Automated Software Testing

Automate large-scale vulnerability detection with broad and in-depth program analysis and dynamic testing solutions.

SAVIOR uses software sanitizer instrumentation to construct bug-triggering constraints, and uses guided fuzzing to reach the instrumented sites. While fuzzing inputs alone cannot trigger the bugs in most cases, with the modeled triggering constraints SAVIOR can easily solve the bug-triggering conditions. More details can be found in our paper and code.

Fudge automatically synthesizes libFuzzer-style fuzz drivers for libraries by "learning" from the code of these libraries' consumers. 200+ Fudge-generated drivers have been integrated to date and are being continuously fuzzed with the OSS-Fuzz framework. Over 600 bugs have been discovered by fuzzing these targets, and more than 150 likely exploitable security bugs (e.g., buffer overflows) have already been fixed.
PTrix can fuzz binary-only programs at native speed, using Intel PT as its backend to collect coverage information. Using a special and efficient encoding, the new coverage feedback is path-sensitive and able to detect very deep and subtle bugs. In addition to AsiaCCS'19, PTrix was also demoed at DEFCON China 2019. More details can be found here and in the code.

Software Exploit Mitigations

Defend against advanced software exploitation with practical mitigation and patching techniques.

CCR enables basic-block-level code randomization using the minimum required information collected during compilation. Its randomization scheme is fully compatible with existing software distribution models such as CDNs, and the randomization is reliable and reversible (useful for crash reporting). For more details please check out our paper and prototype.
As a building block for breaking code-reuse exploits, NORAX retrofits ARM64 Android binaries to enable execute-only memory protection. NORAX won third place for best applied research paper at CSAW 2017.
InstaGuard automatically generates SEAndroid-style hot patches to quickly block exploits against Android system programs, which usually take months to receive an official patch.

Intra-process Memory Isolation

Create efficient in-process memory access control using existing MMU features.

Shreds are new execution units that developers can create to securely access secret data and private APIs. Shreds create efficient in-process memory isolation using a widely available but unused hardware feature. For better usability, we also developed a compiler pass to facilitate the use of the shred APIs.
WIREframe protects sensitive embedded web content from malicious apps by rehosting the embedded web content in a separate process. This design was adopted in Android O. In addition, we also introduce WIRE (Web Isolation Rewriting Engine), an offline app rewriting tool that allows app users to inject WIREframe protections into existing apps.