I am an Associate Professor in the Department of Computer Science at Indiana University Bloomington. I joined IU in 2018 after a few years of experience building large commercial systems at Amazon/AWS. I now direct the System Security Foundations lab at IU. I am a recipient of the Outstanding Junior Faculty Award of Indiana University Bloomington (class of 2024), an NSF CAREER award (2021, cloud-based IoT systems security), a Facebook Research Award (2021, Privacy Enhancing Technologies), 5 Facebook Whitehat awards (2012, 2013, 2020, 2021), a Google Developer Data Protection award (2019), a Microsoft Whitehat award (2019), Android Security Acknowledgements (2013 - 2016, 2018), and Apple Security Acknowledgements (2015, 2019, 2020), among others.
Research I led has significantly and extensively changed security design (access control, authentication) in apps/systems that people use every day, across Android, iOS/iPadOS/macOS, Chrome, Apple Home (HomeKit), Google Home, SmartThings, Facebook, AWS IoT, Azure IoT, etc., which have implemented and deployed our security designs/protections. My research features formal methods and guarantees for security and privacy compliance in systems, in particular IoT, cloud, mobile, and the software supply chain. My research has led to the discovery of 60+ new types of vulnerabilities in the design of commercial and open-source systems, uncovering novel attack techniques. What my group focuses on are typically fundamental design challenges (see our media reports and publications), rather than implementation bugs/mistakes. Our research has been reported by Time, CNN, Forbes, Mirror, Fox News, Yahoo, CNET, The Register, and more.
Research Areas & Interests:
- IoT systems: [Oakland'24][Security'23-IoTProfiler][CCS'22-PVerifier][CCS'22-MaaGIoT][CCS'21-DMC][Security'20-VerioT][S&P'20-MQTT][S&P'16-ZeroConfig][BlackHat23][BlackHat22-Europe][BlackHat22-Asia][BlackHat21][BlackHat20][BlackHat19]
- Privacy violation/compliance: [Security'24][NDSS'24][Security'23-Lalaine][Security'23-IoTProfiler][Security'22-RTBF][Security'21-XLDH]
- AI/NLP for security and privacy: [CCS'23][Security'23-LalaineNLP][Security'21-DEFIER][Security'21-tosNLP][CCS'20-iDEA][CCS'20-apiNLP][Security'19-paymentNLP]
- iOS systems: [CCS'20-iDEA][CCS'20-app-in-app][S&P'16-ZeroConfig][CCS'15-XARA][CCS'13-MobileOrigin][BlackHat16]
- Android systems: [CCS'20-app-in-app][Security'19][CCS'17-DeepLink][S&P'14-Pileup][CCS'14-PushMessaging][CCS'13-MobileOrigin]
- Cybercrime: [S&P'22-devops][Security'21-DEFIER][S&P'16-SEISE][CCS'16-iACE][CCS'16-Lurking]
- Web security: [CCS'20-app-in-app][Security'19][S&P'14-Pileup][CCS'13-MobileOrigin] [NDSS'13]
News
- (5/13/2024) I received the Outstanding Junior Faculty Award of Indiana University Bloomington (class of 2024), among five awardees.
- (5/1/2024) I will speak at IEEE S&P '24.
- (5/1/2024) I joined the PC of PETS 2025.
- (4/1/2024) I am promoted to Associate Professor at IU (effective 7/1/2024).
- (2/26/2024) Together with Prof. L Jean Camp, I founded and organized the Workshop on Security and Privacy in Standardized IoT, co-located with NDSS '24 (SDIoTSec '24), to promote security research in IoT standards and standardized IoT.
- (3/9/2023) Will join PC of PETS 2024!
- (3/1/2023) Will speak at Black Hat Asia 2023.
- (10/21/2023) Will join PC of WiSec 2023.
- (9/15/2022) Our IoT access-control research based on formal methods is accepted at Black Hat 22 (Europe). See the link. Congrats to my students Ze Jin and Yiwei who will present.
- (8/26/2022) Two IoT security papers to appear at ACM CCS 2022 (both focus on novel vulnerabilities/defenses: one based on formal reasoning, the other armed with formal proofs). Congrats to my students.
- (1/24/2022) I received an NSF CAREER award to investigate security of cloud-based IoT systems with novel formal methods.
- (7/2021) I received a Facebook research award (2021, Privacy Enhancing Technologies) to investigate cross-library data harvesting (XLDH) cybercrime. Our preliminary work entitled "Understanding Malicious Cross-library Data Harvesting on Android" is published at Usenix Security 2021.
- (6/9/2021) I received an NSF award (lead-PI) to further improve our formal verification tool named "VerioT" (see our Usenix Security 2020 paper) dedicated for verifying IoT protocols in real systems. The project is entitled "FMitF: Track II: Usability, Scalability, and Deployment Improvement of VerioT."
- (1/2021) I will serve on the TPC of ACM WiSec 2021.
- (9/23/2020) Our work that studies the app-in-app paradigm (a.k.a. mini programs, Snap Minis, iMessage apps, etc.) is accepted to Black Hat (Europe) 2020. The emerging paradigm is seen in many popular social computing apps, e.g., Snapchat, Facebook, TikTok, iMessage, WeChat, Kodi, etc.
- (9/8/2020) Our paper that introduces the first systematic, automatic analysis on Apple kernel drivers is accepted to CCS 2020.
- (9/8/2020) Our paper that detects API misuses based on automatic NLP-based document analysis is accepted to CCS 2020.
- (6/15/2020) Our work that sheds light on new security risks in IoT access delegation will appear in Usenix Security 2020.
- (6/5/2020) Congrats to our student Haoran Lu (co-advised with Prof. Xiaojing Liao), who published his first paper (as the first author) at CCS (2020).
- (3/29/2020) Apple acknowledged two macOS kernel vulnerabilities we found, with a new CVE, CVE-2020-3851. See Apple security updates.
- (2/7/2020) Wired reported my recent work that caught a real-world cybercrime of Facebook data stealing.
- (2/7/2020) Facebook Bug Bounty Program highlighted the work of my team in its official 2019 (annual) review report.
- (1/27/2020) Apple assigned two CVEs for kernel vulnerabilities we discovered, which allow user-space applications on iOS/iPadOS/tvOS to execute arbitrary code with kernel privileges: CVE-2020-3834, CVE-2020-3858.
- (1/1/2020) My group received a total of $44,000+ bug bounties in 2019.
- (12/30/2019) Google awarded us $5,000 bug bounty for discovering malicious SDKs.
- (12/29/2019) Samsung awarded us another $1,000 bug bounty for discovering security flaws in its IoT cloud platform, Samsung SmartThings.
- (12/10/2019) Apple acknowledged kernel bug (CVE-2019-8836) we discovered, which affects iOS/iPadOS/watchOS/tvOS (see Apple security updates for iOS/iPadOS, tvOS/watchOS).
- (12/6/2019) I will serve on the Program Committee of ACM CCS 2020.
- (12/5/2019) Facebook awarded my group a $30,000 bug bounty for our report of a real-world cybercrime that steals Facebook user OAuth tokens/PII.
- (11/26/2019) Samsung awarded us $1,000 for discovering security flaws in its IoT cloud platform, Samsung SmartThings.
- (11/26/2019) Microsoft acknowledged me and my students on its monthly Online Service Acknowledgements for finding security flaws in Azure IoT cloud.
- (11/19/2019) Twitter awarded us $560 for discovering new attacks against Twitter users in the wild.
- (10/22/2019) Microsoft awarded us $4,000 for discovering a security flaw in Azure IoT Hub.
- (10/1/2019) The paper I advised, which discovers new design flaws in an IoT messaging protocol, is accepted by IEEE S&P (Oakland) 2020.
- (9/25/2019) Our IoT security research is accepted by Black Hat (Europe) 2019. See the presentation.
- (8/14/2019) Apple acknowledged our reported vulnerability on Safari.
- (8/2/2019) Tencent acknowledged our reported vulnerability on Wechat.
- (8/2/2019) Opera put my students' names and mine on its hall of fame for our vulnerability finding.
- (7/11/2019) Philips acknowledged our reported vulnerability on HUE, their IoT platform.
- (6/20/2019) Chrome acknowledged our reported vulnerability with CVE-2019-5767. Also see the chromium bug page.
- (6/20/2019) Samsung acknowledged our reported vulnerability on SmartThings, their IoT platform.
- (6/1/2019) Microsoft awarded us $2,500 for discovering a security flaw in Azure IoT.
- (6/1/2019) Suning awarded us $300 for discovering a security flaw in the Suning IoT cloud.
- (6/1/2019) The first paper I advised after 3 years in industry, which automatically discovers logic flaws in online payment services, will appear in Usenix Security 2019.
- (5/29/2019) Will serve on the Program Committee of NDSS 2020.
- (5/20/2019) I received an award from the Faculty Research Support Program of Indiana University for IoT logic flaw research.
- (12/1/2018) My students and I received an award from Chrome for a new logic flaw discovery.
- (11/12/2018) Will serve on the Program Committee of ACM CCS 2019.
- (7/1/2018) Will serve on the Program Committee of NDSS 2019.
- (6/18/2018) Joined Indiana University Bloomington as Assistant Professor of Computer Science.
- (9/18/2017) Transferred to AWS Security, Amazon, Inc.
- (7/30/16) Forbes reported our attack on Apple AirDrop.
- (7/2/16) Will speak at Blackhat 2016!
- (2/9/16) We have two papers accepted by Oakland 2016.
- (12/8/15) Apple acknowledged our security reports with CVE-2015-7045.
- (11/23/15) Started working at Information Security, Amazon, Inc.
- (10/25/15) Our Apple attack paper is among top 10 finalists of CSAW Best Paper Award.
- (10/6/15) I will serve on the Student PC of Oakland 2016.
- (9/30/15) Forbes, Threatpost, and AppleInsider followed up on our discovered XARA vulnerabilities.
- (9/29/15) Apple acknowledged our security report with CVE-2015-5836.
- (9/16/15) Apple acknowledged our security report with CVE-2015-5835.
- (8/28/15) Our System Security Lab is among the top 5 in the world.
- (8/13/15) Apple acknowledged our security report with CVE-2015-3786.
- (8/10/15) Our attack paper on OSX and iOS (XARA vulnerabilities) will appear in CCS 2015.
- (7/16/15) Evernote acknowledged us by name on its Security Hall of Fame.
- (7/1/15) Android/Google acknowledged us by name in the Android Security Acknowledgements.
- (10/24/14) Our attack paper on Android Push messaging will appear in CCS 2014.
- (4/25/14) Got third place in the National Security Innovation Competition 2014 after competing with teams from 112 universities/organizations.
- (3/20/14) Forbes.com, Yahoo and many other news agencies reported our research on Android update vulnerabilities.
- (2/03/14) Our attack paper on Android OS update is accepted by IEEE Symposium on Security and Privacy 2014.