located with ACM CCS, Copenhagen, Denmark, November 26, 2023.
- Remote Code Execution from SSTI in the Sandbox: Automatically Detecting and Exploiting Template Escape Bugs. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security), Anaheim, CA, USA, August 9-11, 2023 (coming soon). [AE Badges: Artifacts Functional; Results Reproduced; Artifacts Available] [Tech. Report] [Paper] [Source Code]
- Understanding the (In)Security of Cross-side Face Verification Systems in Mobile Apps: A System Perspective. In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2023. [Paper]
- AEM: Facilitating Cross-Version Exploitability Assessment of Linux Kernel Vulnerabilities. In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2023. [Paper]
- Precise (Un)Affected Version Analysis for Web Vulnerabilities. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering (ASE), Ann Arbor, Michigan, United States, October 10-14, 2022. [Paper]
- Identity Confusion in WebView-based Mobile App-in-app Ecosystems. In Proceedings of the 31st USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 10-12, 2022. [Distinguished Paper Award] [Paper]
- Backporting Security Patches of Web Applications: A Prototype Design and Implementation on Injection Vulnerability Patches. In Proceedings of the 31st USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 10-12, 2022. [Paper]
- Exploit The Last Straw that Breaks Android System. In Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2022. [Paper]
- Understanding the Practice of Security Patch Management across Multiple Branches in OSS Projects. In Proceedings of the 31st ACM Web Conference (WWW), Lyon, France, April 25–29, 2022. [Paper]
- Slowing Down the Aging of Learning-based Malware Detectors with API Knowledge. In Transactions on Dependable and Secure Computing (TDSC), 2022. [Online]
- Refcount Field Identification for Linux Kernel Based on Deep Learning. In the International Journal of Software & Informatics (IJSI). 2022, Vol. 12 Issue 3, p309-329.
- Locating the Security Patches for Disclosed OSS Vulnerabilities with Vulnerability-Commit Correlation Ranking. In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS), Seoul, South Korea, November 14-19, 2021. [Paper]
- Facilitating Vulnerability Assessment through PoC Migration. In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS), Seoul, South Korea, November 14-19, 2021. [Paper]
- Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking. In Proceedings of the 30th USENIX Security Symposium (USENIX Security), Vancouver, Canada, August 11-13, 2021. [Paper]
- Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware. In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS), Orlando, USA, November 9-13, 2020. [Distinguished Paper Award Nomination] [Paper]
- PDiff: Semantic-based Patch Presence Testing for Downstream Kernels. In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS), Orlando, USA, November 9-13, 2020. [Paper]
- BScout: Direct Whole Patch Presence Test for Java Executables. In Proceedings of the 29th USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 12-14, 2020. [Paper]
- An Ever-evolving Game: Evaluation of Real-world Attacks and Defenses in Ethereum Ecosystem. In Proceedings of the 29th USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 12-14, 2020. [Paper]
- How Android Developers Handle Evolution-induced API Compatibility Issues: A Large-scale Study. In Proceedings of the 42nd International Conference on Software Engineering (ICSE), Seoul, South Korea, May 23-29, 2020. [Paper]
- TextExerciser: Feedback-driven Text Input Exercising for Android Applications. In Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 18-20, 2020. [Paper]
- Hybrid Malware Detection Approach with Feedback-directed Machine Learning. In SCIENCE CHINA Information Sciences, Volume 63, Issue 3: 139103 (2020)
- App in the Middle: Demystify Application Virtualization in Android and its Security Threats to over 100 Million Users. In Proceedings of ACM SIGMETRICS / IFIP Performance, Phoenix, Arizona, USA, 2019. [Paper]
- How You Get Shot in the Back: A Systematical Study about Cryptojacking in the Real World. In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, October 15-19, 2018. [Paper]
- Invetter: Locating Insecure Input Validations in Android Services. In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, October 15-19, 2018. [Paper]
- An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications.
