I have published 30+ papers in top-tier security venues: IEEE S&P, ACM CCS, USENIX Security, and NDSS.
Most of these papers directly resulted in fixes and changed security designs in real-world deployed apps/systems that people use every day: iOS/macOS (kernels, drivers, frameworks, system services), Android (frameworks, system services, and APIs), Chrome/Safari/Firefox/Opera browsers, AWS IoT cloud, Azure IoT cloud, IBM IoT cloud, all kinds of CPS/IoT devices, Apple Home (HomeKit), Google Home, SmartThings, Facebook, Twitter, Google Ads, tens of thousands of Android/iOS apps and mobile SDKs, IoT standards such as MQTT and Matter, etc.
I have long been active in the international hacking community, with 7 works presented at Black Hat (the most prestigious security venue in industry).
Black Hat
[7] Black Hat'23. L. Xing, X. Zhou, J. Guan, Z. Qian. "Dilemma in IoT Access Control: Revealing Novel Attacks and Design Challenges in Mobile-as-a-Gateway IoT". Black Hat (Asia), 2023. [link]
[6] Black Hat'22. Z. Jin, Y. Fang, Y. Jia, B. Yuan, Q. Liu, L. Xing. "IoT Manufacturers' New Nightmare: Design Flaws and Deployment Chaos in Cloud-based IoT Access Control Policies." Black Hat (Europe), 2022. [link] (The first two authors are my students.)
[5] Black Hat'22. Y. Jia, B. Yan, L. Xing. "Codema Attack: Controlling Your Smart Home Through Dangling Management Channels". Black Hat (Asia), 2022. [link] (The first two authors are my students.)
[4] Black Hat'21. Bin Yuan, Yan Jia, Dongfang Zhao, Luyi Xing. "How I Can Unlock Your Smart Door: Security Pitfalls in Cross-Vendor IoT Access Control". Black Hat (Asia), 2021. [link] (The first two authors are my students.)
[3] Black Hat'20. Haoran Lu, Luyi Xing, Xiaojing Liao. "Design Pitfalls in Commercial Mini-Programs on Android and iOS". Black Hat (Europe), 2020. [link] (The first author is my student.)
[2] Black Hat'19. Yan Jia, Luyi Xing. "Sneak into Your Room: Security Holes in the Integration and Management of Messaging Protocols on Commercial IoT Clouds". [link] (The first author is my student.)
[1] Black Hat'16. Luyi Xing, Xiaolong Bai. "Discovering and Exploiting Novel Security Vulnerabilities in Apple ZeroConf." [link]
Conferences
2025
[36] NDSS '25
H. Wang, Y. Fang, Y. Liu, Z. Jin, E. Delph, X. Du, Q. Liu, L. Xing. "Hidden and Lost Control: on Security Design Risks in IoT User-Facing Matter Controller," NDSS 2025. (the first two authors are my students)
[35] NDSS '25
Y. Xiao, D. Kirat, D. Lee, J. Jang, L. Xing, X. Liao. "JBomAudit: Assessing the Landscape, Compliance, and Security Implications of Java SBOMs," NDSS 2025. (the first author is my student)
[34] NDSS '25
J. Yan, S. Liao, M. Aldeen, L. Xing, D. Yan, L. Cheng. "SKILLPoV: Towards Accessible and Effective Privacy Notice for Amazon Alexa Skills," NDSS 2025.
2024
[33] CCS '24
Y. Xiao, C. Zhang, Y. Qin, F. Alharbi, L. Xing, X. Liao. "Measuring Compliance Implications of Third-party Libraries’ Privacy Label Disclosure Guidelines," ACM CCS 2024. (the first author is my student)
[32] USENIX Security '24
Y. Zhang, Z. Hu (co-first author), X. Wang, Y. Hong, Y. Nan, X. Wang, J. Cheng, L. Xing. "Navigating the Privacy Compliance Maze: Understanding Risks with Privacy-Configurable Mobile SDKs." USENIX Security 2024. (the first author Yifan Zhang is my student)
[pdf-preview]
[31] USENIX Security '24
D. Liu, Y. Xiao (co-first author), C. Zhang, K. Xie, X. Bai, S. Zhang, L. Xing. "iHunter: Hunting Privacy Violations at Scale in the Software Supply Chain on iOS." USENIX Security 2024. (the first author Yue Xiao is my student)
[pdf]
[30] USENIX Security '24
H. Lu, Y. Liu, X. Liao, L. Xing. “Towards Privacy-Preserving Social-Media SDKs on Android.” USENIX Security 2024. (the first author is my student)
[pdf]
[29] S&P '24 (Oakland)
B. Yuan, Z. Song, Y. Jia, Z. Lu, D. Zou, H. Jin, L. Xing. "MQTTactic: Security Analysis and Verification for Logic Flaws in MQTT Implementations". IEEE Symposium on Security and Privacy 2024.
