陈建军副教授
个人介绍

姓名: 陈建军

职称:副教授

邮箱:jianjun@tsinghua.edu.cn

个人主页:https://jianjunchen.com

教育背景

工学博士(计算机科学与技术),清华大学,中国,2013.9-2018.7

工学学士(计算机科学与技术),武汉大学,中国,2009.9-2013.7

工作履历

副教授、博士生导师,清华大学,中国,2024.06-今

助理教授、博士生导师,清华大学,中国,2021.10-2024.06

博士后, 芝加哥大学 (University of Chicago),美国,2021.4-2021.9

博士后,加州大学伯克利分校(UC Berkeley),美国,2018.9-2021.4

学术兼职

期刊编委(Editorial Board), IEEE Transactions on Information Forensics and Security (T-IFS),2024 - 至今

序委员会委员(TPC Member), Network and Distributed System Security Symposium (NDSS),2025

程序委员会委员(TPC Member), IEEE European Symposium on Security and Privacy (Euro S&P),2025

程序委员会委员(TPC Member) IEEE Symposium on Security and Privacy (S&P),2024

程序委员会委员(TPC Member), ACM Conference on Computer and Communications Security (CCS),2024

程序委员会委员(TPC Member), IEEE European Symposium on Security and Privacy (Euro S&P),2024

程序委员会委员(TPC Member), ACM Conference on Computer and Communications Security (CCS),2023

程序委员会委员(TPC Member), ACM Internet Measurement Conference (IMC),2023

程序委员会委员(TPC Member), IEEE European Symposium on Security and Privacy (Euro S&P),2023
ACM SIGSAC China委员会委员 

研究领域

网络安全、协议安全、Web安全

漏洞挖掘、软件测试、系统安全

互联网基础设施安全、大模型安全

研究概况

       长期从事网络安全与协议安全方面的研究,重点关注互联网基础协议安全问题,通过发现和解决互联网核心系统中的安全漏洞,以增强互联网基础设施的安全性。研究成果已发表在网络安全四大顶级学术会议(USENIX Security、NDSS、CCS和Security&Privacy),并两次以第一作者身份获网络安全四大顶会的“杰出论文奖”(USENIX Security 2020和NDSS 2016和),其中NDSS 2016杰出论文奖也是中国学者首次获得四大安全顶会杰出论文奖。研究成果在现实世界产生了重要影响力,促进国际标准组织IETF和W3C制定和修改相关标准(RFC 8586和CORS标准),并推动了许多工业界厂商(如Google、Apple、Akamai、Cloudflare、腾讯、阿里巴巴)的产品安全的升级。
       近年来,在互联网基础协议安全方面的主要成果包括:
1)发现了互联网基础设施 CDN 的转发循环安全问题,影响所有 CDN 厂商,并提出了相应解决方案。研究成果获得网络安全国际顶级会议NDSS 2016 "杰出论文奖",这是中国学者首次在四大网络安全顶会上获最佳论文奖。这一研究引起了国内外 CDN 厂商和组织的积极响应,并促进 IETF 制定了新的 RFC 标准(RFC 8586)。
2)发现了互联网最广泛协议 HTTP 的重大安全漏洞 Host-of-Troubles,影响大量流行HTTP软件,并提出了相应解决方案。成果发表于网络安全顶级会议上,并获Akamai、Squid、Fastly、腾讯、阿里、华为等主流厂商修复与致谢。
3)发现了Web安全机制CORS的重要设计安全问题,并提出解决方案。研究成果推动了国际 Web 标准组织 W3C 对 CORS 协议标准的修订与改进,并获得了 CORS 标准组织和Chrome、Firefox、Safari等主流浏览器厂商的致谢与奖励。
4) 发现了互联网基础应用电子邮件安全协议的一系列安全漏洞,并提出了解决方案。研究推动了主流邮件服务商和客户端如Gmail、iCloud.com、Mail.ru、Protonmail.com和Thunderbird的产品安全改进,被 Wired、CSO Online和Dark Reading 等新闻媒体广泛报道。研究成果获得网络安全国际顶级会议USENIX Security 2020 ”杰出论文奖”。

奖励与荣誉

2023年度 ACM CCS 杰出论文奖 (Distinguished Paper Award)

2022年度 入选国家级高层次青年人才计划

2020年度 USENIX Security 杰出论文奖 (Distinguished Paper Award)

2019年度 ACM 中国 SIGSAC 优博奖

2016年度 NDSS 杰出论文奖 (Distinguished Paper Award, 中国首个四大安全顶会最佳论文奖)

2012年教育部国家奖学金

学术成果

[1] Qi Wang, Jianjun Chen, Zheyu Jiang, Run Guo, Ximeng Liu, Chao Zhang, Haixin Duan. Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls. 2024 IEEE Symposium on Security and Privacy (IEEE S&P'24,网络安全四大顶会之一).

