Zhechang Zhang

Ph.D. Student
College of Information Sciences and Technology
The Pennsylvania State University

E-mail: zbz5352 at psu dot edu

Short Bio: I am a first-year Ph.D. student at Penn State University, advised by Prof. Hong Hu. Before joining Penn State University, I obtained my Bachelor's degree and Master's degree from Huazhong University of Science and Technology, advised by Prof. Deqing Zou and Prof. Bin Yuan. My research interests include software and system security.


  1. VIPER: Spotting Syscall-Guard Variables for Data-Only Attacks
     Hengkai Ye, Song Liu, Zhechang Zhang and Hong Hu
     In Proceedings of the 32nd USENIX Security Symposium (USENIX 2023). [Acc Rate: 29%]
     Abstract: As control-flow protection techniques are widely deployed, it is difficult for attackers to modify control data, such as function pointers, to hijack program control flow. Instead, data-only attacks corrupt security-critical non-control data (critical data) and can bypass all control-flow protections to revive severe attacks. Previous works have explored various methods to help construct or prevent data-only attacks; however, no solution can automatically detect program-specific critical data. In this paper, we identify an important category of critical data, syscall-guard variables, and propose a set of solutions to automatically detect such variables in a scalable manner. Syscall-guard variables determine whether security-related system calls (syscalls) are invoked, and altering them allows attackers to request extra privileges from the operating system. We propose branch force, which intentionally flips every conditional branch during execution and checks whether new security-related syscalls are invoked. If so, we conduct dataflow analysis to estimate the feasibility of flipping such branches through common memory errors. We build a tool, VIPER, to implement our ideas. VIPER successfully detects 34 previously unknown syscall-guard variables from 13 programs. We build four new data-only attacks on sqlite and v8, which execute arbitrary commands or delete arbitrary files. VIPER completes its analysis within five minutes for most programs, showing its practicality for spotting syscall-guard variables.
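The branch-force idea from the VIPER abstract as a toy simulation added here (this is not the authors' tool): a tiny interpreter runs a constructed sample program, inverts each conditional branch in turn, and reports branches whose inversion triggers a security-related syscall the normal run never made; the variable tested by such a branch is a syscall-guard candidate that deserves protection. The instruction format, the SECURITY_SYSCALLS set and the sample program are all assumptions, and the paper's follow-up dataflow feasibility analysis is not modelled.

```python
# Constructed toy interpreter; instructions: ("set", var, value),
# ("br", var, target) = jump to target if var != 0, ("syscall", name), ("exit",)
SECURITY_SYSCALLS = {"execve", "unlink", "setuid"}  # constructed sample set

def run(program, flip_branch=None, max_steps=1000):
    """Execute program and return the list of syscalls it made; flip_branch
    is the index of one 'br' whose outcome is inverted every time it runs."""
    env, pc, calls, steps = {}, 0, [], 0
    while pc < len(program) and steps < max_steps:
        steps += 1
        ins = program[pc]
        if ins[0] == "set":
            env[ins[1]] = ins[2]
        elif ins[0] == "br":
            taken = env.get(ins[1], 0) != 0
            if pc == flip_branch:
                taken = not taken  # the branch-force step
            if taken:
                pc = ins[2]
                continue
        elif ins[0] == "syscall":
            calls.append(ins[1])
        elif ins[0] == "exit":
            break
        pc += 1
    return calls

def branch_force(program):
    """Map branch index -> (guard variable, new security syscalls) for each
    branch whose inversion adds a security-related syscall to the baseline."""
    baseline = set(run(program))
    found = {}
    for idx, ins in enumerate(program):
        if ins[0] != "br":
            continue
        new = (set(run(program, flip_branch=idx)) - baseline) & SECURITY_SYSCALLS
        if new:
            found[idx] = (ins[1], new)
    return found

SAMPLE = [  # constructed: an is_admin check guards execve, a verbose flag guards write
    ("set", "is_admin", 0),
    ("set", "verbose", 1),
    ("br", "is_admin", 5),  # 2: if is_admin goto 5
    ("br", "verbose", 6),   # 3: if verbose goto 6
    ("exit",),              # 4
    ("syscall", "execve"),  # 5
    ("syscall", "write"),   # 6
    ("exit",),              # 7
]
```

Running `branch_force(SAMPLE)` reports only branch 2 (the `is_admin` check), since flipping the `verbose` branch changes no security-related syscall.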

  2. StateDiver: Testing Deep Packet Inspection Systems with State-Discrepancy Guidance
     Zhechang Zhang, Bin Yuan, Kehan Yang, Deqing Zou and Hai Jin
     In Proceedings of the 38th Annual Computer Security Applications Conference (ACSAC 2022). [Acc Rate: 24.1%]
     Abstract: Deep Packet Inspection (DPI) systems are essential for securing modern networks (e.g., blocking or logging abnormal network connections). However, DPI systems are known to be vulnerable in their implementations, which could be exploited for evasion attacks. Due to the critical role DPI systems play, many efforts have been made to detect vulnerabilities in DPI systems through manual inspection, symbolic execution, and fuzzing, which suffer from poor scalability, path explosion, or inappropriate feedback, respectively. In this paper, based on our observation that a DPI system usually reaches an abnormal internal state before a forbidden packet passes through it, we propose a fuzzing framework that prioritizes inputs/mutations that could trigger the DPI system's abnormal internal states. Further, to avoid requiring a deep understanding of the DPI systems under inspection (e.g., to identify the abnormal states), we feed one pair of inputs to multiple DPI systems and check whether the state changes of these DPI systems are consistent: an inconsistent internal state change/transition in one of the DPI systems indicates that a new abnormal state has been reached in that DPI system. Naturally, inputs that trigger new abnormal states are preferentially selected for mutation to generate new inputs. Following this idea, we develop StateDiver, the first fuzzing framework that uses the state discrepancy between different DPI systems as feedback to find more bypassing strategies. We make StateDiver publicly available online. With the help of StateDiver, we tested 3 well-known open-source DPI systems (Snort, Snort++, and Suricata) and discovered 16 bypass strategies (8 new and 8 previously known). We have reported all the vulnerabilities to the vendors and had received one CVE at the time of writing. We also compared StateDiver with Geneva, the state-of-the-art fuzzing tool for detecting DPI bugs. Results showed that StateDiver outperformed Geneva in both the number and the speed of vulnerabilities found, indicating StateDiver's ability to detect strategies that bypass DPI systems effectively.