I am a Professor in the School of Computer Science of Fudan University. I co-direct the System Software and Security Laboratory of Fudan University. I am also the co-founder and the coach of a great CTF Team in Fudan University, named Whitzard. We took part in many great world-wide CTF competitions and won good places.

I aim to do relevant and reasonable system research. My research interests span all areas in system security especially on widely-deployed and critical targets, while currently focusing on open-source software, kernels, Android/Web platforms.

My research covers a wide range of topics, including vulnerability discovery/exploitation/mitigation, malware/attack detection, privacy protection. To address these problems, we usually use multi-disciplined techniques such as Program Analysis, Machine/Deep Learning, NLP.

To prospective students/post-doctors: If you are interested in our research, please feel free to reach out.

Email: yuanxzhang [AT] fudan.edu.cn
Office (Jiangwan Campus): Room D6011, NO.2 Interdisciplinary Building, NO.2005 Songhu Road, Yangpu District, Shanghai


News


Background

  • 2022.12~now, Fudan University, School of Computer Science, Professor
  • 2017.12~2022.11, Fudan University, School of Computer Science, Associate Professor
  • 2014.07~2017.11, Fudan University, School of Computer Science, Assistant Professor
  • 2009.09~2014.06, Fudan University, School of Computer Science, Ph.D
  • 2005.09~2009.06, Nanjing University, Software Institute, B.Eng

