Gang Tan, Department of Computer Science and Engineering- Penn State University

Gang Tan (\gäng tan\) [Vita pdf][ Vita html][Contact]

Associate Professor
James F. Will Career Development Professorship
Dept. of Computer Science & Engineering
School of Electrical Engineering & Computer Science
Penn State University, University Park

Affiliated with Institute for Networking and Security Research (video about INSR)
and Institute for CyberScience

Brief Bio I received my B.E. in Computer Science from Tsinghua University, and my Ph.D. in Computer Science from Princeton University. I am a recipient of an NSF Career award.

Research Interests

I lead the Security of Software (SOS) lab at Penn State. In general, I am interested in methodologies that help create reliable and secure software systems:

Software security
Programming languages, software engineering

In 2016, I am organizing the Security and Programming Language (SePL) seminars at Penn State.

Research Projects

News

(10/25/16) Congratulations to Ben, whose dissertation won ACM SIGSAC Dissertation Award Runner-Up.
(3/14/16) Keynote talk at MASS 2016 on "Protecting Dynamic Code by Modular Control-Flow Integrity" [slides].
(12/5/15) Congratulations to Ben, who finished his Ph.D. with thesis "Practical Control-Flow Integrity".
(7/22/15) Paper "Per-Input Control-Flow Integrity" accepted at CCS 2015.
(6/1/15) We are glad to release the source code of MCFI and RockJIT and PiCFI . Please see this GitHub page.
(12/15/2014) The RockSalt repository has moved to GitHub. The latest version can be found at here.
(11/16/14) Paper "Producing Hook Placements To Enforce Expected Access Control Policies" accepted at ESSOS 15.
(8/20/14) NSF medium project "Retrofitting software for defense-in-depth" funded; in collaboration with Penn State, Rutgers, and U. of Vermont. [Lehigh news release | local WFMZ news release]
(7/23/14) Paper "RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity" accepted at CCS 2014.
(5/15/14) Congratulations to Siliang, who finished his Ph.D. with thesis "Improving quality of software with foreign function interfaces using static analysis".
(5/7/14) Paper "NativeGuard: Protecting Android Applications from Third-Party Native Libraries" accepted at WiSec 2014.
(3/3/14) Paper "Finding Reference-Counting Errors in Python/C Programs with Affine Analysis" accepted at ECOOP 2014.
(2/2/14) Paper "Modular Control Flow Integrity" accepted at PLDI 2014.
(1/25/14) Invited talk at PiP 2014 [slides].
(7/19/13) A paper about Monitor Integrity Protection (MIP) accepted by CCS 2013.
(4/30/13) Strato paper accepted by Usenix Security 2013.
(2/26/13) We are glad to release the source code of the second version of Robusta (now dubbed Arabica). Please see this page.
(1/23/13) DuPro paper accepted by AsiaCCS 2013.
(9/1/12) The GoNative project received a Google Research Award.
(8/20/12) The GoNative project has an openning for a full-time postdoc position. Details are in this page.
(6/11/12) Arabica paper accepted by ESORICS 12.
(1/31/12) RockSalt paper accepted by PLDI 2012.
(1/17/12) We are glad to open source RockSalt 1.0, which includes a high-fidelity model of a subset of x86 in Coq. See this page.
(1/1/12) I received the NSF Faculty Early Career Development (CAREER) award with the project "User-Space Protection Domains for Compositional Information Security".
Older news...

Events involved

Program committee members: Oakland 2017; CCS 2016; Oakland 2016; ACNS 2016; LangSec 2016; SECURWARE 2016; CCS 2015; APLAS 2015; ASIACCS 2015; CloudCom 2015; SECURWARE 2015; MCS 2015; CCS 2014; ASIACCS 2014; NDSS 2014; SECURWARE 2014; OOPSLA 2013; APLAS 2013; CPP 2013; SPIot 2012; Open 64; WWW 2011 (abuse, security and privacy track); SPIoT 2011; CHINACOM 2010, CHINACOM 2009 (network and information security symposium);
CPSS 2012: joint summer schools on cryptography and principles of software security

Teaching

CMPSC 461, Programming Language Concepts, Spring 17
CSE 597, Special topics on theorem proving and static analysis, Fall 16
CMPSC 443, Introduction to Computer and Network Security, Spring 16
CSE 262, Programming Languages, Fall 15, Fall 14, Spring 14, Fall 13, Spring 13, Fall 12, Spring 12, Fall 11, Fall 10
CSE 411, Advanced Programming Techniques, Fall 15, Fall 14, Fall 13
CSE 334/434, Software System Security, Fall 12, Fall 10, Fall 08
CSE 497, Advanced Programming Languages, Fall 11
CSE 216, Software Engineering, Spring 10, Spring 09
CSE 397/497, Programming Languages Design & Analysis Fall 09

Recent Publications (a more complete list)

