About Me
I am a tenure-track assistant professor in the Department of Computer Science at George Mason University (GMU). Before joining GMU, I spent one year as a postdoc researcher at Georgia Tech, working with Prof. Taesoo Kim. I graduated from The Ohio State University (OSU) with a Ph.D. in Computer Science and Engineering, advised by Prof. Yinqian Zhang. Before coming to OSU, I graduated from Shanghai Jiao Tong University (SJTU) with a Bachelor's degree in Computer Science in 2015.
I am interested in security problems in emerging systems and technologies, with a recent focus on eXtended Reality (XR) and Decentralized Finance (DeFi/Web3). I am also working on projects related to side channels, confidential computing, and mobile security. My work has received an ACM CCS Distinguished Paper Award, an ACM SIGSOFT Distinguished Paper Award and a Springer Cybersecurity Award (Best Practical Research Paper). My papers were selected as the top 10 finalists of NYU Cyber Security Awareness Week (CSAW) best applied security paper in 2016, 2018 and 2022, respectively. I received Ethereum Foundation Academic Grants in 2023 and 2024, and the NortonLifeLock Research Group Graduate Fellowship in 2020.
I am looking for motivated students to work on cutting-edge security problems with me. If you are interested in working with me at GMU as my Ph.D. student, please read this [advice] and this [note] (Chinese version here). If you are already enrolled in the GMU-CS program (undergrad or MS) and want to do research in my lab, please feel free to reach out as well.
Why GMU?
As of October 2024: GMU is 32 (Security: 22) in CSRankings (Top in Virginia)
News
- (10/2024)[Award] Our CCS'24 paper on security problems of web3 authentication has received the ACM CCS Distinguished Paper Award!!! Huge congrats to my student Kailun!
- (10/2024)[Activity] I attended ACM CCS 2024 and served as a session chair. Glad to meet new and old friends at Salt Lake City!
- (09/2024)[Award] Our CCS'23 paper on using electromagnetic signals to recover fingerprints from in-display fingerprint sensors on smartphones has received the Springer Cybersecurity Award (Best Practical Research Paper)!
- (09/2024)[Award] I received an Ecosystem Support Program (ESP) grant from the Ethereum Foundation! Thank you for supporting our web3 security research!
- (09/2024)[Paper] Our paper on enabling secure I/O via isolation on ARM CCA has been accepted to appear in Oakland 2025!
- (08/2024)[Paper] Our paper on feasibility of reorganization attacks on Ethereum private transactions has been accepted to appear in ACSAC 2024!
- (08/2024)[Activity] I am invited to give a talk on XR privacy issues in the NIST Extended Reality (XR) Community of Interest (COI) monthly meeting!
- (07/2024)[Award] I received an Academic Grant from the Ethereum Foundation! Thank you for supporting our web3 security research!
- (07/2024)[Service] I am invited to serve on the program committee of AsiaCCS 2025.
- (07/2024)[Service] I am invited to serve on the program committee of USENIX Security 2025.
- (07/2024)[Paper] Our paper on privacy policies of VR apps has been conditionally accepted to appear in ACM CCS 2024!
- (06/2024)[Paper] Our cross-chain bridge security paper has been accepted to appear in RAID 2024!
- (06/2024)[Activity] I am hosting five high-school students this summer for STEM and cybersecurity education. Welcome to my group!
- (05/2024)[Award] I received a 4-VA Collaborative Research Grant (with Dr. Wenjie Xiong @VT)! Thank you for supporting our VR security research!
- (04/2024)[Service] I am invited to serve on the best paper selection committee of AsiaCCS 2024.
- (04/2024)[Service] I am invited to serve on the program committee of NDSS 2025.
- (04/2024)[Paper] Two papers (one on web3 authentication, one on Android ad fraud) have been conditionally accepted to appear in ACM CCS 2024!
- (03/2024)[Service] I am invited to serve on the program committee of IEEE Global Blockchain Conference (GBC) 2024.
- (03/2024)[Paper] One paper on SGX state continuity has been accepted by IEEE Transactions on Dependable and Secure Computing (TDSC)!
- (03/2024)[Activity] I participated in the first DMV security workshop.
- (02/2024)[Award] Our ICSE'24 paper on Android clipboard security has received the ACM SIGSOFT Distinguished Paper Award!!!