[2] Enze Wang, Jianjun Chen, Wei Xie, Chuhan Wang, Yifei Gao, Zhenhua Wang, Haixin Duan, Yang Liu, Baosheng Wang. Where URLs Become Weapons: Automated Discovery of SSRF Vulnerabilities in Web Applications. 2024 IEEE Symposium on Security and Privacy (IEEE S&P'24,网络安全四大顶会之一).

[3] Jiahe Zhang, Jianjun Chen, Qi Wang, Hangyu Zhang, Chuhan Wang, Jianwei Zhuge, Haixin Duan. Inbox Invasion: Exploiting MIME Ambiguities to Evade Email Attachment Detectors. 31th ACM Conference on Computer and Communications Security (CCS'24,网络安全四大顶会之一).

[4] Yuejia Liang, Jianjun Chen, Run Guo, Kaiwen Shen, Hui Jiang, Man Hou, Yue Yu, Haixin Duan. Internet’s Invisible Enemy: Detecting and Measuring Web Cache Poisoning in the Wild. 31th ACM Conference on Computer and Communications Security  (CCS'24,网络安全四大顶会之一).

[5] Ziyu Lin, Zhiwei Lin, Ximeng Liu, Jianjun Chen, Run Guo, Cheng Chen, Shaodong Xiao. CDN Cannon: Exploiting CDN Back-to-Origin Strategies for Amplification Attacks. 33th USENIX Conference on Security Symposium (USENIX Security'24,网络安全四大顶会之一).

[6] Yi He, Ruoyu Lun, Yunchao Guan, Shangru Song, Zhihao Guo, Hetian Shi, Jianwei Zhuge, Jianjun Chen, Qiang We, Zehui Wu, Miao Yu, Qi Li. Demystifying the Security Implications in IoT Device Rental Services. 33th USENIX Conference on Security Symposium (USENIX Security'24,网络安全四大顶会之一).

[7] Chuhan Wang, Yasuhiro Kuranaga, Yihang Wang, Mingming Zhang, Linkai Zheng, Xiang Li, Jianjun Chen, Haixin Duan, Yanzhong Lin, Qingfeng Pan.BreakSPF: How Shared Infrastructures Magnify SPF Vulnerabilities Across the Internet. Proceedings 2024 Network and Distributed System Security Symposium (NDSS'24, 网络安全四大顶会之一)- .  

[8] Linkai Zheng, Xiang Li, Chuhan Wang, Run Guo, Haixin Duan, Jianjun Chen, Kaiwen Shen. ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies with Differential Fuzzing. Proceedings 2024 Network and Distributed System Security Symposium (NDSS'24, 网络安全四大顶会之一).  

[9] Zicong Gao, Chao Zhang , Hangtian Liu, Wenhou Sun, Zhizhuo Tang, Liehui Jiang, Jianjun Chen, Yong Xie. Faster and Better: Detecting Vulnerabilities in Linux-based IoT Firmware with Optimized Reaching Definition Analysis. Proceedings 2024 Network and Distributed System Security Symposium (NDSS'24, 网络安全四大顶会之一).

[10] Run Guo, Jianjun Chen, Yihang Wang, Keran Mu, Baojun Liu, Xiang Li, Chao Zhang, Haixin Duan, Jianping Wu. Temporal CDN-Convex Lens: A CDN-Assisted Practical Pulsing DDoS Attack. 32th USENIX Conference on Security Symposium  (USENIX Security'23,网络安全四大顶会之一).

[11] Wei Xu, Xiang Li, Chaoyi Lu, Baojun Liu, Jia Zhang, Jianjun Chen, Tao Wan, Haixin Duan. TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers. 30th ACM Conference on Computer and Communications Security (CCS'23,网络安全四大顶会之一).

[12] Zhenrui Zhang, Geng Hong, Xiang Li, Zhuoqun Fu, Jia Zhang, Mingxuan Liu, Chuhan Wang, Jianjun Chen, Baojun Liu, Haixin Duan, Chao Zhang, Min Yang. Under the Dark: A Systematical Study of Stealthy Mining Pools (Ab)use in the Wild. 30th ACM Conference on Computer and Communications Security  (CCS'23,网络安全四大顶会之一).

[13] Fenglu Zhang, Baojun Liu, Eihal Alowaisheq, Jianjun Chen, Chaoyi Lu, Linjian Song, Yong Ma, Ying Liu, Haixin Duan, Min Yang. Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers. 30th ACM Conference on Computer and Communications Security. (CCS'23,杰出论文奖,网络安全四大顶会之一).

[14] Songtao Yang, Yubo He, Kaixiang Chen, Zheyu Ma, Xiapu Luo, Yong Xie, Jianjun Chen, Chao Zhang. 1dFuzz: Reproduce 1-day Vulnerabilities with Directed Differential Fuzzing. 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'23, 软件工程顶会之一)

[15] Mingming Zhang, Xiang Li, Baojun Liu, Jianyu Lu, Yiming Zhang, Jianjun Chen, Haixin Duan, Shuang Hao, Xiaofeng Zheng. DareShark: Detecting and Measuring Security Risks of Hosting-Based Dangling Domains. ACM SIGMETRICS 2023 (SIGMETRICS'23, 网络测量顶会之一)

[16] Zihao Jin, Shuo Chen, Yang Chen, Haixin Duan, Jianjun Chen, Jianping Wu. A Security Study about Electron Applications and a Programming Methodology to Tame DOM Functionalities. Proceedings 2023 Network and Distributed System Security Symposium (NDSS'23,网络安全四大顶会之一).

[17] Wenyu Zhu, Zhiyao Feng, Zihan Zhang, Jianjun Chen, Zhijian Ou, Min Yang, Chao Zhang. Callee: Recovering Call Graphs for Binaries with Transfer and Contrastive Learning. 2023 IEEE Symposium on Security and Privacy (S&P'23, 网络安全四大顶会之一)

[18] Chuhan Wang, Kaiwen Shen, Minglei Guo, Yuxuan Zhao, Mingming Zhang, Jianjun Chen, Baojun Liu, Xiaofeng Zheng, Haixin Duan, Yanzhong Lin, Qingfeng Pan. A Large-scale and Longitudinal Measurement Study of DKIM Deployment. 31th USENIX Conference on Security Symposium (USENIX Security'22,网络安全四大顶会之一).

[19] Kaiwen Shen, Jianyu Lu, Yaru Yang, Jianjun Chen, Mingming Zhang, Haixin Duan, Jia Zhang, Xiaofeng Zheng. HDiff: A Semi-automatic Framework for Discovering Semantic Gap Attack in HTTP Implementations. 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks. (DSN'22, Best Paper Award Runners Up)

[20] Jianjun Chen; Vern Paxson; Jian Jiang; Composition Kills: A Case Study of Email Sender Authentication, 29th USENIX Conference on Security Symposium (USENIX Security’20,杰出论文奖,网络安全四大顶会之一).  

[21] Run Guo; Weizhong Li; Baojun Liu; Shuang Hao; Jia Zhang; Haixin Duan; Kaiwen Sheng; Jianjun Chen; Ying Liu; CDN Judo: Breaking the CDN DoS Protection with Itself, Proceedings 2020 Network and Distributed System Security Symposium (NDSS'20, 网络安全四大顶会之一).

[22] Jianjun Chen; Jian Jiang; Haixin Duan; Tao Wan; Shuo Chen; Vern Paxson; Min Yang; We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS, 27th USENIX Conference on Security Symposium (USENIX Security'18, 网络安全四大顶会之一).

[23] Run Guo; Jianjun Chen; Baojun Liu; Jia Zhang; Chao Zhang; Haixin Duan; Tao Wan; Jian Jiang; Shuang Hao; Yaoqi Jia; Abusing CDNs for Fun and Profit: Security Issues in CDNs' Origin Validation, IEEE 37th Symposium on Reliable Distributed Systems (SRDS'18, CCF B类).

[24] Xiaojing Liao; Kan Yuan; XiaoFeng Wang; Zhongyu Pei; Hao Yang; Jianjun Chen; Haixin Duan; Kun Du; Eihal Alowaisheq; Sumayah Alrwais; Luyi Xing; Raheem Beyah; Seeking Nonsense, Looking for Trouble: Efficient Promotional-Infection Detection through Semantic Inconsistency Search, 2016 IEEE Symposium on Security and Privacy (SP'16, 网络安全四大顶会之一).

[25] Jianjun Chen; Jian Jiang; Haixin Duan; Nicholas Weaver; Tao Wan; Vern Paxson; Host of Troubles: Multiple Host Ambiguities in HTTP Implementations, 23rd ACM SIGSAC Conference on Computer and Communications Security (CCS’16, 网络安全四大顶会之一).

[26] Jianjun Chen; Jian Jiang; Xiaofeng Zheng; Haixin Duan; Jinjin Liang; Kang Li; Tao Wan; Vern Paxson; Forwarding Loop Attacks in Content Delivery Networks, Proceedings 2016 Network and Distributed System Security Symposium (NDSS'16, 中国首个四大安全顶会杰出论文奖, 网络安全四大顶会之一).