Kangjie Lu

Research

My research aims to secure widely used systems and foundational software, such as OS kernels and compilers, in a principled and practical manner---to discover new classes of vulnerabilities and threats, to detect security bugs, and to protect software systems from attacks. While actively discovering security issues with empirical analysis, I strive to ensure that the proposed detection and defense techniques are sharp and generic. My work has resulted in many updates in popular systems such as the Linux kernel, the Android OS, and Apple’s iOS. Specifically, I have been working towards my research goals in the following directions.

• Building-block development for software security
  • Program analysis: Indirect-call analysis, alias analysis
  • Defense: Intra-process isolation, control- and data-flow integrity
• Whole-kernel analysis for detecting security bugs
  • Cross-checking, rule inference, staged symbolic execution, security-check identification, error-handling analysis
• Multi-dimensional and semantic-informed fuzzing
  • Timing/concurrency mutation, context-sensitive fault injection (for fuzzing error handling)
• Compiler-bug discovery and secure compilation
  • Concurrency bugs, memory disclosures, and side channels
• System hardening against runtime attacks
  • Memory safety, control-flow integrity, (re-)randomization, execute-only memory (in SGX)

Publications

2022

• Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators
  Wenjia Zhao, Kangjie Lu, Qiushi Wu, and Yong Qi.
  To appear in Proceedings of the 2022 Annual Network and Distributed System Security Symposium (NDSS'22). San Diego, CA, February 2022.
• EMS: History-Driven Mutation for Coverage-based Fuzzing
  Chenyang Lyu, Shouling Ji, Xuhong Zhang, Hong Liang, Kangjie Lu, Binbin Zhao, and Raheem Beyah.
  To appear in Proceedings of the 2022 Annual Network and Distributed System Security Symposium (NDSS'22). San Diego, CA, February 2022.

2021

• Detecting Missed Security Operations Through Differential Checking of Object-based Similar Paths [PDF]
  Dinghao Liu, Qiushi Wu, Shouling Ji, Kangjie Lu, Zhenguang Liu, Jianhai Chen, and Qinming He.
  In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS'21). Virtual Conference, November 2021.
• CPscan: Detecting Bugs Caused by Code Pruning in IoT Kernels [PDF]
  Lirong Fu, Shouling Ji, Kangjie Lu, Peiyu Liu, Xuhong Zhang, Yuxuan Duan, Zihui Zhang, Wenzhi Chen, and Yanjun Wu.
  In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS'21). Virtual Conference, November 2021.
• Demons in the Shared Kernel: Abstract Resource Attacks Against OS-level Virtualization [PDF]
  Nanzi Yang, Wenbo Shen, Jinku Li, Yutian Yang, Kangjie Lu, Jietao Xiao, Tianyu Zhou, Chenggang Qin, Wang Yu, Jianfeng Ma, and Kui Ren.
  In Proceedings of the 28th ACM Conference on Computer and Communications Security (CCS'21). Virtual Conference, November 2021.
• iFIZZ: Deep-State and Efficient Fault-Scenario Generation to Test IoT Firmware [PDF]
  Peiyu Liu, Shouling Ji, Xuhong Zhang, Qinming Dai, Kangjie Lu, Lirong Fu, Wenzhi Chen, Peng Cheng, Wenhai Wang, and Raheem Beyah.
  In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE'21). Virtual conference, November 2021.
• Understanding and Detecting Disordered Error Handling with Precise Function Pairing [PDF]
  Qiushi Wu, Aditya Pakki, Navid Emamdoost, Stephen McCamant, and Kangjie Lu.
  In Proceedings of the 30th USENIX Security Symposium (Security'21). Vancouver, Canada, August 2021.
• Static Detection of Unsafe DMA Accesses in Device Drivers [PDF]
  Jia-Ju Bai, Tuo Li, Kangjie Lu, and Shi-Min Hu.
  In Proceedings of the 30th USENIX Security Symposium (Security'21). Vancouver, Canada, August 2021.
• Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking [PDF]
  Xin Tan, Yuan Zhang, Xiyu Yang, Kangjie Lu, and Min Yang.
  In Proceedings of the 30th USENIX Security Symposium (Security'21). Vancouver, Canada, August 2021.
• UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers [PDF]
  Yuwei Li, Shouling Ji, Yuan Chen, Sizhuang Liang, Wei-Han Lee, Yueyao Chen, Chenyang Lyu, Chunming Wu, Raheem Beyah, Peng Cheng, Kangjie Lu, and Ting Wang.
  In Proceedings of the 30th USENIX Security Symposium (Security'21). Vancouver, Canada, August 2021.
• Unleashing Fuzzing Through Comprehensive, Efficient, and Faithful Exploitable-Bug Exposing [PDF | Link]
  Bowen Wang*, Kangjie Lu*, Qiushi Wu, and Aditya Pakki.
  IEEE Transactions on Dependable and Secure Computing (TDSC'21), May 2021.
  *Co-first authors
• On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution [PDF]
  Penghui Li, Wei Meng, Kangjie Lu, and Changhua Luo.
  In Proceedings of the 30th International World Wide Web Conference (WWW'21). Virtual conference, April 2021.
• Detecting Kernel Memory Leaks in Specialized Modules with Ownership Reasoning [PDF]
  Navid Emamdoost, Qiushi Wu, Kangjie Lu, and Stephen McCamant.
  In Proceedings of the 2021 Annual Network and Distributed System Security Symposium (NDSS'21). San Diego, CA, February 2021.
• Cross-Architecture Testing for Compiler-Introduced Security Bugs [Link]
  Jianhao Xu, Kangjie Lu, and Bing Mao.
  In the 5th Workshop on Principles of Secure Compilation (PriSC'21), co-located with POPL'21. Online, January 2021.

