Shuo Chen at Microsoft Research

I am a researcher in the Microsoft Research RiSE (Research in Software Engineering) group, and also affiliated with the Redmond Security and Privacy Research group. My research interest is mainly on systems security and privacy. My hope is to solve practical security problems using rigorous program analysis technologies.

Certification of Symbolic Transaction

Established: May 6, 2015

Logic flaws are prevalent in multiparty cloud services, which cause serious consequences, e.g., an attacker can make purchases without paying, or gets into other people’s accounts without password. For decades, researchers have been advocating formal verification as a solution, but in the real world developers face many major hurdles to do it. We introduce a technology that significantly lowers these hurdles, and show its effectiveness in real-world deployments. Online services enhanced by…

Swords and Shields – A Study of Mobile Game Hacks and Existing Defenses

Yuan Tian, Eric Chen, Xiaojun Ma, Shuo Chen, Xiao Wang, Patrick Tague, in Annual Computer Security Applications Conference (ACSAC) 2016, December 5, 2016, View abstract, Download PDF

Self-Verifying Execution (Position Paper)

Matt McCutchen, Daniel Song, Shuo Chen, Shaz Qadeer, in Proceedings of the IEEE Cybersecurity Development Conference (SecDev), IEEE – Institute of Electrical and Electronics Engineers, November 3, 2016, View abstract, Download PDF

The “Web/Local” Boundary Is Fuzzy: A Security Study of Chrome’s Process-based Sandboxing

Yaoqi Jia, Zheng Leong Chua, Hong Hu, Shuo Chen, Prateek Saxena, Zhenkai Liang, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), ACM – Association for Computing Machinery, October 24, 2016, View abstract, Download PDF

Uncovering Bugs in Distributed Storage Systems during Testing (not in Production!)

Pantazis Deligiannis, Matt McCutchen, Paul Thomson, Shuo Chen, Alastair F. Donaldson, John Erickson, Cheng Huang, Akash Lal, Rashmi Mudduluru, Shaz Qadeer, Wolfram Schulte, in 14th USENIX Conference on File and Storage Technologies (FAST), February 1, 2016, View abstract, Download PDF

Enlightening Ph.D. Students with the Elegance of Logic — My personal memory about Prof. José Meseguer

Shuo Chen, in Proceedings of the Festschrift Symposium in Honor of Jose Meseguer (LNCS 9200), Springer, September 1, 2015, View abstract, Download PDF

Cookies Lack Integrity: Real-World Implications

Xiaofeng Zheng, Jian Jiang, Jinjin Liang, Haixin Duan, Shuo Chen, Tao Wan, in Proceedings of USENIX Security, August 12, 2015, View abstract, Download PDF

Securing Multiparty Online Services via Certification of Symbolic Transactions

Eric Chen, Shuo Chen, Shaz Qadeer, Rui Wang, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), IEEE – Institute of Electrical and Electronics Engineers, May 1, 2015, View abstract, Download PDF

OAuth Demystified for Mobile Application Developers

Eric Chen, Yutong Pei, Shuo Chen, Yuan Tian, Robert Kotcher, Patrick Tague, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), ACM – Association for Computing Machinery, November 1, 2014, View abstract, Download PDF

Brahmastra: Driving Apps to Test the Security of Third-Party Components

Ravi Bhoraskar, Seungyeop Han, Jinseong Jeon, Tanzirul Azim, Shuo Chen, Suman Nath, Rui Wang, David Wetherall, Jaeyeon Jung, in USENIX Security Symposium, USENIX – Advanced Computing Systems Association, August 1, 2014, View abstract, Download PDF

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation

Rui Wang, Shuo Chen, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), ACM – Association for Computing Machinery, November 4, 2013, View abstract, Download PDF

Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization

Rui Wang, Yuchen Zhou, Shuo Chen, Shaz Qadeer, David Evans, Yuri Gurevich, , in Proceedings of the USENIX Security Symposium, USENIX, August 1, 2013, View abstract, Download PDF

InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations

Luyi Xing, Yangyi Chen, XiaoFeng Wang, Shuo Chen, in Network & Distributed System Security Symposium (NDSS), February 1, 2013, View abstract, Download PDF, View external link

Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services

Rui Wang, Shuo Chen, XiaoFeng Wang, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society, May 1, 2012, View abstract, Download PDF

How to Shop for Free Online – Security Analysis of Cashier-as-a-Service Based Web Stores

Rui Wang, Shuo Chen, XiaoFeng Wang, Shaz Qadeer, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland) (Best Practical Paper award), IEEE Computer Society, May 1, 2011, View abstract, Download PDF

Sidebuster: Automated Detection and Quantification of Side-Channel Leaks in Web Application Development

Kehuan Zhang, Zhou Li, Rui Wang, XiaoFeng Wang, Shuo Chen, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Association for Computing Machinery, Inc., October 1, 2010, View abstract, View external link

Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow

Shuo Chen, Rui Wang, XiaoFeng Wang, Kehuan Zhang, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society, May 1, 2010, View abstract, Download PDF