Publications

  1. Accurate and Efficient Recurring Vulnerability Detection for IoT Firmware.
    Haoyu Xiao, Yuan Zhang, Minghang Shen, Chaoyang Lin, Can Zhang, Shengli Liu, Min Yang.
    In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), Salt Lake City, USA, October 14-18, 2024. [Paper]
  2. Component Security Ten Years Later: An Empirical Study of Cross-Layer Threats in Real-World Mobile Applications.
    Keke Lian, Lei Zhang, Guangliang Yang, Shuo Mao, Xinjie Wang, Yuan Zhang, Min Yang.
    In Proceedings of ACM International Conference on the Foundations of Software Engineering (FSE), Brazil, Brazil, July 15-19, 2024. [Paper]
  3. How Well Industry-Level Cause Bisection Works in Real-World: A Study on Linux Kernel.
    Kangzheng Gu, Yuan Zhang, Jiajun Cao, Xin Tan, Min Yang.
    In Proceedings of ACM International Conference on the Foundations of Software Engineering (FSE) Industry Track, Brazil, Brazil, July 15-19, 2024. [Paper]
  4. Efficient Detection of Java Deserialization Gadget Chains via Bottom-up Gadget Search and Dataflow-aided Payload Construction.
    Bofei Chen, Lei Zhang, Xinyou Huang, Yinzhi Cao, Keke Lian, Yuan Zhang, Min Yang.
    In Proceedings of the 45th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 20-23, 2024. [Paper]
  5. SAMBA: Detecting SSL/TLS API Misuses in IoT Binary Applications.
    Kaizheng Liu, Ming Yang, Zhen Ling, Yuan Zhang, Chongqing Lei, Lan Luo, Xinwen Fu.
    In Proceedings of 43rd IEEE International Conference on Computer Communications (INFOCOM), Vancouver, Canada, May 20-23, 2024. [Paper]
  6. RecurScan: Detecting Recurring Vulnerabilities in PHP Web Applications.
    Youkun Shi, Yuan Zhang, Tianhao Bai, Lei Zhang, Xin Tan, Min Yang.
    In Proceedings of the 33rd ACM Web Conference (WWW), Singapore, May 13–17, 2024. [Paper]
  7. Interface Illusions: Uncovering the Rise of Visual Scams in Cryptocurrency Wallets.
    Guoyi Ye, Geng Hong, Yuan Zhang, Min Yang.
    In Proceedings of the 33rd ACM Web Conference (WWW), Singapore, May 13–17, 2024. [Paper]
  8. SCTrans: Constructing a Large Public Scenario Dataset for Simulation Testing of Autonomous Driving Systems.
    Jiarun Dai, Bufan Gao, Mingyuan Luo, Zongan Huang, Zhongrui Li, Yuan Zhang, Min Yang.
    In Proceedings of the 46th International Conference on Software Engineering (ICSE), Lisbon, Portugal, April 14-20, 2024. [Paper]
  9. SyzDirect: Directed Greybox Fuzzing for Linux Kernel.
    Xin Tan, Yuan Zhang, Jiadong Lu, Xin Xiong, Zhuang Liu, Min Yang.
    In Proceedings of the 30th ACM Conference on Computer and Communications Security (CCS), Copenhagen, Denmark, November 26-30, 2023. [Paper]
  10. NestFuzz: Enhancing Fuzzing with Comprehensive Understanding of Input Processing Logic.
    Peng Deng, Zhemin Yang, Lei Zhang, Guangliang Yang, Wenzheng Hong, Yuan Zhang, Min Yang.
    In Proceedings of the 30th ACM Conference on Computer and Communications Security (CCS), Copenhagen, Denmark, November 26-30, 2023. [Paper]
  11. TrustedDomain Compromise Attack in App-in-app Ecosystems.
    Zhibo Zhang, Zhangyue Zhang, Keke Lian, Guangliang Yang, Lei Zhang, Yuan Zhang, Min Yang.
    In Proceedings of the 1st ACM Workshop on Secure and Trustworthy Superapps (SaTS), co-located with ACM CCS, Copenhagen, Denmark, November 26, 2023. [Paper]
  12. Remote Code Execution from SSTI in the Sandbox: Automatically Detecting and Exploiting Template Escape Bugs.
    Yudi Zhao, Yuan Zhang, Min Yang.
    In Proceedings of the 32nd USENIX Security Symposium (USENIX Security), Anaheim, CA, USA, August 9-11, 2023. [AE Badges: Artifacts Functional; Results Reproduced; Artifacts Available]
    [Tech. Report] [Paper] [Source Code]
  13. Understanding the (In)Security of Cross-side Face Verification Systems in Mobile Apps: A System Perspective.
    Xiaohan Zhang, Haoqi Ye, Ziqi Huang, Xiao Ye, Yinzhi Cao, Yuan Zhang, Min Yang.
    In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2023. [Paper]
  14. AEM: Facilitating Cross-Version Exploitability Assessment of Linux Kernel Vulnerabilities.
    Zheyue Jiang, Yuan Zhang, Jun Xu, Xinqian Sun, Zhuang Liu, Min Yang.
    In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2023. [Paper]
  15. Precise (Un)Affected Version Analysis for Web Vulnerabilities.
