Dr. Luyi Xing
I published more than 20 papers in top-tier security conferences: IEEE S&P, ACM CCS, Usenix Security, and NDSS. 

I have long been an active speaker and participant in the international hacking community, with 6 works presented at Black Hat (the most prestigious security conference in the hacking community and industry).

Conferences:


[30] Usenix Security'23
Y. Nan, X. Wang, L. Xing, X. Liao, R. Wu, J. W, Y. Zhang, X. Wang. "Are You Spying on Me? Large-Scale Analysis on IoT Data Exposure through Companion Apps." To appear in the proceedings of Usenix Security 2023.

[29] CCS'22
Luyi Xing, Ze Jin (co-first author), Y. Fang, Y. Jia, B. Yuan, Q. Liu. "Understanding and Mitigating Security Risks in Cloud-based IoT Access Policies." To appear at ACM CCS 2022.
[pdf-preview]

[28] CCS'22
X. Zhou, J. Guan, L. Xing, Z. Qian. "Perils and Mitigation of Security Risks of Cooperation in Mobile-as-a-Gateway IoT." To appear at ACM CCS 2022.
[pdf]

[27] Usenix Security'22
Y. Liu, Y. Jia, Q. Tan, Z. Liu, L. Xing. "How Are Your Zombie Accounts? Understanding Users’ Practices and Expectations on Mobile App Account Deletion." To appear in the proceedings of Usenix Security 2022.
[pdf]


[26] S&P'22 (Oakland)
Z. Li, W. Liu, H. Chen, X. Wang, X. Liao, L. Xing, M. Zha, H. Jin, D. Zou. "Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms." To appear in IEEE Symposium on Security and Privacy (Oakland), 2022.
(The first author was my visiting student.)

[25] Black Hat'22
Z. Jin, Y. Fang, Y. Jia, B. Yuan, Q. Liu, L. Xing. "IoT Manufacturers' New Nightmare: Design Flaws and Deployment Chaos in Cloud-based IoT Access Control Policies." To appear at Black Hat (Europe) 2022.
(The first author is my student) [link]

[24] Black Hat'22
Y. Jia, B. Yan, L. Xing. "Codema Attack: Controlling Your Smart Home Through Dangling Management Channels". Black Hat (Asia) 2022. (link)
(The first two authors are my students.)

[23] CCS'21
Y. Jia, B. Yan, L. Xing, D. Zhao, X. Wang, Y. Zhang, Y. Liu, K. Zheng, Y. Zhang, D. Zou, H. Jin. "Who's In Control? On Security Risks of Disjointed IoT Device Management Channels". To appear in ACM CCS 2021.
[pdf][attack video demos][CGuard source code]
(The first two authors are my students.)

[22] Black Hat'21
Bin Yuan, Yan Jia, Dongfang Zhao, Luyi Xing. "How I Can Unlock Your Smart Door: Security Pitfalls in Cross-Vendor IoT Access Control". To appear in Black Hat Asia 2021. 
(The first two authors are my students.)

[21] Usenix Security'21
Liya Su, Xinyue Shen,  Xiangyu Du, Xiaojing Liao, XiaoFeng Wang,  Luyi Xing, Baoxu Liu. "Evil Under the Sun: Understanding and Discovering Attacks on Ethereum Decentralized Applications". To appear in the proceedings of Usenix Security 2021.

[20] Usenix Security'21
Jice Wang, Yue Xiao (co-first author), Xueqiang Wang, Yuhong Nan, Luyi Xing*, Xiaojing Liao*, JinWei Dong, Nicolas Serrano, Haoran Lu, XiaoFeng Wang, Yuqing Zhang. "Understanding Malicious Cross-library Data Harvesting on Android." To appear in the Proceedings of USENIX Security Symposium (Security), 2021.
[pdf][open-source NLP tool to analyze Terms of Service of top 40 mobile SDK vendors]
(The first two authors are my students.)

[19] Black Hat'20
Haoran Lu, Luyi Xing, Xiaojing Liao. "Design Pitfalls in Commercial Mini-Programs on Android and iOS". Black Hat Europe 2020.

[18] CCS'20
Xiaolong Bai, Luyi Xing*, Min Zheng, Fuping Qu. "iDEA: Towards Static Analysis on the Security of Apple Kernel Drivers". To appear in the ACM Conference on Computer and Communications Security (CCS), 2020.
[pdf] [source code -- 15K lines of code for the static analysis of Apple driver binaries]
(* Corresponding author.)

[17] CCS'20
Tao Lv, Ruishi Li, Yi Yang, Kai Chen, Xiaojing Liao, XiaoFeng Wang, Peiwei Hu, Luyi Xing. "RTFM! Automatic Assumption Discovery and Verification Derivation from Library Document for API Misuse Detection". To appear in the ACM Conference on Computer and Communications Security (CCS), 2020.
[pdf]

[16] CCS'20
Haoran Lu, Luyi Xing*, Yue Xiao, Yifan Zhang, Xiaojing Liao, Xiaofeng Wang, Xueqiang Wang.
"Demystifying Resource Management Risks in Emerging Mobile App-in-App Ecosystems." To appear in the ACM Conference on Computer and Communications Security (CCS), 2020.
[pdf, attack demos, source code]
(* Corresponding author.) 
(The first author is my student co-advised by Xiaojing.)

[15] Usenix Security'20
Bin Yuan, Yan Jia, Luyi Xing*, Dongfang Zhao, Xiaofeng Wang, Deqing Zou, Hai Jin, Yuqing Zhang.
"Shattered Chain of Trust: Understanding Security Risks in Cross-Cloud IoT Access Delegation." The 28th USENIX Security Symposium, 2020.
[pdf, attack demos, source code]
(* Corresponding author)
(The first two authors are my students.)

