Li Juanru 李卷孺 (a.k.a Liarod RomanGol 诺慢) I am the director of Group of Software Security In Progress (G.O.S.S.I.P). I am maintaining code-analysis.org and GoSSIP Security Wiki. My research focuses on software security and cryptology. I work closely with Dr. Siqi Ma. Email: mail@lijuanru.com Publications: DBLP Blog: 锡的心 Page at SJTU: page@SJTU or local copy

Awards

• 2023: 华为火花奖 -- 华为云难题第三期难题3

• 2022: 移动互联网APP产品安全漏洞治理优秀案例（CSTC-APP-0004）-- 移动APP二维码扫码安全漏洞发现与修复

• 2020: Best Paper Award of SANER '20 -- SmartShield: Automatic Smart Contract Protection Made Easy

• 2018: 上海市科技进步奖一等奖，第三完成人

• 2017: 上海市计算机学会信息安全杰出论文奖 -- From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel

• 2014: Hack.lu CTF -- 2nd place

• 2011: Forensic Challenge 9 - "Mobile Malware", 2nd place.

• 2010: Best student paper award -- E-Forensics 2010

Researches

Security Analysis and Protection of Code

1. Goshawk: Hunting Memory Corruptions via Structure-Aware and Object-Centric Memory Operation Synopsis​ @ [IEEE S&P’22]
   IEEE Symposium on Security and Privacy, San Francisco CA, United States. May 22-26, 2022.
   [PDF] | [Website]

2. Annotating, Tracking, and Protecting Cryptographic Secrets with CryptoMPK​ @ [IEEE S&P’22]
   IEEE Symposium on Security and Privacy, San Francisco CA, United States. May 22-26, 2022.
   [PDF] | [Website]

3. SmartShield: Automatic Smart Contract Protection Made Easy​ @ [SANER’20, Best Paper Award!]
   IEEE International Conference on Software Analysis, Evolution and Reengineering, London, Ontario, Canada. February 18-21, 2020.
   [PDF] | [Website]

4. EthPloit: From Fuzzing to Efficient Exploit Generation against Smart Contracts​ @ [SANER’20]
   IEEE International Conference on Software Analysis, Evolution and Reengineering, London, Ontario, Canada. February 18-21, 2020.
   [PDF]

5. NLP-EYE: Detecting Memory Corruptions via Semantic-Aware Memory Operation Function Identification​ @ [RAID’19]
   International Symposium on Research in Attacks, Intrusions and Defenses, Beijing, China. September 23-25, 2019.
   [PDF]

6. K-Hunt: Pinpointing Insecure Cryptographic Keys in Execution Traces​ @ [CCS’18]
   ACM Conference on Computer and Communications Security, Toronto, Canada. October 15-19, 2018.
   [PDF]

7. BinMatch: A Semantics-based Hybrid Approach on Binary Code Clone Analysis​ @ [ICSME’18]
   International Conference on Software Maintenance and Evolution, Madrid, Spain. September 23-29, 2018.
   [PDF]

8. Nightingale: Translating Embedded VM Code in x86 Binary Executables​ @ [ISC’17]
   International Information Security Conference, Ho Chi Minh City, Vietnam, November 22-24, 2017.
   [PDF]

9. Embroidery: Patching Vulnerable Binary Code of Fragmentized Android Devices​ @ [ICSME’17]
   IEEE International Conference on Software Maintenance and Evolution, Shanghai, China. September 8-October 3, 2017.
   [PDF]

10. MIRAGE : Randomizing Large Chunk Allocation Via Dynamic Binary Instrumentation​ @ [DSC’17]
    IEEE Conference on Dependable and Secure Computing, Taipei, China. August 7-10, 2017.
    [PDF]

11. Binary Code Clone Detection across Architecturesand Compiling Configurations​ @ [ICPC’17]
    International Conference on Program Comprehension, Buenos Aires, Argentina. May 22-23, 2017.
    [PDF]

