I am an Associate Professor in the School of Computer Science of Fudan University. I co-direct the System Software and Security Laboratory of Fudan University. I am also the co-founder and the coach of a great CTF Team in Fudan University, named Whitzard. We took part in many great world-wide CTF competitions and won good places.
I aim to do relevant and reasonable system research. My research interests span all areas in system security especially on widely-deployed and critical targets, while currently focusing on open-source software, kernels, Android/Web platforms.
My research covers a wide range of topics, including vulnerability discovery/exploitation/mitigation, malware/attack detection, privacy protection. To address these problems, we usually use multi-disciplined techniques such as Program Analysis, Machine/Deep Learning, NLP.
To prospective students/post-doctors: If you are interested in our research, please feel free to reach out.
Email: yuanxzhang [AT] fudan.edu.cn
Office (Jiangwan Campus): Room D6011, NO.2 Interdisciplinary Building, NO.2005 Songhu Road, Yangpu District, Shanghai
News
- [Jan, 2023] I will join the TPC of ICICS 2023. Welcome to submit!
- [Dec, 2022] One paper accepted by USENIX Security 2023. Congrats altman!
- [Oct, 2022] I will join the TPC of IEEE MetaCom 2023. Welcome to submit!
- [Aug, 2022] Our mobile app-in-app paper received Distinguished Paper Award at USENIX Security 2022!
- [July, 2022] One paper accepted by ASE 2022. Congrats Youkun, Tianhan, and Xiangyu!
- [Jun, 2022] One paper accepted by IEEE S&P 2023. Congrats Zheyue, Xinqian, and Zhuang!
- [Jun, 2022] I will join the TPC of USENIX ATC 2023. Welcome to submit!
- [Feb, 2022] I will join the TPC of USENIX Security 2023. Welcome to submit!
- [Feb, 2022] I will join the TPC of IEEE S&P 2023. Welcome to submit!
- [Feb, 2022] One paper accepted by USENIX Security 2022. Congrats Lei & Zhibo!
- [Jan, 2022] One paper accepted by WWW 2022. Congrats Xin & Jiajun!
- [Jan, 2022] One paper accepted by IEEE TDSC. Congrats Xiaohan!
- [Jan, 2022] Join the TPC of ESORICS 2022. We have two submission cycles this year (Jan 31 and May 22). Welcome to submit!
Background
- 2017.12~now, Fudan University, School of Computer Science, Associate Professor
- 2014.07~2017.11, Fudan University, School of Computer Science, Assistant Professor
- 2009.09~2014.06, Fudan University, School of Computer Science, Ph.D
- 2005.09~2009.06, Nanjing University, Software Institute, B.Eng
Publications
-
Remote Code Execution from SSTI in the Sandbox: Automatically Detecting and Exploiting Template Escape Bugs.In Proceedings of the 32nd USENIX Security Symposium (USENIX Security), Anaheim, CA, USA, August 9-11, 2023 (coming soon).
-
AEM: Facilitating Cross-Version Exploitability Assessment of Linux Kernel Vulnerabilities.In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2023. [Paper]
-
Precise (Un)Affected Version Analysis for Web Vulnerabilities.In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering (ASE), Ann Arbor, Michigan, United States, October 10-14, 2022. [Paper]
-
Identity Confusion in WebView-based Mobile App-in-app Ecosystems.In Proceedings of the 31st USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 10-12, 2022. [Distinguished Paper Award] [Paper]
-
Backporting Security Patches of Web Applications: A Prototype Design and Implementation on Injection Vulnerability Patches.In Proceedings of the 31st USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 10-12, 2022. [Paper]
-
Exploit The Last Straw that Breaks Android System.In Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2022. [Paper]
-
Understanding the Practice of Security Patch Management across Multiple Branches in OSS Projects.In Proceedings of the 31st ACM Web Conference (WWW), Lyon, France, April 25–29, 2022. [Paper]
-
Slowing Down the Aging of Learning-based Malware Detectors with API Knowledge.In Transactions on Dependable and Secure Computing (TDSC), 2022. [Online]
-
Refcount Field Identification for Linux Kernel Based on Deep Learning.In the International Journal of Software & Informatics (IJSI). 2022, Vol. 12 Issue 3, p309-329.
-
Locating the Security Patches for Disclosed OSS Vulnerabilities with Vulnerability-Commit Correlation Ranking.In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS), Seoul, South Korea, November 14-19, 2021. [Paper]
-
Facilitating Vulnerability Assessment through PoC Migration.In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS), Seoul, South Korea, November 14-19, 2021. [Paper]
-
Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking.In Proceedings of the 30th USENIX Security Symposium (USENIX Security), Vancouver, Canada, August 11-13, 2021. [Paper]
-
Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware.In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS), Orlando, USA, November 9-13, 2020. [Distinguished Paper Award Nomination] [Paper]
-
PDiff: Semantic-based Patch Presence Testing for Downstream Kernels.In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS), Orlando, USA, November 9-13, 2020. [Paper]
-
BScout: Direct Whole Patch Presence Test for Java Executables.In Proceedings of the 29th USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 12-14, 2020. [Paper]
-
An Ever-evolving Game: Evaluation of Real-world Attacks and Defenses in Ethereum Ecosystem.In Proceedings of the 29th USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 12-14, 2020. [Paper]
-
How Android Developers Handle Evolution-induced API Compatibility Issues: A Large-scale Study.In Proceedings of the 42nd International Conference on Software Engineering (ICSE), Seoul, South Korea, May 23-29, 2020. [Paper]
-
TextExerciser: Feedback-driven Text Input Exercising for Android Applications.In Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 18-20, 2020. [Paper]
-
Hybrid Malware Detection Approach with Feedback-directed Machine Learning.In SCIENCE CHINA Information Sciences, Volume 63, Issue 3: 139103 (2020)
-
App in the Middle : Demystify Application Virtualization in Android and its Security Threats to over 100 Million Users.In Proceedings of ACM SIGMETRICS / IFIP Performance, Phoenix, Arizona, USA, 2019. [Paper]
-
How You Get Shot in the Back: A Systematical Study about Cryptojacking in the Real World.In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, October 15-19, 2018. [Paper]
-
Invetter: Locating Insecure Input Validations in Android Services.In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, October 15-19, 2018. [Paper]
-
An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications.