2020

• Exaggerated Error Handling Hurts! An In-Depth Study and Context-Aware Detection [PDF | Code]
  Aditya Pakki, and Kangjie Lu.
  In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS'20). Orlando, FL, November 2020.
• Understanding the Security Risks of Docker Hub [PDF]
  Peiyu Liu, Shouling Ji, Lirong Fu, Kangjie Lu, Xuhong Zhang, Wei-Han Lee, Tao Lu, Wenzhi Chen, and Raheem Beyah.
  In Proceedings of the 25th European Symposium on Research in Computer Security (ESORICS'20). Guildford, UK, September 2020.
• Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection [PDF]
  Zu-Ming Jiang, Jia-Ju Bai, Kangjie Lu, and Shi-Min Hu.
  In Proceedings of the 29th USENIX Security Symposium (Security'20). Boston, MA, August 2020.
• SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation [PDF]
  Zhe Wang, Chenggang Wu, Mengyao Xie, Yinqian Zhang, Kangjie Lu, Xiaofeng Zhang, Yuanming Lai, Yan Kang, and Min Yang.
  In Proceedings of the 41st IEEE Symposium on Security and Privacy (Oakland'20). San Francisco, CA, May 2020.
• MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX [PDF]
  Wenjia Zhao, Kangjie Lu, and Yong Qi.
  In Proceedings of the 15th European Conference on Computer Systems (EuroSys'20). Crete, Greece, April 2020.
• Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison [PDF]
  Qiushi Wu, Yang He, Stephen McCamant, and Kangjie Lu.
  In Proceedings of the 2020 Annual Network and Distributed System Security Symposium (NDSS'20). San Diego, CA, February 2020.

2019

• Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis [PDF]
  Kangjie Lu, and Hong Hu.
  In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS'19). London, UK, November 2019.
  ★ Best Paper Award (1/947)
• Automatically Identifying Security Checks for Detecting Kernel Semantic Bugs [PDF | Code]
  Kangjie Lu, Aditya Pakki, and Qiushi Wu.
  In Proceedings of the 24th European Symposium on Research in Computer Security (ESORICS'19). Luxembourg, September 2019.
• Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences [PDF | Code]
  Kangjie Lu, Aditya Pakki, and Qiushi Wu.
  In Proceedings of the 28th USENIX Security Symposium (Security'19). Santa Clara, CA, August 2019.

2018

• Stopping Memory Disclosures via Diversification and Replicated Execution [PDF]
  Kangjie Lu, Meng Xu, Chengyu Song, Taesoo Kim, and Wenke Lee.
  IEEE Transactions on Dependable and Secure Computing (TDSC'18), October 2018.
• Check it Again: Detecting Lacking-Recheck Bugs in OS Kernels [PDF | Code]
  Wenwen Wang, Kangjie Lu, and Pen-Chung Yew.
  In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS'18). Toronto, Canada, October 2018.
• Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels [PDF]
  Meng Xu, Chenxiong Qian, Kangjie Lu, Michael Backes, and Taesoo Kim.
  In Proceedings of the 39th IEEE Symposium on Security and Privacy (Oakland'18). San Francisco, CA, May 2018.

