I am an Associate Professor in the School of Computer Science of Fudan University. I co-direct the System Software and Security Laboratory of Fudan University. I am also the co-founder and the coach of a great CTF Team in Fudan University, named Whitzard. We took part in many great world-wide CTF competitions and won good places.

I aim to do relevant and reasonable system research. My research interests span all areas in system security especially on widely-deployed and critical targets, while currently focusing on open-source software, kernels, Android/Web platforms.

My research covers a wide range of topics, including vulnerability discovery/exploitation/mitigation, malware/attack detection, privacy protection. To address these problems, we usually use multi-disciplined techniques such as Program Analysis, Machine/Deep Learning, NLP.

To prospective students/post-doctors: If you are interested in our research, please feel free to reach out.

Email: yuanxzhang [AT] fudan.edu.cn
Office (Jiangwan Campus): Room A6013, NO.2 Interdisciplinary Building, NO.2005 Songhu Road, Yangpu District, Shanghai


News

  • [Sept, 2021] I will join the TPC of WWW 2022 (Security, Privacy, and Trust Track). Welcome to submit!
  • [Aug, 2021] One paper accepted by IEEE S&P 2022. Congrats Lei & Keke!
  • [May, 2021] I will join the TPC of AsiaCCS 2022. Welcome to submit!
  • [May, 2021] I will join the Editorial Board of Empirical Software Engineering Journal. More information can be found here. Welcome to submit!
  • [May, 2021] One paper accepted by CCS 2021. Congrats Xin!
    >>> We observe that the security patch information for disclosed OSS vulnerabilities in CVE/NVD is usually incomplete and incorrect. To ease the locating of security patches, we propose PatchScout which ranks the code commits in the OSS code repository based on their correlations to a given vulnerability.
  • [April, 2021] I will join the TPC of USENIX Security 2022. Welcome to submit!
  • [March, 2021] I will join the TPC of ICICS 2021. Welcome to submit!
  • [March, 2021] One paper accepted by CCS 2021. Congrats Jiarun!
    >>> When a vulnerability is discovered by fuzzers on one software version, it is important to assess whether there are other versions that are also affected by this vulnerability. We introduce a new technique, named PoC Migration, to assess the vulnerable versions of a known vulnerability. In particular, we identified 330 under-reported vulnerable versions in MITRE/NIST.
  • [March, 2021] I will join the TPC of S&P 2022. Welcome to submit!
  • [Dec, 2020] Join the TPC of ESORICS 2021. Note that we have two submission cycles this year, welcome to submit!
  • [Oct, 2020] Join the TPC of EuroS&P 2021. Welcome to submit!
  • [Sep, 2020] One paper accepted by USENIX Security 2021. Congrats Xin & Xiyu!
    >>> This paper presents CID, a bug detector for reference counting bugs with a novel two-dimensional consistency checking design. By applying CID to the latest Linux kernel (5.6-rc2), we found 44 new bugs and the patches for the 34 bugs have already been merged into the kernel.

Background

  • 2017.12~now, Fudan University, School of Computer Science, Associate Professor
  • 2014.07~2017.11, Fudan University, School of Computer Science, Assistant Professor
  • 2009.09~2014.06, Fudan University, School of Computer Science, Ph.D
  • 2005.09~2009.06, Nanjing University, Software Institute, B.Eng

