Zhiyun Qian
Email: zhiyunq
Office: Winston Chung Hall 334
Phone number: 951-827-6438
Zhiyun Qian is the Everett and Imogene Ross professor in the Computer Science and Engineering department at the University of California, Riverside. He has a broad interest in system/network security, with the general theme of vulnerability discovery and analysis, system building, and measurement. He has a well-rounded understanding of computer systems including operating systems, software, network protocols, architecture, and their interactions. The techniques he applies include program analysis, reverse engineering, fuzzing, model checking, and AI / machine learning. More recently he is most passionate about building impactful systems and tools. Besides research, he has also successfully competed with his students in various hacking competitions such as Pwn2Own and GeekPwn.
Selected research threads:
• Network security
Keywords: discovering and modeling novel threats, cross-layer analysis, applied formal methods
- TCP side channels, allowing the hijack of arbitrary connections on the Internet: CVE-2016-5696, GeekPwn 2016 most creative idea award, GeekPwn 2017 winner award (unfixable flaw), applied networking research prize
- Multi-Path TCP flaws: [Safer than TCP?] [IETF discussion & patch]
- Firewall Testing and Evasion: [Reverse Engineering Firewall Behaviors] [Automated Evasion Attempt Generation]
- Reviving DNS cache poisoning attacks [Against DNS forwarders] [Against DNS resolvers and others]
• System security
Keywords: bridging the gap between the hacking community and academia, automation, applied formal methods
- Automated cyber attacks and defenses: [Exploitability analysis of kernel heap OOB write bugs]
- Systems/Tools for better security analysis: [Automatic patch presence test in binaries] [Dynamic analysis support of Android device drivers]
- Vulnerability discovery and analysis across Android software stack: [Android root] [ION driver] [Permission inconsistency] [Inherited IPC interface from Linux] [Input validation flaws]
Selected publications:
ACM CCS 20 | DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels
[PDF] [Slides] Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan. In Proceedings of ACM Conference on Computer and Communications Security (CCS) 2020. [Distinguished Paper Award] [CVE-2020-25705] Media coverage: [Ars Technica] [ZDNet] [TechRepublic] [The Hacker News]
ACM CCS 21 | DNS Cache Poisoning Attack: Resurrections with Side Channels
[PDF] Keyu Man, Xinan Zhou, and Zhiyun Qian. In Proceedings of ACM CCS 2021. Media coverage: [Ars Technica] [TechTarget] [The Hacker News]
ACM CCS 21 | Statically Discovering High-Order Taint Style Vulnerabilities in OS Kernels
[PDF] [Source] Hang Zhang, Weiteng Chen, Yu Hao, Guoren Li, Yizhuo Zhai, Xiaochen Zou, and Zhiyun Qian. In Proceedings of ACM CCS 2021.
ACM CCS 21 | Themis: Ambiguity-Aware Network Intrusion Detection based on Symbolic Model Comparison
[PDF] [Source] Zhongjie Wang, Shitong Zhu, Keyu Man, Pengxiong Zhu, Yu Hao, Zhiyun Qian, Srikanth V. Krishnamurthy, Tom La Porta, and Michael J. De Lucia. In Proceedings of ACM CCS 2021.
ACM CCS 21 | SyzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers
[PDF] [Source] Weiteng Chen, Yu Wang, Zheng Zhang, and Zhiyun Qian. In Proceedings of ACM CCS 2021.
USENIX Security 21 | SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning
[PDF] [Source] Daimeng Wang, Zheng Zhang, Hang Zhang, Zhiyun Qian, Srikanth V. Krishnamurthy, and Nael Abu-Ghazaleh. In Proceedings of USENIX Security 2021.
USENIX Security 21 | PolyScope: Multi-Policy Access Control Analysis to Compute Authorized Attack Operations in Android Systems
[PDF] Yu-Tsung Lee, William Enck, Haining Chen, Hayawardh Vijayakumar, Ninghui Li, Zhiyun Qian, Daimeng Wang, Giuseppe Petracca, and Trent Jaeger. In Proceedings of USENIX Security 2021.
USENIX Security 21 | Undo Workarounds for Kernel Bugs
[PDF] [Source] Seyed Mohammadjavad Seyed Talebi, Zhihao Yao, Ardalan Amiri Sani, Zhiyun Qian, and Daniel Austin. In Proceedings of USENIX Security 2021.
USENIX Security 21 | An Investigation of the Android Kernel Patch Ecosystem
[PDF] [Source] Zheng Zhang, Hang Zhang, Zhiyun Qian, and Billy Lau. In Proceedings of USENIX Security 2021.
Selected professional activities: