Shuo Chen
Microsoft Research
Office Phone: (425)722-8238 Email: shuochen@microsoft.com
http://research.microsoft.com/en-us/people/shuochen/

RESEARCH INTERESTS
Systems security. Also interested in formal methods, fault tolerance, operating systems and networking.

EDUCATION
Ph.D., Computer Science,
Dissertation: Design for Security: Measurement, Analysis and Mitigation Techniques
Advisor: Ravishankar K. Iyer
M.S., Computer Science,
B.S., Computer Science,

RESEARCH EXPERIENCES

7/05 –
Researcher, Cybersecurity and Systems Management Group, Microsoft Research
My research is focused on web and browser security issues.

8/00 – 7/05
Research Assistant, Center for Reliable and High-Performance Computing, Memory corruption attacks and defenses; fault tolerance.

5/04 – 8/04
Research Intern, Systems and Networking Group, Microsoft Research
A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities. Mentors: John

5/03 – 8/03
Research Intern, Systems and Networking Group, Microsoft Research
Audit-Enhanced Authentication in Kerberos. Mentors: Dan Simon and Chad Verbowski

5/02 – 8/02
Research Intern, Detection of Network Denial of Service Attacks Based on TCP-Friendly Characteristics.

5/01 – 8/01
Research Intern, Network Software Group, Avaya Labs
Libsafe for Windows.

PUBLICATIONS
PAPERS IN REFEREED CONFERENCES
[1] Rui Wang, Shuo Chen, XiaoFeng Wang, and Shaz Qadeer, “How to Shop for Free Online – Security Analysis of Cashier-as-a-Service Based Web Stores,” in Proceedings of the IEEE Symposium on Security and Privacy (Oakland) (Best Practical Paper award), IEEE Computer Society, May 2011.
[2] Kehuan Zhang, Zhou Li, Rui Wang, XiaoFeng Wang, and Shuo Chen, “Sidebuster: Automated Detection and Quantification of Side-Channel Leaks in Web Application Development,” in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Association for Computing Machinery, Inc., October 2010.
[3] Shuo Chen, Rui Wang, Xiaofeng Wang, and Kehuan Zhang, “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow,” in IEEE Symposium on Security and Privacy (S&P), IEEE Computer Society, May 2010.
[4] Shuo Chen, Hong Chen, and Manuel Caballero, “Residue Objects: A Challenge to Web Browser Security,” in ACM EuroSys, Association for Computing Machinery, Inc., April 2010.
[5] Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang, “Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments,” in IEEE Symposium on Security and Privacy (S&P), Oakland, California, May 2009.
[6] Shuo Chen, David Ross, Yi-Min Wang, “An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism,” in ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, Oct-Nov 2007.
[9] Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King, “Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities,” in Network and Distributed System Security (NDSS) Symposium, San Diego, CA, February 2006.
[10] Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar and Ravishankar K. Iyer. “Non-Control-Data Attacks Are Realistic Threats,” in USENIX Security Symposium, Baltimore, MD, August 2005.
[11] Shuo Chen, Jun Xu, N. Nakka, Zbigniew Kalbarczyk, Ravishankar K. Iyer. “Defeating Memory Corruption Attacks via Pointer Taintedness Detection,” in IEEE International Conf. on Dependable Systems and Networks (DSN), Yokohama, Japan, June 28 - July 1, 2005.
[12] Shuo Chen, John Dunagan, Chad Verbowski and Yi-Min Wang, “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities,” in Network and Distributed System Security (NDSS) Symposium, San Diego, CA, February 3-4, 2005.
[13] Shuo Chen, Karthik Pattabiraman, Zbigniew Kalbarczyk, Ravishankar K. Iyer, “Formal Reasoning of Various Categories of Widely Exploited Security Vulnerabilities Using Pointer Taintedness Semantics,” in 19th IFIP International Information Security Conference, Toulouse, France, August 23-26, 2004.
[15] Shuo Chen, Jun Xu, Ravishankar K. Iyer, Keith Whisnant. “Modeling and Analyzing the Security Threat of Firewall Data Corruption Caused by Instruction Transient Errors,” in IEEE International Conf. on Dependable Systems and Networks (DSN), Washington D.C., June 23-26, 2002.
[16] Jun Xu, Shuo Chen, Zbigniew Kalbarczyk, Ravishankar K. Iyer. “An Experimental Study of Security Vulnerabilities Caused by Errors,” in IEEE International Conf. on Dependable Systems and Networks (DSN), Göteborg, Sweden, July 01-04, 2001.

JOURNAL PUBLICATIONS
[17] Shuo Chen, Jun Xu, Zbigniew Kalbarczyk, Ravishankar K. Iyer. “Security Vulnerabilities: From Analysis to Detection and Masking Techniques” (invited paper), in Proceedings of the IEEE, Volume 94, Issue 2, February 2006.
[18] Shuo Chen, Jun Xu, Zbigniew Kalbarczyk, Ravishankar K. Iyer and Keith Whisnant. “Modeling and Evaluating the Security Threats of Transient Errors in Firewall Software,” Performance Evaluation, Volume 56, Issues 1-4, pp. 53-72, March 2004.

TECHNICAL REPORT
[19] Shuo Chen, Tim K. Tsai, Navjot Singh. “Libsafe for Windows NT/2000,” Avaya Labs Research Technical Report ALR-2001-018, August 2001.

PRESENTATIONS
1. “Security and privacy implications of the multi-component nature of Software-as-a-Service,” Stanford Security Seminar, Stanford, CA, April 4th, 2011.
2. “Side-Channel-Leaks in Web Applications: A Reality Today, A Challenge Tomorrow,” IEEE Symposium on Security and Privacy, Oakland, CA, May 17th, 2010.
3. “Residue Objects: A Challenge to Web Browser Security,” ACM EuroSys, Paris, France, April 15th, 2010.
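4. “Browser Logic Correctness Is a Formidable Security Challenge,” College of Mathematics and Computer Science, Fuzhou University, 2009/12/28; Network Center, Tsinghua University, 2010/1/6.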
5. “Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments,” Presented in IEEE Symposium on Security and Privacy, Oakland, WA, May 20th, 2009.
6. “Understanding the Challenges in Browser Logic Correctness,” Stanford Security Seminar, Stanford, CA, March 13th, 2008.
7. “An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism,” in ACM Conference on Computer and Communications Security, Alexandria, VA, Oct 30th, 2007.
8. “A Systematic Approach to Uncover Security Flaws in GUI Logic,” in IEEE Symposium on Security and Privacy, Oakland, WA, May 21st, 2007.
9. “Browser Security: A New Research Territory,” CS seminars in Purdue University and University of Illinois at Urbana-Champaign, April, 2007.
10. “Non-Control-Data Attacks Are Realistic Threats,” in 14th USENIX Security Symposium, Baltimore, MD, Aug. 4th, 2005.
11. “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities,” in 12th Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2/4/2005.
12. “Formal Reasoning of Security Vulnerabilities by Pointer Taintedness Semantics,” in Computer Engineering Seminar, Coordinated Science Lab, UIUC, 10/12/2004.
13. “A Finite State Machine Methodology for Analyzing Security Vulnerabilities,” in IEEE International Conference on Dependable Systems and Networks, San Francisco, 6/2003.
14. “Secure Detection and Isolation of TCP-unfriendly Flows,” in the Data Network Research Center, Bell Laboratories, Holmdel, New Jersey, 8/2002.
15. “Evaluating the Security Threat of Instruction Corruptions in Firewalls,” in IEEE International Conference on Dependable Systems and Networks, Washington D.C., 6/2002.
16. “Libsafe for Windows,” in the Network Software Research Department, Avaya Laboratories, Basking Ridge, New Jersey, 8/16/2001.

PATENTS
PROFESSIONAL SERVICES
THESIS COMMITTEES