    Youkun Shi, Yuan Zhang, Tianhan Luo, Xiangyu Mao, Min Yang.
    In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering (ASE), Ann Arbor, Michigan, United States, October 10-14, 2022. [Paper]
  16. Identity Confusion in WebView-based Mobile App-in-app Ecosystems.
    Lei Zhang, Zhibo Zhang, Ancong Liu, Yinzhi Cao, Xiaohan Zhang, Yanjun Chen, Yuan Zhang, Guangliang Yang, Min Yang.
    In Proceedings of the 31st USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 10-12, 2022. [Distinguished Paper Award] [Paper]
  17. Backporting Security Patches of Web Applications: A Prototype Design and Implementation on Injection Vulnerability Patches.
    Youkun Shi, Yuan Zhang, Tianhan Luo, Xiangyu Mao, Yinzhi Cao, Ziwen Wang, Yudi Zhao, Zongan Huang, Min Yang.
    In Proceedings of the 31st USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 10-12, 2022. [Paper]
  18. Exploit The Last Straw that Breaks Android System.
    Lei Zhang, Keke Lian, Haoyu Xiao, Zhibo Zhang, Peng Liu, Yuan Zhang, Min Yang, Haixin Duan.
    In Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2022. [Paper]
  19. Understanding the Practice of Security Patch Management across Multiple Branches in OSS Projects.
    Xin Tan, Yuan Zhang, Jiajun Cao, Kun Sun, Mi Zhang, Min Yang.
    In Proceedings of the 31st ACM Web Conference (WWW), Lyon, France, April 25–29, 2022. [Paper]
  20. Slowing Down the Aging of Learning-based Malware Detectors with API Knowledge.
    Xiaohan Zhang, Mi Zhang, Yuan Zhang, Ming Zhong, Xin Zhang, Yinzhi Cao, Min Yang.
    In Transactions on Dependable and Secure Computing (TDSC), 2022. [Online]
  21. Refcount Field Identification for Linux Kernel Based on Deep Learning.
    Xin Tan, Xiyu Yang, Jiajun Cao, Yuan Zhang.
    In the International Journal of Software & Informatics (IJSI). 2022, Vol. 12 Issue 3, p309-329.
  22. Locating the Security Patches for Disclosed OSS Vulnerabilities with Vulnerability-Commit Correlation Ranking.
    Xin Tan, Yuan Zhang, Chenyuan Mi, Jiajun Cao, Kun Sun, Yifan Lin, Min Yang.
    In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS), Seoul, South Korea, November 14-19, 2021. [Paper]
  23. Facilitating Vulnerability Assessment through PoC Migration.
    Jiarun Dai, Yuan Zhang, Hailong Xu, Haiming Lyu, Zicheng Wu, Xinyu Xing, Min Yang.
    In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS), Seoul, South Korea, November 14-19, 2021. [Paper]
  24. Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking.
    Xin Tan, Yuan Zhang, Xiyu Yang, Kangjie Lu, Min Yang.
    In Proceedings of the 30th USENIX Security Symposium (USENIX Security), Vancouver, Canada, August 11-13, 2021. [Paper]
  25. Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware.
    Xiaohan Zhang, Yuan Zhang, Ming Zhong, Daizong Ding, Yinzhi Cao, Yukun Zhang, Mi Zhang, Min Yang.
    In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS), Orlando, USA, November 9-13, 2020. [Distinguished Paper Award Nomination] [Paper]
  26. PDiff: Semantic-based Patch Presence Testing for Downstream Kernels.
    Zheyue Jiang, Yuan Zhang, Jun Xu, Qi Wen, Zhenghe Wang, Xiaohan Zhang, Xinyu Xing, Min Yang, Zhemin Yang.
    In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS), Orlando, USA, November 9-13, 2020. [Paper]
  27. BScout: Direct Whole Patch Presence Test for Java Executables.
    Jiarun Dai, Yuan Zhang, Zheyue Jiang, Yingtian Zhou, Junyan Chen, Xinyu Xing, Xiaohan Zhang, Xin Tan, Min Yang, Zhemin Yang.
    In Proceedings of the 29th USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 12-14, 2020. [Paper]
  28. An Ever-evolving Game: Evaluation of Real-world Attacks and Defenses in Ethereum Ecosystem.
    Shunfan Zhou, Zhemin Yang, Jie Xiang, Yinzhi Cao, Min Yang, Yuan Zhang.
    In Proceedings of the 29th USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 12-14, 2020. [Paper]
  29. How Android Developers Handle Evolution-induced API Compatibility Issues: A Large-scale Study.
    Hao Xia, Yuan Zhang, Yingtian Zhou, Xiaoting Chen, Yang Wang, Xiangyu Zhang, Shuaishuai Cui, Gen Hong, Xiaohan Zhang, Min Yang, Zhemin Yang.
    In Proceedings of the 42nd International Conference on Software Engineering (ICSE), Seoul, South Korea, May 23-29, 2020. [Paper]
  30. TextExerciser: Feedback-driven Text Input Exercising for Android Applications.
