Yiwen(Elowen) Xu

EPFL › IC › HEXHIVE

Lausanne, Switzerland

I’m a first-year PhD student (yes, still in the “figuring-things-out” phase) at EPFL’s IC faculty, where I hang out in the HexHive lab—a wonderfully diverse, collaborative, and forward-looking group tackling system security.

Before this academic adventure, I worked as a Software Engineer at Alibaba Cloud (Aliyun) from mid-2023 to mid-2025. I got my Master’s degree at Tsinghua University, where I was lucky to be supervised by Prof. Yu Jiang in the Software System Security Assurance Group.

Research Interests: Picking apart malicious code (Malware Analysis & Mitigation), poking firmware until it breaks (Firmware Fuzzing), and currently shifting to Kernel Security.

News

Feb 26, 2024	Our research on protecting deserialization procedures of Java applications is accepted by NDSS‘24.
Oct 16, 2023	Our significant work on sandboxing program with dynamic syscall policies is accepted by OOPSLA‘23.
Jul 21, 2022	Our empirical study about system resources abused by IoT attackers is accepted by ASE‘22.
Jul 06, 2022	Midas, a lightweight on-device safeguard framework for IoT, is published by EMSOFT‘22.
Feb 03, 2022	Scanner++, a proxy-based ensemble web scanning , is accepted by TOSEM‘21.
Jul 07, 2020	EM-Fuzz, a firmware fuzzing with memory checking , is accepted by EMSOFT’20 (Best Paper Candidate)

Selected Publications

Midas

MIDAS: safeguarding iot devices against malware via real-time behavior auditing

Yiwen Xu^*, Zijing Yin^*, Yiwei Hou, and 2 more authors

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), 2022

DOI
HoneyAsclepius

Empirical Study of System Resources Abused by IoT Attackers

Zijing Yin^*, Yiwen Xu^*, Chijin Zhou, and 1 more author

In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering (ASE), Rochester, MI, USA, 2023

Abs DOI

IoT devices have been under frequent attacks in recent years, causing severe impacts. Previous research has shown the evolution and features of some specific IoT malware families or stages of IoT attacks through offline sample analysis. However, we still lack a systematic observation of various system resources abused by active attackers and the malicious intentions behind these behaviors. This makes it difficult to design appropriate protection strategies to defend against existing attacks and possible future variants. In this paper, we fill this gap by analyzing 117,862 valid attack sessions captured by our dedicated high-interaction IoT honeypot, HoneyAsclepius, and further discover the intentions in our designed workflow. HoneyAsclepius enables high capture capability as well as continuous behavior monitoring during active attack sessions in real-time. Through a large-scale deployment, we collected 11,301,239 malicious behaviors originating from 50,594 different attackers. Based on this information, we further separate the behaviors in different attack sessions targeting distinct categories of system resources, estimate the temporal relations and summarize their malicious intentions behind. Inspired by such investigations, we present several key insights about abusive behaviors of the file, network, process, and special capability resources, and further propose practical defense strategies to better protect IoT devices.
DeseriGuard

Automatic policy synthesis and enforcement for protecting untrusted deserialization

Quan Zhang, Yiwen Xu, Zijing Yin, and 2 more authors

In The Network and Distributed System Security Symposium (NDSS) Symposium, Feb 2024

Abs HTML

Java deserialization vulnerabilities have long been a grave security concern for Java applications. By injecting malicious objects with carefully crafted structures, attackers can reuse a series of existing methods during deserialization to achieve diverse attacks like remote code execution. To mitigate such attacks, developers are encouraged to implement policies restricting the object types that applications can deserialize. However, the design of precise policies requires expertise and significant manual effort, often leading to either the absence of policy or the implementation of inadequate ones. In this paper, we propose DeseriGuard, a tool designed to assist developers in securing their applications seamlessly against deserialization attacks. It can automatically formulate a policy based on the application’s semantics and then enforce it to restrict illegal deserialization attempts. First, DeseriGuard utilizes dataflow analysis to construct a semantic-aware property tree, which records the potential structures of deserialized objects. Based on the tree, DeseriGuard identifies the types of objects that can be safely deserialized and synthesizes an allowlist policy. Then, with the Java agent, DeseriGuard can seamlessly enforce the policy during runtime to protect various deserialization procedures. In evaluation, DeseriGuard successfully blocks all deserialization attacks on 12 real-world vulnerabilities. In addition, we compare DeseriGuard’s automatically synthesized policies with 109 developer-designed policies. The results demonstrate that DeseriGuard effectively restricts 99.12% more classes. Meanwhile, we test the policy-enhanced applications with their unit tests and integration tests, which demonstrate that DeseriGuard’s policies will not interfere with applications’ execution and induce a negligible time overhead of 2.17%.
Dynbox

Building Dynamic System Call Sandbox with Partial Order Analysis

Quan Zhang, Chijin Zhou, Yiwen Xu, and 6 more authors

ACM SIGPLAN International Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), Oct 2023

Abs DOI

Attack surface reduction is a security technique that secures the operating system by removing the unnecessary code or features of a program. By restricting the system calls that programs can use, the system call sandbox is able to reduce the exposed attack surface of the operating system and prevent attackers from damaging it through vulnerable programs. Ideally, programs should only retain access to system calls they require for normal execution. Many researchers focus on adopting static analysis to automatically restrict the system calls for each program. However, these methods do not adjust the restriction policy along with program execution. Thus, they need to permit all system calls required for program functionalities. We observe that some system calls, especially security-sensitive ones, are used a few times in certain stages of a program’s execution and then never used again. This motivates us to minimize the set of required system calls dynamically. In this paper, we propose , which gradually disables access to unnecessary system calls throughout the program’s execution. To accomplish this, we utilize partial order analysis to transform the program into a partially ordered graph, which enables efficient identification of the necessary system calls at any given point during program execution. Once a system call is no longer required by the program, can restrict it immediately. To evaluate , we applied it to seven widely-used programs with an average of 615 KLOC, including web servers and databases. With partial order analysis, restricts an average of 23.50, 16.86, and 15.89 more system calls than the state-of-the-art Chestnut, Temporal Specialization, and the configuration-aware sandbox, C2C, respectively. For mitigating malicious exploitations, on average, defeats 83.42% of 1726 exploitation payloads with only a 5.07% overhead.