(The first author was my student at the time of work; now a faculty member.)
[pdf]
[28] NDSS '24
J. Wu, Y. Nan, L. Xing, J. Cheng, Z. Lin, Z. Zheng, M. Yang. “Leaking the Privacy of Groups and More: Understanding Privacy Risks of Cross-App Content Sharing in Mobile Ecosystem.” Network and Distributed System Security (NDSS) Symposium 2024.
[pdf]
2023
[27] CCS '23
Z. Wang, J. Guan, X. Wang, W. Wang, L. Xing, F. Alharbi. "The Danger of Minimum Exposures: Understanding Cross-App Information Leaks on iOS through Multi-Side-Channel Learning." ACM CCS 2023. (the first author Jiale Guan is my student)
[pdf]
[26] USENIX Security '23
X. Wang, Y. Zhang (co-first author), X. Wang, Y. Jia, Luyi Xing. "Union under Duress: Understanding Hazards of Duplicate Resource Mismediation in Android Software Supply Chain." USENIX Security 2023. (the first author Yifan Zhang is my student)
[pdf]
[25] USENIX Security '23
Y. Xiao, Z. Li, Y. Qin, X. Bai, J. Guan, X. Liao, Luyi Xing. "Lalaine: Measuring and Characterizing Non-Compliance of Apple Privacy Labels at Scale." USENIX Security 2023. (the first author is my student)
[pdf]
[24] USENIX Security '23
Y. Nan, X. Wang, L. Xing, X. Liao, R. Wu, J. W, Y. Zhang, X. Wang. "Are You Spying on Me? Large-Scale Analysis on IoT Data Exposure through Companion Apps." USENIX Security 2023.
[pdf]
2022
[23] CCS '22
Luyi Xing, Ze Jin (co-first author), Y. Fang, Y. Jia, B. Yuan, Q. Liu. "Understanding and Mitigating Security Risks in Cloud-based IoT Access Policies." ACM CCS 2022.
[pdf] [Impact: the formal verification tool P-Verifier has been adopted by AWS (in AWS IoT Device Defender) to help IoT manufacturers verify access control policies.]
[22] CCS '22
X. Zhou, J. Guan, L. Xing, Z. Qian. "Perils and Mitigation of Security Risks of Cooperation in Mobile-as-a-Gateway IoT." ACM CCS 2022.
[pdf] [Impact: research results (new access control design and patches) were implemented by popular IoT manufacturers in their products, including Honeywell, August, Level, Yale, Ultralog, Kwikset Aura, Schlage, etc.]
[21] USENIX Security '22
Y. Liu, Y. Jia, Q. Tan, Z. Liu, L. Xing. "How Are Your Zombie Accounts? Understanding Users' Practices and Expectations on Mobile App Account Deletion." USENIX Security 2022.
[pdf] [Impact: we show that a privacy right defined in privacy laws (i.e., the right to be forgotten) is difficult to implement properly in mobile apps.]
[20] S&P '22 (Oakland)
Z. Li, W. Liu, H. Chen, X. Wang, X. Liao, L. Xing, M. Zha, H. Jin, D. Zou. "Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms." IEEE Symposium on Security and Privacy (Oakland), 2022.
[pdf] (The first author was my visiting student.) [Impact: we discover and characterize a real cybercrime, illicit cryptomining, on commercial CI platforms in the wild.]
2021
[19] CCS '21
Y. Jia, B. Yan, L. Xing, D. Zhao, X. Wang, Y. Zhang, Y. Liu, K. Zheng, Y. Zhang, D. Zou, H. Jin. "Who's In Control? On Security Risks of Disjointed IoT Device Management Channels". ACM CCS 2021.
[pdf][attack video demos][CGuard source code]
(The first two authors are my students.)
[Impact: research results (new access control design) were implemented by popular IoT products of Philips, August, LIFX, Meross, Abode, etc.]
