Senior Ph.D. student working with Prof. David Evans

Computer Engineering
University of Virginia

I am graduating soon and looking for a job.

Resume for Research positions and for Developer/Industry positions.

My Research Statement can be found here.

Linkedin profile

My GitHub repo ("Treeeater")


Understanding and Monitoring Embedded Web Scripts

This project helps web developers understand and monitor the behavior of embedded third-party JavaScript on their websites.
Our paper was accepted at IEEE S&P (Oakland) 2015, and more information can be found here.

SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

SSOScan is an automated scanner that tests web applications for Single Sign-On vulnerabilities. Our paper was published at the 23rd USENIX Security Symposium (2014), and more details can be found here.

Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization
with Rui Wang, Shuo Chen at Microsoft Research Redmond

The goal of the Explicating SDKs project is to systematically uncover the implicit assumptions that are important to applications' security properties. This work was published at the 22nd USENIX Security Symposium (2013).

DOMinator: Confining the Behavior of Third-Party JavaScript

The goal of DOMinator is to build a browser that can enforce fine-grained access control policies on third-party JavaScript. This work was published at ESORICS '11.

Why Aren't HTTP-only Cookies More Widely Deployed?

This short paper was presented at W2SP '10 (co-hosted with Oakland '10). We looked at the history and current status of HTTP-only cookie deployment, and gave some suggestions on how future security mechanisms can achieve a higher deployment rate.

Poster: RedactDOM
with Longze Chen

The goal of the RedactDOM project is to prevent sensitive data from leaking through embedded scripts. Our poster appeared at IEEE S&P (Oakland) '13.

Poster: Unifying Data Policies Across the Client and Server
with Jonathan Burket et al.

This poster was presented at USENIX '11. The idea is to automatically generate annotated policies on the server side using GuardRails, and to enforce those access control policies on the client side using DOMinator.