- (02/2024)[Service] I am invited to serve as the Web Chair of Information Security Conference (ISC) 2024. It will be held in the DC area. Consider submitting your best work!
- (02/2024)[Activity] I participated in the Hackfax Hackathon (organized by the GMU CS Club) as a judge.
- (02/2024)[Service] I am invited to serve on the program committee of ACSAC 2024.
- (01/2024)[Activity] I participated in the Thomas Jefferson High School for Science and Technology (TJHSST) Science and Engineering Fair as a judge.
- (01/2024)[Paper] One paper on VR privacy issues has been accepted to appear in USENIX Security 2024!
- (12/2023)[Award] I received a grant from the Commonwealth Cyber Initiative (CCI) (with Dr. Ziyu Yao)! Thank you for supporting our research!
- (12/2023)[Service] I am invited to serve on the program committee of ACM CCS 2024.
- (11/2023)[Paper] One paper on SGX side-channel defenses has been accepted to appear in NDSS 2024! Congrats to Fan!
- (09/2023)[Paper] One paper on EM side-channel attacks has been accepted to appear in ACM CCS 2023! Congrats to Tao!
- (08/2023)[Paper] One paper on Confidential Virtual Machines has been accepted to appear in ASPLOS 2023! Congrats to Adil!
- (08/2023)[Paper] One paper on Android clipboard security has been accepted to appear in ICSE 2024! Congrats to Yongliang!
- (08/2023)[Award] I received a seed grant from the CAHMP center at GMU! Thank you for supporting my XR security research!
- (08/2023)[Service] I am invited to serve on the program committee of the 2023 ACM Cloud Computing Security Workshop (CCSW).
- (06/2023)[Paper] One paper has been conditionally accepted to appear in ACM Mobicom 2023! Congrats to Tao!
- (05/2023)[Service] I am invited to serve on the program committee of USENIX Security 2024.
- (05/2023)[Award] I received two Academic Grants from the Ethereum Foundation! Thank you for supporting our smart contract research!
- (05/2023)[Service] I am invited to serve on the program committee of the 2024 ASIA Conference on Computer and Communications Security (AsiaCCS).
- (05/2023)[Activity] I attended the 2023 NSF SaTC Aspiring PI Workshop; glad to meet old and new friends there!
- (03/2023)[Paper] One paper has been accepted by IEEE Transactions on Dependable and Secure Computing (TDSC)!
- (02/2023)[Service] I am invited to serve on the program committee of the 2023 IEEE International Conference on Cloud Computing Technology and Science (CloudCom).
- (01/2023)[Service] I am invited to serve on the program committee of the 2023 EAI International Conference on Security and Privacy in Communication Networks (SecureComm).
- (12/2022)[Paper] Our paper, "Uncovering User Interactions on Smartphones via Contactless Wireless Charging Side Channels", has been accepted to appear in IEEE Security & Privacy (Oakland) 2023! Congrats to Tao from City University of Hong Kong, and my collaborators!
- (10/2022)[Paper] Our paper, "POLICYCOMP: Counterpart Comparison of Privacy Policies Uncovers Overbroad Personal Data Collection Practices", has been accepted to appear in USENIX Security 2023! Congrats to Lu from SJTU, and my collaborators!
- (08/2022)[Paper] Our paper, "Narrator: Secure and Practical State Continuity for Trusted Execution in the Cloud", has been accepted to appear in ACM CCS 2022! Congrats to Jianyu from SusTech, and my collaborators!
- (08/2022)[Activity] I officially joined George Mason as an Assistant Professor.
- (07/2022)[Service] I am invited to serve on the program committee of the 2023 International Conference on Applied Cryptography and Network Security (ACNS).
- (06/2022)[Service] I am invited to serve on the program committee of the 2022 ACM Cloud Computing Security Workshop (CCSW).
- (04/2022)[Paper] Our paper, "PRIDWEN: Universally Hardening SGX Programs via Load-Time Synthesis", has been accepted to appear in USENIX ATC 2022! Congrats to Fan from Gatech, and my collaborators!
- (12/2021)[Service] I am invited to serve on the program committee of the 18th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2022).
