Li Juanru (Liarod RomanGol) @ G.O.S.S.I.P

Li Juanru 李卷孺 (a.k.a Liarod RomanGol 诺慢)

I am the director of the Group of Software Security In Progress (G.O.S.S.I.P).
I maintain code-analysis.org and the GoSSIP Security Wiki.

My research focuses on software security and cryptology. I work closely with Dr. Siqi Ma.

Email: mail@lijuanru.com

Publications: DBLP

Blog: 锡的心

Page at SJTU: page@SJTU or local copy

Awards

Research

Security Analysis and Protection of Code

  1. Goshawk: Hunting Memory Corruptions via Structure-Aware and Object-Centric Memory Operation Synopsis​ @ [IEEE S&P’22]
    IEEE Symposium on Security and Privacy, San Francisco CA, United States. May 22-26, 2022.
    [PDF] | [Website]

  2. Annotating, Tracking, and Protecting Cryptographic Secrets with CryptoMPK​ @ [IEEE S&P’22]
    IEEE Symposium on Security and Privacy, San Francisco CA, United States. May 22-26, 2022.
    [PDF] | [Website]

  3. SmartShield: Automatic Smart Contract Protection Made Easy​ @ [SANER’20, Best Paper Award!]
    IEEE International Conference on Software Analysis, Evolution and Reengineering, London, Ontario, Canada. February 18-21, 2020.
    [PDF] | [Website]

  4. EthPloit: From Fuzzing to Efficient Exploit Generation against Smart Contracts​ @ [SANER’20]
    IEEE International Conference on Software Analysis, Evolution and Reengineering, London, Ontario, Canada. February 18-21, 2020.
    [PDF]

  5. NLP-EYE: Detecting Memory Corruptions via Semantic-Aware Memory Operation Function Identification​ @ [RAID’19]
    International Symposium on Research in Attacks, Intrusions and Defenses, Beijing, China. September 23-25, 2019.
    [PDF]

  6. K-Hunt: Pinpointing Insecure Cryptographic Keys in Execution Traces​ @ [CCS’18]
    ACM Conference on Computer and Communications Security, Toronto, Canada. October 15-19, 2018.
    [PDF]

  7. BinMatch: A Semantics-based Hybrid Approach on Binary Code Clone Analysis​ @ [ICSME’18]
    International Conference on Software Maintenance and Evolution, Madrid, Spain. September 23-29, 2018.
    [PDF]

  8. Nightingale: Translating Embedded VM Code in x86 Binary Executables​ @ [ISC’17]
    International Information Security Conference, Ho Chi Minh City, Vietnam, November 22-24, 2017.
    [PDF]

  9. Embroidery: Patching Vulnerable Binary Code of Fragmentized Android Devices​ @ [ICSME’17]
    IEEE International Conference on Software Maintenance and Evolution, Shanghai, China. September 8-October 3, 2017.
    [PDF]

  10. MIRAGE: Randomizing Large Chunk Allocation Via Dynamic Binary Instrumentation @ [DSC’17]
    IEEE Conference on Dependable and Secure Computing, Taipei, China. August 7-10, 2017.
    [PDF]

  11. Binary Code Clone Detection across Architectures and Compiling Configurations @ [ICPC’17]
    International Conference on Program Comprehension, Buenos Aires, Argentina. May 22-23, 2017.
    [PDF]

  12. New Exploit Methods against Ptmalloc of Glibc @ [TrustCom’16]
    IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Tianjin, China. August 23-26, 2016.
    [PDF]

  13. Cross-Architecture Binary Semantics Understanding via Similar Code Comparison @ [SANER’16]
    IEEE International Conference on Software Analysis, Evolution, and Reengineering, Osaka, Japan. March 14-18, 2016.
    [PDF]

Mobile Security

  1. Medusa Attack: Exploring Security Hazards of In-App QR Code Scanning @ [USENIX Security ’23]
    USENIX Security Symposium (USENIX Security), Anaheim, CA, USA. August 9-11, 2023.
    [PDF] | [Website]

  2. EvilScreen Attack: Smart TV Hijacking via Multi-channel Remote Control Mimicry​ @ [arXiv’22]
    arXiv:2210.03014 [cs.CR], Submitted on 6 Oct 2022.
    [PDF] | [Website]

  3. SIMulation: Demystifying (Insecure) Cellular Network based One-Tap Authentication Services​ @ [DSN’22]
    IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Baltimore, Maryland, USA, June 27-30, 2022.
    [PDF] | [Website]

  4. PEDroid: Automatically Extracting Patches from Android App Updates​ @ [ECOOP’22]
    European Conference on Object-Oriented Programming (ECOOP), Berlin, Germany, June 6 - July 7, 2022.
    [PDF]

