Shuo Chen - Microsoft Research

Shuo Chen
240 Coordinated Science Lab.
University of Illinois
1308 W. Main St., Urbana, IL 61801
http://www.crhc.uiuc.edu/~shuochen/
Office Phone: (217)333-6861
Email: shuochen@crhc.uiuc.edu
RESEARCH INTERESTS
Security and fault tolerance, with an emphasis on systems research related to the analyses of
real-world security vulnerabilities, security attacks, and the impacts of software/hardware
faults on security.
EDUCATION
Ph.D., Computer Science, University of Illinois at Urbana-Champaign,
August 2005, expected (GPA: 3.84/4)
Dissertation: Characterizing and Reasoning about Security Vulnerabilities
Advisor: Ravishankar K. Iyer
M.S., Computer Science, Tsinghua University, China, July 2000 (GPA: 3.85/4)
B.S., Computer Science, Peking University, China, July 1997 (GPA: 3.85/4)
RESEARCH EXPERIENCES
8/00 – date
Research Assistant, Center for Reliable and High-Performance Computing,
Univ. of Illinois at Urbana-Champaign. Advisor: Ravi Iyer
(1) Analysis and Modeling of the Impacts of Transient Faults on System
Security. Fault injection experiments are conducted on network server
programs and Linux firewall software [6][7]. The results show a non-negligible
conditional probability of transient faults causing security
compromises. A stochastic model is built to quantitatively estimate the
frequency of such security compromises in a real operational environment.
(2) Analysis and Modeling of Real-World Security Vulnerabilities. A finite
state machine model is developed to depict and reason about security
vulnerabilities published on Bugtraq and CERT databases [5]. Many common
types of vulnerabilities are decomposed to simple predicates to show their
root causes. I discovered a new HTTP daemon vulnerability (Bugtraq #6255)
during the analysis.
(3) Analysis of Deficiencies of Current Security Defensive Techniques. We
study many real security vulnerabilities on major network servers and
conclude that it is generally applicable to compromise system security by
corrupting non-control data. Our attacks evade the detections of many current
defensive techniques, such as system call based intrusion detection systems
and control data protection techniques, and thus represent a realistic threat to
software security [1].
(4) New Security Defensive Techniques. On recognition of deficiencies of
current security defensive techniques and the common characteristics of
security vulnerabilities, I propose the notion of pointer taintedness, which
allows formal reasoning of program vulnerabilities and runtime checking of
security attacks. A theorem proving technique is developed to extract security
specifications from program code [4]. An architecture level defensive
technique is proposed and simulated to defeat real security attacks [2]. Both
techniques are based on pointer taintedness analysis.
5/04 – 8/04
Research Intern, Systems and Networking Group, Microsoft Research
A Black-Box Tracing Technique to Identify Causes of Least-Privilege
Incompatibilities. Mentors: John Dunagan, Chad Verbowski and Yi-Min Wang
A novel tracing technique is designed and implemented for identifying the
dependencies of Windows applications on Administrator privileges [3]. The project
requires extensive work on the Windows kernel security subsystem.
5/03 – 8/03
Research Intern, Systems and Networking Group, Microsoft Research
Audit-Enhanced Authentication in Kerberos. Mentor: Dan Simon
I extended the Windows Kerberos subsystem to allow passing extra information
transparently in multi-tier applications. The project requires modifications of
the Kerberos subsystem and the Windows kernel security subsystem.
5/02 – 8/02
Research Intern, Data Network Research Center, Bell Laboratories
Detection of Network Denial of Service Attacks Based on TCP-Friendly
Characteristics. Mentor: Jose Brustoloni
The protocol stack of access routers is modified to automatically and securely
detect TCP-unfriendly flows, which are then forwarded in a lower class of service in
order to mitigate network congestive denial of service attacks. The project requires
extensive work on the TCP/IP protocol stack of FreeBSD.
5/01 – 8/01
Research Intern, Network Software Group, Avaya Labs
Libsafe for Windows. Mentor: Timothy Tsai
Libsafe is a software package originally invented for Linux to detect and foil
stack-smashing attacks. I implemented it on Windows [10]. The project requires the
function interception technique on Windows, and knowledge about system DLLs.
PUBLICATIONS
PAPERS UNDER REVIEW
[1] S. Chen, J. Xu, E. C. Sezer. “Non-Control-Hijacking Attacks are Realistic Threats”.
Submitted for conference publication.
PAPERS IN REFEREED CONFERENCES
[2] S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, R. K. Iyer. “Defeating Memory Corruption Attacks
via Pointer Taintedness Detection”. To appear in Proc. of IEEE International Conf. on
Dependable Systems and Networks (DSN), Yokohama, Japan, June 28 - July 1, 2005.
[3] S. Chen, J. Dunagan, C. Verbowski and Y.-M. Wang, “A Black-Box Tracing Technique to
Identify Causes of Least-Privilege Incompatibilities,” to appear in Proc. of 12th Network and
Distributed System Security Symposium (NDSS), San Diego, CA, February 3-4, 2005.