    Yuyu He, Lei Zhang, Zhemin Yang, Yinzhi Cao, Keke Lian, Shuai Li, Wei Yang, Zhibo Zhang, Min Yang, Yuan Zhang, Haixin Duan.
    In Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 18-20, 2020. [Paper]
  31. Hybrid Malware Detection Approach with Feedback-directed Machine Learning.
    Zhetao Li, Wenlin Li, Fuyuan Lin, Yi Sun, Min Yang, Yuan Zhang, Zhibo Wang.
    In SCIENCE CHINA Information Sciences, Volume 63, Issue 3: 139103 (2020)
  32. App in the Middle : Demystify Application Virtualization in Android and its Security Threats to over 100 Million Users.
    Lei Zhang, Zhemin Yang, Yuyu He, Mingqi Li, Sen Yang, Min Yang, Yuan Zhang, Zhiun Qian.
    In Proceedings of ACM SIGMETRICS / IFIP Performance, Phoenix, Arizona, USA, 2019. [Paper]
  33. How You Get Shot in the Back: A Systematical Study about Cryptojacking in the Real World.
    Geng Hong, Zhemin Yang, Sen Yang, Lei Zhang, Yuhong Nan, Zhibo Zhang, Min Yang, Yuan Zhang, Zhiyun Qian, Haixin Duan.
    In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, October 15-19, 2018. [Paper]
  34. Invetter: Locating Insecure Input Validations in Android Services.
    Lei Zhang, Zhemin Yang, Yuyu He, Zhenyu Zhang, Zhiyun Qian, Geng Hong, Yuan Zhang, Min Yang.
    In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, October 15-19, 2018. [Paper]
  35. An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications.
    Xiaohan Zhang, Yuan Zhang, Qianqian Mo, Hao Xia, Zhemin Yang, Min Yang, Xiaofeng Wang, Long Lu, Haixin Duan.
    In Proceedings of the 27th USENIX Security Symposium (USENIX Security), Baltimore, USA, August 15-17, 2018. [Paper] [Dataset]
  36. Detecting Third-Party Libraries in Android Applications with High Precision and Recall.
    Yuan Zhang, Jiarun Dai, Xiaohan Zhang, Sirong Huang, Zhemin Yang, Min Yang, Hao Chen.
    In Proceedings of IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), Campobasso, Italy, March 20-23, 2018. [Paper] [Source Code]
  37. Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps.
    Yuhong Nan, Zhemin Yang, Xiaofeng Wang, Yuan Zhang, Donglai Zhu, Min Yang.
    In Proceedings of Network and Distributed System Security Symposium (NDSS), San Diego, Feb 18-21, 2018. [Paper]
  38. Identifying User-Input Privacy in Mobile Applications at a Large Scale.
    Yuhong Nan, Zhemin Yang, Min Yang, Shunfan Zhou, Yuan Zhang, Guofei Gu, Xiaofeng Wang, Limin Sun.
    In IEEE Transactions on Information Forensics and Security (TIFS), 2017, 12(3), 647-661. [Paper]
  39. Rethinking Permission Enforcement Mechanism on Mobile Systems.
    Yuan Zhang, Min Yang, Guofei Gu, Hao Chen.
    In IEEE Transactions on Information Forensics and Security (TIFS), 2016, 9(11), 1828-1842. [Paper]
  40. FineDroid: Enforcing Permissions with System-wide Application Execution Context.
    Yuan Zhang, Min Yang, Guofei Gu, Hao Chen.
    In Proceedings of the 11th EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Dallas, TX, October 26-29, 2015. [Paper]
  41. AppCracker: Widespread Vulnerabilities in User and Session Authentication in Mobile Apps.
    Fangda Cai, Hao Chen, Yuanyi Wu, Yuan Zhang.
    In Proceedings of 4th IEEE Mobile Security Technologies (MoST), co-located with IEEE S&P, San Jose, CA, May 21, 2015. [Paper]
  42. Permission Use Analysis for Vetting Undesirable Behaviors in Android Apps.
    Yuan Zhang, Min Yang, Zhemin Yang, Guofei Gu, Peng Ning, Binyu Zang.
    In IEEE Transactions on Information Forensics and Security (TIFS), 2014, 9(11), 1828-1842. [Paper]
  43. AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection.
    Zhemin Yang, Min Yang, Yuan Zhang, Guofei Gu, Peng Ning, X. Sean Wang.
    In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 4-8, 2013. [Paper]
  44. Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis.
    Yuan Zhang, Min Yang, Bingquan Xu, Zhemin Yang, Guofei Gu, Peng Ning, X. Sean Wang, Binyu Zang.
    In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 4-8, 2013. [Paper]
  45. Swift: A Register-based JIT Compiler for Embedded JVMs.
    Yuan Zhang, Min Yang, Bo Zhou, Zhemin Yang, Weihua Zhang, Binyu Zang.
    In Proceedings of the 8th International Conference on Virtual Execution Environments (VEE), London, UK, March 3-4, 2012. [Paper]