  5. Fine with "1234"? An Analysis of SMS One-Time Password Randomness in Android Apps​ @ [ICSE’21]
    International Conference on Software Engineering (ICSE), Virtual (originally in Madrid, Spain). May 25-28, 2021.
    [PDF]

  6. Orchestration or Automation: Authentication Flaw Detection in Android Apps​ @ [TDSC]
    Transactions on Dependable and Secure Computing
    [PDF]

  7. Certified Copy? Understanding Security Risks of Wi-Fi Hotspot based Android Data Clone Services​ @ [ACSAC’20]
    2020 Annual Computer Security Applications Conference, Austin, Texas, USA, December 7-11, 2020.
    [PDF]

  8. An Empirical Study of the SMS One-Time Password Authentication in Android Apps​ @ [ACSAC’19]
    2019 Annual Computer Security Applications Conference, San Juan, December 9-13, 2019.
    [PDF]

  9. Security analysis of third-party in-app payment in mobile applications​ @ [JISA]
    Journal of Information Security and Applications, Volume 48, October 2019.
    [PDF]

  10. Finding Flaws from Password Authentication Code in Android Apps​ @ [ESORICS’19]
    The European Symposium on Research in Computer Security, Luxembourg. September 23-27, 2019.
    [PDF]

  11. AppCommune: Automated Third-Party Libraries De-duplicating and Updating for Android Apps.​ @ [SANER’19]
    IEEE International Conference on Software Analysis, Evolution and Reengineering, Hangzhou, China. February 24-27, 2019.
    [PDF]

  12. An Empirical Study of SDK Credential Misuse in iOS Apps​ @ [APSEC’18]
    Asia-Pacific Software Engineering Conference, Nara, Japan. December 4-7, 2018.
    [PDF]

  13. Burn After Reading: Expunging Execution Footprints of Android Apps​ @ [NSS’18]
    International Conference on Network and System Security, Hong Kong, China. August 27-29, 2018.
    [PDF]

  14. AppSpear: Automating the Hidden-Code Extraction and Reassembling of Packed Android Malware @ [JSS]
    Journal of Systems and Software. 140: 3-16 (2018).
    [PDF]

  15. Oh-Pwn_VPN! Security Analysis of OpenVPN-based Android Apps @ [CANS’17]
    International Conference on Cryptology And Network Security, Hong Kong, China. November 29-December 2, 2017.
    [PDF]

  16. NativeSpeaker: Identifying Crypto Misuses in Android Native Code Libraries @ [Inscrypt’17]
    International Conference on Information Security and Cryptology, Xi'an, China. November 3-5, 2017.
    [PDF]

  17. Show Me the Money! Finding Flawed Implementations of Third-party In-app Payment in Android Apps @ [NDSS’17]
    Network and Distributed System Security Symposium, San Diego, CA, USA. February 26-March 1, 2017.
    [PDF]

  18. The Achilles' Heel of OAuth: A Multi-Platform Study of OAuth-based Authentication @ [ACSAC’16]
    Annual Computer Security Applications Conference, Los Angeles, CA, USA. December 5-9, 2016.
    [PDF]

  19. An Empirical Study of Insecure Communication in Android Apps @ [Inscrypt’16]
    China International Conference on Information Security and Cryptology, Beijing, China, November 4-6, 2016.
    [PDF]

  20. Open Sesame! Web Authentication Cracking via Mobile app Analysis @ [APWeb’16]
    Asia Pacific Web Conference, Suzhou, China. September 23-25, 2016.
    [PDF]

  21. Vulnerability Assessment of OAuth Implementations in Android Applications @ [ACSAC’15]
    Annual Computer Security Applications Conference, Los Angeles, California, USA. December 7-11, 2015.
    [PDF]

  22. SSG: Sensor Security Guard for Android Smartphones @ [CollaborateCom’15]
    EAI International Conference on Collaborative Computing: Networking, Applications and Worksharing, Wuhan, China. November 10-11, 2015.
    [PDF]

  23. AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware @ [RAID’15]
    International Symposium on Research in Attacks, Intrusions and Defenses, Kyoto, Japan. November 2–4, 2015.
    [PDF]

  24. APKLancet: Tumor Payload Diagnosis and Purification for Android Applications @ [AsiaCCS’14]
    ACM Symposium on Information, Computer and Communications Security, Kyoto, Japan. June 4–6, 2014.
    [PDF]

IoT Security

  1. EvilScreen Attack: Smart TV Hijacking via Multi-channel Remote Control Mimicry​ @ [arXiv’22]
    arXiv:2210.03014 [cs.CR], Submitted on 6 Oct 2022.
    [PDF] | [Website]

  2. KingFisher: Unveiling Insecurely Used Credentials in IoT-to-Mobile Communications​ @ [DSN’22]
    IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Baltimore, Maryland, USA, June 27-30, 2022.
    [PDF] | [Website]