Bidirectional Grammars for Machine-Code Decoding and Encoding. G. Tan and G. Morrisett. In 8th Working Conference on Verified Software: Theories, Tools, and Experiments (VSTTE), 2016. [paper]
Languages Must Expose Memory Heterogeneity. X. Guo, A.Shrivastava, M. Spear, and G. Tan. In the Second International Symposium on Memory Systems (MemSys), 2016. [paper]
Analysis of Code Heterogeneity for High-Precision Classification of Repackaged Malware. K. Tian, D. Yao, B. Ryder, and G. Tan. In Proceedings of Mobile Security Technologies (MoST), 2016. [paper]
Per-Input Control-Flow Integrity. B. Niu and G. Tan. In 22nd ACM Conference on Computer and Communication Security (CCS '15), Oct. 2015. [paper]
Producing Hook Placements To Enforce Expected Access Control Policies. D. Muthukumaran, N. Talele, T. Jaeger, and G. Tan. In International Symposium on Engineering Secure Software and Systems (ESSOS '15), Mar. 2015. [paper]
RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity. B. Niu and G. Tan. In 21st ACM Conference on Computer and Communication Security (CCS '14), Nov. 2014. [paper]
NativeGuard: Protecting Android Applications from Third-Party Native Libraries. M. Sun and G. Tan. Proceedings of the 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '14), Oxford, United Kingdom, Jul 2014. [paper]
Finding Reference-Counting Errors in Python/C Programs with Affine Analysis. S. Li and G. Tan. Proceedings of the 27th European Conference on Object-Oriented Programming (ECOOP '14), Uppsala, Sweden, July 2014. [paper]
Modular Control Flow Integrity. B. Niu and G. Tan. In ACM Conference on Programming Language Design and Implementation (PLDI '14), 2014. [paper]
Exception Analysis in the Java Native Interface. S. Li and G. Tan. Science of Computer Programming (SCP), 2014. [paper]
Bringing Java's Wild Native World under Control.. M. Sun, G. Tan, J. Siefers, B. Zeng, and G. Morrisett. In ACM Transactions on Information and System Security (TISSEC). Nov. 2013. [paper]
Monitor Integrity Protection with Space Efficiency and Separate Compilation. B. Niu and G. Tan. In 20th ACM Conference on Computer and Communication Security (CCS '13), Nov. 2013. [paper]
Strato: A Retargetable Framework for Low-Level Inlined-Reference Monitors. B. Zeng, G. Tan, U. Erlingsson. In 22nd Usenix Security Symposium, Aug 2013. [paper]
Efficient User-Space Information Flow Control. B. Niu and G. Tan. In the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS), May 2013. [paper]
JNI Light: An Operational Model for the Core JNI. G. Tan. To appear in Mathematical Structures in Computer Science. Accepted. 2012. [paper]
JATO: Native Code Atomicity for Java. S. Li, Y. Liu and G. Tan. In the 10th Asian Symposium on Programming Languages and Systems (APLAS), Dec 2012. [paper]
Enforcing User-Space Privilege Separation with Declarative Architectures. B. Niu and G. Tan. In The Seventh ACM Workshop on Scalable Trusted Computing (STC), 2012. [paper]
JVM-Portable Sandboxing of Java's Native Libraries. M. Sun and G. Tan. In the 17th European Symposium on Research in Computer Security (ESORICS), Sept. 2012. [paper]
RockSalt: Better, Faster, Stronger SFI for the x86. G. Morrisett, G. Tan, J. Tassarotti, J.B. Tristan, and E. Gan. In ACM Conference on Programming Language Design and Implementation (PLDI '12), Jun. 2012. [paper]
Combining Control-Flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing. B. Zeng and G. Tan and G. Morrisett. In 18th ACM Conference on Computer and Communication Security (CCS '11), Oct. 2011. [paper]
JET: Exception checking in the Java Native Interface. S. Li and G. Tan. In ACM SIGPLAN International conference on Object-Oriented Programming, Systems, Languages & Applications (OOPSLA '11), Oct 2011. [paper]
Robusta: Taming the Native Beast of the JVM. J. Siefers, G. Tan, and G. Morrisett. In the 17th ACM Conference on Computer and Communication Security (CCS '10), Oct. 2010. [paper | presentation ]
Finding bugs in exceptional situations of JNI programs. S. Li and G. Tan. In the 16th ACM Conference on Computer and Communication Security (CCS '09), Nov. 2009. [paper]
Semantic Foundations for Typed Assembly Languages. A. Ahmed, A. W. Appel, C. D. Richards, G. Tan, and D. C. Wang. ACM Transactions on Programming Languages and Systems (TOPLAS), March 2010. [paper]
The New Jersey Voting-machine Lawsuit and the AVC Advantage DRE Voting Machine. A. W. Appel, M. Ginsburg, H. Hursti, B. W. Kernighan, C. D. Richards, G. Tan, and P. Venetis. In 2009 Electronic Voting Workshop/Workshop on Trustworthy Elections (EVT/WOTE '09), Aug. 2009. [paper | full report | slashdot | video | presentation]
An Empirical Security Study of the Native Code in the JDK. G. Tan and J. Croft. In USENIX Security 2008, San Jose, California, USA, July 2008. [paper | technical report | presentation]
ILEA: Inter-Language Analysis across Java and C. G. Tan and G. Morrisett. In ACM SIGPLAN International conference on Object-Oriented Programming, Systems, Languages & Applications (OOPSLA '07), Montreal, Canada, Oct 2007. [paper | presentation]

Links