About

I am a researcher in the Microsoft Research RiSE (Research in Software Engineering) group, and am also affiliated with the Redmond Security and Privacy Research group. My research interest is mainly in systems security and privacy. My hope is to solve practical security problems using rigorous program analysis technologies.

Bio

Shuo Chen is a senior researcher at Microsoft Research Redmond. His interest is in studying real-world operational systems to understand their security challenges and flaws. Specifically, he spends significant time studying problems in software-as-a-service, browsers, web privacy/security and memory-based issues. He has served on the program committees for IEEE S&P, USENIX Security, ACM CCS, WWW, etc. Shuo obtained his Ph.D. degree in computer science under the guidance of Prof. Ravi Iyer from the University of Illinois at Urbana-Champaign. He obtained his master’s and bachelor’s degrees from Tsinghua University and Peking University, both in computer science.

Projects

Certification of Symbolic Transaction

Established: May 6, 2015

Logic flaws are prevalent in multiparty cloud services and can have serious consequences: for example, an attacker can make purchases without paying, or get into other people’s accounts without a password. For decades, researchers have advocated formal verification as a solution, but in the real world developers face major hurdles in applying it. We introduce a technology that significantly lowers these hurdles, and show its effectiveness in real-world deployments. Online services enhanced by CST (Note: SymT-caching…

Academic Service

  • Program committee member, IEEE Symposium on Security and Privacy 2010, 2011, 2012, 2013, 2015
  • Program committee member, USENIX Security Symposium 2013
  • Program committee member, ACM Conference on Computer and Communications Security 2011, 2012
  • Program committee member, WWW (Security and Privacy Track) 2008, 2009, 2011, 2012
  • Program committee member, SecureComm 2009
  • Program committee member, Web 2.0 Security and Privacy Workshop (W2SP) 2011
  • Program committee member, IEEE DSN 2007
  • Ph.D. thesis committees for
    • Ralf Sasse (former intern, UIUC, advised by Jose Meseguer), defended successfully in 2012
    • Keun Soo Yim (UIUC, advised by Ravi Iyer), defended successfully in 2012
    • Rui Wang (former intern, Indiana U, advised by XiaoFeng Wang), defended successfully in 2013
    • Yuchen Zhou (former intern, UVa, advised by David Evans), defended successfully in 2015
    • Eric Chen (former intern, CMU, advised by Patrick Tague and Collin Jackson), defended successfully in 2015

Awards

  • Best Practical Paper award, IEEE Symposium on Security and Privacy 2011
  • Microsoft Gold Star award, 2010
  • Microsoft Gold Star award, 2007

Press Coverage

About our CCS’13 paper
iOS and Android weaknesses allow stealthy pilfering of website credentials, Ars Technica, August 27, 2013

About our Oakland’12 paper
Study Finds Major Weaknesses in Single Sign-on Systems, Network World, March 27, 2012
Flawed sign-in services from Google and Facebook imperil user account, Ars Technica, March 25, 2012
Trial finds EIGHT WAYS to defeat Google, PayPal and other SSOs, The Register, March 20, 2012
Researchers discover flaws in SSO that leave websites vulnerable, Infosecurity, March 20
Web Services Single Sign-On Contain Big Flaws, Dark Reading, March 19, 2012
Researchers discover “worrisome” authentication flaws in many online services, ZDNet, March 16, 2012

About our finding of an OpenID authentication bug
OpenID Warns Of Serious Bug, InformationWeek, May 9, 2011
OpenID warns of ‘psychic paper’ authentication attack, Register, May 9, 2011
OpenID Foundation warns of identity transmission bug, ZDNet UK, May 9, 2011
OpenID Foundation Warns Websites of Authentication Flaw, eWeek, May 9, 2011

About our Oakland’11 paper
How to Shop for Free Online (video interview), Channel 9, May 17, 2011
Vulnerabilities in Online Payment Systems, Schneier on Security, May 9, 2011

(Shaz Qadeer and I didn’t directly participate in the following interviews because of a non-academic reason.)
Researchers find major flaws in online payment systems. CNN, April 13, 2011.
Exploit-wielding boffins go on free online shopping binge — World’s biggest e-commerce sites wide open, Register, April 12, 2011
Could criminals shop for free online? CNET, April 11, 2011
Security Researchers Exploit Logic Flaws to Shop for Free Online, Network World, April 11, 2011

About our finding of a Facebook authentication bug

About our Oakland’10 paper
Side Channel Attacks in SSL, ha.ckers.org, June 21st, 2010
SaaS Apps May Leak Data Even When Encrypted, Study Says, Dark Reading, March 26th, 2010
Side-Channel Attacks on Encrypted Web Traffic, Schneier on Security, March 26th, 2010
Researchers sound alarm on Web app “side channel” data leaks, Network World, March 25th, 2010
Your health, tax, and search data siphoned: Software-as-a-service springs SSL leak, The Register, March 23rd, 2010.
Side-Channel Leaks in Web Applications, Freedom To Tinker, March 23rd, 2010

About our Oakland’09 paper
Browser flaws expose users to man-in-the-middle attacks, ZDNet, August 7th, 2009
Mozilla patches 11 Firefox bugs, six critical. Plugs SSL hole reported by Microsoft researchers, Computer World, June 12, 2009
Breaking Web Browsers’ Trust, Technology Review, May 21st, 2009

Interns

I encourage Ph.D. students to seek Microsoft Research internship opportunities. I myself interned here in the summers of 2003 and 2004. An MSR internship is interesting, challenging and rewarding. Please ask your advisor to write a reference letter for you as early as you can! Most offers are made in the early spring.

  • Summer 2016: Matt McCutchen (MIT). Project: Self-Verifying Execution.
  • Summer 2015: Peter Chapman (CMU).
  • Summer 2015: Daniel Song (Rice University, co-mentored with Helen Wang). Project: Self-Verifying Execution.
  • Summer 2013: Eric Chen (CMU), expertise: web security. Project: Certification of symbolic transaction, in IEEE Symposium on Security and Privacy 2015.
  • Summer 2012: Yuchen Zhou (University of Virginia), expertise: web security. Project: Implicit security assumptions of SDKs, in USENIX Security Symposium 2013.
  • Summer 2011: Rui Wang (Indiana University), expertise: web security. Project: Web-based single-sign-on systems, in IEEE Symposium on Security and Privacy 2012.
  • Summer 2010: Rui Wang (Indiana University), expertise: web security. Project: How to shop for free online, in IEEE Symposium on Security and Privacy 2011.
  • Summer 2009: Rui Wang (Indiana University), expertise: web security. Project: Side channel leaks in web applications, in IEEE Symposium on Security and Privacy 2010.
  • Summer 2008: Hong Chen (Purdue), expertise: access control. Project: Browser’s residue objects, in EuroSys 2010.
  • Summer 2007: Ziqing Mao (Purdue), expertise: access control. Project: Pretty-Bad-Proxy, in IEEE Symposium on Security and Privacy 2009.
  • Summer 2006: Ralf Sasse (UIUC), expertise: formal methods. Project: GUI logic errors, in IEEE Symposium on Security and Privacy 2007.