12. New Exploit Methods against Ptmalloc of Glibc ​ @ [TrustCom’16]
    IEEE International Conference on Trust, Security and Privacy in Computing and Communications , Tianjin, China. August 23-26, 2016.
    [PDF]

13. Cross-Architecture Binary Semantics Understanding via Similar Code Comparison ​ @ [SANER’16]
    IEEE International Conference on Software Analysis, Evolution, and Reengineering , Osaka, Japan. March 14-18, 2016.
    [PDF]

Mobile Security

1. Medusa Attack: Exploring Security Hazards of In-App QR Code Scanning​ @ [USENIX Securiyt ’23]
   USENIX Security Symposium (USENIX Security) , Anaheim, CA, USA. August 9-11, 2023.
   [PDF] | [Website]

2. EvilScreen Attack: Smart TV Hijacking via Multi-channel Remote Control Mimicry​ @ [arXiv’22]
   arXiv:2210.03014 [cs.CR], Submitted on 6 Oct 2022.
   [PDF] | [Website]

3. SIMulation: Demystifying (Insecure) Cellular Network based One-Tap Authentication Services​ @ [DSN’22]
   IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Baltimore, Maryland, USA, June 27-30, 2022.
   [PDF] | [Website]

4. PEDroid: Automatically Extracting Patches from Android App Updates​ @ [ECOOP’22]
   European Conference on Object-Oriented Programming (ECOOP), Berlin, Germany, June 6 - July 7, 2022.
   [PDF]

5. Fine with "1234"? An Analysis of SMS One-Time Password Randomness in Android Apps​ @ [ICSE’21]
   International Conference on Software Engineering (ICSE), Virtual (originally in Madrid, Spain). May 25-28, 2021.
   [PDF]

6. Orchestration or Automation: Authentication Flaw Detection in Android Apps​ @ [TDSC]
   Transactions on Dependable and Secure Computing
   [PDF]

7. Certified Copy? Understanding Security Risks of Wi-Fi Hotspot based Android Data Clone Services​ @ [ACSAC’20]
   2020 Annual Computer Security Applications Conference, Austin, Texas, USA, December 7-11, 2020.
   [PDF]

8. An Empirical Study of the SMS One-Time Password Authentication in Android Apps​ @ [ACSAC’19]
   2019 Annual Computer Security Applications Conference, San Juan, December 9-13, 2019.
   [PDF]

9. Security analysis of third-party in-app payment in mobile applications​ @ [JISA]
   Journal of Information Security and Applications, Volume 48, October 2019.
   [PDF]

10. Finding Flaws from Password Authentication Code in Android Apps​ @ [ESORICS’19]
    The European Symposium on Research in Computer Security, Luxembourg. September 23-27, 2019.
    [PDF]

11. AppCommune: Automated Third-Party Libraries De-duplicating and Updating for Android Apps.​ @ [SANER’19]
    IEEE International Conference on Software Analysis, Evolution and Reengineering, Hangzhou, China. Februray 24-27, 2019.
    [PDF]

12. An Empirical Study of SDK Credential Misuse in iOS Apps​ @ [APSEC’18]
    Asia-Pacific Software Engineering Conference, Nara, Japan. December 4-7, 2018.
    [PDF]

13. Burn After Reading: Expunging Execution Footprints of Android Apps​ @ [NSS’18]
    International Conference on Network and System Security, Hong Kong, China. August 27-29, 2018.
    [PDF]

14. AppSpear: Automating the Hidden-Code Extraction and Reassembling of Packed Android Malware @ [JSS]
    Journal of Systems and Software. 140: 3-16 (2018).
    [PDF]

15. Oh-Pwn_VPN! Security Analysis of OpenVPN-based Android Apps ​ @ [CANS’17]
    International Conference on Cryptology And Network Security , Hong Kong, China. November 29-December 2, 2017.
    [PDF]

16. NativeSpeaker: Identifying Crypto Misuses in Android Native Code Libraries ​ @ [Inscrypt’17]
    International Conference on Information Security and Cryptology , Xi'an, China. November 3-5, 2017.
    [PDF]

