Picture
I joined Indiana University Bloomington in June 2018 as an Assistant Professor of Computer Science after three years' experience of building large commercial systems at Amazon. Now I'm co-leading the System Security Group at IU. 

​My current research focus is security analysis on IoT and mobile systems (both iOS and Android), which has led to the discovery of many design/logic vulnerabilities on commercial and open-source systems. My research broadly involves protocol design and analysis, program analysis, formal verification, machine learning/NLP, etc. I am among the very first few pioneers in iOS security research (see my papers CCS'20, S&P'16, CCS'15, CCS'13). What my group discovered are typically fundamental design weaknesses (see our media reports and publications), versus implementation bugs/mistakes. With in-depth understanding of systems and innovative, in-depth cause/challenge analysis, we generalize new design principles and develop solutions to protect real systems of Apple, Google, Amazon/AWS, Microsoft, Samsung, IBM, Alibaba, PayPal, Firefox, Tencent and much more. Our research on OSX, iOS, Android, Cloud has been reported by Time, CNN, Forbes, Mirror, Fox News, Yahoo, CNET, The Register, Sina, 163, Sohu and more.

Research Areas & Interests:
  • IoT and mobile systems security: [CCS'20-1][CCS'20-3][Security'20][S&P'20][CCS'17][S&P'16][CCS'15][S&P'14][CCS'14][CCS'13]
    • formal verification & program analysis & reverse engineering
    • new attacks/vulnerabilities and defenses
  • Web services and payment systems (PayPal, Alipay, etc.): [Security'19][NDSS'13]
    • machine learning & NLP ​
    • new attacks and defenses
  • Cyber crime, smart contracts: [Security'21][S&P'16-2][CCS'16-1][CCS'16-2]
  • Discovering security and privacy issues combining NLP with program analysis: ​[CCS'20-2]

Our group is looking for highly motivated PhD students who are interested in system security and privacy. Don't hesitate to send me an email if you want to do high-impact research. 