Residue Objects: A Challenge to Web Browser Security

Shuo Chen, Hong Chen, Manuel Caballero, in Proceedings of EuroSys, Association for Computing Machinery, Inc., April 1, 2010, View abstract, Download PDF

How to share your favourite search results while preserving privacy and quality

George Danezis, Tuomas Aura, Shuo Chen, Emre Kiciman, Microsoft Research, February 15, 2010, View abstract, Download PDF

Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments

Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society, May 1, 2009, View abstract, Download PDF

An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism

Shuo Chen, David Ross, Yi-Min Wang, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Association for Computing Machinery, Inc., October 31, 2007, View abstract, Download PDF

Automatically Segregating Greedy and Malicious Internet Flows

Jose Carlos Brustoloni, Shuo Chen, in Proceedings of IEEE International Conference on Communications, IEEE Computer Society, June 1, 2007, View abstract, Download PDF

A Systematic Approach to Uncover Security Flaws in GUI Logic

Shuo Chen, Ralf Sasse, Jose Meseguer, Helen Wang, Yi-Min Wang, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society, May 1, 2007, View abstract, Download PDF

Design for Security: Measurement, Analysis and Mitigation Techniques

Shuo Chen, in UIUCDCS-R-2005-2607, December 1, 2005, View abstract, Download PDF

Non-Control-Data Attacks Are Realistic Threats

Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, Ravishankar K. Iyer, in Proceedings of USENIX Security Symposium, USENIX, August 1, 2005, View abstract, Download PDF

Defeating Memory Corruption Attacks via Pointer Taintedness Detection

Shuo Chen, Jun Xu, Nithin Nakka, Zbigniew Kalbarczyk, Ravishankar K. Iyer, in Proceedings of IEEE International Conference on Dependable Systems and Networks, IEEE Computer Society, June 1, 2005, View abstract, Download PDF

A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities

Shuo Chen, John Dunagan, Chad Verbowski, Yi-Min Wang, in Proceedings of Network and Distributed System Security Symposium (NDSS), Internet Society, February 1, 2005, View abstract, Download PDF

Formal Reasoning of Various Categories of Widely Exploited Security Vulnerabilities Using Pointer Taintedness Semantics

Shuo Chen, Karthik Pattabiraman, Zbigniew Kalbarczyk, Ravishankar K. Iyer, in Proceedings of IFIP International Information Security Conference, August 1, 2004, View abstract, Download PDF

A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities

Shuo Chen, Zbigniew Kalbarczyk, Jun Xu, Ravishankar K. Iyer, in IEEE International Conference on Dependable Systems and Networks, IEEE Computer Society, June 1, 2003, View abstract, Download PDF

How to Shop for Free Online

September 9, 2011

Speakers

Shaz Qadeer and Shuo Chen

Enhancing Security of Real-World Systems with a Better Understanding of the Threats

March 14, 2005

Speakers

Shuo Chen

Affiliation

University of Illinois

CV

Click here.

Bio

Shuo Chen is a senior researcher at Microsoft Research Redmond. His interest is on studying real-world operational systems to understand their security challenges and flaws. Specifically, he spends significant time studying problems about software-as-a-service, browser, web privacy/security and memory-based issues. He served on the program committees for IEEE S&P, USENIX Security, ACM CCS, WWW, etc. Shuo obtained his Ph.D. degree in computer science under the guidance of Prof. Ravi Iyer from University of Illinois at Urbana-Champaign. He obtained his master’s and bachelor’s degree from Tsinghua University and Peking University, both in computer science.

Academic Service

Program committee member, IEEE Symposium on Security and Privacy 2010, 2011, 2012, 2013, 2015
Program committee member, USENIX Security Symposium 2013
Program committee member, ACM Conference on Computer and Communications Security 2011, 2012
Program committee member, WWW (Security and Privacy Track) 2008, 2009, 2011, 2012
Program committee member, SecureComm 2009
Program committee member, Web 2.0 Security and Privacy Workshop (W2SP) 2011
Program committee member, IEEE DSN 2007
Ph.D. thesis committees for
- Ralf Sasse (former intern, UIUC, advised by Jose Meseguer), defended successfully in 2012
- Keun Soo Yim (UIUC, advised by Ravi Iyer), defended successfully in 2012
- Rui Wang (former intern, Indiana U, advised by XiaoFeng Wang), defended successfully in 2013
- Yuchen Zhou (former intern, UVa, advised by David Evans), defended successfully in 2015
- Eric Chen (former intern, CMU, advised by Patrick Tague and Collin Jackson), defended successfully in 2015

Awards

Best Practical Paper award, IEEE Symposium on Security and Privacy 2011
Microsoft Gold Star award, 2010
Microsoft Gold Star award, 2007

About our CCS’13 paper
• iOS and Android weaknesses allow stealthy pilfering of website credentials, Ars Technica, August 27, 2013