[18] USENIX Security '21
Liya Su, Xinyue Shen, Xiangyu Du, Xiaojing Liao, XiaoFeng Wang, Luyi Xing, Baoxu Liu. "Evil Under the Sun: Understanding and Discovering Attacks on Ethereum Decentralized Applications". USENIX Security 2021.
[link]
[17] USENIX Security '21
Jice Wang, Yue Xiao (co-first author), Xueqiang Wang, Yuhong Nan, Luyi Xing*, Xiaojing Liao*, JinWei Dong, Nicolas Serrano, Haoran Lu, XiaoFeng Wang, Yuqing Zhang. "Understanding Malicious Cross-library Data Harvesting on Android." USENIX Security 2021.
[pdf][open-source NLP tool to analyze Terms of Service of top 40 mobile SDK vendors]
(The first two authors are my students.)
[Impact: research results (new attack vector of data harvesting and privacy non-compliance) were incorporated/implemented into app vetting of Google Play and Facebook; Facebook and Twitter sued the cyber-criminals we found.] [See news: CNBC, Forbes, Wired, Facebook, The Register]
2020
[16] CCS '20
Xiaolong Bai, Luyi Xing*, Min Zheng, Fuping Qu. "iDEA: Towards Static Analysis on the Security of Apple Kernel Drivers". The ACM Conference on Computer and Communications Security (CCS), 2020.
[pdf] [source code -- 15K lines of code for the static analysis of Apple driver binaries]
(* Corresponding author.)
[Impact: research results (security patches) were implemented in iOS/macOS/iPadOS/watchOS kernels by Apple. Apple adopted our tool iDEA for kernel vulnerability detection.]
[15] CCS '20
Tao Lv, Ruishi Li, Yi Yang, Kai Chen, Xiaojing Liao, XiaoFeng Wang, Peiwei Hu, Luyi Xing. "RTFM! Automatic Assumption Discovery and Verification Derivation from Library Document for API Misuse Detection". The ACM Conference on Computer and Communications Security (CCS), 2020.
[pdf]
[14] CCS '20
Haoran Lu, Luyi Xing*, Yue Xiao, Yifan Zhang, Xiaojing Liao, Xiaofeng Wang, Xueqiang Wang. "Demystifying Resource Management Risks in Emerging Mobile App-in-App Ecosystems." The ACM Conference on Computer and Communications Security (CCS), 2020.
[pdf, attack demos, source code]
(* Corresponding author.)
(The first author is my student co-advised by Xiaojing.)
[Impact: research results (enhanced security design including isolation and access control) were implemented by Chrome, Firefox, Safari, Wechat, Alipay.]
[13] USENIX Security '20
Bin Yuan, Yan Jia, Luyi Xing*, Dongfang Zhao, Xiaofeng Wang, Deqing Zou, Hai Jin, Yuqing Zhang. "Shattered Chain of Trust: Understanding Security Risks in Cross-Cloud IoT Access Delegation." The 29th USENIX Security Symposium, 2020.
[pdf, attack demos, source code] (* Corresponding author)
(The first two authors are my students.)
[Impact: research results (access-control design and patches) were implemented by IoT products of Samsung SmartThings, Philips Hue, IFTTT, Tuya, Google.]
[12] S&P '20 (Oakland)
Yan Jia, Luyi Xing, Yuhang Mao, Dongfang Zhao, Xiaofeng Wang, Shangru Zhao, Yuqing Zhang. "Burglars' IoT Paradise: Understanding and Mitigating Security Risks of General Messaging Protocols on IoT Clouds". The 41st IEEE Symposium on Security and Privacy (Oakland), 2020.
[pdf, attack demos, source code]
(The first author is my student.)
[Impact: research results (access-control design and patches) were implemented by IoT clouds of AWS, Microsoft, Alibaba, Google, IBM, Tuya, Suning, Baidu and open-source IoT-broker Eclipse Mosquitto.]
2019
[11] USENIX Security '19
Yi Chen, Luyi Xing, Yue Qin, Xiaojing Liao, XiaoFeng Wang, Kai Chen, Wei Zou. "Devils in the Guidance: Predicting Logic Vulnerabilities in Payment Syndication Services through Automated Documentation Analysis". The 28th USENIX Security Symposium, 2019.
[pdf, bibtex, attack demos, source code]
(This paper was done mainly under my supervision (attack part) and Xiaojing's supervision (NLP part).)