- (11/2021)[Service] I am invited to serve on the program committee of the 15th International Conference on Knowledge Science, Engineering and Management (KSEM 2022).
- (11/2021)[Paper] Our paper, "Defeating Traffic Analysis via Differential Privacy: A Case Study on Streaming Traffic", has been accepted by International Journal of Information Security (IJIS)! A big THANK YOU to my advisor Yinqian, and my collaborators Jihun and Mike for their continuous support on this paper!
- (08/2021)[Activity] I have successfully defended my Ph.D. and graduated from OSU. I will first join the group of Prof. Taesoo Kim at Gatech as a Postdoc, then join George Mason University as an assistant professor in Aug. 2022.
- (07/2021)[Service] I am invited to be a Qualification Round program committee member for NYU’s CSAW’21 Cyber Security Applied Research Paper Competition.
- (05/2021)[Service] I am invited to serve on the program committee of the 2021 ACM Cloud Computing Security Workshop (CCSW).
- (05/2021)[Paper] Our paper, "Understanding and Detecting Mobile Ad Fraud Through the Lens of Invalid Traffic", has been accepted to appear in ACM CCS 2021! Congrats to Suibin/Le from SJTU, and my collaborators!
- (04/2021)[Paper] Our paper, "Dissecting Click Fraud Autonomy in the Wild", has been accepted to appear in ACM CCS 2021! Congrats to Tong/Yan from SJTU, and my collaborators!
- (09/2020)[Service] I am invited to be a Qualification Round program committee member for NYU’s CSAW’20 Cyber Security Applied Research Paper Competition.
- (07/2020)[Paper] Our paper, "SurfaceFleet: Exploring Distributed Interactions Unbounded from Device, Application, User, and Time", has been accepted to appear in ACM UIST 2020! Congrats to my colleagues in the EPIC group at MSR!
- (06/2020)[Paper] Our paper, "TXSPECTOR: Uncovering Attacks in Ethereum from Transactions", has been accepted to appear in USENIX Security 2020!
- (05/2020)[Service] I am invited to serve on the program committee of the 2020 ACM Cloud Computing Security Workshop (CCSW).
- (04/2020)[Award] I am honored to receive the Graduate Research Award from our CSE department!
- (03/2020)[Award] I am thrilled to be one of three students worldwide to receive the NortonLifeLock Research Group Graduate Fellowship!
- (03/2020)[Service] I am invited to serve on the program committee of the 2020 IEEE International Conference on Cloud Computing Technology and Science (CloudCom).
Awards & Honors
- ACM CCS Distinguished Paper Award 2024
- Springer Cybersecurity Award (Best Practical Research Paper) 2024
- ACM SIGSOFT Distinguished Paper Award 2024
- Ethereum Foundation Academic Grant 2023(x2), 2024
- Top 10 Finalists of NYU CSAW Applied Security Research Competition 2016, 2018, 2022
- NortonLifeLock Research Group (Symantec Research Labs) Graduate Fellowship (three awardees worldwide) 2020
- Graduate Research Award, CSE Department, Ohio State University 2020
- Nomination for Google Ph.D. Fellowship, CSE Department, Ohio State University 2019
- Outstanding Graduate, Shanghai Jiao Tong University 2015
- Academic Excellence Scholarship of Shanghai Jiao Tong University 2014
- Outstanding Student Cadre of Shanghai Jiao Tong University 2013
- Academic Excellence Scholarship of Shanghai Jiao Tong University 2012
- National Olympiad in Informatics in Provinces (NOIP), First Prize in Fujian Province 2010
Publications
2025-
Portal: Fast and Secure Device Access with Arm CCA for Modern Arm Mobile System-on-Chips (SoCs)
Fan Sang, Jaehyuk Lee, Xiaokuan Zhang, Taesoo Kim
S&P(Oakland)'25 (Acceptance rate: 106/739=14.3% (cycle 1))
- Breaking the Privacy Barrier: On the Feasibility of Reorganization Attacks on Ethereum Private Transactions
Mengya Zhang, Xingyu Lyu, Jianyu Niu, Xiaokuan Zhang, Yinqian Zhang, Zhiqiang Lin
ACSAC'24 (Acceptance rate: 83/421=19.7%)
- VPVet: Vetting Privacy Policies of Virtual Reality Apps
[pdf]
Yuxia Zhan, Yan Meng, Lu Zhou, Yichang Xiong, Xiaokuan Zhang, Lichuan Ma, Guoxing Chen, Qingqi Pei, Haojin Zhu
CCS'24 (Acceptance rate: 331/1964=16.9%)
- Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication
[pdf]
Kailun Yan, Xiaokuan Zhang, Wenrui Diao
CCS'24 (Acceptance rate: 331/1964=16.9%)
ACM CCS Distinguished Paper Award
- Unveiling Collusion-Based Ad Attribution Laundering Fraud: Detection, Analysis, and Security Implications
[pdf]
Tong Zhu, Chaofan Shou, Zhen Huang, Guoxing Chen, Xiaokuan Zhang, Yan Meng, Shuang Hao, Haojin Zhu
CCS'24 (Acceptance rate: 331/1964=16.9%)
- Security of Cross-chain Bridges: Attack Surfaces, Defenses, and Open Problems
[pdf]
Mengya Zhang, Xiaokuan Zhang, Yinqian Zhang, Zhiqiang Lin
RAID'24 (Acceptance rate: 43/172=24.4%)
- Penetration Vision through Virtual Reality Headsets: Identifying 360-degree Videos from Head Movements
[pdf]
Anh Nguyen, Xiaokuan Zhang, Zhisheng Yan
Security'24 (Acceptance rate: 417/2276=18.3%)
- Attention! Your Copied Data is Under Monitoring: A Systematic Study of Clipboard Usage in Android Apps
[pdf]
Yongliang Chen, Ruoqin Tang, Chaoshun Zuo, Xiaokuan Zhang, Lei Xue, Xiapu Luo, Qingchuan Zhao
ICSE'24 (Acceptance rate: 234/1051=22.3%)
ACM SIGSOFT Distinguished Paper Award
- SENSE: Enhancing Microarchitectural Awareness for TEEs via Subscription-Based Notification
[pdf]
Fan Sang, Jaehyuk Lee, Xiaokuan Zhang, Meng Xu, Scott Constable, Yuan Xiao, Michael Steiner, Mona Vij, Taesoo Kim
NDSS'24 (Acceptance rate: 104/694=15.0%)
- Ensuring State Continuity for Confidential Computing: A Blockchain-based Approach
[link]
Wei Peng, Xiang Li, Jianyu Niu, Xiaokuan Zhang, Yinqian Zhang
TDSC'24. (journal paper)
- Veil: A Protected Services Framework for Confidential Virtual Machines
[pdf]
Adil Ahmad, Botong Ou, Congyu Liu, Xiaokuan Zhang, Pedro Fonseca
ASPLOS'23 (Acceptance rate: 151/600=25.1%)
- Recovering Fingerprints from In-Display Fingerprint Sensors via Electromagnetic Side Channel
[pdf]
Tao Ni, Xiaokuan Zhang, Qingchuan Zhao
CCS'23 (Acceptance rate: 235/1222=19.2%)
Springer Cybersecurity Award (Best Practical Research Paper)
- Exploiting Contactless Side Channels in Wireless Charging Power Banks for User Privacy Inference via Few-shot Learning
[pdf]
Tao Ni, Jianfeng Li, Xiaokuan Zhang, Chaoshun Zuo, Wubing Wang, Weitao Xu, Xiapu Luo, Qingchuan Zhao
Mobicom'23 (Acceptance rate: 92/377=24.4%)
- POLICYCOMP: Counterpart Comparison of Privacy Policies Uncovers Overbroad Personal Data Collection Practices
[pdf]
Lu Zhou, Chengyongxiao Wei, Tong Zhu, Guoxing Chen, Xiaokuan Zhang, Suguo Du, Hui Cao, Haojin Zhu
Security'23 (Acceptance rate: 422/1444=29.2%)
- Uncovering User Interactions on Smartphones via Contactless Wireless Charging Side Channels
[pdf]
Tao Ni, Xiaokuan Zhang, Chaoshun Zuo, Jianfeng Li, Zhenyu Yan, Wubing Wang, Weitao Xu, Xiapu Luo, Qingchuan Zhao
S&P(Oakland)'23 (Acceptance rate: 195/1147=17.0%)