-
Detecting Third-Party Libraries in Android Applications with High Precision and Recall.In Proceedings of IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), Campobasso, Italy, March 20-23, 2018. [Paper] [Source Code]
-
Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps.In Proceedings of Network and Distributed System Security Symposium (NDSS), San Diego, Feb 18-21, 2018. [Paper]
-
Identifying User-Input Privacy in Mobile Applications at a Large Scale.In IEEE Transactions on Information Forensics and Security (TIFS), 2017, 12(3), 647-661. [Paper]
-
Rethinking Permission Enforcement Mechanism on Mobile Systems.In IEEE Transactions on Information Forensics and Security (TIFS), 2016, 9(11), 1828-1842. [Paper]
-
FineDroid: Enforcing Permissions with System-wide Application Execution Context.In Proceedings of the 11th EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Dallas, TX, October 26-29, 2015. [Paper]
-
AppCracker: Widespread Vulnerabilities in User and Session Authentication in Mobile Apps.In Proceedings of 4th IEEE Mobile Security Technologies (MoST), co-located with IEEE S&P, San Jose, CA, May 21, 2015. [Paper]
-
Permission Use Analysis for Vetting Undesirable Behaviors in Android Apps.In IEEE Transactions on Information Forensics and Security (TIFS), 2014, 9(11), 1828-1842. [Paper]
-
AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection.In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 4-8, 2013. [Paper]
-
Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis.In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 4-8, 2013. [Paper]
-
Swift: A Register-based JIT Compiler for Embedded JVMs.In Proceedings of the 8th International Conference on Virtual Execution Environments (VEE), London, UK, March 3-4, 2012. [Paper]
Teaching
- Principles of Reverse Engineering (in School of Computer Science)
- Spring 2018, Spring 2019, Spring 2020, Spring 2021, Spring 2022, Spring 2023
- System Security: Attacks & Defenses (in School of Software)
- Fall 2016, Fall 2017, Fall 2018, Fall 2019, Fall 2020, Fall 2021, Fall 2022
- Compiler Principles (in School of Software)
- Fall 2017
- Emerging Attack & Defense Techniques (in School of Software)
- Spring 2019, Spring 2020, Spring 2021, Spring 2022, Spring 2023
- Computer Network Security (in School of Software)
- Spring 2016, Spring 2017, Spring 2018
Services
- Session Chair for Inscrypt 2021
- Session Chair for AsiaCCS 2021
- Session Chair for NDSS 2021 (AP Replay Session)
- Organization/Technical Commitee Member of InForSec
- the 25th International Conference on Information and Communications Security (ICICS 2023)
- the 2023 International Conference on Metaverse Computing, Networking and Applications (MetaCom 2023)
- the 44th IEEE Symposium on Security and Privacy (S&P 2023)
- the 32nd USENIX Security Symposium (USENIX Security 2023)
- the 2023 USENIX Annual Technical Conference (USENIX ATC 2023)
- the 27th European Symposium on Research in Computer Security (ESORICS 2022)
- the 43rd IEEE Symposium on Security and Privacy (S&P 2022)
- the 31st USENIX Security Symposium (USENIX Security 2022)
- the 31st International World Wide Web Conference (WWW 2022)
- the 17th ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2022)
- the 24th International Conference on Information and Communications Security (ICICS 2022)
- the 26th European Symposium on Research in Computer Security (ESORICS 2021)
- the 6th IEEE European Symposium on Security and Privacy (EuroS&P 2021)
- the 11th ACM Conference on Data and Application Security and Privacy (CODASPY 2021)
- the 16th ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2021)
- the 23rd International Conference on Information and Communications Security (ICICS 2021)
- the 16th EAI Conference on Security and Privacy in Communication Networks (SecureComm 2020)
- the 25th European Symposium on Research in Computer Security (ESORICS 2020)
- Empirical Software Engineering (EMSE), 2021-now
- Journal of Software (Special Issue: System Software Security Track, in Chinese), 2021
- IEEE Transactions on Software Engineering (TSE) 2023
- IEEE Transactions on Dependable and Secure Computing (TDSC) 2018, 2019, 2021, 2022
- Computer & Security 2016, 2017, 2018, 2019, 2020, 2021, 2022
- Journal of Software 2016, 2017, 2018, 2019, 2020, 2021, 2022
- IEEE Transactions on Computers (TC) 2021
- IEEE Transactions on Network and Service Management 2020
- Computer Communications 2020
- IEEE Transactions on Mobile Computing (TMC) 2016
- ACM Transactions on Information Systems (TOIS) 2016
- SCIENCE CHINA Information Sciences 2016
- IEEE Transactions on Information Forensics and Security (TIFS) 2015