News​​​
  • (9/23/2020) Our work that studies the app-in-app paradigm (a.k.a. mini programs, Snap minis, iMessage apps, etc.) is accepted to Black Hat (europe) 2020. The emerging paradigm is seen in many popular social computing apps, e.g., Snapchat, Facebook, TikTok, iMessages, Wechat, Kodi, etc.
  • (9/8/2020) Our paper that introduces the first systematic, automatic analysis on Apple kernel drivers is accepted to CCS 2020. 
  • (9/8/2020) Our paper that detects API misuses based on automatic NLP-based document analysis is accepted to CCS 2020.
  • (6/15/2020) Our work that sheds lights on new security risks in IoT access delegation will appear in Usenix Security 2020.
  • (6/5/2020) Congrats to our student Haoran Lu (co-advised with Prof. Xiaojing Liao), who publishes his first paper (as the first author) at CCS (2020).
  • (3/29/2020) Apple acknowledged two macOS kernel vulnerabilities we found, with new CVE-2020-3851. See Apple security updates.
  • (2/7/2020) Wired reported my recent work that caught a real-world cybercrime of Facebook data stealing.
  • (2/7/2020) Facebook Bug Bounty Program highlighted the work of my team in its official 2019 (annual) review report.
  • (1/27/2020) Apple assigned two CVEs for kernel vulnerabilities we discovered, which allow user-space applications on iOS/iPadOS/tvOS to execute arbitrary code with kernel privileges: CVE-2020-3834, CVE-2020-3858.
  • (1/1/2020) My group received a total of $44,000+ bug bounties in 2019.
  • (12/30/2019) Google awarded us $5,000 bug bounty for discovering malicious SDKs.
  • (12/29/2019) Samsung awarded us another $1,000 bug bounty for discovering security flaws in its IoT cloud platform, Samsung SmartThings.
  • (12/10/2019) Apple acknowledged kernel bug (CVE-2019-8836) we discovered, which affects iOS/iPadOS/watchOS/tvOS (see Apple security updates for iOS/iPadOS,  tvOS/watchOS).
  • (12/6/2019) I will serve on the Program Committee of ACM CCS 2020.
  • (12/5/2019) Facebook awarded my group $30,000 as bug bounty, for our report of real-world cyber crime that steals Facebook user OAuth token/PII.
  • (11/26/2019) Samsung awarded us $1,000 for discovering security flaws in its IoT cloud platform, Samsung SmartThings.
  • (11/26/2019) Microsoft acknowledged me and my students on its monthly Online Service Acknowledgements for finding security flaws in Azure IoT cloud.
  • (11/19/2019) Twitter awarded us $560 for discovering new attacks against Twitter users in the wild.
  • (10/22/2019) Microsoft awarded us $4000 for discovering security flaw in Azure IoT Hub.
  • (10/1/2019) The paper I advised, that discovers new design flaws in IoT messaging protocol is accepted by IEEE S&P (Oakland) 2020.
  • (9/25/2019) Our IoT security research is accepted by Black Hat (Europe) 2019. See the presentation.
  • (8/14/2019) Apple acknowledged our reported vulnerability on Safari. 
  • (8/2/2019) Tencent acknowledged our reported vulnerability on Wechat. 
  • (8/2/2019) Opera puts my students and my names on its hall of fame for our vulnerability finding. 
  • (7/11/2019) Philips acknowledged our reported vulnerability on HUE, their IoT platform. 
  • (6/20/2019) Chrome acknowledged our reported vulnerability with CVE-2019-5767. Also see the chromium bug page
  • (6/20/2019) Samsung acknowledged our reported vulnerability on SmartThings, their IoT platform. 
  • (6/1/2019) Microsoft awarded us $2500 for discovering security flaw in Azure IoT.
  • (6/1/2019) Suning awarded us $300 for discovering security flaw in Suning IoT cloud.
  • (6/1/2019) The first paper I advised after 3 years in industry, to automatically discover logic flaws in online payment services, will appear in Usenix Security 2019.
  • (5/29/2019) Will serve on the Program Committee of NDSS 2020.
  • (5/20/2019) I am awarded by Faculty Research Support Program of Indiana University for IoT logic flaw research.
  • (12/1/2018) My students and I are awarded by Chrome for new logic flaw discovery.
  • (11/12/2018) Will serve on the Program Committee of ACM CCS 2019.
  • (7/1/2018) Will serve on the Program Committee of NDSS 2019.
  • (6/18/2018) Joined Indiana University Bloomington as Assistant Professor of Computer Science.
  • (9/18/2017) Transferred to AWS Security, Amazon, Inc.
  • (7/30/16) Forbes reported our attack on Apple airdrop.
  • (7/2/16) Will speak at Blackhat 2016!
  • (2/9/16) We have two papers accepted by Oakland 2016.
  • (12/8/15) Apple acknowledged our security reports with CVE-2015-7045.
  • (11/23/15) Start to work at Information Security, Amazon, Inc..
  • (10/25/15) Our Apple attack paper is among top 10 finalists of CSAW Best Paper Award.
  • (10/6/15) I will serve on the Student PC of Oakland 2016.
  • (9/30/15) Forbes, Threatpost, appleinsider follow up with our discovered XARA vulnerabilities.
  • (9/29/15) Apple acknowledged our security report with CVE-2015-5836.
  • (9/16/15) Apple acknowledged our security report with CVE-2015-5835.
  • (8/28/15) Our System Security Lab is among top 5 in the world.
  • (8/13/15) Apple acknowledged our security report with CVE-2015-3786
  • (8/10/15) Our attack paper on OSX and iOS (XARA vulnerabilities) will appear in CCS 2015.
  • (7/16/15) Evernote acknowledged our names on their Security Hall of Fame.  
  • (7/1/15) Android/Google acknowledged our names on their Android Security Acknowledgements.
  • (10/24/14) Our attack paper on Android Push messaging will appear in CCS 2014.
  • (4/25/14) Got the third place in National Security Innovation Competition 2014 after competing with teams from 112 universities/organizations.
  • (3/20/14) Forbes.comYahoo and many other news agencies reported our research on Android update vulnerabilities.
  • (2/03/14) Our attack paper on Android OS update is accepted by IEEE Symposium on Security and Privacy 2014.