- VERITRAIN: Validating MLaaS Training Efforts via Anomaly Detection
[link]
Xiaokuan Zhang, Yang Zhang, Yinqian Zhang
TDSC'23. (journal paper)
- An Empirical Study on Ethereum Private Transactions and the Security Implications
[pdf]
Xingyu Lyu, Mengya Zhang, Xiaokuan Zhang, Jianyu Niu, Yinqian Zhang, Zhiqiang Lin
arXiv preprint arXiv:2208.02858
- Narrator: Secure and Practical State Continuity for Trusted Execution in the Cloud
[pdf]
Jianyu Niu, Wei Peng, Xiaokuan Zhang, Yinqian Zhang
CCS'22, Los Angeles, CA, USA, Nov. 2022. (Acceptance rate: 218/971=22.5%)
- PRIDWEN: Universally Hardening SGX Programs via Load-Time Synthesis
[pdf]
Fan Sang, Ming-Wei Shih, Sangho Lee, Xiaokuan Zhang, Michael Steiner, Mona Vij, Taesoo Kim
ATC'22, Carlsbad, CA, USA, July 2022. (Acceptance rate: 64/393=16.3%)
- Defeating Traffic Analysis via Differential Privacy: A Case Study on Streaming Traffic [link]
Xiaokuan Zhang, Jihun Hamm, Michael K. Reiter, Yinqian Zhang
IJIS'22. (journal paper)
- SoK: On the Analysis of Web Browser Security
[pdf]
Jungwon Lim, Yonghwi Jin, Mansour Alharthi, Xiaokuan Zhang, Jinho Jung, Rajat Gupta, Kuilin Li, Daehee Jang, Taesoo Kim
arXiv preprint arXiv:2112.15561
- Understanding and Detecting Mobile Ad Fraud Through the Lens of Invalid Traffic
[pdf]
Suibin Sun, Le Yu, Xiaokuan Zhang, Minhui Xue, Ren Zhou, Haojin Zhu, Shuang Hao, Xiaodong Lin
CCS'21, Virtual Event, Nov. 2021. (Acceptance rate: 196/879=22.3%)
Top 10 Finalists of NYU CSAW'22 Applied Research Competition
- Dissecting Click Fraud Autonomy in the Wild
[pdf]
Tong Zhu, Yan Meng, Haotian Hu, Xiaokuan Zhang, Minhui Xue, Haojin Zhu
CCS'21, Virtual Event, Nov. 2021. (Acceptance rate: 196/879=22.3%)
- SurfaceFleet: Exploring Distributed Interactions Unbounded from Device, Application, User, and Time [pdf]
[link]
Frederik Brudy, David Ledo, Michel Pahud, Nathalie Henry Riche, Christian Holz, Anand Waghmare, Hemant Surale, Marcus Peinado, Xiaokuan Zhang, Shannon Joyner, Badrish Chandramouli, Umar Farooq Minhas, Jonathan Goldstein, Bill Buxton, Ken Hinckley
UIST'20, Virtual Event, Oct. 2020. (Acceptance rate: 97/450=21.5%)
- TXSPECTOR: Uncovering Attacks in Ethereum from Transactions [pdf]
Mengya Zhang*, Xiaokuan Zhang*, Yinqian Zhang, Zhiqiang Lin (*equal contribution)
Security'20, Virtual Event, Aug. 2020. (Acceptance rate: 157/977=16.1%)
- Statistical Privacy for Streaming Traffic [pdf]
[slides]
Xiaokuan Zhang, Jihun Hamm, Michael K. Reiter, Yinqian Zhang
NDSS'19, San Diego, CA, USA, Feb. 2019. (Acceptance rate: 89/521=17.1%)
- A Measurement Study of Authentication Rate-Limiting Mechanisms of Modern Websites [pdf]
[slides]
Bo Lu*, Xiaokuan Zhang*, Ziman Ling, Yinqian Zhang, Zhiqiang Lin (*equal contribution)
ACSAC'18, San Juan, Puerto Rico, USA, Dec. 2018. (Acceptance rate: 60/299=20.1%)
- HoMonit: Monitoring Smart Home Apps from Encrypted Traffic [pdf]
Wei Zhang, Yan Meng, Yugeng Liu, Xiaokuan Zhang, Yinqian Zhang, Haojin Zhu
CCS'18, Toronto, Canada, Oct. 2018. (Acceptance rate: 134/809=16.6%)
- OS-level Side Channels without Procfs: Exploring Cross-App Information Leakage on iOS [pdf]
[slides]
Xiaokuan Zhang, Xueqiang Wang, Xiaolong Bai, Yinqian Zhang, XiaoFeng Wang
NDSS'18, San Diego, CA, USA, Feb. 2018. (Acceptance rate: 71/331=21.5%)
The issues identified in the paper have been acknowledged by Apple in CVE-2017-13852, CVE-2017-13873, CVE-2017-13877.
