I am a second-year Ph.D. student at Penn State University, advised by Prof. Hong Hu. Before joining Penn State University, I obtained my Bachelor’s degree from Xiamen University and worked at QI-ANXIN Technology Research Institute for three years. My research interests include Software and System Security.
News
Jun 13, 2023
Our paper “VIPER: Spotting Syscall-Guard Variables for Data-Only Attacks” has been accepted by USENIX Security 2023.
May 9, 2023
Our paper “Can We Trust the Phone Vendors? Comprehensive Security Measurements on the Android Firmware Ecosystem” has been accepted by TSE 2023.
May 3, 2022
Our paper “Detecting Logical Bugs of DBMS with Coverage-based Guidance” has been accepted by USENIX Security 2022.
Dec 3, 2021
Our paper “Large-scale Security Measurements on the Android Firmware Ecosystem” has been accepted by ICSE 2022.
VIPER: Spotting Syscall-Guard Variables for Data-Only Attacks (USENIX Security 2023)
As control-flow protection techniques are widely deployed, it is difficult for attackers to modify control data, such as function pointers, to hijack program control flow. Instead, data-only attacks corrupt security-critical non-control data (critical data) and can bypass all control-flow protections to revive severe attacks. Previous works have explored various methods to help construct or prevent data-only attacks. However, no solution can automatically detect program-specific critical data.
In this paper, we identify an important category of critical data, syscall-guard variables, and propose a set of solutions to automatically detect such variables in a scalable manner. Syscall-guard variables determine whether security-related system calls (syscalls) are invoked, and altering them allows attackers to request extra privileges from the operating system. We propose branch force, which intentionally flips every conditional branch during execution and checks whether new security-related syscalls are invoked. If so, we conduct data-flow analysis to estimate the feasibility of flipping such branches through common memory errors. We build a tool, VIPER, to implement our ideas. VIPER successfully detects 34 previously unknown syscall-guard variables in 13 programs. We build four new data-only attacks on sqlite and v8, which execute arbitrary commands or delete arbitrary files. VIPER completes its analysis within five minutes for most programs, showing its practicality for spotting syscall-guard variables.
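The syscall-guard idea in the abstract above can be seen in a small constructed C program (an added example for this page, not VIPER's code and not any of the programs it analysed): a record holds a user-controlled name followed by a flag that decides whether a privileged operation runs. An unchecked copy lets an overlong name overwrite the flag, so the guarded operation is reached without touching any control data, which is the data-only attack pattern; a branch-force style probe then shows how forcing the guard's conditional exposes the variable behind it as a syscall-guard candidate. The struct, the field names, `force_guard_branch`, `privileged_sink` and the payload bytes are all assumptions of this example, and the sink only counts invocations instead of calling execve(2).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a 16-byte name followed by a flag that decides whether
 * a privileged operation (think execve(2)) runs. The flag is the syscall-guard
 * variable; the name is the only field an attacker is supposed to control. */
struct request {
    char name[16];
    int  allow_exec;
};

/* Instrumentation stand-ins (assumptions of this example, not VIPER's API):
 * exec_invocations counts how often the guarded sink ran instead of invoking
 * execve, so the block is safe to run; force_guard_branch models branch force,
 * treating the guard's conditional as taken regardless of the variable. */
static int exec_invocations;
static int force_guard_branch;

static void privileged_sink(const char *cmd)
{
    (void)cmd;
    exec_invocations++;          /* the real program would execve(cmd, ...) here */
}

static int guard_says_exec(const struct request *r)
{
    return force_guard_branch || r->allow_exec != 0;
}

/* Vulnerable handler: copies len bytes into the record without checking
 * against the 16-byte name field, so bytes 16..19 of a long input overwrite
 * allow_exec. The copy is clamped to sizeof r so it never leaves the object
 * (keeps the example deterministic); no control data is touched. */
int handle_request_vuln(const unsigned char *in, size_t len)
{
    struct request r;
    memset(&r, 0, sizeof r);                 /* allow_exec starts at 0: not authorised */
    if (len > sizeof r)
        len = sizeof r;
    memcpy(&r, in, len);                     /* missing check: len < sizeof r.name */
    r.name[sizeof r.name - 1] = '\0';
    if (guard_says_exec(&r)) {
        privileged_sink(r.name);
        return 1;                            /* guarded syscall reached */
    }
    return 0;
}

/* Hardened handler: bounds the copy to the name field, so allow_exec can only
 * change through the code path that is meant to set it. */
int handle_request_fixed(const unsigned char *in, size_t len)
{
    struct request r;
    memset(&r, 0, sizeof r);
    if (len >= sizeof r.name)
        return -1;                           /* reject rather than truncate silently */
    memcpy(r.name, in, len);
    if (guard_says_exec(&r)) {
        privileged_sink(r.name);
        return 1;
    }
    return 0;
}

/* Branch force in miniature: run a benign input with the guard evaluated
 * normally, then with the branch forced, and report whether forcing it made a
 * new privileged operation appear. A result of 1 flags the variable behind
 * that branch as a syscall-guard candidate worth data-flow analysis. */
int branch_force_probe(void)
{
    static const unsigned char benign[] = "alice";   /* constructed benign input */
    int before, after;

    force_guard_branch = 0;
    exec_invocations = 0;
    handle_request_vuln(benign, sizeof benign - 1);
    before = exec_invocations;

    force_guard_branch = 1;
    handle_request_vuln(benign, sizeof benign - 1);
    after = exec_invocations;
    force_guard_branch = 0;

    return after > before;
}

/* Constructed attack input: 16 filler bytes fill the name, then four 0x01
 * bytes land on allow_exec and make it non-zero on any endianness. */
int data_only_attack(int (*handler)(const unsigned char *, size_t))
{
    unsigned char payload[20];
    memset(payload, 'A', 16);
    memset(payload + 16, 0x01, 4);
    exec_invocations = 0;
    return handler(payload, sizeof payload);
}

int main(void)
{
    printf("branch force flags the guard: %d\n", branch_force_probe());
    printf("vulnerable handler reached sink: %d\n", data_only_attack(handle_request_vuln));
    printf("fixed handler result: %d\n", data_only_attack(handle_request_fixed));
    return 0;
}
```

The probe only says that flipping the branch adds a security-relevant operation; whether an attacker can actually reach that flip through a memory error is the second, data-flow question the abstract describes, and the vulnerable handler is the toy case where the answer is yes.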
Can We Trust the Phone Vendors? Comprehensive Security Measurements on the Android Firmware Ecosystem (TSE 2023)
Android is the most popular smartphone platform, with over 85% market share. Its success is built on openness: phone vendors can use the Android source code to make customized products with unique software/hardware features. On the other hand, the fragmentation and customization of Android also bring many security risks that have attracted the attention of researchers. Many efforts have been made to investigate the security of customized Android firmware. However, most previous works focus on designing efficient analysis tools or analyzing particular aspects of the firmware. There is still no panoramic view of Android firmware ecosystem security, nor the corresponding understanding based on large-scale firmware datasets.
In this work, we conducted a large-scale, comprehensive measurement of Android firmware ecosystem security. Our study is based on 8,325 firmware images from 153 vendors and 813 Android-related CVEs, the largest Android firmware dataset ever used for security measurements. In particular, our study followed a series of research questions covering vulnerabilities, patches, security updates, and pre-installed apps. To automate the analysis process, we designed a framework, AndScanner+, to perform firmware crawling, firmware parsing, patch analysis, and app analysis. Through massive data analysis and case explorations, we obtained several interesting findings. For example, patch delay and patch missing issues are widespread in Android firmware images, affecting 31.4% and 5.6% of all images, respectively. The latest images of several phones still contain vulnerable pre-installed apps, even though the corresponding vulnerabilities have been publicly disclosed. In addition to data measurements, we also explore the causes behind these security threats through case studies and demonstrate that the discovered security threats can be converted into exploitable vulnerabilities. AndScanner+ found 46 new vulnerabilities, 36 of which have been assigned CVE/CNVD IDs. This study provides much new knowledge of the Android firmware ecosystem and a deep understanding of software engineering security practices.
Detecting Logical Bugs of DBMS with Coverage-based Guidance (USENIX Security 2022)
A database management system (DBMS) is a critical component of modern data-intensive applications. Developers adopt many testing techniques to detect and fix DBMS bugs such as crashes and assertion failures. However, most previous efforts cannot detect logical bugs, which cause the DBMS to return incorrect results. Recent work proposed several oracles to identify incorrect results, but they rely on rule-based expression generation to synthesize queries without any guidance.
In this paper, we propose to combine coverage-based guidance, validity-oriented mutations and oracles to detect logical bugs in DBMSs. To achieve our goal, we first design a set of general APIs to decouple the logic of fuzzers and oracles, so that developers can easily port fuzzing tools to test DBMSs and write new oracles for existing fuzzers. We further provide validity-oriented mutations to generate high-quality query statements so as to find more logical bugs. Our prototype, SQLRight, outperforms existing tools that rely only on oracles or code coverage. In total, it detects 18 logical bugs in three well-tested DBMSs: SQLite, PostgreSQL and MySQL. At the time of writing, all bugs have been confirmed and 13 of them fixed.
Large-scale Security Measurements on the Android Firmware Ecosystem (ICSE 2022)
Android is the most popular smartphone platform, with over 85% market share. Its success is built on openness: phone vendors can use the Android source code to make products with unique software/hardware features. On the other hand, the fragmentation and customization of Android also bring many security risks that have attracted the attention of researchers. Many efforts have been made to investigate the security of customized Android firmware. However, most previous work focuses on designing efficient analysis tools or analyzing particular aspects of the firmware. There is still no panoramic view of Android firmware ecosystem security, nor the corresponding understanding based on large-scale firmware datasets.
In this work, we conducted a large-scale, comprehensive measurement of Android firmware ecosystem security. Our study is based on 6,261 firmware images from 153 vendors and 602 Android-related CVEs, the largest Android firmware dataset ever used for security measurements. In particular, our study followed a series of research questions covering vulnerabilities, patches, security updates, and pre-installed apps. To automate the analysis process, we designed a framework, AndScanner, to perform ROM crawling, ROM parsing, patch analysis, and app analysis. Through massive data analysis and case explorations, we obtained several interesting findings. For example, patch delay and patch missing issues are widespread in Android images, affecting 24.2% and 6.1% of all images, respectively. The latest images of several phones still contain vulnerable pre-installed apps, even though the corresponding vulnerabilities have been publicly disclosed. In addition to data measurements, we also explore the causes behind these security threats through case studies and demonstrate that the discovered security threats can be converted into exploitable vulnerabilities: our framework found 38 new vulnerabilities, 32 of which have been assigned CVE/CNVD numbers. This study provides much new knowledge of the Android firmware ecosystem and a deep understanding of software engineering security practices.