Teaching

Undergraduate level:
  • Principles of Reverse Engineering (in School of Computer Science)
    • Spring 2024, Spring 2023, Spring 2022, Spring 2021, Spring 2020, Spring 2019, Spring 2018
  • System Security: Attacks & Defenses (in School of Software)
    • Fall 2023, Fall 2022, Fall 2021, Fall 2020, Fall 2019, Fall 2018, Fall 2017, Fall 2016,
  • Compiler Principles (in School of Software)
    • Fall 2017
Graduate level:
  • Emerging Attack & Defense Techniques (in School of Software)
    • Spring 2024, Spring 2023, Spring 2022, Spring 2021, Spring 2020, Spring 2019
  • Computer Network Security (in School of Software)
    • Spring 2018, Spring 2017, Spring 2016

Services

Organization
  • Session Chair for Inscrypt 2021
  • Session Chair for AsiaCCS 2021
  • Session Chair for NDSS 2021 (AP Replay Session)
  • Organization/Technical Commitee Member of InForSec
Editorial Board:
Technical Program Committee:
  • the 31th ACM Conference on Computer and Communications Security (ACM CCS 2024)
  • the 33rd USENIX Security Symposium (USENIX Security 2024)
  • the 2024 Network and Distributed System Security Symposium (NDSS 2024)
  • the 14th ACM Conference on Data and Application Security and Privacy (CODASPY 2024)
  • ACM Workshop on Secure and Trustworthy Superapps (SaTS 2023)
  • the 25th International Conference on Information and Communications Security (ICICS 2023)
  • the 2023 International Conference on Metaverse Computing, Networking and Applications (MetaCom 2023)
  • the 44th IEEE Symposium on Security and Privacy (S&P 2023)
  • the 32nd USENIX Security Symposium (USENIX Security 2023)
  • the 2023 USENIX Annual Technical Conference (USENIX ATC 2023)
  • the 27th European Symposium on Research in Computer Security (ESORICS 2022)
  • the 43rd IEEE Symposium on Security and Privacy (S&P 2022)
  • the 31st USENIX Security Symposium (USENIX Security 2022)
  • the 31st International World Wide Web Conference (WWW 2022)
  • the 17th ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2022)
  • the 24th International Conference on Information and Communications Security (ICICS 2022)
  • the 26th European Symposium on Research in Computer Security (ESORICS 2021)
  • the 6th IEEE European Symposium on Security and Privacy (EuroS&P 2021)
  • the 11th ACM Conference on Data and Application Security and Privacy (CODASPY 2021)
  • the 16th ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2021)
  • the 23rd International Conference on Information and Communications Security (ICICS 2021)
  • the 16th EAI Conference on Security and Privacy in Communication Networks (SecureComm 2020)
  • the 25th European Symposium on Research in Computer Security (ESORICS 2020)