Brief Bio I received my B.E. in
Computer Science from Tsinghua University, and my Ph.D. in Computer Science from
Princeton University. I am
a recipient of an NSF Career award.
I lead the Security of Software (SOS) lab at Penn State.
In general, I am interested in methodologies that
help create reliable and secure software systems:
In 2016, I am organizing the Security and Programming Language (SePL) seminars at Penn State.
- Software security
- Programming languages, software engineering
- (3/14/16) Keynote talk at MASS 2016 on "Protecting Dynamic Code by Modular Control-Flow Integrity"
- (12/5/15) Congratulations to Ben, who finished his Ph.D. with
"Practical Control-Flow Integrity".
- (7/22/15) Paper "Per-Input Control-Flow Integrity" accepted at CCS 2015.
- (6/1/15) We are glad to release the source code of MCFI and RockJIT and PiCFI .
Please see this GitHub page.
- (12/15/2014) The RockSalt repository has moved to GitHub. The latest version can be found at here.
- (11/16/14) Paper "Producing Hook Placements To Enforce Expected Access Control Policies" accepted at ESSOS 15.
- (8/20/14) NSF medium project "Retrofitting software for
defense-in-depth" funded; in collaboration with Penn State, Rutgers,
and U. of Vermont.
[Lehigh news release | local WFMZ news release]
- (7/23/14) Paper "RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity" accepted at CCS 2014.
- (5/15/14) Congratulations to Siliang, who finished his Ph.D. with
"Improving quality of software with foreign function interfaces
using static analysis".
- (5/7/14) Paper "NativeGuard: Protecting Android Applications from Third-Party Native Libraries"
accepted at WiSec 2014.
- (3/3/14) Paper "Finding Reference-Counting Errors in Python/C Programs with Affine Analysis" accepted at ECOOP 2014.
- (2/2/14) Paper "Modular Control Flow Integrity" accepted at PLDI 2014.
- (1/25/14) Invited talk at PiP 2014 [slides].
- (7/19/13) A paper about Monitor Integrity Protection (MIP) accepted by CCS 2013.
- (4/30/13) Strato paper accepted by Usenix Security 2013.
- (2/26/13) We are glad to release the source code of the second version of Robusta (now dubbed Arabica).
Please see this page.
- (1/23/13) DuPro paper accepted by AsiaCCS 2013.
- (9/1/12) The GoNative project received a Google Research Award.
- (8/20/12) The GoNative project has an openning for a full-time postdoc position. Details are in this page.
- (6/11/12) Arabica paper accepted by ESORICS 12.
- (1/31/12) RockSalt paper accepted by PLDI 2012.
- (1/17/12) We are glad to open source RockSalt 1.0, which includes a high-fidelity model of a subset of x86 in Coq. See this page.
- (1/1/12) I received the NSF Faculty Early Career Development (CAREER) award with the project "User-Space Protection Domains for Compositional Information Security".
- Older news...
- CSE 597, Special topics on theorem proving and static analysis, Fall 16
- CMPSC 443, Introduction to Computer and Network Security, Spring 16
- CSE 262, Programming Languages, Fall 15, Fall 14, Spring 14, Fall 13, Spring 13, Fall 12, Spring 12, Fall 11, Fall 10
- CSE 411, Advanced Programming Techniques, Fall 15, Fall 14, Fall 13
- CSE 334/434, Software System Security, Fall 12, Fall 10, Fall 08
- CSE 497, Advanced Programming Languages, Fall 11
- CSE 216, Software Engineering, Spring 10, Spring 09
- CSE 397/497, Programming Languages Design & Analysis Fall 09
- Bidirectional Grammars for Machine-Code Decoding and Encoding. G. Tan and G. Morrisett.
In 8th Working Conference on Verified Software: Theories, Tools, and Experiments (VSTTE), 2016.
- Analysis of Code Heterogeneity for High-Precision Classification of Repackaged Malware. K. Tian, D. Yao, B. Ryder, and G. Tan.
In Proceedings of Mobile Security Technologies (MoST), 2016.
- Per-Input Control-Flow Integrity. B. Niu and G. Tan. In
22nd ACM Conference on Computer and Communication Security
(CCS '15), Oct. 2015.
- Producing Hook Placements To Enforce Expected Access Control Policies.
D. Muthukumaran, N. Talele, T. Jaeger, and G. Tan. In
International Symposium on Engineering Secure Software and Systems (ESSOS '15), Mar. 2015.