[Impact: research results (security design and patches) were implemented by online payment services Fuqianla, BeeCloud, etc.]
Research Gap
From November 2015 to June 2018, I was away from academia, focusing on engineering large commercial systems at AWS and Amazon.com.
Before 2018
[10] CCS '17
Tongxin Li, Xueqiang Wang, Mingming Zha, Kai Chen, XiaoFeng Wang, Luyi Xing, Xiaolong Bai, Nan Zhang, Xinhui Han. "Unleashing the Walking Dead: Understanding Cross-App Remote Infections on Mobile WebViews."
The ACM Conference on Computer and Communications Security (CCS), 2017.
[pdf, bibtex, attack demos]
[9] CCS '16
Xiaojing Liao, Sumayah Alrwais, Kan Yuan, Luyi Xing, XiaoFeng Wang, Shuang Hao, and Raheem Beyah.
"Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service."
The ACM Conference on Computer and Communications Security (CCS), 2016.
[pdf, bibtex]
[8] CCS '16
Xiaojing Liao, Kan Yuan, XiaoFeng Wang, Zhou Li, Luyi Xing, and Raheem Beyah.
"Acing the IOC Game: Toward Automatic Discovery and Analysis of Open-Source Cyber Threat Intelligence."
The ACM Conference on Computer and Communications Security (CCS), 2016.
[pdf, bibtex]
[7] S&P '16 (Oakland)
Luyi Xing, Xiaolong Bai (co-first author), Nan Zhang, XiaoFeng Wang, Xiaojing Liao, Tongxin Li and Shi-min Hu.
"Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf."
The 37th IEEE Symposium on Security and Privacy (IEEE S&P) 2016.
[pdf, bibtex, attack demos]
[6] S&P '16 (Oakland)
Xiaojing Liao, K. Yuan, X. Wang, Z. Pei, H. Yang, J. Chen, H. Duan, K. Du, E. Alowaisheq, S. Alrwais, Luyi Xing and R. Beyah.
"Seeking Nonsense, Looking for Trouble: Efficient Promotional-Infection Detection through Semantic Inconsistency Search".
The 37th IEEE Symposium on Security and Privacy (IEEE S&P) 2016.
[pdf, bibtex]
[5] CCS '15
Luyi Xing, Xiaolong Bai, Tongxin Li, XiaoFeng Wang, Kai Chen, Xiaojing Liao, Shi-min Hu, Xinhui Han.
"Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS."
The 22nd ACM Conference on Computer and Communications Security (CCS) 2015.
[pdf, bibtex, attack demos]
[4] CCS '14
Tongxin Li, Xiaoyong Zhou, Luyi Xing, Yeonjoon Lee, Muhammad Naveed, XiaoFeng Wang and Xinhui Han.
"Mayhem in the Push Clouds: Understanding and Mitigating Security Hazards in Mobile Push-Messaging Services."
The 21st ACM Conference on Computer and Communications Security (CCS) 2014.
[pdf, bibtex, attack demos]
[3] S&P '14 (Oakland)
Luyi Xing, Xiaorui Pan, Rui Wang, Kan Yuan, XiaoFeng Wang.
"Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating."
The 35th IEEE Symposium on Security and Privacy (IEEE S&P) 2014.
[pdf, bibtex, attack demos]
[2] CCS '13
Rui Wang, Luyi Xing, XiaoFeng Wang, Shuo Chen.
"Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation."
The 20th ACM Conference on Computer and Communications Security (CCS) 2013.
[pdf, bibtex, attack demos]
[1] NDSS '13
Luyi Xing, Yangyi Chen, XiaoFeng Wang, Shuo Chen.
"InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations."
The 20th Annual Network & Distributed System Security Symposium (NDSS) 2013.
[pdf, bibtex, demo]
Journals
TDSC '22
B. Yuan, Y. Wu, M. Yang, L. Xing, X. Wang, D. Zou, H. Jin. "SmartPatch: Verifying the Authenticity of the Trigger-Event in the IoT Platform." IEEE Transactions on Dependable and Secure Computing, 2022.
IEEE Security & Privacy Magazine 2017 (Invited)
Luyi Xing, Xiaolong Bai (co-first author), Nan Zhang, XiaoFeng Wang, Xiaojing Liao, Tongxin Li, and Shi-min Hu.
"Apple ZeroConf Holes: How Hackers Can Steal iPhone Photos."
[pdf, bibtex]