Zhiyun Qian's homepage

Zhiyun Qian is the Everett and Imogene Ross associate professor in Computer Science and Engineering department at University of California Riverside. He is a recipient of the NSF CAREER Award for 2017.

He has a broad interest in system/network security, with the general theme of vulnerability discovery and analysis, system building, and measurement. He has a well-rounded understanding of the computer systems including operating systems, software, network protocols, architecture, and their interactions. The techniques he applies include program analysis, reverse engineering, fuzzing, model checking, and machine learning. Problem domains that he has worked on include, but not limited to, protocol security, operating system security, Android security, network infrastructure security, censorship evasion, and web privacy. More recently he is passionate about building systems and tools that will result in long-lasting real-world impact.

To prospective students: I'm looking for students who have strong interests in computer systems, security, or networking, especially the ones with hacking skills or desires. If you are interested, feel free to drop me an email and introduce yourself!

Selected research threads:

• Network security

Keywords: discovering and modeling novel threats, cross-layer analysis, applied formal methods

- TCP side channels, allowing the hijack of arbitrary connections on the Internet: CVE-2016-5696, GeekPwn 2016 most creative idea award, Geekpwn 2017 winner award (unfixable flaw), applied networking research prize

- Multi-Path TCP flaws: [Safer than TCP?] [IETF discussion & patch]

- Firewall Testing and Evasion: [Reverse Engineering Firewall Behaviors] [Automated Evasion Attemp Generation]

- Reviving DNS cache poisoning attacks [Against DNS forwarders] [Against DNS resolvers and others]

• System security

Keywords: bridging the gap between the hacking community and academia, automation, applied formal methods

- Automated cyber attacks and defenses: [Exploitability analysis of kernel heap OOB write bugs]

- Systems/Tools for better security analysis: [Automatic patch presence test in binaries] [Dynamic analysis support of Android device drivers]

- Vulnerability discovery and analysis across Android software stack: [Android root] [ION driver] [Permission inconsistency] [Inherited IPC interface from Linux] [Input validation flaws]

Selected publications:

CCS 20 DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels [PDF] [Slides]
Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan
In Proceedings of ACM Conference on Computer and Communications Security (CCS) 2020.
[Distinguished Paper Award] [CVE-2020-25705]
Media coverage: [Ars Technica] [ZDNet] [TechRepublic] [The Hacker News]

FSE 20 UBITect: A Precise and Scalable Method to Detect Use-Before-Initialization bugs in Linux Kernel [PDF] [Source]
Yizhuo Zhai, Yu Hao, Hang Zhang, Daimeng Wang, Chengyu Song, Zhiyun Qian, Mohsen Lesani, Srikanth V. Krishnamurthy, Paul Yu
In Proceedings of the 2020 ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (FSE'20), Sacramento, CA.

USENIX Security 20 Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices [PDF]
Xiaofeng Zheng, Chaoyi Lu, Jian Peng, Qiushi Yang, Dongjie Zhou, Baojun Liu, Keyu Man, Shuang Hao, Haixin Duan, Zhiyun Qian
In Proceedings of USENIX Security 2020, Boston MA.

USENIX Security 20 KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities [PDF] [Source]
Weiteng Chen, Xiaochen Zou, Guoren Li, Zhiyun Qian
In Proceedings of USENIX Security 2020, Boston MA.

Eurosys 20 Experiences of Landing Machine Learning onto Market-Scale Mobile Malware Detection [PDF]
Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu
In Proceedings of Eurosys 2020, Dresden, Germany.

Sigmetrics 20 Characterizing Transnational Internet Performanceand the Great Bottleneck of China [PDF]
Pengxiong Zhu, Keyu Man, Zhongjie Wang, Zhiyun Qian, Roya Ensafi, J. Alex Halderman, Haixin Duan
In Proceedings of ACM SIGMETRICS 2020, Boston, MA.

NDSS 20 SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery [PDF] [Source]
Zhongjie Wang, Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Tracy D. Braun, Kevin S. Chan
In Proceedings of the Network & Distributed System Security Symposium (NDSS) 2020, San Diego, CA.

S&P 20 AdGraph: A Graph-Based Approach to Ad and Tracker Blocking [PDF]
Umar Iqbal, Peter Snyder, Shitong Zhu, Benjamin Livshits, Zhiyun Qian, Zubair Shafiq
In Proceedings of IEEE Symposium on Security & Privacy (Oakland), 2020, San Francisco CA.

Selected professional activities:

Program Committee, IEEE Security and Privacy (Oakland) 2021, 2020, 2019
Program Committee, ACM Conference on Computer and Communications Security (CCS) 2019, 2018, 2017, 2016, 2014
Program Committee, USENIX Security 2021
Program Committee, Network & Distributed System Security (NDSS) 2021, 2020, 2019, 2013
Program Committee, ACM Internet Measurement Conference (IMC) 2018, 2017
Program Committee, AsiaCCS 2016, 2014
Program Committee, Mobisys 2014

CCS 20	DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels [PDF] [Slides] Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan In Proceedings of ACM Conference on Computer and Communications Security (CCS) 2020. [Distinguished Paper Award] [CVE-2020-25705] Media coverage: [Ars Technica] [ZDNet] [TechRepublic] [The Hacker News]
FSE 20	UBITect: A Precise and Scalable Method to Detect Use-Before-Initialization bugs in Linux Kernel [PDF] [Source] Yizhuo Zhai, Yu Hao, Hang Zhang, Daimeng Wang, Chengyu Song, Zhiyun Qian, Mohsen Lesani, Srikanth V. Krishnamurthy, Paul Yu In Proceedings of the 2020 ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (FSE'20), Sacramento, CA.
USENIX Security 20	Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices [PDF] Xiaofeng Zheng, Chaoyi Lu, Jian Peng, Qiushi Yang, Dongjie Zhou, Baojun Liu, Keyu Man, Shuang Hao, Haixin Duan, Zhiyun Qian In Proceedings of USENIX Security 2020, Boston MA.
USENIX Security 20	KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities [PDF] [Source] Weiteng Chen, Xiaochen Zou, Guoren Li, Zhiyun Qian In Proceedings of USENIX Security 2020, Boston MA.
Eurosys 20	Experiences of Landing Machine Learning onto Market-Scale Mobile Malware Detection [PDF] Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu In Proceedings of Eurosys 2020, Dresden, Germany.
Sigmetrics 20	Characterizing Transnational Internet Performanceand the Great Bottleneck of China [PDF] Pengxiong Zhu, Keyu Man, Zhongjie Wang, Zhiyun Qian, Roya Ensafi, J. Alex Halderman, Haixin Duan In Proceedings of ACM SIGMETRICS 2020, Boston, MA.
NDSS 20	SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery [PDF] [Source] Zhongjie Wang, Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Tracy D. Braun, Kevin S. Chan In Proceedings of the Network & Distributed System Security Symposium (NDSS) 2020, San Diego, CA.
S&P 20	AdGraph: A Graph-Based Approach to Ad and Tracker Blocking [PDF] Umar Iqbal, Peter Snyder, Shitong Zhu, Benjamin Livshits, Zhiyun Qian, Zubair Shafiq In Proceedings of IEEE Symposium on Security & Privacy (Oakland), 2020, San Francisco CA.