[14] S&P'20 (Oakland)
Yan Jia, Luyi Xing, Yuhang Mao, Dongfang Zhao, Xiaofeng Wang, Shangru Zhao, Yuqing Zhang.
"Burglars’ IoT Paradise: Understanding and Mitigating Security Risks of General Messaging Protocols on IoT Clouds". The 41st IEEE Symposium on Security and Privacy (Oakland), 2020.
[pdf, attack demos, source code]
(The first author is my student.)


[13] Usenix Security'19
Yi Chen, Luyi Xing, Yue Qin, Xiaojing Liao, XiaoFeng Wang, Kai Chen, Wei Zou.
"Devils in the Guidance: Predicting Logic Vulnerabilities in Payment Syndication Services through Automated Documentation Analysis". The 28th USENIX Security Symposium, 2019.
[pdf, bibtex, attack demos, source code]
(This paper was done mainly under my supervision (attack part) and Xiaojing's supervision (NLP part).)


[12] Black Hat'19
Yan Jia, Luyi Xing.
"Sneak into Your Room: Security Holes in the Integration and Management of Messaging Protocols on Commercial IoT Clouds".
(The first author is my student.)
 
Research Gap:
From Nov., 2015 to Jun., 2018, I was away from academia, focusing on engineering large commercial systems at AWS and Amazon.com.

[11] CCS'17
Tongxin Li, Xueqiang Wang, Mingming Zha, Kai Chen, XiaoFeng Wang, Luyi Xing, Xiaolong Bai, Nan Zhang, Xinhui Han. "Unleashing the Walking Dead: Understanding Cross-App Remote Infections on Mobile WebViews."
The ACM Conference on Computer and Communications Security (CCS), 2017.
[pdf, bibtex, attack demos]

[10] BlackHat'16
Luyi Xing, Xiaolong Bai. 
"Discovering and Exploiting Novel Security Vulnerabilities in Apple ZeroConf."

[9] CCS'16
Xiaojing Liao, Sumach Alrwais, Kan Yuan, Luyi Xing, XiaoFeng Wang, Shuang Hao, and Raheem Beyah.
"Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service."
The ACM Conference on Computer and Communications Security (CCS), 2016.
[pdf, bibtex]

[8] CCS'16
Xiaojing Liao, Kan Yuan, XiaoFeng Wang, Zhou Li, Luyi Xing, and Raheem Beyah.
"Acing the IOC Game: Toward Automatic Discovery and Analysis of Open-Source Cyber Threat Intelligence."
The ACM Conference on Computer and Communications Security (CCS), 2016.
[pdf, bibtex]

[7] S&P'16 (Oakland)
Luyi Xing, Xiaolong Bai (co-first author), Nan Zhang, XiaoFeng Wang, Xiaojing Liao, Tongxin Li and Shi-min Hu.
"Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf."
The 37th IEEE Symposium on Security and Privacy (IEEE S&P) 2016. 
[pdf, bibtex, attack demos]

[6] S&P'16 (Oakland)
Xiaojing Liao, K. Yuan, X. Wang, Z. Pei, H. Yang, J. Chen, H. Duan, K. Du, E. Alowaisheq, S. Alrwais, Luyi Xing and R. Beyah.
"Seeking Nonsense, Looking for Trouble: Efficient Promotional-Infection Detection through Semantic Inconsistency Search".
The 37th IEEE Symposium on Security and Privacy (IEEE S&P) 2016.
[pdf, bibtex] 

[5] CCS'15.
Luyi Xing, Xiaolong Bai, Tongxin Li, XiaoFeng Wang, Kai Chen, Xiaojing Liao, Shi-min Hu, Xinhui Han. 
"Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS." 
The 22nd ACM Conference on Computer and Communications Security (CCS) 2015.
[pdf, bibtex, attack demos]

[4] CCS'14. 
Tongxin Li, Xiaoyong Zhou, Luyi Xing, Yeonjoon Lee, Muhammad Naveed, XiaoFeng Wang and Xinhui Han. 
"Mayhem in the Push Clouds: Understanding and Mitigating Security Hazards in Mobile Push-Messaging Services." 
The 21st ACM Conference on Computer and Communications Security (CCS) 2014. 
[pdf, bibtex, attack demos]

[3] S&P'14 (Oakland)
Luyi Xing, Xiaorui Pan, Rui Wang, Kan Yuan, XiaoFeng Wang. 
"Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating." 
The 35th IEEE Symposium on Security and Privacy (IEEE S&P) 2014. 
[pdf, bibtex, attack demos]

[2] CCS'13. 
Rui Wang, Luyi Xing, XiaoFeng Wang, Shuo Chen. 
"Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation." 
The 20th ACM Conference on Computer and Communications Security (CCS) 2013. 
[pdf, bibtex, attack demos]

[1] NDSS'13.
Luyi Xing, Yangyi Chen, XiaoFeng Wang, Shuo Chen. 
"InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations."
The 20th Annual Network & Distributed System Security Symposium (NDSS) 2013.
[pdf, bibtex, demo]


Journals

[2] TDSC
B. Yuan, Y. Wu, M. Yang, L. Xing, X. Wang, D. Zou, H. Jin. "SmartPatch: Verifying the Authenticity of the Trigger-Event in the IoT Platform." Transactions on Dependable and Secure Computing, 2022.

[1] IEEE Security & Privacy (Invited)
Luyi Xing, Xiaolong Bai (co-first author), Nan Zhang, XiaoFeng Wang, Xiaojing Liao, Tongxin Li, and Shi-min Hu. 
"Apple ZeroConf Holes: How Hackers Can Steal iPhone Photos."
[pdf, bibtex]