(Acceptance rate = 16/124 = 12.9%)
[4] S. Chen, K. Pattabiraman, Z. Kalbarczyk, R. K. Iyer, “Formal Reasoning of Various
Categories of Widely Exploited Security Vulnerabilities Using Pointer Taintedness
Semantics”, Proc. of 19th IFIP International Information Security Conference, Toulouse,
France, August 23-26, 2004. (Acceptance rate < 35/160 = 21.9%)
[5] S. Chen, Z. Kalbarczyk, J. Xu, R. K. Iyer, “Data Driven Finite State Machine Model for
Analyzing Security Vulnerabilities”, in Proc. of IEEE International Conf. on Dependable
Systems and Networks (DSN), San Francisco, CA, June 22-25, 2003.
[6] S. Chen, J. Xu, R. K. Iyer, K. Whisnant. “Modeling and Analyzing the Security Threat of
Firewall Data Corruption Caused by Instruction Transient Errors”, in Proc. of IEEE
International Conf. on Dependable Systems and Networks (DSN), Washington D.C., June 23-26, 2002.
[7] J. Xu, S. Chen, Z. Kalbarczyk, R. K. Iyer, “An Experimental Study of Security
Vulnerabilities Caused by Errors”, in Proc. of IEEE International Conf. on Dependable
Systems and Networks (DSN), Göteborg, Sweden, July 01-04, 2001.
JOURNAL PUBLICATIONS
[8] S. Chen, J. Xu, Z. Kalbarczyk, R. K. Iyer. “Security Vulnerabilities: From Analysis to
Detection and Masking Techniques”. To appear in Proceedings of the IEEE, Special Issue on
Security and Cryptography, 2005.
[9] S. Chen, J. Xu, Z. Kalbarczyk, R. K. Iyer and K. Whisnant. “Modeling and Evaluating the
Security Threats of Transient Errors in Firewall Software”, in International Journal of
Performance Evaluation, Volume 56, Issues 1-4, pp. 53-72, March 2004.
TECHNICAL REPORT
[10] S. Chen, T. K. Tsai, N. Singh. “Libsafe for Windows NT/2000”. Avaya Labs Research
Technical Report ALR-2001-018, August 2001.
PRESENTATIONS
1. “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities”.
   - Presented in 12th Network and Distributed System Security Symposium (NDSS), San
     Diego, CA, 2/4/2005.
   - Also presented in the Systems & Networking Group, Microsoft Research, Redmond,
     Washington. 7/27/2004.
2. "Formal Reasoning of Security Vulnerabilities by Pointer Taintedness Semantics".
   - Presented in Computer Engineering Seminar, Coordinated Science Lab, UIUC,
     10/12/2004.
3. "A Finite State Machine Methodology for Analyzing Security Vulnerabilities".
   - Presented in IEEE International Conference on Dependable Systems and Networks, San
     Francisco, 6/2003.
   - Also presented in Computer Engineering Seminar, Coordinated Science Lab, UIUC,
     4/15/2003.
4. "Secure Detection and Isolation of TCP-unfriendly Flows".
   - Presented in the Data Network Research Center, Bell Laboratories, Holmdel, New Jersey,
     8/2002.
5. "Evaluating the Security Threat of Instruction Corruptions in Firewalls".
   - Presented in IEEE International Conference on Dependable Systems and Networks,
     Washington D.C., 6/2002.
6. "Libsafe for Windows".
   - Presented in the Network Software Research Department, Avaya Laboratories, Basking
     Ridge, New Jersey, 8/16/2001.
COMPUTER SKILLS
Language: Proficient in C, Pascal and BASIC. Fluent in x86 assembly.
Systems: Have experience with the Linux kernel, FreeBSD kernel, Windows kernel and
system DLLs.
Networking: Have experience with modifying TCP/IP protocol implementations.
AWARDS and PROFESSIONAL SERVICES
1. Reviewer for IEEE Transactions on Dependable and Secure Computing (TDSC)
2. Reviewer for 2004 IEEE INFOCOM
3. Student Travel Grant for 2003 IEEE Int'l Conf. on Dependable Systems and Networks
4. Reviewer for 2003, 2004 IEEE Int'l Conf. on Dependable Systems and Networks
5. LEGEND Excellent Student Scholarship, Peking University, 1996
6. SAMSUNG Excellent Student Scholarship, Peking University, 1995
PERSONAL
Citizen of China, currently on F-1 visa.
References
Dr. Ravishankar K. Iyer
Professor, ECE Department
Director, Coordinated Science Lab
University of Illinois
1308 W. Main St., Urbana, IL 61801
Phone: 217-333-7774
Email: iyer@crhc.uiuc.edu
Advisor
Dr. Zbigniew Kalbarczyk
Principal Research Scientist
Coordinated Science Lab
University of Illinois
1308 W. Main St., Urbana, IL 61801
Phone: 217-244-7110
Email: kalbar@crhc.uiuc.edu
Co-advisor
Dr. Yi-Min Wang
Group Manager, Systems Management Research
Senior Researcher, Systems and Networking Research
Microsoft Research
One Microsoft Way, Redmond, WA 98052
Phone: 425-706-3467
Email: ymwang@microsoft.com
Internship Mentor
Dr. Timothy K. Tsai
Sun Microsystems, SunCARE
4140 Network Circle, Mailstop USCA14301, Santa Clara, CA 95054
Phone: 408-276-7186
Email: timothy.tsai@sun.com
Internship Mentor