News

Our new paper on “Demystifying Progressive Web Application Permission Systems” is going to appear in DSN’26! Progressive Web Applications (PWAs) are web-based applications that bring native-app features such as offline access, notifications, and installability to the browser, making them an increasingly important part of today’s web ecosystem. In this work, we developed Permissioner to systematically analyze permission handling in PWAs and uncovered numerous security issues of inconsistency, incompleteness, and unclear boundaries in permission enforcement, with concrete cases of permission leakage, across browsers and platforms. Our findings have already led to fixes in Firefox and a Chromium patch, highlighting the urgent need for a unified and robust PWA permission model.

Congratulations, Mengxiao & Jianwei!

Our new research CONSET (“Semantics Over Syntax: Uncovering Pre-Authentication 5G Baseband Vulnerabilities”) will appear in USENIX Security’26. This work leverages LLM and builds a new framework CONSET, which systematically extracts specification-level constraints and turns them into semantic violations for testing 5G UE implementations. On commercial smartphones, it confirms 6 device-level flaws through responsible disclosure, including 3 high-severity CVEs. These vulnerabilities affect 41 chipset models and over 466 commercially available smartphones.

This is joint work with researchers (Prof. Hongxin Hu and his students) at University of Buffalo. Congratulations on the amazing work, Qiqing!

Our new research Heracles (“𝑶𝒏 𝒕𝒉𝒆 𝑺𝒆𝒄𝒖𝒓𝒊𝒕𝒚 𝑹𝒊𝒔𝒌𝒔 𝒐𝒇 𝑴𝒆𝒎𝒐𝒓𝒚 𝑨𝒅𝒂𝒑𝒕𝒂𝒕𝒊𝒐𝒏 𝒂𝒏𝒅 𝑨𝒖𝒈𝒎𝒆𝒏𝒕𝒂𝒕𝒊𝒐𝒏 𝒊𝒏 𝑫𝒂𝒕𝒂-𝒑𝒍𝒂𝒏𝒆 𝑫𝒐𝑺 𝑴𝒊𝒕𝒊𝒈𝒂𝒕𝒊𝒐𝒏”) will appear in NDSS’26. This work examines emerging security risks in modern programmable network infrastructures and highlights how design choices for efficiency can introduce new attack surfaces. We further propose Shield , a multi-layered mitigation scheme that successfully mitigates the Heracles attack while preserving line-rate performance and adaptive detection accuracy.

This is joint work with researchers (Prof. Min Suk Kang and his students) at KAIST. Congratulations on the amazing work, Hocheol! And thank you for spending time with us at the SUCCESS Lab as a visiting student in 2025!

Our DSN’15 paper “FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks” (by Haopei Wang, Lei Xu, Guofei Gu) received the Test of Time Award at this year’s DSN conference (2025 Annual IEEE/IFIP International Conference on Dependable Systems and Networks)! We are so honored and humbled to receive this recognition for our SDN security research in 2015! Congratulations again, Haopei & Lei!

Some background information about this award: “The Test-of-Time Award recognizes two outstanding papers published 10 years ago at DSN, in the DSN proceedings (research track, practical experience report or tool papers), that have had a sustained and important impact on the theory and/or practice of dependable systems and networks computing research. DSN has several areas under its umbrella and with two awards there are conditions to recognize more than one area. In exceptional situations (not enough nominations), the time frame for awards can be extended to 10-12 years, and only one paper can be awarded, in this order.”

Our new paper on understanding the risks of dynamic content in the Alexa skill ecosystem is going to appear in ACM WiSec’25! Congratulations, Nathan!

Shreyas has two papers on human-centered security research to appear in Euro S&P’25! They are “Demystifying the Perceptions Gap Between Designers and Practitioners in Two Security Standards” and “Incentivizing Security Excellence in Cyber Liability Insurance”. Congratulations, Shreyas!

Our paper “Beyond Visual Confusion: Understanding How Inconsistencies in ENS Normalization Facilitate Homoglyph Attacks” is accepted to WWW’25. Congratulations, Jianwei!