Kangjie Lu

175 件のツイート

フォロー

Kangjie Lu

@kengiter

Assistant Professor at UMN, working on Systems Security

Minneapolis, MNwww-users.cs.umn.edu/~kjlu2012年10月からTwitterを利用しています

247 フォロー中

609 フォロワー

Kangjie Luさんのツイート

固定されたツイート

Kangjie Lu

@kengiter

2020年12月12日

We've prepared a document to clarify what we did and confusions about the "hypocrite commit" work: www-users.cs.umn.edu/~kjlu/papers/c. We apologize for the confusions. Please directly email us at <kjlu at umn.edu> for further concerns.

返信先:

さん,

さん

and

, I am sorry for the concerns. I understand why the community is upset. The project about hypocrite commits has completely finished in November 2020. Aditya is working on a new project that finds bugs in patches. He didn't intend to make the mistakes.

返信先:

さん

Might be risky when compilers also think those are strange.

返信先:

さん,

さん

Thank you Omar

@ochowdhu

for the invite. I look forward to sharing our research at UIowa.

Sazzadur Rahaman and I are going to co-chair

@NDSSSymposium

session 6A (fuzzing) at 9:10am PST today. We have four papers about fuzz-testing new targets, new seed scheduling, etc. Welcome to join.

I hope everyone enjoyed their holidays! For me, other than having fun, I also spent time writing a blog post about "how to look for ideas in computer science research": zhiyunq.medium.com/how-to-look-fo Originally motivated to help my own students, but it might also help others too :)

How to Look for Ideas in Computer Science Research

Over the years, I have mentored and collaborated with over a dozen Ph.D. students and found a set of challenges that prevent them from…

medium.com

111

338

Carousel

スライド1/10 - カルーセル

アニメ・漫画
ウマ娘プリティーダービー
コミック
バーチャルYouTuber
ビューティー
エーペックスレジェンズ
ファッション
新世紀エヴァンゲリオン
シリーズ作品
ゲーム
イラストレーション
メイク

返信先:

さん,

さん

LLVM is a revolutionary miracle in CS. Congrats!

Kangjie Lu

@kengiter

2020年11月23日

I recently shared the abstract of our paper on the feasibility of vulnerability-introducing patches. Since it created many confusions, I chose to delete the tweet for now, but will provide more details and clarification.

返信先:

さん

We told the maintainers that a bug was introduced and urged them to apply both or to discard patch A.

Kangjie Lu

@kengiter

2020年11月22日

5. The goal of this research is to improve the patching process by raising the awareness of the issue, so to motivate people to develop automated patch testing/verification tools.

So we also submitted patch B to also fix bug B before B was merged. In other words, we fix bug A with two steps. 3. The findings were reported to Linux maintainers before the submission. 4 No Linux user was hurt. We actually fixed three bugs.

Clarification: 1. No bug was ever merged into code. The paper is demonstrating the possibility of such an issue. 2. This is how it was done: we first found a real bug A, we then submitted patch A to fix bug A, which would introduce bug B.

返信先:

さん

We did not. It just shows, be careful, malicious committers can potentially do this.

返信先:

さん

Jeff, no bug was ever merged at all.

返信先:

さん

Linux is open and encourages people to fix bugs. We followed the patching process and fixed three real bugs.

返信先:

さん,

さん

This is also a message to both industry and academia that we need better automated tools for testing/verifying patches. Sure, thanks for the point. We will mention the point in the paper.

返信先:

さん,

さん

Yes, no actual harm. We actually fixed three real bugs. This research is really just to raise the awareness of this issue, so that in the future, more techniques can be developed to verify the patches.

返信先:

さん

The goal of this research is to improve the patching process. By publishing, we hope the findings can raise the awareness of the issues. Before submitting the paper, we also reported the findings to maintainers.

返信先:

さん,

さん

We realized this potential concern, so we ensured several things in the experiments: none of the introduced vulnerabilities was ever merged into the code; the minor patches indeed fixed some issues; and we reported our findings to maintainers before the submission.

返信先:

さん,

さん

Yes, and directed fuzzing is particularly important in this scenario.

返信先:

さん,

さん

Thanks. This paper just got accepted, but I am asking Qiushi to prepare a preprint as soon as possible.

返信先:

さん,

さん

Why is it fast? Summary: 1. The symbolic constraints collection is done at a native speed; it is not interoperation-based. 2. It is built upon the highly optimized sanitizer infrastructure.

Kangjie Lu

@kengiter

2020年11月9日

UMN CS is hiring!

引用ツイート

UMNComputerScience

@UMNComputerSci

· 2020年11月9日

Now hiring! Apply to join the computer science faculty at the University of Minnesota. We're looking for outstanding candidates with research & teaching interests in machine learning and its applications. Learn more: cse.umn.edu/cs/faculty-rec Apply online: z.umn.edu/cs-fac-search

We're hiring faculty!

Now accepting applications for multiple tenure-track positions at the assistant professor level

返信先:

さん、

さん、他4人

I also like the geo-mean-based metrics! Hope to see it updated to include more recent data. Also, in the security area, why are some conferences like ACSAC and AsiaCCS not included? They have higher citation than the included SEC and Securecomm.

Kangjie Lu

@kengiter

2020年10月25日

Yes, we should keep advocating for #PositiveReviewing, which is important to maintain a healthy community. In my (limited) cases, I did feel that the system security community is more positive than before: more constructive reviews and opportunities for fixing issues, etc.

引用ツイート

Mathias Payer

@gannimo

· 2020年10月25日

返信先: @thorstenholzさん

This sucks. Reviewing is not perfect and making sure that reviews and author responses are discussed in sufficient detail is a tough job for the chairs (and maybe RTF). This is why we need to argue for more #PositiveReviewing. Think about the merits, not the downsides of a paper

Kangjie Lu

@kengiter

2020年10月21日

BTW, it is in system security.

While NDSS chairs are trying to accept more papers, I am glad to find that 7 out of 18 papers (39% vs. overall 16%) I reviewed got minor/major revisions. Each paper has its own strengths. We should accept papers as long as the strengths are significant enough. #PositiveReviewing

返信先:

さん

To draw the conclusion, we should instead investigate the unfixed/unreported vulnerabilities, which is unfortunately hard.

返信先:

さん

However, I found it hard to draw the conclusion, based on the findings, that the overall security of an SW is not increasing. All the findings could be a result of the recent advances in bug finding especially fuzzing.

返信先:

さん

Some interesting findings: 1. The total number of reported vulnerabilities is increasing. 2. The rate of vulnerability finding in stable SW is relatively stable. 3. Memory errors dominate the landscape.

返信先:

さん

Congrats. Well deserved!

返信先:

さん,

さん,

さん

Congrats to the team!

返信先:

さん,

さん,

さん

Congrats!

返信先:

さん、

さん、他3人

Wow, big congrats. Sad news for us :) We will miss you!

Kangjie Lu

@kengiter

2020年7月31日

Sometimes we expect an EH function to not return, but it does; sometimes compilers expect an EH function to return, but it doesn't. Both cases would cause serious issues.

引用ツイート

Farce Majeure

@vathpela

· 2020年7月30日

Seriously though how was this 105 days ago? github.com/rhboot/grub2/c

このスレッドを表示

Kangjie Luさんがリツイート

Open Source Security Inc.

@opensrcsec

2020年7月2日

A recording of today's presentation of "10 Years of Linux Security - A Report Card" is now available to view here: youtu.be/F_Kza6fdkSU PDF: grsecurity.net/10_years_of_li PPT: grsecurity.net/10_years_of_li