Our proposed solutions have been integrated in recent versions of iOS/MacOS/watchOS/tvOS.
Top 10 Finalists of NYU CSAW'18 Applied Research Competition
- Detecting Privileged Side-Channel Attacks in Shielded Execution with DEJA VU [pdf]
Sanchuan Chen, Xiaokuan Zhang, Michael K. Reiter, Yinqian Zhang
AsiaCCS'17, Abu Dhabi, UAE, Apr. 2017. (Acceptance rate: 73/359=20.3%)
- Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices [pdf]
[slides]
Xiaokuan Zhang, Yuan Xiao, Yinqian Zhang
CCS'16, Vienna, Austria, Oct. 2016. (Acceptance rate: 137/831=16.5%)
- One Bit Flips, One Cloud Flops: Cross-VM Row Hammer Attacks and Privilege Escalation [pdf]
[slides]
Yuan Xiao, Xiaokuan Zhang, Yinqian Zhang, Mircea-Radu Teodorescu
Security'16, Austin, TX, USA, Aug. 2016. (Acceptance rate: 72/463=15.6%)
Top 10 Finalists of NYU CSAW'16 Applied Research Competition
Professional Services
Organizing Committee
- Web Chair, Information Security Conference (ISC) 2024
Program Committee
- ISOC Network and Distributed System Security Symposium (NDSS) 2025
- Annual Computer Security Applications Conference (ACSAC) 2024
- ACM Conference on Computer and Communications Security (CCS) 2024
- USENIX Security Symposium (Security) 2024, 2025
- ACM Asia Conference on Computer and Communications Security (AsiaCCS) 2024, 2025
- IEEE Global Blockchain Conference (GBC) 2024
- International Conference on Mobile Ad-Hoc and Smart Systems (MASS) 2024
- International Conference on Applied Cryptography and Network Security (ACNS) 2023
- EAI International Conference on Security and Privacy in Communication Networks (SecureComm) 2022, 2023
- International Conference on Knowledge Science, Engineering and Management (KSEM) 2022
- ACM Cloud Computing Security Workshop (CCSW) 2020 - 2023
- NYU CSAW Cyber Security Applied Research Paper Competition 2020, 2021
- IEEE International Conference on Cloud Computing Technology and Science (CloudCom) 2020, 2023
Reviewer
- IEEE Transactions on Dependable and Secure Computing (TDSC) 2019, 2022 - 2024
- IEEE Transactions on Mobile Computing (TMC) 2021, 2022
External Reviewer
- IEEE Symposium on Security and Privacy (Oakland) 2016 - 2018, 2020, 2022
- ACM Conference on Computer and Communications Security (CCS) 2016 - 2020
- USENIX Security Symposium (Security) 2017, 2022
- ISOC Network and Distributed System Security Symposium (NDSS) 2018, 2020
- ACM Asia Conference on Computer and Communications Security (AsiaCCS) 2018, 2020
Teaching Experience
- (GMU) Instructor for CS 499: Foundations and Advances of Cybersecurity Fall 2024
- (GMU) Instructor for CS 692: Linux Kernel Internals Spring 2024
- (GMU) Instructor for CS 795: Security Issues in Emerging Computer Systems Fall 2023
- (GMU) Instructor for CS 471: Operating Systems Fall 2022, Spring 2023
- (OSU) Graduate Teaching Assistant for CSE 3341: Principles of Programming Languages Spring 2016
- (OSU) Graduate Teaching Assistant for CSE 5461: Computer Networking and Internet Technologies Fall 2015