Zhiyun Qian

 Email: zhiyunq(a_t)cs.ucr.edu
Office: Winston Chung Hall 334
Phone number: 951-827-6438

University of California Riverside

Computer Science and Engineering
  • Home
  • Publications
  • Teaching
Photo Zhiyun Qian is the Everett and Imogene Ross professor in Computer Science and Engineering department at University of California Riverside.

He has a broad interest in system/network security, with the general theme of vulnerability discovery and analysis, system building, and measurement. He has a well-rounded understanding of computer systems including operating systems, software, network protocols, architecture, and their interactions. The techniques he applies include program analysis, reverse engineering, fuzzing, model checking, and AI / machine learning. More recently he is most passionate about building impactful systems and tools.
  • Group Github page: https://github.com/seclab-ucr ★ Star

    • Besides research, he has also successfully competed with his students in various hacking competitions such as Pwn2Own and GeekPwn.

    To prospective students:  I'm looking for students with a strong interest in security. Experiences in hacking, CTF, program analysis, testing, or machine learning/AI would be advantageous. If you are interested, feel free to drop me an email and introduce yourself!

    Selected research threads:

    • Network security

    Keywords: discovering and modeling novel threats, cross-layer analysis, applied formal methods

    - TCP side channels, allowing the hijack of arbitrary connections on the Internet: CVE-2016-5696, GeekPwn 2016 most creative idea award, Geekpwn 2017 winner award (unfixable flaw), applied networking research prize

    - Multi-Path TCP flaws: [Safer than TCP?] [IETF discussion & patch]

    - Firewall Testing and Evasion: [Reverse Engineering Firewall Behaviors] [Automated Evasion Attemp Generation]

    - Reviving DNS cache poisoning attacks  [Against DNS forwarders] [Against DNS resolvers and others]

    • System security

    Keywords: bridging the gap between the hacking community and academia, automation, applied formal methods

    - Automated cyber attacks and defenses: [Exploitability analysis of kernel heap OOB write bugs]

    - Systems/Tools for better security analysis: [Automatic patch presence test in binaries] [Dynamic analysis support of Android device drivers]

    - Vulnerability discovery and analysis across Android software stack: [Android root] [ION driver] [Permission inconsistency] [Inherited IPC interface from Linux] [Input validation flaws]

    Selected publications:
    ACM CCS 20 DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels [PDF] [Slides]
    Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan
    In Proceedings of ACM Conference on Computer and Communications Security (CCS) 2020.
     [Distinguished Paper Award] [CVE-2020-25705]
    Media coverage: [Ars Technica] [ZDNet] [TechRepublic] [The Hacker News]
    ACM CCS 21 DNS Cache Poisoning Attack: Resurrections with Side Channels [PDF]
    Keyu Man, Xinan Zhou, and Zhiyun Qian
    In Proceedings of ACM CCS 2021.
    Media coverage: [Ars Technica] [TechTarget] [The Hacker News]
    ACM CCS 21 Statically Discovering High-Order Taint Style Vulnerabilities in OS Kernels [PDF] [Source]
    Hang Zhang, Weiteng Chen, Yu Hao, Guoren Li, Yizhuo Zhai, Xiaochen Zou, and Zhiyun Qian
    In Proceedings of ACM CCS 2021.
    ACM CCS 21 Themis: Ambiguity-Aware Network Intrusion Detection based on Symbolic Model Comparison [PDF] [Source]
    Zhongjie Wang, Shitong Zhu, Keyu Man, Pengxiong Zhu, Yu Hao, Zhiyun Qian, Srikanth V. Krishnamurthy, Tom La Porta, and Michael J. De Lucia
    In Proceedings of ACM CCS 2021.
    ACM CCS 21 SyzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers [PDF] [Source]
    Weiteng Chen, Yu Wang, Zheng Zhang, and Zhiyun Qian
    In Proceedings of ACM CCS 2021.
    USENIX Security 21 SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning [PDF] [Source]
    Daimeng Wang, Zheng Zhang, Hang Zhang, Zhiyun Qian, Srikanth V. Krishnamurthy, and Nael Abu-Ghazaleh
    In Proceedings of USENIX Security 2021.
    USENIX Security 21 PolyScope: Multi-Policy Access Control Analysis to Compute Authorized Attack Operations in Android Systems [PDF]
    Yu-Tsung Lee, William Enck, Haining Chen, Hayawardh Vijayakumar, Ninghui Li, Zhiyun Qian, Daimeng Wang, Giuseppe Petracca, and Trent Jaeger
    In Proceedings of USENIX Security 2021.
    USENIX Security 21 Undo Workarounds for Kernel Bugs [PDF] [Source]
    Seyed Mohammadjavad Seyed Talebi, Zhihao Yao, Ardalan Amiri Sani, Zhiyun Qian, and Daniel Austin
    In Proceedings of USENIX Security 2021.
    USENIX Security 21 An Investigation of the Android Kernel Patch Ecosystem [PDF] [Source]
    Zheng Zhang, Hang Zhang, Zhiyun Qian, and Billy Lau
    In Proceedings of USENIX Security 2021.

    Selected professional activities:

    • Program Committee, IEEE Security and Privacy (Oakland) 2021, 2020, 2019
    • Program Committee, ACM Conference on Computer and Communications Security (CCS) 2019, 2018, 2017, 2016, 2014
    • Program Committee, USENIX Security 2021
    • Program Committee, Network & Distributed System Security (NDSS) 2021, 2020, 2019, 2013
    • Program Committee, ACM Internet Measurement Conference (IMC) 2018, 2017
    • Program Committee, AsiaCCS 2016, 2014
    • Program Committee, Mobisys 2014