Gang Tan (\gäng tan\) [Vita pdf][ Vita html][Contact] Associate Professor James F. Will Career Development Professorship Dept. of Computer Science & Engineering School of Electrical Engineering & Computer Science Penn State University, University Park Affiliated with Institute for Networking and Security Research (video about INSR) and Institute for CyberScience

Research Interests

I lead the Security of Software (SOS) lab at Penn State. In general, I am interested in methodologies that help create reliable and secure software systems:

• Software security
• Programming languages, software engineering

My research group has a postdoc openning: description

Research Projects

• User-space privilege separation
• Binary-level reverse engineering
• GoNative

Some past projects

• Modular Control-Flow Integrity
• Interface Safety in Multilingual Software

News

• (5/2017) ONR project on Semantics-Directed Binary Reverse Engineering and Transformation Validation funded. Thanks to ONR!
• (10/2016) Congratulations to Ben, whose dissertation won ACM SIGSAC Dissertation Award Runner-Up.
• (3/2016) Keynote talk at MASS 2016 about MCFI/RockJIT/PICFI; Title: "Protecting Dynamic Code by Modular Control-Flow Integrity" [slides].
• (12/2015) Congratulations to Ben, who finished his Ph.D. with thesis "Practical Control-Flow Integrity".
• (7/2015) Paper "Per-Input Control-Flow Integrity" accepted at CCS 2015.
• (6/2015) We are glad to release the source code of MCFI and RockJIT and PiCFI . Please see this GitHub page.
• (12/2014) The RockSalt repository has moved to GitHub. The latest version can be found at here.
• (11/2014) Paper "Producing Hook Placements To Enforce Expected Access Control Policies" accepted at ESSOS 15.
• (8/2014) NSF medium project "Retrofitting software for defense-in-depth" funded; in collaboration with Penn State, Rutgers, and U. of Vermont. [Lehigh news release | local WFMZ news release]
• (7/2014) Paper "RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity" accepted at CCS 2014.
• (5/2014) Congratulations to Siliang, who finished his Ph.D. with thesis "Improving quality of software with foreign function interfaces using static analysis".
• (5/2014) Paper "NativeGuard: Protecting Android Applications from Third-Party Native Libraries" accepted at WiSec 2014.
• (3/2014) Paper "Finding Reference-Counting Errors in Python/C Programs with Affine Analysis" accepted at ECOOP 2014.
• (2/2014) Paper "Modular Control Flow Integrity" accepted at PLDI 2014.
• (1/2014) Invited talk at PiP 2014 [slides].
• (7/2013) A paper about Monitor Integrity Protection (MIP) accepted by CCS 2013.
• (4/2013) Strato paper accepted by Usenix Security 2013.
• (2/2013) We are glad to release the source code of the second version of Robusta (now dubbed Arabica). Please see this page.
• (1/2013) DuPro paper accepted by AsiaCCS 2013.
• Older news...

Events involved

• Program committee members: Oakland 2018; ECOOP 2018; Oakland 2017; CloudCom 2017; Wisa 2017; ISC 2017; SecDev 2017; Feast 2017; LangSec 2017; CCS 2016; Oakland 2016; ACNS 2016; LangSec 2016; SECURWARE 2016; CCS 2015; APLAS 2015; ASIACCS 2015; CloudCom 2015; SECURWARE 2015; MCS 2015; CCS 2014; ASIACCS 2014; NDSS 2014; SECURWARE 2014; OOPSLA 2013; APLAS 2013; CPP 2013; SPIot 2012; Open 64; WWW 2011 (abuse, security and privacy track); SPIoT 2011; CHINACOM 2010, CHINACOM 2009 (network and information security symposium);
• CPSS 2012: joint summer schools on cryptography and principles of software security
• Security and Programming Language (SePL) seminars at Penn State.

Teaching

• CMPSC 461, Programming Language Concepts, Spring 17
• CSE 597, Special topics on theorem proving and static analysis, Fall 16
• CMPSC 443, Introduction to Computer and Network Security, Spring 16
• CSE 262, Programming Languages, Fall 15, Fall 14, Spring 14, Fall 13, Spring 13, Fall 12, Spring 12, Fall 11, Fall 10
• CSE 411, Advanced Programming Techniques, Fall 15, Fall 14, Fall 13
• CSE 334/434, Software System Security, Fall 12, Fall 10, Fall 08
• CSE 497, Advanced Programming Languages, Fall 11
• CSE 216, Software Engineering, Spring 10, Spring 09
• CSE 397/497, Programming Languages Design & Analysis Fall 09

Some Publications (a more complete list)