Publications

  1. Exploit The Last Straw that Breaks Android System.
    Lei Zhang, Keke Lian, Haoyu Xiao, Zhibo Zhang, Peng Liu, Yuan Zhang, Min Yang, Haixin Duan.
    In Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P), May 22-26, 2022 (coming soon).
  2. Locating the Security Patches for Disclosed OSS Vulnerabilities with Vulnerability-Commit Correlation Ranking.
    Xin Tan, Yuan Zhang, Chenyuan Mi, Jiajun Cao, Kun Sun, Yifan Lin, Min Yang.
    In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS), Seoul, South Korea, November 14-19, 2021 (coming soon).
  3. Facilitating Vulnerability Assessment through PoC Migration.
    Jiarun Dai, Yuan Zhang, Hailong Xu, Haiming Lyu, Zicheng Wu, Xinyu Xing, Min Yang.
    In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS), Seoul, South Korea, November 14-19, 2021 (coming soon).
  4. Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking.
    Xin Tan, Yuan Zhang, Xiyu Yang, Kangjie Lu, Min Yang.
    In Proceedings of the 30th USENIX Security Symposium (USENIX Security), Vancouver, Canada, August 11-13, 2021. [Paper]
  5. Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware.
    Xiaohan Zhang, Yuan Zhang, Ming Zhong, Daizong Ding, Yinzhi Cao, Yukun Zhang, Mi Zhang, Min Yang.
    In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS), Orlando, USA, November 9-13, 2020. [Nominated for the Best Paper Award] [Paper]
  6. PDiff: Semantic-based Patch Presence Testing for Downstream Kernels.
    Zheyue Jiang, Yuan Zhang, Jun Xu, Qi Wen, Zhenghe Wang, Xiaohan Zhang, Xinyu Xing, Min Yang, Zhemin Yang.
    In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS), Orlando, USA, November 9-13, 2020. [Paper]
  7. BScout: Direct Whole Patch Presence Test for Java Executables.
    Jiarun Dai, Yuan Zhang, Zheyue Jiang, Yingtian Zhou, Junyan Chen, Xinyu Xing, Xiaohan Zhang, Xin Tan, Min Yang, Zhemin Yang.
    In Proceedings of the 29th USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 12-14, 2020. [Paper]
  8. An Ever-evolving Game: Evaluation of Real-world Attacks and Defenses in Ethereum Ecosystem.
    Shunfan Zhou, Zhemin Yang, Jie Xiang, Yinzhi Cao, Min Yang, Yuan Zhang.
    In Proceedings of the 29th USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 12-14, 2020. [Paper]
  9. How Android Developers Handle Evolution-induced API Compatibility Issues: A Large-scale Study.
    Hao Xia, Yuan Zhang, Yingtian Zhou, Xiaoting Chen, Yang Wang, Xiangyu Zhang, Shuaishuai Cui, Gen Hong, Xiaohan Zhang, Min Yang, Zhemin Yang.
    In Proceedings of the 42nd International Conference on Software Engineering (ICSE), Seoul, South Korea, May 23-29, 2020. [Paper]
  10. TextExerciser: Feedback-driven Text Input Exercising for Android Applications.
    Yuyu He, Lei Zhang, Zhemin Yang, Yinzhi Cao, Keke Lian, Shuai Li, Wei Yang, Zhibo Zhang, Min Yang, Yuan Zhang, Haixin Duan.
    In Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 18-20, 2020. [Paper]
  11. Hybrid Malware Detection Approach with Feedback-directed Machine Learning.
    Zhetao Li, Wenlin Li, Fuyuan Lin, Yi Sun, Min Yang, Yuan Zhang, Zhibo Wang.
    In SCIENCE CHINA Information Sciences, Volume 63, Issue 3: 139103 (2020)
  12. App in the Middle: Demystify Application Virtualization in Android and its Security Threats to over 100 Million Users.
    Lei Zhang, Zhemin Yang, Yuyu He, Mingqi Li, Sen Yang, Min Yang, Yuan Zhang, Zhiyun Qian.
    In Proceedings of ACM SIGMETRICS / IFIP Performance, Phoenix, Arizona, USA, 2019. [Paper]
  13. How You Get Shot in the Back: A Systematical Study about Cryptojacking in the Real World.
    Geng Hong, Zhemin Yang, Sen Yang, Lei Zhang, Yuhong Nan, Zhibo Zhang, Min Yang, Yuan Zhang, Zhiyun Qian, Haixin Duan.
    In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, October 15-19, 2018. [Paper]
  14. Invetter: Locating Insecure Input Validations in Android Services.
    Lei Zhang, Zhemin Yang, Yuyu He, Zhenyu Zhang, Zhiyun Qian, Geng Hong, Yuan Zhang, Min Yang.
    In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, October 15-19, 2018. [Paper]
  15. An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications.
    Xiaohan Zhang, Yuan Zhang, Qianqian Mo, Hao Xia, Zhemin Yang, Min Yang, Xiaofeng Wang, Long Lu, Haixin Duan.
    In Proceedings of the 27th USENIX Security Symposium (USENIX Security), Baltimore, USA, August 15-17, 2018. [Paper] [Dataset]
  16. Detecting Third-Party Libraries in Android Applications with High Precision and Recall.
    Yuan Zhang, Jiarun Dai, Xiaohan Zhang, Sirong Huang, Zhemin Yang, Min Yang, Hao Chen.
    In Proceedings of IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), Campobasso, Italy, March 20-23, 2018. [Paper] [Source Code]
  17. Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps.
    Yuhong Nan, Zhemin Yang, Xiaofeng Wang, Yuan Zhang, Donglai Zhu, Min Yang.
    In Proceedings of Network and Distributed System Security Symposium (NDSS), San Diego, Feb 18-21, 2018. [Paper]
  18. Identifying User-Input Privacy in Mobile Applications at a Large Scale.
    Yuhong Nan, Zhemin Yang, Min Yang, Shunfan Zhou, Yuan Zhang, Guofei Gu, Xiaofeng Wang, Limin Sun.
    In IEEE Transactions on Information Forensics and Security (TIFS), 2017, 12(3), 647-661. [Paper]
  19. Rethinking Permission Enforcement Mechanism on Mobile Systems.
    Yuan Zhang, Min Yang, Guofei Gu, Hao Chen.
    In IEEE Transactions on Information Forensics and Security (TIFS), 2016, 9(11), 1828-1842. [Paper]
  20. FineDroid: Enforcing Permissions with System-wide Application Execution Context.
    Yuan Zhang, Min Yang, Guofei Gu, Hao Chen.
    In Proceedings of the 11th EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Dallas, TX, October 26-29, 2015. [Paper]
  21. AppCracker: Widespread Vulnerabilities in User and Session Authentication in Mobile Apps.
    Fangda Cai, Hao Chen, Yuanyi Wu, Yuan Zhang.
    In Proceedings of 4th IEEE Mobile Security Technologies (MoST), co-located with IEEE S&P, San Jose, CA, May 21, 2015. [Paper]
  22. Permission Use Analysis for Vetting Undesirable Behaviors in Android Apps.
    Yuan Zhang, Min Yang, Zhemin Yang, Guofei Gu, Peng Ning, Binyu Zang.
    In IEEE Transactions on Information Forensics and Security (TIFS), 2014, 9(11), 1828-1842. [Paper]
  23. AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection.
    Zhemin Yang, Min Yang, Yuan Zhang, Guofei Gu, Peng Ning and X. Sean Wang.
    In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 4-8, 2013. [Paper]
  24. Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis.
    Yuan Zhang, Min Yang, Bingquan Xu, Zhemin Yang, Guofei Gu, Peng Ning, X. Sean Wang, Binyu Zang.
    In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 4-8, 2013. [Paper]
  25. Swift: A Register-based JIT Compiler for Embedded JVMs.
    Yuan Zhang, Min Yang, Bo Zhou, Zhemin Yang, Weihua Zhang, Binyu Zang.
    In Proceedings of the 8th international conference on Virtual execution environments (VEE), London, UK, March 3-4, 2012. [Paper]

