I am a graduating senior in Computer Science at UC Santa Barbara. I have both research and industrial experience in modern application security and data science. I am now open for job opportunities where I can apply my skills.
Worked on an AWS EMR metrics collection library that publishes metrics to internal monitoring frameworks and helped instrument existing Hadoop/Spark jobs with it.
Analyzed metrics from 127 Spark clusters and located 21 under-provisioned / over-provisioned jobs.
Created dashboards on Grafana & Splunk to provide detailed information regarding Spark job optimization.
Located and patched a race-condition issue in a Redshift metrics collection library that caused failures over AWS data pipelines.
Rewrote Redshift SQL of a daily-executed data pipeline to support a specific change in logic.
Provided information security consulting including security assessment, conducted 2 pentests, and identified 8+ risks.
Bug Bounty Programs
External Pentester
Netease: Discovered 2 severe XSS & CSRF vulnerabilities that could lead to the takeover of 1.1 billion accounts.
PingAn Insurance: Discovered 1 severe code injection vulnerability that leaks millions of lines of personal information.
International Baccalaureate (IBO): Discovered 1 access control risk that leads to admin account takeover.
Shanghai Government: Discovered 50+ access control, LFI, SQL injection, XSS, etc. vulnerabilities across government infrastructure.
Research Experience
UCSB Verification Lab
10/2019 - Present
Worked on hybrid fuzzing and implemented a probabilistic concolic execution scheduler.
Worked on research related to browser side-channel mitigation bypasses and improving existing browser security policies.
Conducted analysis on websites in the medical industry and discovered 2 network side-channel vulnerabilities with the team, which lead to leakage of users' medical data and credentials.
Publication:
C. Shou, I.B. Kadron, Q. Su, T. Bultan, CorbFuzz: Checking Browser Security Policies with Fuzzing (Accepted to ASE 2021)
C. Shou, PorkFuzz: Testing Stateful Software-Defined Network Applications with Property Graphs (Accepted to ESEC/FSE 2021 SRC)
Two more papers in review.
UCSB System & Network Lab
03/2021 - Present
Contributed to research on a software-defined-network-based telemetry system for network security analysis.
A header injection vulnerability was discovered in the cpp-httplib client, which allows attackers to conduct code execution on users of websites built on this library.
A null-pointer-dereference vulnerability was discovered in an official Redis client that is deployed to millions of servers, which allows attackers to conduct denial-of-service attacks easily.
[Undisclosed] This vulnerability allows attackers to visit the CVS internal network, which has the potential to leak users' (patients') personal information.
Competitions
CTF (Capture the Flag)
Cybersecurity Competitions
I usually work on CTFs with two of my classmates who are both undergraduates. Our team is called by7ch. I mainly take care of challenges related to web applications and forensics.
- Ranked 23rd globally and 3rd among US teams.
- Ranked 6th as a team and first individually.
- Ranked 45th globally and 7th among US teams.
- Ranked 53rd globally and 6th among US teams.
- Ranked 78th globally and 6th among US teams.
- Ranked 86th globally and 14th among US teams.
- I am the lead organizer, DevOps engineer, and author of the challenges. The event has attracted more than 700 teams from all over the world and has been rated as one of the best web-security-oriented CTFs.
DAudit provides Ops teams with an easier interface to evaluate risks in the configuration of databases and big data toolkits.
Stack Used: Python, MySQL, Redis, ELK, Hadoop, Spark, MongoDB
IBKiller is a web platform for high school students to share notes and videos, as well as practice exam-style questions.
DAUs once reached 800+. I prototyped the website with Laravel, then refactored it to microservices and split the frontend and backend.
This led to a 92.8% reduction in average response time and a 21.4% reduction in server load.
I have contributed fuzzing test harnesses for facebook/yoga (layout engine) and facebook/hermes (JavaScript engine). The harness for facebook/hermes is based on Fuzzilli and has discovered two memory-related vulnerabilities.