Yu Wang
Research Interests
My research interests always lie in the field of Security. I was a master's student advised by Professor Fengwei Zhang in the COMPASS (COMputer And System Security) Lab at SUSTech. My past projects focus on utilizing hardware-software codesign to enhance the effectiveness and efficiency of software security mechanisms. Looking forward, I am particularly interested in exploring software and system security, such as program analysis and reverse engineering.
Education
Southern University of Science and Technology (SUSTech)
Shenzhen, China
Sept. 2020 - June 2023
M.Eng., Department of Computer Science and Engineering
Zhongnan University of Economics and Law (ZUEL)
Wuhan, China
Sept. 2016 - June 2020
B.E., Department of Computer Science and Technology
Publications
Raft: Hardware-assisted Dynamic Information Flow Tracking for Runtime Protection on RISC-V
[paper] [slides] [github]
Yu Wang, Jinting Wu, Haodong Zheng, Zhenyu Ning, Boyuan He, Fengwei Zhang*
In Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'23), Hong Kong, October, 2023.
Introduction

Dynamic Information Flow Tracking (DIFT) is a fundamental computer security technique that tracks the data flow of interest at runtime, overcoming the limitations of discovering data dependencies statically at compilation time. However, software-based DIFT tools often suffer from unbearably high runtime overhead due to dynamic binary instrumentation or virtual machines, limiting the usefulness of DIFT. Even though hardware-assisted DIFT frameworks cut down the performance overhead effectively, the overhead is still unacceptable for applications under rigorous time constraints.

Architecture overview of Raft

This paper presents Raft, a flexible hardware-assisted DIFT framework that provides runtime protection for embedded applications without delay to the programs. Our framework is designed as a coprocessor for a RISC-V Rocket Core, introducing minimally-invasive changes to the main processor. In Raft, we apply a novel storage mechanism with hybrid byte/variable granularity to reduce the size of tag storage and provide fine-grained protection. We deploy Raft on the Rocket emulator and FPGA development board to evaluate its effectiveness and efficiency. The experiment results show that, compared to previous approaches, Raft cuts down the performance overhead from more than 20% to less than 0.1% on NBench and CoreMark microbenchmarks. The performance overhead of Raft on SPEC CINT 2006 benchmarks is negligible (0.13%). We also utilize a customized program to demonstrate its functionality and conduct a detailed evaluation with a real-world embedded medical application and known CVEs.

RetTag: Hardware-assisted Return Address Integrity on RISC-V
[paper] [slides] [github]
Yu Wang, Jinting Wu, Tai Yue, Zhenyu Ning*, and Fengwei Zhang
In Proceedings of the 15th European Workshop on Systems Security (EuroSec'22), in conjunction with the European Conference on Computer Systems (EuroSys'22), Rennes, France, April 2022.
Introduction

Memory-corruption-based return address hijacking, such as Return-oriented Programming (ROP), is a prevalent attack technique that compromises the program's control flow integrity. So far, software-based defenses against these attacks either introduce heavy performance overhead or trade off security for performance. Meanwhile, some hardware-assisted defense mechanisms are not practical for large-scale deployment due to additional requirements of hardware features and flaws caused by complicated design.

Generation and storage of PAC
Instrumented assembly instructions by RetTag

In this paper, we present RetTag, a hardware-assisted and crypto-based defense scheme on RISC-V architecture that leverages Pointer Authentication Code (PAC) embedded into the unused bits of function return address to ensure return address integrity. We extend RISC-V ISA with Return Address Authentication (RAA) instructions to generate the PAC efficiently. We integrate RetTag into the mainstream compilers GCC and LLVM to help developers transparently employ the defense and implement a prototype of RetTag on the Rocket emulator and FPGA development board to demonstrate its effectiveness by detecting various ROP attacks. Moreover, the performance evaluation shows that RetTag only introduces 0.11% performance overhead on NBench and 7.69% on CoreMark.

Honors & Awards
Excellent Graduate with a Postgraduate Degree, 2023
Excellent Graduate with a Bachelor Degree, 2020
Distinguished Bachelor's Thesis at ZUEL, 2020