2017

• Bunshin: Compositing Security Mechanisms through Diversification [PDF]
  Meng Xu, Kangjie Lu, Taesoo Kim, and Wenke Lee.
  In Proceedings of the 2017 USENIX Annual Technical Conference (ATC'17). Santa Clara, CA, July 2017.
• Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying [PDF]
  Kangjie Lu, Marie-Therese Walter, David Pfaff, Stefan Nürnberger, Wenke Lee, and Michael Backes.
  In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS'17). San Diego, CA, February 2017.

2016

• UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages [PDF | Page | Code]
  Kangjie Lu, Chengyu Song, Taesoo Kim, and Wenke Lee.
  In Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS'16). Vienna, Austria, October 2016.
• Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques [PDF]
  Meng Xu, Chengyu Song, Yang ji, Ming-Wei Shih, Kangjie Lu, Cong Zheng, Ruian Duan, Yeongjin Jang, Byoungyoung Lee, Chenxiong Qian, Sangho Lee, , and Taesoo Kim.
  ACM Computing Surveys (CSUR'16) 49(2), August 2016.
• How to Make ASLR Win the Clone Wars: Runtime Re-Randomization [PDF | Code | Demo]
  Kangjie Lu, Stefan Nürnberger, Michael Backes, and Wenke Lee.
  In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS'16). San Diego, CA, February 2016.
• Enforcing Kernel Security Invariants with Data Flow Integrity [PDF]
  Chengyu Song, Byoungyoung Lee, Kangjie Lu, William R. Harris, Taesoo Kim, and Wenke Lee.
  In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS'16). San Diego, CA, February 2016.

2015

• ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks [PDF | Page | Code]
  Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, and Wenke Lee.
  In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS'15). Denver, Colorado, October 2015.
• SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps [PDF]
  Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, and Guofei Jiang.
  In Proceedings of the 24th USENIX Security Symposium (Security'15). Washington, DC, August 2015.
• Software Watermarking using Return-Oriented Programming [PDF]
  Haoyu Ma, Kangjie Lu, Xinjie Ma, Haining Zhang, Chunfu Jia, and Debin Gao.
  In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS'15). Singapore, April–June 2015.
• Checking more and alerting less: Detecting privacy leakages via enhanced data-flow analysis and peer voting [PDF]
  Kangjie Lu, Zhichun Li, Vasileios Kemerlis, Zhenyu Wu, Long Lu, Cong Zheng, Zhiyun Qian, Wenke Lee, and Guofei Jiang.
  In Proceedings of the 2015 Annual Network and Distributed System Security Symposium (NDSS'15). San Diego, CA, February 2015.

2014

• RopSteg: Program Steganography with Return Oriented Programming [PDF]
  Kangjie Lu, Siyang Xiong, and Debin Gao.
  In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy (CODASPY'14). San Antonio, Texas, USA, March 2014.

2013

• Jekyll on iOS: When Benign Apps Become Evil [PDF]
  Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee.
  In Proceedings of the 22th USENIX Security Symposium (Security'13). Washington, DC, August 2013.

2011

• deRop: Removing Return-Oriented Programming from Malware [PDF]
  Kangjie Lu, Dabi Zou, Weiping Wen, and Debin Gao.
  In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC'11). Orlando, Florida, USA, December 2011.
• Packed, Printable, and Polymorphic Return-Oriented Programming [PDF]
  Kangjie Lu, Dabi Zou, Weiping Wen, and Debin Gao.
  In Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID'11). Menlo Park, California, USA, September 2011.

Teaching

• Fall 2021: CSCI 4061: Introduction to Operating Systems
• Spring 2021: CSCI 5271: Introduction to Computer Security
• Fall 2020: CSCI 8271: Security and Privacy in Computing
• Spring 2020: CSCI 4061: Introduction to Operating Systems
• Fall 2019: CSCI 8271: Security and Privacy in Computing
• Spring 2019: CSCI 4061: Introduction to Operating Systems
• Fall 2018: CSCI 5271: Introduction to Computer Security
• Spring 2018: CSCI 8980: Topics in Systems Security

Advising

• PhD students
  • Aditya Pakki
  • Qiushi Wu
  • Qingyang Zhou
  • Dong Bao
  • Weiheng Bai
  • Kefu Wu
  • Wenjia Zhao (visiting student from Xi'an Jiaotong)
  • Dipanjan Das (visiting student from UCSB)
• Master's students
  • Zhengwen Jiang
  • Tanglin Zhou
• Undergraduate students
  • Yuchen Meng
• Alumni
  • Yang He (MS'21, TuSimple)
  • Joe Numainville (MS'21)

Professional Experience

Professional Services