Teaching

Undergraduate level:
  • Principles of Reverse Engineering (in School of Computer Science)
    • Spring 2018, Spring 2019, Spring 2020, Spring 2021
  • System Security: Attacks & Defenses (in School of Software)
    • Fall 2016, Fall 2017, Fall 2018, Fall 2019, Fall 2020
  • Compiler Principles (in School of Software)
    • Fall 2017
Graduate level:
  • Emerging Attack & Defense Techniques (in School of Software)
    • Spring 2019, Spring 2020, Spring 2021
  • Computer Network Security (in School of Software)
    • Spring 2016, Spring 2017, Spring 2018

Services

Organization
  • Session Chair for Inscrypt 2021
  • Session Chair for AsiaCCS 2021
  • Session Chair for NDSS 2021 (AP Replay Session)
  • Organization/Technical Committee Member of InForSec
Technical Program Committee:
  • the 43rd IEEE Symposium on Security and Privacy (S&P 2022)
  • the 31st USENIX Security Symposium (USENIX Security 2022)
  • the 31st International World Wide Web Conference, Track: Security, Privacy, and Trust (WWW 2022)
  • the 17th ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2022)
  • the 23rd International Conference on Information and Communications Security (ICICS 2021)
  • the 26th European Symposium on Research in Computer Security (ESORICS 2021)
  • the 6th IEEE European Symposium on Security and Privacy (EuroS&P 2021)
  • the 11th ACM Conference on Data and Application Security and Privacy (CODASPY 2021)
  • the 16th ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2021)
  • the 16th EAI Conference on Security and Privacy in Communication Networks (SecureComm 2020)
  • the 25th European Symposium on Research in Computer Security (ESORICS 2020)
Editorial Board:
Journal Reviewer:
  • IEEE Transactions on Network and Service Management 2020
  • Computer Communications 2020
  • Computers & Security 2016, 2017, 2018, 2019, 2020, 2021
  • Journal of Software 2016, 2017, 2018, 2019, 2020
  • IEEE Transactions on Dependable and Secure Computing (TDSC) 2018, 2019
  • IEEE Transactions on Mobile Computing (TMC) 2016
  • ACM Transactions on Information Systems (TOIS) 2016
  • SCIENCE CHINA Information Sciences 2016
  • IEEE Transactions on Information Forensics and Security (TIFS) 2015

Last Modified: May 14, 2021, Contact: yuanxzhang [AT] fudan.edu.cn