17. Show Me the Money! Finding Flawed Implementations of Third-party In-app Payment in Android Apps ​ @ [NDSS’17]
    Network and Distributed System Security Symposium , San Diego, CA, USA. February 26-March 1, 2017.
    [PDF]

18. The Achilles' Heel of OAuth: A Multi-Platform Study of OAuth-based Authentication ​ @ [ACSAC’16]
    Annual Computer Security Applications Conference , Los Angeles, CA, USA. December 5-9, 2016.
    [PDF]

19. An Empirical Study of Insecure Communication in Android Apps ​ @ [Inscrypt’16]
    China International Conference on Information Security and Cryptology , Beijing, China, November 4-6, 2016.
    [PDF]

20. Open Sesame! Web Authentication Cracking via Mobile app Analysis ​ @ [APWeb’16]
    Asia Pacific Web Conference , Suzhou, China. September 23-25, 2016.
    [PDF]

21. Vulnerability Assessment of OAuth Implementations in Android Applications ​ @ [ACSAC’15]
    Annual Computer Security Applications Conference , Los Angeles, California, USA. December 7-11, 2015.
    [PDF]

22. SSG: Sensor Security Guard for Android Smartphones ​ @ [CollaborateCom’15]
    EAI International Conference on Collaborative Computing: Networking, Applications and Worksharing , Wuhan, China. November 10-11, 2015.
    [PDF]

23. AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware ​ @ [RAID’15]
    International Symposium on Research in Attacks, Intrusions and Defenses , Kyoto, Japan. November 2–4, 2015.
    [PDF]

24. APKLancet: Tumor Payload Diagnosis and Purification for Android Applications ​ @ [AsiaCCS’14]
    ACM Symposium on Information, Computer and Communications Security , Kyoto, Japan. June 4–6, 2014
    [PDF]

IoT Security

1. EvilScreen Attack: Smart TV Hijacking via Multi-channel Remote Control Mimicry​ @ [arXiv’22]
   arXiv:2210.03014 [cs.CR], Submitted on 6 Oct 2022.
   [PDF] | [Website]

2. KingFisher: Unveiling Insecurely Used Credentials in IoT-to-Mobile Communications​ @ [DSN’22]
   IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Baltimore, Maryland, USA, June 27-30, 2022.
   [PDF] | [Website]

3. Control Parameters Considered Harmful: Detecting Range Specification Bugs in Drone Configuration Modules via Learning-Guided Search​ @ [ICSE ’22]
   International Conference on Software Engineering, Pittsburgh, PA, United States. May 22-27, 2022.
   [PDF]

4. Rethinking the Security of IoT From the Perspective of Developer Customized Device-cloud Interaction ​ @ [SAC’22]
   ACM/SIGAPP Symposium on Applied Computing , Virtual Event. April 25-29, 2022.
   [PDF]

5. Understanding the security of app-in-the-middle IoT ​ @ [CS]
   Computers & Security , Volume 97, October 2020, 102000.
   [PDF]

6. Passwords in the Air: Harvesting Wi-Fi Credentials from SmartCfg Provisioning​ @ [Wisec’18]
   ACM Conference on Security and Privacy in Wireless and Mobile Networks, Stockholm, Sweden. June 18-20, 2018.
   [PDF]

7. Smart Solution, Poor Protection: An Empirical Study of Security and Privacy Issues in Developing and Deploying Smart Home Devices ​ @ [CCSW-IoT S&P’17]
   ACM CCS Workshop on Internet of Things Security and Privacy , Dallas, TX, USA, November 3, 2017.
   [PDF]

8. Security Testing of Software on Embedded Devices Using x86 Platform ​ @ [CollaborateComm’16]
   EAI International Conference on Collaborative Computing: Networking, Applications and Worksharing , Beijing, China, November 12-13, 2016.
   [PDF]

9. Security Analysis of Vendor Customized Code in Firmware of Embedded Device ​ @ [SecureComm’16]
   EAI International Conference on Security and Privacy in Communication Networks , Guangzhou, China, October 10-12, 2016.
   [PDF]

