Yonghwi Kwon, the University of Virginia

I am the John Knight Career Enhancement Assistant Professor in the Department of Computer Science at the University of Virginia. I received my Ph.D. in Computer Science at Purdue University. My research interests include, but are not limited to, software systems security (particularly leveraging compiler-based techniques), cyber forensics (i.e., cyber attack investigation), and software engineering (particularly software testing and reverse-engineering). My research aims to provide fundamental and platform-agnostic solutions, making them applicable to any system, including recent IoT platforms.

I have been honored with the NSF CRII Award (2019), the ASE Best Paper Award (ASE'13), the ACM SIGSOFT Distinguished Paper Award (ASE'13), the Maurice H. Halstead Memorial Award (2017), and the Microsoft Most Valuable Professional Award (2008-2012).


Email: yongkwon /at/ virginia.edu (Preferred), yongkwon.cs /at/ gmail.com (Alternative)


I am actively looking for students who are interested in systems security research and/or building systems.
If you are interested in (1) building secure systems, (2) preventing real-world attacks and exploits, (3) reverse-engineering up-to-date malware, or (4) making programs secure via compiler-based techniques (e.g., LLVM and gcc), we should chat (multiple RA positions).


Mar 30, 2019: Our UVa CCDC (Collegiate Cyber Defense Competition) team won the Mid-Atlantic regional final competition, and will defend their national title! Go Team!! (Detail)
Mar 7, 2019: I am a program committee member of ACSAC'19. Consider submitting your awesome papers!
Feb 11, 2019: NSF Proposal Awarded: Secure and Comprehensive Forensic Audit Infrastructure for Transparent Heterogeneous Computing. Thanks to NSF for the support!

Research Focus (Details)

Active Defense against Cyber Attacks

Vulnerable programs are targeted by cyber attackers. Manually patching vulnerabilities cannot keep up with the fast-growing cyber attack trend. We develop automated techniques that analyze insecure programs and make them secure [NDSS'17][ASE'17], leveraging compiler-based infrastructure (e.g., LLVM).

Cyber Forensics against Cyber Attacks

After systems are hacked, it is important to understand the details of the attack, such as how it happened (i.e., the initial compromise), what the intention was, and who is behind the attack. We develop precise information-flow tracking techniques for forensic analysis [ASPLOS'16][NDSS'18] to uncover such details.

Advanced Malware Analysis

Malware has become incredibly sophisticated and evasive, lying low without being detected for long periods of time. We develop automated malware analysis techniques that reveal hidden behaviors of such advanced malware, including malware on IoT devices and the web [NDSS'15][WWW'17].

Cross-Platform Binary Analysis

Analyzing software on various platforms is challenging, as new platforms often lack mature program analysis and debugging tools. We develop cross-platform binary analysis techniques that make advanced program analysis techniques applicable to any preferred platform, including sensors, IoT devices, drones, etc. [ASE'13][ISSTA'17][ACSAC'17]

Resume

Appointments

Aug 2018 - Present

Assistant Professor, University of Virginia, USA

John Knight Career Enhancement Assistant Professor

Education

May 2012 - Aug 2018

Ph.D. in Computer Science, Purdue University, USA

Advisors: Professor Xiangyu Zhang and Professor Dongyan Xu.
Research Focus: Software Security, Systems, and Software Engineering.

March 2004 - July 2011

Bachelor in Computer Engineering, Konkuk University, Seoul, South Korea

Summa Cum Laude. (Includes 3 years of military service at a software company for developing system security products)

Professional Experience

Sep 2011 - Dec 2011

Part-Time Developer, National Forensic Service, Seoul, South Korea

I developed digitizers that extract important evidence from dash-cam videos for forensic analysis.

July 2006 - July 2009

Researcher, SETTEC Inc., Seoul, South Korea

I developed security solutions such as DRM (Digital Rights Management) systems and on-the-fly binary protection techniques that encrypt and decrypt executable code at runtime to prevent reverse-engineering attempts. I also developed anti-malware software in both kernel mode and user mode.

Aug 2004 - June 2006
Samsung Software Membership Program

Student Researcher, Samsung, Seoul, South Korea

I developed and led many commercial projects, including system utilities, network firewalls, file-filter drivers, and image processing applications. I have also developed programs on various platforms, including x86, MIPS, and ARM.

Curriculum Vitae

Download CV

Timeline

2018

Joined the University of Virginia

2017
Grad School

Received the Maurice H. Halstead Memorial Award

2013
Grad School

Received the ACM SIGSOFT Distinguished Paper Award and the ASE Best Paper Award

2010
University
2008 - 2012
University

Received the Microsoft Most Valuable Professional Award (5-time awardee: 2008-2012)

2000
Middle school

Wrote my first popular program which now has millions of users (Click To Tweak)

Research

Solving System Security Problems via Fundamental Program Analysis

I build systems that can analyze and prevent sophisticated cyber attacks such as Advanced Persistent Threats (e.g., Stuxnet).

Specifically, (1) I build systems that harden existing programs to prevent advanced attacks (e.g., zero-day exploits). (2) I build reverse-engineering techniques that uncover malicious behaviors (e.g., compromising systems and leaking data) of sophisticated malware on various architectures (e.g., x86, ARM, MIPS) with little to no knowledge of the malware. (3) My research recovers forensic evidence of sophisticated attacks to reveal attack paths (e.g., how an attack happened, who the attackers are, and what the ramifications of the attack are).


Preventing Malicious Payload Injection Attacks
Malicious attackers (remotely) inject malicious payloads into victim systems in order to achieve goals such as disrupting systems and exfiltrating secret information.
My research aims to proactively prevent such attacks regardless of attack methods and vectors, protecting various systems even from unknown zero-day exploits.
To do so, we develop automated techniques that analyze programs (both binaries and source code) leveraging compiler-based techniques (e.g., LLVM) and reverse engineering (e.g., IDA), and secure the software by eliminating vulnerabilities from programs via instrumentation (e.g., binary rewriting [ACSAC'17]) [NDSS'17][ASE'17]. We also leverage SAT/SMT solvers (e.g., the Z3 solver) to understand malicious payloads and break them [NDSS'17].
Examples include (1) preventing zero-day attacks such as WannaCry without knowing the attack vector [NDSS'17], and (2) protecting web users from malvertising attacks that exploit vulnerabilities in JavaScript/ActionScript engines [ASE'17].


Reconstructing Attack Paths of Advanced Cyberattacks (e.g., Advanced Persistent Threats)
Recent cyber attacks have become more and more sophisticated. In particular, an advanced persistent threat (APT) is a special kind of attack that leverages the most advanced stealthy attack methods. APTs lurk in systems for a long time (e.g., weeks or months), infecting other systems through complex and large programs such as web browsers.
My research aims to precisely uncover the attack paths of such advanced cyber attacks. I proposed a novel causal analysis technique [ASPLOS'16] that precisely infers causality between system events (e.g., system calls) via input perturbation. The key insight of the technique is that, rather than tracking information flow through instructions, which often causes significant overhead and false positives/negatives, we run two executions of a program and perturb, in one of the executions, the inputs whose causality we want to track. Except for those inputs, the two executions are kept identical. Hence, any output differences between the two executions are caused by the perturbation, meaning that those differences and the perturbed inputs are causally related [ASPLOS'16].
Moreover, we developed a practical causality inference system for enterprise environments that requires no instrumentation [NDSS'18].
Examples include (1) identifying information leaks from malicious web extensions [ASPLOS'16] [Demo Video], (2) reconstructing the entire attack story from the initial compromise to system disruptions in enterprise environments [NDSS'18], and (3) understanding and revealing the details of library hijacking attacks [ACSAC'18].
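The dual-execution idea described above, as an added illustration that is not LDX's code or the project's own: a constructed program with three inputs is run twice, only the tracked input is perturbed in the second run, and the output events that differ are reported as causally dependent on it. The program, the perturbation function, and the use of difflib to align the two event streams are all assumptions of this example.

```python
"""Dual-execution causality inference by input perturbation (added example,
not LDX's code). The monitored program is run twice with identical inputs
except for one tracked input, so any output event that differs between the
two runs must be causally dependent on that input."""
from difflib import SequenceMatcher
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, str]  # (kind, payload) of a system-call-like output event

def sample_program(inputs: Dict[str, str]) -> List[Event]:
    """Constructed stand-in for a monitored program with three inputs:
    'cfg' (a config value), 'net' (a network message), 'env' (an env var)."""
    events: List[Event] = []
    # The log line depends on the network message, but only through its length.
    events.append(("write", f"log.txt:received {len(inputs['net'])} bytes"))
    # A command is derived from the message, but only when the config allows it.
    if inputs["cfg"] == "allow_exec":
        events.append(("exec", inputs["net"].split(":")[0]))
    # 'env' is read but never influences any observable output.
    _ = inputs["env"]
    events.append(("send", "ack"))
    return events

def perturb(value: str) -> str:
    """Change both content and length so value- and size-dependent outputs move.
    A length-preserving perturbation would miss the length-only log dependency."""
    return value[::-1] + "_P"

def infer_causality(program: Callable[[Dict[str, str]], List[Event]],
                    inputs: Dict[str, str], tracked: str) -> List[Event]:
    """Return the master-run events that are causally dependent on `tracked`."""
    master = program(inputs)
    slave = program({**inputs, tracked: perturb(inputs[tracked])})
    # Align the two event streams so that an inserted or removed event does not
    # shift everything after it (difflib stands in for a real aligner here).
    matcher = SequenceMatcher(a=master, b=slave, autojunk=False)
    dependent: List[Event] = []
    for tag, i1, i2, _j1, _j2 in matcher.get_opcodes():
        if tag != "equal":
            dependent.extend(master[i1:i2])
    return dependent

# Constructed inputs: the config allows exec, the message names a command.
INPUTS = {"cfg": "allow_exec", "net": "ls:/tmp", "env": "LANG=C"}

if __name__ == "__main__":
    for name in INPUTS:
        deps = infer_causality(sample_program, INPUTS, name)
        print(f"{name:>3} -> {[kind for kind, _ in deps]}")
```

Tracking 'net' flags the log write and the exec, tracking 'cfg' flags only the exec that disappears, and tracking 'env' flags nothing, because the perturbation changed no observable output.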


Analyzing Malicious Binaries via Binary Analysis and Reverse-Engineering (across Multiple Platforms)
Analyzing malicious binary programs is difficult because, in part, these binaries are obfuscated and/or input- and environment-sensitive. Moreover, recent attacks happen across multiple platforms, while tools that can analyze malicious binaries often do not support such new platforms.
My research aims to analyze malicious binaries via dynamic analysis and program transformation. We proposed a novel program transformation technique that transforms a platform-dependent program execution (e.g., an IoT malware execution) into a platform-independent program so that it can be analyzed by existing program analysis tools [ASE'13]. We also reverse-engineer malicious binaries to discover the message and file formats of various malicious software such as botnets [NDSS'15].
In addition, we develop binary rewriting infrastructures [ACSAC'17] that can insert or remove functionality in existing binary programs without access to source code.
Examples include (1) analyzing vulnerabilities on a sensor platform via x86 Linux program analysis tools (e.g., program slicing tools) [ASE'13], (2) reverse-engineering the command-and-control protocol of a botnet and the data leaked by the botnet with no prior knowledge of the botnet [NDSS'15], and (3) adding various protections (e.g., Control Flow Integrity, buffer overrun protection) to existing ARM binaries and removing unnecessary code from a binary program directly, without source code [ACSAC'17].

Publications

List of Publications

2019

Probabilistic Disassembly, Kenneth Adam Miller, Yonghwi Kwon, Xiangyu Zhang, and Zhiqiang Lin, In Proc. of the 41st International Conference on Software Engineering (ICSE'19), Paper


2018

Lprov: Practical Library-aware Provenance Tracing, Fei Wang, Yonghwi Kwon, Shiqing Ma, Xiangyu Zhang, and Dongyan Xu, In Proc. of the 34th Annual Conference on Computer Security Applications (ACSAC'18), Paper | BibTex

Kernel-Supported Cost-Effective Audit Logging for Causality Tracking, Shiqing Ma, Jun Zhai, Yonghwi Kwon, Kyu Hyung Lee, Xiangyu Zhang, Gabriela Ciocarlie, Ashish Gehani, Vinod Yegneswaran, Dongyan Xu, and Somesh Jha, In Proc. of the 2018 USENIX Annual Technical Conference (ATC'18), Paper | BibTex

AdBudgetKiller: Online Advertising Budget Draining Attack, I Luk Kim, Weihang Wang, Yonghwi Kwon, Yunhui Zheng, Yousra Aafer, Weijie Meng, and Xiangyu Zhang, In Proc. of the 27th International World Wide Web Conference (WWW'18), Paper | BibTex

MCI: Modeling-based Causality Inference in Audit Logging for Attack Investigation, Yonghwi Kwon, Fei Wang, Weihang Wang, Kyu Hyung Lee, Wen-Chuan Lee, Shiqing Ma, Xiangyu Zhang, Dongyan Xu, Somesh Jha, Gabriela Ciocarlie, Ashish Gehani, and Vinod Yegneswaran, In Proc. of the 25th Network and Distributed System Security Symposium (NDSS'18), Paper | Slides | BibTex


2017

RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications, Taegyu Kim, Chung Hwan Kim, Hongjun Choi, Yonghwi Kwon, Brendan Saltaformaggio, Xiangyu Zhang, and Dongyan Xu, In Proc. of the 33rd Annual Conference on Computer Security Applications (ACSAC'17), Paper | BibTex

PAD: Programming Third-party Web Advertisement Censorship, Weihang Wang, Yonghwi Kwon, Yunhui Zheng, Yousra Aafer, I Luk Kim, Wen-Chuan Lee, Yingqi Liu, Weijie Meng, Xiangyu Zhang, Patrick Eugster, In Proc. of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE'17), Paper | BibTex

CPR: Cross Platform Binary Code Reuse via Platform Independent Trace Program, Yonghwi Kwon, Weihang Wang, Yunhui Zheng, Xiangyu Zhang, and Dongyan Xu, In Proc. of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'17) Paper | Slides | BibTex

J-Force: Forced Execution on JavaScript, Kyungtae Kim, I Luk Kim, Chung Hwan Kim, Yonghwi Kwon, Yunhui Zheng, Xiangyu Zhang, and Dongyan Xu, In Proc. of the 26th International World Wide Web Conference (WWW'17), Paper | BibTex

A2C: Self Destructing Exploit Executions via Input Perturbation, Yonghwi Kwon, Brendan Saltaformaggio, I Luk Kim, Kyu Hyung Lee, Xiangyu Zhang, and Dongyan Xu, In Proc. of the 24th Network and Distributed System Security Symposium (NDSS'17), Paper | Slides | BibTex


2016

Apex: Automatic Programming Assignment Error Explanation, Dohyeong Kim, Yonghwi Kwon, Peng Liu, I Luk Kim, David Mitchel Perry, Xiangyu Zhang, and Gustavo Rodriguez-Rivera, In Proc. of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA'16), Paper | Website | BibTex

WebRanz: Web Page Randomization For Better Advertisement Delivery and Web-Bot Prevention, Weihang Wang, Yunhui Zheng, Xinyu Xing, Yonghwi Kwon, Xiangyu Zhang, and Patrick Eugster, In Proc. of the 24th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE'16), Paper | Website | BibTex

Eavesdropping on Fine-Grained User Activities Within Smartphone Apps Over Encrypted Network Traffic, Brendan Saltaformaggio, Hongjun Choi, Kristen Johnson, Yonghwi Kwon, Qi Zhang, Xiangyu Zhang, Dongyan Xu, John Qian, In Proc. of the 10th USENIX Workshop on Offensive Technologies (WOOT'16) Paper | BibTex

LDX: Causality Inference by Lightweight Dual Execution, Yonghwi Kwon, Dohyeong Kim, William N. Sumner, Kyungtae Kim, Brendan Saltaformaggio, Xiangyu Zhang, and Dongyan Xu, In Proc. of the 21st International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'16), Paper | Slides | Demo Video | BibTex


2015

Dual Execution for On the Fly Fine Grained Execution Comparison, Dohyeong Kim, Yonghwi Kwon, William N. Sumner, Xiangyu Zhang, and Dongyan Xu, In Proc. of the 20th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'15), Paper | BibTex

P2C: Understanding Output Data Files via On-the-Fly Transformation from Producer to Consumer Executions, Yonghwi Kwon, Fei Peng, Dohyeong Kim, Kyungtae Kim, Xiangyu Zhang, Dongyan Xu, Vinod Yegneswaran, and John Qian, In Proc. of the 22nd Network and Distributed System Security Symposium (NDSS'15), Paper | Slides | BibTex


2013

PIEtrace: Platform Independent Executable Trace, Yonghwi Kwon, Xiangyu Zhang, and Dongyan Xu, In Proc. of the 28th IEEE/ACM International Conference on Automated Software Engineering (ASE'13), Best Paper Award, ACM SIGSOFT Distinguished Paper Award, Paper | Slides | Website | BibTex

Miscellaneous

Teaching, Advising, Fun, etc

Advising

Discussing research projects and solving cool problems with students is one of my favorite parts of my life. I love and enjoy working closely with students. Currently I have a few students I closely work with:
Jiahao Cai (PhD, UVa)
Rajiv Sarvepalli (BS, UVa) -- (Part of JUMP URI (Undergraduate Research Initiative) Program)


Participation

I have been participating in several projects/activities including:
1. DARPA P-CORE (Privacy Enhanced Coordinated Enterprise Defense via Temporal and Topological Representation Learning)
2. I am a faculty mentor of the UVa CCDC (Collegiate Cyber Defense Competition) Team.
      - March 30, 2018: We won the regional final!
3. I am actively supporting undergraduate research programs: JUMP URI (Undergraduate Research Initiative) Program


Services

I serve as a program committee member (PC member) for the following academic conferences:
ACSAC'19, NDSS'19, ACSAC'18, TaPP'17


Suggestions

This is a list of general suggestions for reading/reviewing/writing academic papers.
1. How to Read a Paper (by Srinivasan Keshav, University of Waterloo)
2. Reviewing Research Papers Efficiently (by John Regehr, University of Utah)
3. How to Write a Security Paper (by Patrick McDaniel, Pennsylvania State University)

From the Advice for researchers and students compiled by Michael Ernst:
1. Writing a progress/status report
2. How to write a technical paper

There are some great and fun (and also educational) TED talks you can watch when you are bored:
1. Grit: the power of passion and perseverance (Grit is very important for being a good researcher)
2. Inside the mind of a master procrastinator (Let's not be a procrastinator)
3. How to speak so that people want to listen
4. This is what happens when you reply to spam email

There are some ways to systematically generate good ideas:
1. TRIZ is "theory of the resolution of invention-related tasks"


Technical Articles

I enjoy coding and writing technical articles. Here are some of my articles explaining details about coding, debugging, and reverse-engineering. I also wrote many technical articles for Microsoftware, a monthly magazine for Korean developers, and authored a book that collects revised versions of those magazine articles.

1. Hooking the Real COM Objects: Intercepting IHTMLDocument3 Functions, Dec 2011 (#reverse-engineering, #debugging)
2. Phishing applications: Security threats regarding the SetParent function, Nov 2011 (#security, #OS, #GUI)
3. How to Find a COM Object Connected to Internet Explorer, Jan 2008 (#reverse-engineering, #debugging)
4. Get interrupt vector information in Windows, July 2007 (#assembly, #system programming)


Writing Programs

I love writing code. I have been writing code since 2000 in C/C++, Pascal (Delphi), Visual Basic, Assembly, Java, JavaScript, and so on. I personally like C most, and often prefer it over Python and even Shell Script.


Things That Keep Me Alive

Coffee

I am a coffee addict. I love dark roasted coffee beans from Ethiopia and Indonesia.

Dark beers

I love dark beers; my favorites are Murphy's and Rogue HazelNut.

QuakeLive

I have been a big fan of Quake3 and Rocket Arena since 2000. Now I play QuakeLive.

Louis CK

Louis CK is my favorite. Click here for my favorite clip.