- Detecting Third-Party Libraries in Android Applications with High Precision and Recall. In Proceedings of IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), Campobasso, Italy, March 20-23, 2018. [Paper] [Source Code]
- Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps. In Proceedings of Network and Distributed System Security Symposium (NDSS), San Diego, Feb 18-21, 2018. [Paper]
- Identifying User-Input Privacy in Mobile Applications at a Large Scale. In IEEE Transactions on Information Forensics and Security (TIFS), 2017, 12(3), 647-661. [Paper]
- Rethinking Permission Enforcement Mechanism on Mobile Systems. In IEEE Transactions on Information Forensics and Security (TIFS), 2016, 9(11), 1828-1842. [Paper]
- FineDroid: Enforcing Permissions with System-wide Application Execution Context. In Proceedings of the 11th EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Dallas, TX, October 26-29, 2015. [Paper]
- AppCracker: Widespread Vulnerabilities in User and Session Authentication in Mobile Apps. In Proceedings of 4th IEEE Mobile Security Technologies (MoST), co-located with IEEE S&P, San Jose, CA, May 21, 2015. [Paper]
- Permission Use Analysis for Vetting Undesirable Behaviors in Android Apps. In IEEE Transactions on Information Forensics and Security (TIFS), 2014, 9(11), 1828-1842. [Paper]
- AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 4-8, 2013. [Paper]
- Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 4-8, 2013. [Paper]
- Swift: A Register-based JIT Compiler for Embedded JVMs. In Proceedings of the 8th International Conference on Virtual Execution Environments (VEE), London, UK, March 3-4, 2012. [Paper]
Teaching
- Principles of Reverse Engineering (in School of Computer Science)
  - Spring 2023, Spring 2022, Spring 2021, Spring 2020, Spring 2019, Spring 2018
- System Security: Attacks & Defenses (in School of Software)
  - Fall 2023, Fall 2022, Fall 2021, Fall 2020, Fall 2019, Fall 2018, Fall 2017, Fall 2016
- Compiler Principles (in School of Software)
  - Fall 2017
- Emerging Attack & Defense Techniques (in School of Software)
  - Spring 2023, Spring 2022, Spring 2021, Spring 2020, Spring 2019
- Computer Network Security (in School of Software)
  - Spring 2018, Spring 2017, Spring 2016
Services
- Session Chair for Inscrypt 2021
- Session Chair for AsiaCCS 2021
- Session Chair for NDSS 2021 (AP Replay Session)
- Organization/Technical Committee Member of InForSec
- the 33rd USENIX Security Symposium (USENIX Security 2024)
- the 2024 Network and Distributed System Security Symposium (NDSS 2024)
- the 14th ACM Conference on Data and Application Security and Privacy (CODASPY 2024)
- ACM Workshop on Secure and Trustworthy Superapps (SaTS 2023)
- the 25th International Conference on Information and Communications Security (ICICS 2023)
- the 2023 International Conference on Metaverse Computing, Networking and Applications (MetaCom 2023)
- the 44th IEEE Symposium on Security and Privacy (S&P 2023)
- the 32nd USENIX Security Symposium (USENIX Security 2023)
- the 2023 USENIX Annual Technical Conference (USENIX ATC 2023)
- the 27th European Symposium on Research in Computer Security (ESORICS 2022)
- the 43rd IEEE Symposium on Security and Privacy (S&P 2022)
- the 31st USENIX Security Symposium (USENIX Security 2022)
- the 31st International World Wide Web Conference (WWW 2022)
- the 17th ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2022)
- the 24th International Conference on Information and Communications Security (ICICS 2022)
- the 26th European Symposium on Research in Computer Security (ESORICS 2021)
- the 6th IEEE European Symposium on Security and Privacy (EuroS&P 2021)
- the 11th ACM Conference on Data and Application Security and Privacy (CODASPY 2021)
- the 16th ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2021)
- the 23rd International Conference on Information and Communications Security (ICICS 2021)
- the 16th EAI Conference on Security and Privacy in Communication Networks (SecureComm 2020)
- the 25th European Symposium on Research in Computer Security (ESORICS 2020)
- Empirical Software Engineering (EMSE), 2021-now
- Journal of Software (Special Issue: System Software Security Track, in Chinese), 2021
- IEEE Transactions on Software Engineering (TSE) 2023
- IEEE Transactions on Dependable and Secure Computing (TDSC) 2018, 2019, 2021, 2022
- Computers & Security 2016, 2017, 2018, 2019, 2020, 2021, 2022
- Journal of Software 2016, 2017, 2018, 2019, 2020, 2021, 2022
- IEEE Transactions on Computers (TC) 2021
- IEEE Transactions on Network and Service Management 2020
- Computer Communications 2020
- IEEE Transactions on Mobile Computing (TMC) 2016
- ACM Transactions on Information Systems (TOIS) 2016
- SCIENCE CHINA Information Sciences 2016
- IEEE Transactions on Information Forensics and Security (TIFS) 2015