Pengfei Wang (王鹏飞) @NUDT

Assistant Professor of Department of Network and Cyber Security, National University of Defense Technology.

Researcher of Intelligent and Parallel Analysis of Software Security Key Lab (iPASS) of Hunan Province.

Member of Hunter Security Group.

Contact：

pfwang'at'nudt.edu.cn , wpengfeinudt'at'gmail.com
No.109 Deya Road, Kaifu District, Changsha, Hunan, 410073, P.R.China.

Research Interests:

System security
Program analysis
Concurrency bugs
Inter-domain bugs
Fuzzing

Research Experience:

2018.06 - now, Assistant professor of Department of Network and Cyber Security, National University of Defense Technology.
2014.02 - 2018.06, Ph.D. student at College of Computer, National University of Defense Technology, China, supervised by Prof. Kai Lu.
2015.10 - 2016.10, Visiting scholar at CREST, University College London, UK, supervised by Dr. Jens Krinke.

Research Service:

2014/2015, reviewer of MDPI Entropy (ISSN 1099-4300)
2018, reviewer of Software Quality Journal (ISSN 1573-1367)

Publications

[2020-03] Sabotaging the System Boundary: A Study of the Inter-boundary Vulnerability

Pengfei Wang*, Xu Zhou, Kai Lu
To appear in Journal of Information Security and Applications (ISSN:2214-2126). (CCF Rank: C)

[2020-03] EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit

Tai Yue, Pengfei Wang, Yong Tang*, Enze Wang, Bo Yu, Kai Lu, Xu Zhou
To appear in the proceeding of the 29th USENIX Security Symposium (USENIX Scurity '20). Boston, Aug.12-14, 2020. (CCF Rank: A)

[2019-09] Poster: Fuzzing IoT Firmware via Multi-stage Message Generation

Bo Yu, Pengfei Wang, Tai Yue, Yong Tang
In the proceeding of the 26th ACM Conference on Computer and Communications Security (CCS' 19). London, Nov.11-15, 2019. (CCF Rank: A)
(DOI: 10.1145/3319535.3363247) (WOS:000509760700152)

[2018-12] AVPredictor: Comprehensive Prediction and Detection of Atomicity Violations

Pengfei Wang*, Jens Krinke, Xu Zhou, Kai Lu.
In Concurrency and Computation: Practice and Experience 31(15), Aug.10th, 2019. (ISSN: 1532-0634). (CCF Rank: C)
(DOI 10.1002/cpe.5160)(WOS:000474661300011)

[2018-05] DFTinker: Detecting and Fixing Double-fetch Bugs in an Automated Way

Yingqi Luo*, Pengfei Wang, Xu Zhou and Kai Lu
In proceeding of the 13th International Conference on Wireless Algorithms, Systems, and Applications (WASA 2018) pp 780-785. Tianjin China, Jun.20-22, 2018. (CCF Rank: C)

[2018-03] Untrusted Hardware Causes Double-fetch Problems in the I/O Memory [Poster at USENIX Security '17]

Kai Lu, Pengfei Wang*, Gen Li, Xu Zhou.
In Journal of Computer Science and Technology (ISSN: 1000-9000), 33(3): 587–602, May.11th, 2018. (CCF Rank: B)
(DOI 10.1007/s11390-018-1842-3) （WOS:000432141000015）

[2017-09] A Survey of the Double-Fetch Vulnerabilities

Pengfei Wang*, Kai Lu, Gen Li, Xu Zhou.
In Concurrency and Computation: Practice and Experience (ISSN: 1532-0634), 30(6), Mar.25th. 2018. (CCF Rank: C)
(DOI 10.1002/cpe.4345)（WOS:000425460100002）

[2017-05] How Double-Fetch Situations turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel [Slides]

Pengfei Wang*, Jens Krinke, Kai Lu, Gen Li, Steve Dodier-Lazaro.
In proceedings of the 26th USENIX Security Symposium (USENIX Security '17). Vancouver, Aug. 16-18, 2017. (CCF Rank: A)
（WOS:000428763700001）

[2016-12] DFTracker: Detecting Double-Fetch Bugs by Multi-Taints Parallel Tracking

Pengfei Wang*, Kai Lu, Gen Li, Xu Zhou.
In Frontier of Computer Science 13(2), pp:247–263. April 11th, 2019. (ISSN: 2095-2236) (CCF Rank: C)
(DOI 10.1007/s11704-016-6383-8) (WOS:000464846400004)

Reported Vulnerabilities

CVE-2016-5728	A "double-fetch" vulnerability in the Linux kernel. Race condition in the vop_ioctl function allows local users to obtain sensitive information from kernel memory or cause a denial of service (memory corruption and system crash) by changing a certain header.
CVE-2016-6130	A "double-fetch" vulnerability in the Linux kernel. Race condition in the sclp_ctl_ioctl_sccb function allows local users to obtain sensitive information from kernel memory by changing a certain length value.
CVE-2016-6136	A "double-fetch" vulnerability in the Linux kernel. Race condition in the audit_log_single_ execve_arg function allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string.
CVE-2016-6156	A "double-fetch" vulnerability in the Linux kernel. Race condition in the ec_device_ioctl_xcmd function allows local users to cause a denial of service (out-of-bounds array access) by changing a certain size value.
CVE-2016-6480	A "double-fetch" vulnerability in the Linux kernel. Race condition in the ioctl_send_fib function allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value.
CVE-2017-8831	A "hardware double-fetch" vulnerability in the Linux kernel. Function saa7164_bus_get() allows local users to cause a denial of service (out-of-bounds array access) by changing a certain sequence-number value from the hardware.
CVE-2017-9984	A "hardware double-fetch" vulnerability in the Linux kernel. Function snd_msnd_interrupt() allows local users to cause a denial of service (over-boundary access) by changing the value of a message queue head pointer.
CVE-2017-9985	A "hardware double-fetch" vulnerability in the Linux kernel. Function snd_msndmidi_input_read() allows local users to cause a denial of service (over-boundary access) by changing the value of a message queue head pointer.
CVE-2017-9986	A "hardware double-fetch" vulnerability in the Linux kernel. Function intr() allows local users to cause a denial of service (over-boundary access) by changing the value of a message queue head pointer.

(Last update: 2020-3-8)