I’m a system security researcher at ETH Zurich, focusing on operating system kernels, with an emphasis on Linux. The fundamental goal of my research is to improve the correctness of OS kernels, some of the most complex software in existence, by finding and eliminating bugs with fuzz testing and symbolic execution.
I designed and implemented a kernel fuzzer called Healer, which is open-sourced and has found more than 100 bugs in Linux. This work was accepted by SOSP ’21. My recent work KSG, a kernel specification generator, has led to the discovery of 23 bugs in Linux and was accepted by ATC ’22. I am also interested in systems work more broadly; the idea of redesigning the software stack with current security and privacy concerns in mind is fascinating to me.
| Date | News |
|---|---|
| Jul 6, 2022 | Tardis, a coverage-guided embedded OS fuzzer, is accepted by EMSOFT ’22. |
| May 20, 2022 | Will be working as an RA at City University of Hong Kong for 6 months. |
| Apr 30, 2022 | KSG, a kernel specification generator, is accepted to ATC ’22. |
| Aug 7, 2021 | Healer, a kernel fuzzer written in Rust, is accepted to SOSP ’21. |
- [ATC ’22] KSG: Augmenting Kernel Fuzzing with System Call Specification Generation. In 2022 USENIX Annual Technical Conference (USENIX ATC 22), Jul 2022.
- [SOSP ’21] HEALER: Relation Learning Guided Kernel Fuzzing. In Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles, Jul 2021.
- [EMSOFT ’21] Rtkaller: State-Aware Task Generation for RTOS Fuzzing. ACM Trans. Embed. Comput. Syst., Sep 2021.
- [ISSRE ’19] Go-Sanitizer: Bug-Oriented Assertion Generation for Golang. In 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), Sep 2019.
Healer, a kernel fuzzer inspired by Syzkaller
Healer is an automated kernel bug-finding tool written in 17,000+ lines of Rust. It uses specifications that encode input information to generate system call sequences, and detects kernel bugs by triggering kernel crashes with the generated sequences. While the idea behind Healer is relatively straightforward, it incorporates many tricks and techniques for efficient runtime behavior…
KEY RESULTS: 100+ reported and fixed Linux bugs, 10+ CVEs assigned, 199 stars on GitHub.
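To make the two ideas in the description concrete (a specification that encodes what each call consumes and produces, and a learned relation that biases which call comes next), here is a small Python model written for this page. It is an added illustration, not Healer’s code: the specification format, the call names, the `INTERESTING` pair set standing in for kernel coverage feedback, and the `RelationTable` are all constructed assumptions, and nothing here executes a real system call.

```python
import random
from collections import defaultdict

# Constructed toy specification (a stand-in for a real syscall description
# language such as syzlang): for each call, the resource types its arguments
# consume and the resource type its return value produces. Illustrative only.
SPEC = {
    "open":   {"in": [],       "out": "fd"},
    "socket": {"in": [],       "out": "sock"},
    "read":   {"in": ["fd"],   "out": None},
    "write":  {"in": ["fd"],   "out": None},
    "close":  {"in": ["fd"],   "out": None},
    "bind":   {"in": ["sock"], "out": None},
    "listen": {"in": ["sock"], "out": None},
    "accept": {"in": ["sock"], "out": "sock"},
}

# Constructed coverage oracle: adjacent call pairs that "reach new code".
# In a real kernel fuzzer this signal would come from coverage feedback.
INTERESTING = {("socket", "bind"), ("bind", "listen"),
               ("listen", "accept"), ("open", "read"), ("open", "write")}


def callable_now(available):
    """Calls whose input resources have all been produced earlier in the sequence."""
    return [c for c, s in SPEC.items() if all(r in available for r in s["in"])]


class RelationTable:
    """Pairwise relation weights: how often appending B after A gained coverage."""

    def __init__(self):
        self.hits = defaultdict(lambda: defaultdict(int))

    def update(self, a, b, gained):
        if gained:
            self.hits[a][b] += 1

    def weight(self, a, b):
        # Unobserved pairs keep weight 1 so they can still be explored.
        return 1 + self.hits[a][b]


def generate(rel, rng, length):
    """Build a sequence that respects resource dependencies, biasing each
    next call by the learned relation to the previous call."""
    available = set()
    seq = []
    for _ in range(length):
        cands = callable_now(available)
        weights = [rel.weight(seq[-1], c) if seq else 1 for c in cands]
        call = rng.choices(cands, weights=weights)[0]
        seq.append(call)
        if SPEC[call]["out"]:
            available.add(SPEC[call]["out"])
    return seq


def well_formed(seq):
    """Check that every call's input resources were produced by an earlier call."""
    available = set()
    for call in seq:
        if not all(r in available for r in SPEC[call]["in"]):
            return False
        if SPEC[call]["out"]:
            available.add(SPEC[call]["out"])
    return True


def learn(rel, seq):
    """Feed the (toy) coverage signal for each adjacent pair back into the table."""
    gained = 0
    for a, b in zip(seq, seq[1:]):
        hit = (a, b) in INTERESTING
        rel.update(a, b, hit)
        gained += hit
    return gained


def fuzz_campaign(rounds=200, length=6, seed=1):
    """Alternate generation and learning; returns the table and all sequences."""
    rng = random.Random(seed)
    rel = RelationTable()
    seqs = []
    for _ in range(rounds):
        seq = generate(rel, rng, length)
        learn(rel, seq)
        seqs.append(seq)
    return rel, seqs


if __name__ == "__main__":
    rel, seqs = fuzz_campaign()
    print("last sequence:", " -> ".join(seqs[-1]))
    print("weight(socket, bind) =", rel.weight("socket", "bind"))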
KSG, a kernel syscall specification generator
Writing system call specifications for kernel fuzzers requires a significant amount of domain knowledge and is laborious. To address this, I designed and implemented a kernel specification generator (KSG) in 7000+ lines of C++ based on the Clang Static Analyzer. KSG uses probe-based tracing and a symbolic execution-based type propagation algorithm…
KEY RESULTS: 2433 automatically generated specifications and 23 bugs.
UFUZZ, an OSEK/VDX RTOS kernel fuzzer
UFUZZ is an automated bug discovery tool designed for embedded RTOS kernels that conform to the OSEK/VDX specification. It generates test cases with awareness of the application model, e.g., prioritized tasks, and transfers inputs by directly accessing the memory of the guest VM. UFUZZ has been adopted and deployed in a private organization.