Shuo Chen

 

Microsoft Research

One Microsoft Way
Redmond, WA 98052

Office Phone: (425)722-8238      

http://research.microsoft.com/en-us/people/shuochen/

 

RESEARCH INTERESTS

Systems security. Also interested in formal methods, fault tolerance, and web programming.

 

EDUCATION

Ph.D., Computer Science, University of Illinois at Urbana-Champaign

Dissertation: Design for Security: Measurement, Analysis and Mitigation Techniques

Advisor: Ravishankar K. Iyer

M.S., Computer Science, Tsinghua University

B.S., Computer Science, Peking University

 

RESEARCH EXPERIENCES

3/14

 

Senior Researcher, Internet Services Research Center, Microsoft Research

Security and privacy of deployed online services, formal verification

 

7/05 – 2/14

Researcher, Cybersecurity and Systems Management Group, Microsoft Research

Web and browser security issues.

 

8/00 – 7/05

Research Assistant, Center for Reliable and High-Performance Computing, Univ. of Illinois at Urbana-Champaign. Advisor: Ravi Iyer

Memory corruption attacks and defenses; fault tolerance.

 

5/04 – 8/04

Research Intern, Systems and Networking Group, Microsoft Research

A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities. Mentors: John Dunagan, Chad Verbowski and Yi-Min Wang

 

5/03 – 8/03

Research Intern, Systems and Networking Group, Microsoft Research

Audit-Enhanced Authentication in Kerberos. Mentors: Dan Simon and Chad Verbowski

 

5/02 – 8/02

Research Intern, Data Network Research Center, Bell Laboratories

Detection of Network Denial of Service Attacks Based on TCP-Friendly Characteristics. Mentor: Jose Brustoloni

 

5/01 – 8/01

Research Intern, Network Software Group, Avaya Labs

Libsafe for Windows. Mentor: Timothy Tsai

 

PUBLICATIONS

 

PAPERS IN REFEREED CONFERENCES

[1]   Rui Wang, Luyi Xing, XiaoFeng Wang, and Shuo Chen, “Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation”, ACM Conference on Computer and Communications Security (ACM CCS), 4 November 2013

 

[2]   Rui Wang, Yuchen Zhou, Shuo Chen, Shaz Qadeer, David Evans, and Yuri Gurevich, “Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization”, in Proceedings of the USENIX Security Symposium, USENIX, August 2013

 

[3]   Luyi Xing, Yangyi Chen, XiaoFeng Wang, and Shuo Chen, “InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations”, in Network & Distributed System Security Symposium (NDSS), February 2013

 

[4]   Rui Wang, Shuo Chen, and XiaoFeng Wang, “Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services”, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), IEEE Computer Society, May 2012

 

[5]   Rui Wang, Shuo Chen, XiaoFeng Wang, and Shaz Qadeer, “How to Shop for Free Online – Security Analysis of Cashier-as-a-Service Based Web Stores,” in Proceedings of the IEEE Symposium on Security and Privacy (Oakland) (Best Practical Paper award), IEEE Computer Society, May 2011

 

[6]   Kehuan Zhang, Zhou Li, Rui Wang, XiaoFeng Wang, and Shuo Chen, “Sidebuster: Automated Detection and Quantification of Side-Channel Leaks in Web Application Development,” in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Association for Computing Machinery, Inc., October 2010

 

[7]   Shuo Chen, Rui Wang, Xiaofeng Wang, and Kehuan Zhang, “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow,” in IEEE Symposium on Security and Privacy (S&P), IEEE Computer Society, May 2010

 

[8]   Shuo Chen, Hong Chen, and Manuel Caballero, “Residue Objects: A Challenge to Web Browser Security,” in ACM EuroSys, Association for Computing Machinery, Inc., April 2010

 

[9]   Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang, “Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments,” in IEEE Symposium on Security and Privacy (S&P), Oakland, California, May 2009

 

[10]           Shuo Chen, David Ross, Yi-Min Wang, “An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism,” in ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, Oct-Nov 2007.

 

[11]           Shuo Chen, Jose Meseguer, Ralf Sasse, Helen J. Wang, Yi-Min Wang, “A Systematic Approach to Uncover Security Flaws in GUI Logic,” in IEEE Symposium on Security and Privacy (S&P), Oakland, California, May 2007.

 

[12]           Jose Carlos Brustoloni and Shuo Chen, “Automatically Segregating Greedy and Malicious Internet Flows,” in IEEE International Conference on Communications, Glasgow, UK, June 2007.

 

[13]           Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King, “Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities,” in Network and Distributed System Security (NDSS) Symposium, San Diego, CA, February 2006.

 

[14]           Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar and Ravishankar K. Iyer. "Non-Control-Data Attacks Are Realistic Threats," in USENIX Security Symposium, Baltimore, MD, August 2005.

 

[15]           Shuo Chen, Jun Xu, N. Nakka, Zbigniew Kalbarczyk, Ravishankar K. Iyer. “Defeating Memory Corruption Attacks via Pointer Taintedness Detection,” in IEEE International Conf. on Dependable Systems and Networks (DSN), Yokohama, Japan, June 28 - July 1, 2005.

 

[16]           Shuo Chen, John Dunagan, Chad Verbowski and Yi-Min Wang, “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities,” in Network and Distributed System Security (NDSS) Symposium, San Diego, CA, February 3-4, 2005.

 

[17]           Shuo Chen, Karthik Pattabiraman, Zbigniew Kalbarczyk, Ravishankar K. Iyer, "Formal Reasoning of Various Categories of Widely Exploited Security Vulnerabilities Using Pointer Taintedness Semantics," in 19th IFIP International Information Security Conference, Toulouse, France, August 23-26, 2004

 

[18]           Shuo Chen, Zbigniew Kalbarczyk, Jun Xu, Ravishankar K. Iyer. "A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities," in IEEE International Conf. on Dependable Systems and Networks (DSN), San Francisco, CA, June 22-25, 2003.

 

[19]           Shuo Chen, Jun Xu, Ravishankar K. Iyer, Keith Whisnant. "Modeling and Analyzing the Security Threat of Firewall Data Corruption Caused by Instruction Transient Errors," in IEEE International Conf. on Dependable Systems and Networks (DSN), Washington D.C., June 23-26, 2002.

 

[20]           Jun Xu, Shuo Chen, Zbigniew Kalbarczyk, Ravishankar K. Iyer. "An Experimental Study of Security Vulnerabilities Caused by Errors," in IEEE International Conf. on Dependable Systems and Networks (DSN), Göteborg, Sweden, July 01-04, 2001.

 

JOURNAL PUBLICATIONS

[21]           Shuo Chen, Jun Xu, Zbigniew Kalbarczyk, Ravishankar K. Iyer. “Security Vulnerabilities: From Analysis to Detection and Masking Techniques” (invited paper), in Proceedings of the IEEE, Volume 94, Issue 2, February 2006.

 

[22]           Shuo Chen, Jun Xu, Zbigniew Kalbarczyk, Ravishankar K. Iyer and Keith Whisnant. “Modeling and Evaluating the Security Threats of Transient Errors in Firewall Software,” Performance Evaluation, Volume 56, Issues 1-4, pp. 53-72, March 2004.

 

TECHNICAL REPORT

[23]           Shuo Chen, Tim K. Tsai, Navjot Singh. “Libsafe for Windows NT/2000”. Avaya Labs Research Technical Report ALR-2001-018, August 2001

 

PRESENTATIONS

1.      “Security and privacy implications of the multi-component nature of Software-as-a-Service,” Stanford Security Seminar, Stanford, CA, April 4th, 2011

 

2.      “Side-Channel-Leaks in Web Applications: A Reality Today, A Challenge Tomorrow,” IEEE Symposium on Security and Privacy, Oakland, CA, May 17th, 2010

 

3.      “Residue Objects: A Challenge to Web Browser Security,” ACM EuroSys, Paris, France, April 15th, 2010

 

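4.      “Browser Logic Correctness Is a Formidable Security Challenge,” College of Mathematics and Computer Science, Fuzhou University, 2009/12/28; Network Center, Tsinghua University, 2010/1/6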

 

5.      “Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments,” Presented in IEEE Symposium on Security and Privacy, Oakland, WA, May 20th, 2009.

 

6.      “Understanding the Challenges in Browser Logic Correctness,” Stanford Security Seminar, Stanford, CA, March 13th, 2008.

 

7.      “An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism,” in ACM Conference on Computer and Communications Security, Alexandria, VA, Oct 30th, 2007.

 

8.      “A Systematic Approach to Uncover Security Flaws in GUI Logic,” in IEEE Symposium on Security and Privacy, Oakland, WA, May 21st, 2007

 

9.      “Browser Security: A New Research Territory,” CS seminars in Purdue University and University of Illinois at Urbana-Champaign, April, 2007

 

10.  “Non-Control-Data Attacks Are Realistic Threats,” in 14th USENIX Security Symposium, Baltimore, MD, Aug. 4th, 2005.

 

11.  “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities,” in 12th Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2/4/2005.

 

12.  "Formal Reasoning of Security Vulnerabilities by Pointer Taintedness Semantics," in Computer Engineering Seminar, Coordinated Science Lab, UIUC, 10/12/2004.

 

13.  "A Finite State Machine Methodology for Analyzing Security Vulnerabilities," in IEEE International Conference on Dependable Systems and Networks, San Francisco, 6/2003.

 

14.  "Secure Detection and Isolation of TCP-unfriendly Flows," in the Data Network Research Center, Bell Laboratories, Holmdel, New Jersey, 8/2002.

 

15.  "Evaluating the Security Threat of Instruction Corruptions in Firewalls," in IEEE International Conference on Dependable Systems and Networks, Washington D.C., 6/2002.

 

16.  "Libsafe for Windows," in the Network Software Research Department, Avaya Laboratories, Basking Ridge, New Jersey, 8/16/2001.

 

PATENTS

  • Identifying Dependencies of an Application Upon a Given Security Context. Chad Verbowski, John Dunagan, Shuo Chen and Yi-Min Wang. Filed on 8/29/2005 by Microsoft Corporation
  • A Systematic Approach to Uncover GUI Logic Flaws for Web Security.  Shuo Chen, Jose Meseguer, Ralf Sasse, Helen J. Wang, Yi-Min Wang. Filed on 11/30/2006 by Microsoft Corporation
  • Lockbox for Mitigating Same-Origin Policy Failures. Helen J. Wang, Xiaofeng Fan, Shuo Chen. Filed on July 18, 2008 by Microsoft Corporation
  • Customizing Search Results. Emre Kiciman, Shuo Chen. Filed in June 2008 by Microsoft Corporation
  • Identifying Implicit Assumptions Associated with a Software Product, Rui Wang, Yuchen Zhou, Shuo Chen, Shaz Qadeer, Yuri Gurevich. Filed in March 2013 by Microsoft Corporation
  • Anonymous Server Based User Settings Protection, Shuo Chen, Zhenbin Xu, Boxin Li. Filed in April 2013 by Microsoft Corporation

 

AWARDS

  • Best Practical Paper award, IEEE Symposium on Security and Privacy 2011
  • Microsoft Gold Star award, 2010
  • Microsoft Gold Star award, 2007

 

PROFESSIONAL SERVICES

  • TPC member, IEEE Symposium on Security and Privacy 2010, 2011, 2012, 2013
  • TPC member, USENIX Security Symposium 2013
  • TPC member, ACM Conference on Computer and Communications Security 2011, 2012
  • TPC member, Web 2.0 Security and Privacy Workshop (W2SP) 2011
  • TPC member, WWW (Security and Privacy Track) 2008, 2009, 2011, 2012
  • TPC member, SecureComm 2009
  • Co-Chair, IEEE DSN/CATARS Workshop, 2008
  • TPC member, IEEE DSN (PDS Track) 2007

 

THESIS COMMITTEES

  • Committee member for Yuchen Zhou, University of Virginia
  • Co-advisor and committee member for Rui Wang, Indiana University at Bloomington
  • Committee member for Keun Soo Yim, University of Illinois at Urbana-Champaign
  • Committee member for Ralf Sasse, University of Illinois at Urbana-Champaign