About our Oakland’12 paper
• Study Finds Major Weaknesses in Single Sign-on Systems, Network World, March 27, 2012
• Flawed sign-in services from Google and Facebook imperil user account, Ars Technica, March 25, 2012
• Trial finds EIGHT WAYS to defeat Google, PayPal and other SSOs, The Register, March 20, 2012
• Researchers discover flaws in SSO that leave websites vulnerable, Infosecurity, March 20
• Web Services Single Sign-On Contain Big Flaws, Dark Reading, March 19, 2012
• Researchers discover “worrisome” authentication flaws in many online services, ZDNet, March 16, 2012

About our finding of an OpenID authentication bug
• OpenID Warns Of Serious Bug, InformationWeek, May 9, 2011
• OpenID warns of ‘psychic paper’ authentication attack, Register, May 9, 2011
• OpenID Foundation warns of identity transmission bug, ZDNet UK, May 9, 2011
• OpenID Foundation Warns Websites of Authentication Flaw, eWeek, May 9, 2011

About our Oakland’11 paper
• How to Shop for Free Online (video interview), Channel 9, May 17, 2011
• Vulnerabilities in Online Payment Systems, Schneier on Security, May 9, 2011

(Shaz Qadeer and I didn’t directly participate in the following interviews because of a non-academic reason.)
• Researchers find major flaws in online payment systems. CNN, April 13, 2011.
• Exploit-wielding boffins go on free online shopping binge — World’s biggest e-commerce sites wide open, Register, April 12, 2011
• Could criminals shop for free online? CNET, April 11, 2011
• Security Researchers Exploit Logic Flaws to Shop for Free Online, Network World, April 11, 2011

About our finding of a Facebook authentication bug

Informatics students discover, alert Facebook to threat allowing access to private data, PhysOrg, ‎Feb 3, 2011
• New Facebook vulnerability patched, ComputerWorld, Feb 2, 2011
• Facebook Fixes Security Vulnerability,eWeek, Feb 2, 2011
• Facebook plugs gnarly authentication flaw, Register, ‎Feb 2, 2011‎
• Facebook flaw allowed websites to steal users’ personal data without consent, Graham Cluley’s blog, ‎Feb 2, 2011‎

About our Oakland’10 paper
• Side Channel Attacks in SSL, ha.ckers.org, June 21st, 2010
• SaaS Apps May Leak Data Even When Encrypted, Study Says, Dark Reading, March 26th, 2010
• Side-Channel Attacks on Encrypted Web Traffic, Schneier on Security, March 26th, 2010
• Researchers sound alarm on Web app “side channel” data leaks, Network World, March 25th, 2010
• Your health, tax, and search data siphoned: Software-as-a-service springs SSL leak, The Register, March 23rd, 2010.
• Side-Channel Leaks in Web Applications, Freedom To Tinker, March 23rd, 2010

About our Oakland’09 paper
• Browser flaws expose users to man-in-the-middle attacks, ZDNet, August 7th, 2009
• Mozilla patches 11 Firefox bugs, six critical. Plugs SSL hole reported by Microsoft researchers, Computer World, June 12, 2009
• Breaking Web Browsers’ Trust, Technology Review, May 21st, 2009

Interns

I encourage Ph.D. students to seek opportunities of Microsoft Research internships. I myself was interning here in the summers of 2003 and 2004. MSR internship is interesting, challenging and rewarding. Please ask your advisor to write a reference letter for you as early as you can! Most offers are made in the early spring.

Summer 2016: Matt McCutchen (MIT). Project: Self-Verifying Execution.
Summer 2015: Peter Chapman (CMU).
Summer 2015: Daniel Song (Rice University, co-mentored with Helen Wang). Project: Self-Verifying Execution.
Summer 2013: Eric Chen (CMU), expertise: web security. Project: Certification of symbolic transaction, in IEEE Symposium on Security and Privacy 2015.
Summer 2012: Yuchen Zhou (University of Virginia), expertise: web security. Project: Implicit security assumptions of SDKs, in USENIX Security Symposium 2013.
Summer 2011: Rui Wang (Indiana University), expertise: web security. Project: Web-based single-sign-on systems, in IEEE Symposium on Security and Privacy 2012.
Summer 2010: Rui Wang (Indiana University), expertise: web security. Project: How to shop for free online, in IEEE Symposium on Security and Privacy 2011.
Summer 2009: Rui Wang (Indiana University), expertise: web security. Project: Side channel leaks in web applications, in IEEE Symposium on Security and Privacy 2010.
Summer 2008: Hong Chen (Purdue), expertise: access control. Project: Browser’s residue objects, in EuroSys 2010.
Summer 2007: Ziqing Mao (Purdue), expertise: access control. Project: Pretty-Bad-Proxy, in IEEE Symposium on Security and Privacy 2009.
Summer 2006: Ralf Sasse (UIUC), expertise: formal methods. Project: GUI logic errors, in IEEE Symposium on Security and Privacy 2007.

My family site (We have two lovely daughters).
Table tennis is my hobby.
我的博客

About

Projects

Publications

2016

2015

2014

2013

2012

2011

2010

2009

2007

2005

2004

2003

Projects

Date

Speakers

Date

Speakers

Affiliation

Other

CV

Bio

Academic Service

Academic Service

Awards

Awards

Press Coverage

Interns

Interns

Other

Follow Microsoft Research

Share this page