  3. Control Parameters Considered Harmful: Detecting Range Specification Bugs in Drone Configuration Modules via Learning-Guided Search​ @ [ICSE ’22]
    International Conference on Software Engineering, Pittsburgh, PA, United States. May 22-27, 2022.
    [PDF]

  4. Rethinking the Security of IoT From the Perspective of Developer Customized Device-cloud Interaction @ [SAC’22]
    ACM/SIGAPP Symposium on Applied Computing, Virtual Event. April 25-29, 2022.
    [PDF]

  5. Understanding the security of app-in-the-middle IoT @ [CS]
    Computers & Security, Volume 97, October 2020, 102000.
    [PDF]

  6. Passwords in the Air: Harvesting Wi-Fi Credentials from SmartCfg Provisioning​ @ [Wisec’18]
    ACM Conference on Security and Privacy in Wireless and Mobile Networks, Stockholm, Sweden. June 18-20, 2018.
    [PDF]

  7. Smart Solution, Poor Protection: An Empirical Study of Security and Privacy Issues in Developing and Deploying Smart Home Devices @ [CCSW-IoT S&P’17]
    ACM CCS Workshop on Internet of Things Security and Privacy, Dallas, TX, USA, November 3, 2017.
    [PDF]

  8. Security Testing of Software on Embedded Devices Using x86 Platform @ [CollaborateComm’16]
    EAI International Conference on Collaborative Computing: Networking, Applications and Worksharing, Beijing, China, November 12-13, 2016.
    [PDF]

  9. Security Analysis of Vendor Customized Code in Firmware of Embedded Device @ [SecureComm’16]
    EAI International Conference on Security and Privacy in Communication Networks, Guangzhou, China, October 10-12, 2016.
    [PDF]

Real-world Crypto Security

  1. Annotating, Tracking, and Protecting Cryptographic Secrets with CryptoMPK​ @ [IEEE S&P’22]
    IEEE Symposium on Security and Privacy, San Francisco CA, United States. May 22-26, 2022.
    [PDF]

  2. Re-check Your Certificates! Experiences and Lessons Learnt from Real-world HTTPS Certificate Deployments @ [NSS’21]
    International Conference on Network and System Security, Tianjin, China. October 23, 2021.
    [PDF]

  3. Accelerating SM2 Digital Signature Algorithm using Modern Processor Features @ [ICICS’19]
    International Conference on Information and Communications Security, Beijing, China. December 15-17, 2019.
    [PDF]

  4. K-Hunt: Pinpointing Insecure Cryptographic Keys in Execution Traces @ [CCS’18]
    ACM Conference on Computer and Communications Security, Toronto, Canada. October 15-19, 2018.
    [PDF]

  5. Oh-Pwn_VPN! Security Analysis of OpenVPN-based Android Apps @ [CANS’17]
    International Conference on Cryptology And Network Security, Hong Kong, China. November 29-December 2, 2017.
    [PDF]

  6. NativeSpeaker: Identifying Crypto Misuses in Android Native Code Libraries @ [Inscrypt’17]
    International Conference on Information Security and Cryptology, Xi'an, China. November 3-5, 2017.
    [PDF]

  7. Open Sesame! Web Authentication Cracking via Mobile app Analysis @ [APWeb’16]
    Asia Pacific Web Conference, Suzhou, China. September 23-25, 2016.
    [PDF]

  8. TagDroid: Hybrid SSL Certificate Verification in Android @ [ICICS’14]
    International Conference on Information and Communications Security, Hong Kong, China. December 16–17, 2014.
    [PDF]

  9. iCryptoTracer: Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications @ [NSS’14]
    International Conference on Network and System Security, Xi'an, China. October 15-17, 2014.
    [PDF]

  10. Automatic Detection and Analysis of Encrypted Messages in Malware @ [Inscrypt’13]
    China International Conference on Information Security and Cryptology, Guangzhou, China, November 27-30, 2013.
    [PDF]

  11. Detecting Encryption Functions via Process Emulation and IL-Based Program Analysis @ [ICICS’12]
    International Conference on Information Security and Cryptology, Hong Kong, China. October 29-31, 2012.
    [PDF]

  12. Detection and Analysis of Cryptographic Data Inside Software @ [ISC’11]
    International Conference on Information Security, Xi'an, China, October 26-29, 2011.
    [PDF]

Network Security

  1. Re-check Your Certificates! Experiences and Lessons Learnt from Real-world HTTPS Certificate Deployments @ [NSS’21]
    International Conference on Network and System Security, Tianjin, China. October 23, 2021.
    [PDF]

  2. Yet Another Traffic Black Hole: Amplifying CDN Fetching Traffic with RangeFragAmp Attacks @ [CollaborateCom’21]
    EAI International Conference on Collaborative Computing, Suzhou, China. October 15-17, 2021.
    [PDF]

Professional Activities

PC Member:

Reviewer:

Links