Research Overview

Work

Yuchen presenting a poster (with Longze Chen) at Oakland 13'

My name is Yuchen Zhou, and I currently work at Palo Alto Networks as a security researcher. I earned my Doctoral degree at University of Virginia, under advisor Prof. David Evans, with dissertation titled: Improving Security and Privacy of Integrated Web Applications.

Most of my Ph.D work are focused on improving the security and privacy of web application/third-party service. My internship mentor at Microsoft Research is Dr. Shuo Chen. I have so far published five first-author papers, four of which in top-tier conferences such as IEEE S&P (Oakland) and USENIX. For more details, please click on individual projects on the left side, or browse down the page for a brief introduction on each project.

Understanding and Monitoring Embedded Web Scripts

Overview

ScriptInspector workflow overview

The ScriptInspector project helps web developers understand and monitor the behavior of embedded third-party JavaScripts on their websites.

Our paper is to appear at Oakland (IEEE S&P) 2015', and more information can be found here.

SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

Systemstructure

SSOScan workflow overview

SSOScan is an automated scanner of web applications for Single Sign-On vulnerabilities. Our paper is published at the 23rd USENIX Security Symoposium (2014), and more details can be found here.

Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization

Generalapproach

Explication process overview

The goal of Explicating SDKs project is to systematically uncover implicit assumptions that are important to applications' security properties, this work is published at the 22nd USENIX Security Symposium (2013). I did this project while I interned at Microsoft Research, and I had the great honor to work with two excellent researchers Shuo Chen (my mentor) and Rui Wang (my co-first author). For more information, please click here.

DOMinator: Protecting Private Web Content from Embedded Scripts

Dom

DOMinator workflow overview

The goal of DOMinator is to build a browser that can enforce fine-grained access control policies for third-party JavaScripts. This work is published at ESORICS 11'.

Find more about this project here.

Why Aren't HTTP-only Cookies More Widely Deployed?

Http only

HTTP-only Cookies deployment chronology

This short paper is presented at W2SP 10' (co-hosted with Oakland 10'), and I looked at the history and current status of how well HTTP-only cookies are deployed, and give some suggestions about how future security works can improve themselves to achieve a higher deploy rate.

Find more about this project here.

[Poster] RedactDOM: Preventing Sensitive Data Leaking through Embedded Scripts

Redactdom

RedactDOM workflow

The goal of RedactDOM project is to prevent sensitive data leaking through embedded scripts, and we (with Longze Chen) presented the poster in IEEE S&P (Oakland) 13'.

Find more about this project here.

[Poster] Unifying Data Policies Across the Client and Server

Unifying policies

Poster Snapshot

Jonathan Burket and I presented this poster at USENIX 11'; the idea is to generate annotated privacy policies automatically from server-side using GuardRails, and enforce the access control policies at client side using the DOMinator.

Find more about this project here.