- RockJIT: Securing Just-In-Time Compilation Using
Modular Control-Flow Integrity. B. Niu and G. Tan. In
21st ACM Conference on Computer and Communication Security
(CCS '14), Nov. 2014.
- NativeGuard: Protecting Android Applications from Third-Party Native Libraries.
M. Sun and G. Tan. Proceedings of the 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '14), Oxford, United Kingdom, Jul 2014.
- Finding Reference-Counting Errors in Python/C Programs with Affine Analysis. S.
Li and G. Tan. Proceedings of the 27th European Conference on Object-Oriented Programming (ECOOP '14), Uppsala, Sweden, July 2014.
- Modular Control Flow Integrity. B. Niu and G. Tan. In ACM Conference on Programming Language Design and Implementation (PLDI '14), 2014.
- Exception Analysis in the Java Native Interface. S.
Li and G. Tan. Science of Computer Programming (SCP), 2014.
- Bringing Java's Wild Native World under Control.. M. Sun, G. Tan, J. Siefers, B. Zeng, and G. Morrisett. In ACM Transactions on Information and System Security (TISSEC). Nov. 2013.
- Monitor Integrity Protection with Space Efficiency and Separate Compilation. B. Niu and G. Tan. In 20th ACM Conference on Computer and Communication Security (CCS '13), Nov. 2013.
- Strato: A Retargetable Framework for Low-Level Inlined-Reference Monitors. B. Zeng, G. Tan, U. Erlingsson. In 22nd Usenix Security Symposium, Aug 2013.
- Efficient User-Space Information Flow Control. B. Niu and G. Tan. In the
8th ACM Symposium on Information, Computer and Communications Security (ASIACCS), May 2013.
- JNI Light: An Operational Model for the Core JNI. G. Tan. To appear
in Mathematical Structures in Computer Science. Accepted. 2012.
- JATO: Native Code Atomicity for Java. S. Li, Y. Liu and G. Tan. In the 10th Asian Symposium on Programming Languages and Systems (APLAS), Dec 2012.
- Enforcing User-Space Privilege Separation with Declarative Architectures. B. Niu and G. Tan. In The Seventh ACM Workshop on Scalable Trusted Computing (STC), 2012.
- JVM-Portable Sandboxing of Java's Native Libraries. M. Sun and G. Tan. In the 17th European Symposium on Research in Computer Security (ESORICS), Sept. 2012.
- RockSalt: Better, Faster, Stronger SFI for the x86. G. Morrisett, G. Tan, J. Tassarotti, J.B. Tristan, and E. Gan. In ACM Conference on Programming Language Design and Implementation (PLDI '12), Jun. 2012.
- Combining Control-Flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing. B. Zeng and G. Tan and G. Morrisett. In 18th ACM Conference on Computer and Communication Security (CCS '11), Oct. 2011.
- JET: Exception checking in the Java Native Interface. S. Li and G. Tan. In ACM SIGPLAN International conference on Object-Oriented Programming, Systems, Languages & Applications (OOPSLA '11), Oct 2011.
- Robusta: Taming the Native Beast of the JVM. J. Siefers, G. Tan, and G. Morrisett. In the 17th ACM Conference on Computer and Communication Security (CCS '10), Oct. 2010.
- Finding bugs in exceptional situations of JNI programs. S. Li and G. Tan. In the 16th ACM Conference on Computer and Communication Security (CCS '09), Nov. 2009.
- Semantic Foundations for Typed Assembly Languages.
A. Ahmed, A. W. Appel, C. D. Richards, G. Tan, and D. C. Wang.
ACM Transactions on Programming Languages and Systems (TOPLAS), March 2010.
- The New Jersey Voting-machine Lawsuit and the AVC Advantage DRE Voting Machine.
A. W. Appel, M. Ginsburg, H. Hursti, B. W. Kernighan, C. D. Richards, G. Tan, and P. Venetis.
In 2009 Electronic Voting Workshop/Workshop on Trustworthy Elections (EVT/WOTE '09), Aug. 2009.
| full report
- An Empirical Security Study of the Native Code in the JDK.
G. Tan and J. Croft. In USENIX Security 2008,
San Jose, California, USA, July 2008.
| technical report
- ILEA: Inter-Language Analysis across Java and C.
G. Tan and G. Morrisett.
In ACM SIGPLAN International conference on Object-Oriented Programming, Systems, Languages & Applications (OOPSLA '07), Montreal, Canada, Oct 2007.