Real-world Crypto Security

1. Annotating, Tracking, and Protecting Cryptographic Secrets with CryptoMPK​ @ [IEEE S&P’22]
   IEEE Symposium on Security and Privacy, San Francisco CA, United States. May 22-26, 2022.
   [PDF]

2. Re-check Your Certificates! Experiences and Lessons Learnt from Real-world HTTPS Certificate Deployments ​ @ [NSS’21]
   International Conference on Network and System Security , Tianjin, China. October 23, 2021.
   [PDF]

3. Accelerating SM2 Digital Signature Algorithm using Modern Processor Features ​ @ [ICICS’19]
   International Conference on Information and Communications Security , Beijing, China. December 15-17, 2019.
   [PDF]

4. K-Hunt: Pinpointing Insecure Cryptographic Keys in Execution Traces ​ @ [CCS’18]
   ACM Conference on Computer and Communications Security , Toronto, Canada. October 15-19, 2018.
   [PDF]

5. Oh-Pwn_VPN! Security Analysis of OpenVPN-based Android Apps ​ @ [CANS’17]
   International Conference on Cryptology And Network Security , Hong Kong, China. November 29-December 2, 2017.
   [PDF]

6. NativeSpeaker: Identifying Crypto Misuses in Android Native Code Libraries ​ @ [Inscrypt’17]
   International Conference on Information Security and Cryptology , Xi'an, China. November 3-5, 2017.
   [PDF]

7. Open Sesame! Web Authentication Cracking via Mobile app Analysis ​ @ [APWeb’16]
   Asia Pacific Web Conference , Suzhou, China. September 23-25, 2016.
   [PDF]

8. TagDroid: Hybrid SSL Certificate Verification in Android ​ @ [ICICS’14]
   International Conference on Information and Communications Security , Hong Kong, China. December 16–17, 2014.
   [PDF]

9. iCryptoTracer: Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications ​ @ [NSS’14]
   International Conference on Network and System Security , Xi'an, China. October 15-17, 2014.
   [PDF]

10. Automatic Detection and Analysis of Encrypted Messages in Malware ​ @ [Inscrypt’13]
    China International Conference on Information Security and Cryptology , Guangzhou, China, November 27-30, 2013.
    [PDF]

11. Detecting Encryption Functions via Process Emulation and IL-Based Program Analysis ​ @ [ICICS’12]
    International Conference on Information Security and Cryptology , Hong Kong, China. October 29-31, 2012.
    [PDF]

12. Detection and Analysis of Cryptographic Data Inside Software ​ @ [ISC’11]
    International Conference on Information Security , Xi'an, China, October 26-29, 2011.
    [PDF]

Network Security

1. Re-check Your Certificates! Experiences and Lessons Learnt from Real-world HTTPS Certificate Deployments ​ @ [NSS’21]
   International Conference on Network and System Security , Tianjin, China. October 23, 2021.
   [PDF]

2. Yet Another Traffic Black Hole: Amplifying CDN Fetching Traffic with RangeFragAmp Attacks ​ @ [CollaborateCom’21]
   EAI International Conference on Collaborative Computing , Suzhou, China. October 15-17, 2021.
   [PDF]

Professional Activities

PC Member:

• 19th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2024)

• 18th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2023)

• 20th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2024)

• 19th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2023)

• 18th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2022)

• 17th International Conference on Information Security and Cryptology (Inscrypt 2021)

• 22nd Information Security Conference (ISC 2019)

Reviewer:

• IEEE Transactions on Information Forensics and Security

• IEEE Transactions on Dependable and Secure Computing

• Network and Distributed System Security Symposium (NDSS): 2019

• ACM Conference on Computer and Communications Security (CCS): 2018

• ACM Asia Conference on Computer and Communications Security (ASIACCS): 2018

• EAI International Conference on Security and Privacy in Communication Networks (SecureComm): 2018

• Information Security Conference (ISC): 2018

Links

• Reading List

• GoSSIP Wiki

• An overview of the Systems Circus by HexHive

• System Security Circus by Davide Balzarotti