• Bidirectional Grammars for Machine-Code Decoding and Encoding. G. Tan and G. Morrisett. In 8th Working Conference on Verified Software: Theories, Tools, and Experiments (VSTTE), 2016. [paper]
• Languages Must Expose Memory Heterogeneity. X. Guo, A.Shrivastava, M. Spear, and G. Tan. In the Second International Symposium on Memory Systems (MemSys), 2016. [paper]
• Analysis of Code Heterogeneity for High-Precision Classification of Repackaged Malware. K. Tian, D. Yao, B. Ryder, and G. Tan. In Proceedings of Mobile Security Technologies (MoST), 2016. [paper]
• Per-Input Control-Flow Integrity. B. Niu and G. Tan. In 22nd ACM Conference on Computer and Communication Security (CCS '15), Oct. 2015. [paper]
• Producing Hook Placements To Enforce Expected Access Control Policies. D. Muthukumaran, N. Talele, T. Jaeger, and G. Tan. In International Symposium on Engineering Secure Software and Systems (ESSOS '15), Mar. 2015. [paper]
• RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity. B. Niu and G. Tan. In 21st ACM Conference on Computer and Communication Security (CCS '14), Nov. 2014. [paper]
• NativeGuard: Protecting Android Applications from Third-Party Native Libraries. M. Sun and G. Tan. Proceedings of the 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '14), Oxford, United Kingdom, Jul 2014. [paper]
• Finding Reference-Counting Errors in Python/C Programs with Affine Analysis. S. Li and G. Tan. Proceedings of the 27th European Conference on Object-Oriented Programming (ECOOP '14), Uppsala, Sweden, July 2014. [paper]
• Modular Control Flow Integrity. B. Niu and G. Tan. In ACM Conference on Programming Language Design and Implementation (PLDI '14), 2014. [paper]
• Exception Analysis in the Java Native Interface. S. Li and G. Tan. Science of Computer Programming (SCP), 2014. [paper]
• Bringing Java's Wild Native World under Control.. M. Sun, G. Tan, J. Siefers, B. Zeng, and G. Morrisett. In ACM Transactions on Information and System Security (TISSEC). Nov. 2013. [paper]
• Monitor Integrity Protection with Space Efficiency and Separate Compilation. B. Niu and G. Tan. In 20th ACM Conference on Computer and Communication Security (CCS '13), Nov. 2013. [paper]
• Strato: A Retargetable Framework for Low-Level Inlined-Reference Monitors. B. Zeng, G. Tan, U. Erlingsson. In 22nd Usenix Security Symposium, Aug 2013. [paper]
• Efficient User-Space Information Flow Control. B. Niu and G. Tan. In the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS), May 2013. [paper]
• Enforcing User-Space Privilege Separation with Declarative Architectures. B. Niu and G. Tan. In The Seventh ACM Workshop on Scalable Trusted Computing (STC), 2012. [paper]
• JVM-Portable Sandboxing of Java's Native Libraries. M. Sun and G. Tan. In the 17th European Symposium on Research in Computer Security (ESORICS), Sept. 2012. [paper]
• RockSalt: Better, Faster, Stronger SFI for the x86. G. Morrisett, G. Tan, J. Tassarotti, J.B. Tristan, and E. Gan. In ACM Conference on Programming Language Design and Implementation (PLDI '12), Jun. 2012. [paper]
• Combining Control-Flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing. B. Zeng and G. Tan and G. Morrisett. In 18th ACM Conference on Computer and Communication Security (CCS '11), Oct. 2011. [paper]
• JET: Exception checking in the Java Native Interface. S. Li and G. Tan. In ACM SIGPLAN International conference on Object-Oriented Programming, Systems, Languages & Applications (OOPSLA '11), Oct 2011. [paper]
• Robusta: Taming the Native Beast of the JVM. J. Siefers, G. Tan, and G. Morrisett. In the 17th ACM Conference on Computer and Communication Security (CCS '10), Oct. 2010. [paper | presentation ]
• Finding bugs in exceptional situations of JNI programs. S. Li and G. Tan. In the 16th ACM Conference on Computer and Communication Security (CCS '09), Nov. 2009. [paper]
• Semantic Foundations for Typed Assembly Languages. A. Ahmed, A. W. Appel, C. D. Richards, G. Tan, and D. C. Wang. ACM Transactions on Programming Languages and Systems (TOPLAS), March 2010. [paper]
• An Empirical Security Study of the Native Code in the JDK. G. Tan and J. Croft. In USENIX Security 2008, San Jose, California, USA, July 2008. [paper | technical report | presentation]
• ILEA: Inter-Language Analysis across Java and C. G. Tan and G. Morrisett. In ACM SIGPLAN International conference on Object-Oriented Programming, Systems, Languages & Applications (OOPSLA '07), Montreal, Canada, Oct 2007. [paper | presentation]