Jianjun Chen

Postdoctoral fellow

International Computer Science Institute (ICSI)

Email: jianjun[AT]icsi.berkeley.edu

Jianjun Chen is a postdoc supervised by Prof. Vern Paxson at International Computer Science Institute, an independent non-profit research institute affiliated with UC Berkeley. He was a Ph.D. student at Tsinghua University advised by Prof. Haixin Duan.

His research focuses on studying real-world systems to understand their security challenges and develop mitigation solutions. He worked in the areas of CDN security, HTTP implementations, web browsers, and email systems. His previous research was published on top-tier security conferences (NDSS, ACM CCS, USENIX Security), and led to some real-world security pushes, such as patches in popular HTTP implementations (e.g., Squid ^[1]^[2], Chrome ^[1], Firefox ^[1]), security advisories by industrial companies (e.g., Akamai ^[1], Cloudflare ^[1], Apple ^[1]), web standard change ^[1], and a new IETF RFC ^[1].

Recent News

[Apr, 20] Our paper on email security was accepted by USENIX security 2020.
[Apr, 19] Our CDN paper leads to a new Internet standard (RFC 8586).

Selected Publications

More publications

Jianjun Chen, Vern Paxson, Jian Jiang. Composition Kills: A Case Study of Email Sender Authentication. In USENIX Security 2020. (To appear)

PDF Code

Jianjun Chen, J. Jiang, H. Duan, T. Wan, S. Chen, V. Paxson, M. Yang. We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS. In USENIX Security 2018.

PDF Code Slides Video

Jianjun Chen, J. Jiang, H. Duan, N. Weaver, T. Wan, and V. Paxson. Host of Troubles: Multiple Host Ambiguities in HTTP Implementations. In CCS 2016. (Best Paper Nominee)

PDF Slides Video

Jianjun Chen, J. Jiang, X. Zheng, H. Duan, J. Liang, K. Li, T. Wan, and V. Paxson. Forwarding Loop Attacks in Content Delivery Networks. In NDSS 2016. (Distinguished Paper Award)

PDF Slides

Activities

Talks:

You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication, Black Hat USA 2020, (To appear).
Hacking Intranet from outside: security problems of Cross Origin Resource Sharing (CORS), DEF CON China, 2018, Beijing.
Host of Troubles attack, The 2th China Cyber Security summit(CSS) 2016, Beijing.
Improving IPv6 Attack Detector, Free and Open Source Software conference (FOSSAISA) 2014, Cambodia.

Selected vulnerabilities:

CVE-2016-4553, Squid team evaluated it as a highest level(blocker) security vulnerability, which allowed an attacker to remotely poison the cache of any HTTP website with arbitrary content.
CVE-2016-4554, A critical security vulnerability in Squid, which was introduced to version 1.0 in 1996.
VU#938151, A new type of DoS attacks affecting all 16 CDNs we tested.

I am serving as an reviewer for IEEE/ACM Transactions on Networking(ToN).

Contact

jianjun[AT]icsi[DOT]berkeley[DOT]edu
Suite 600, 1947 Center Street, Berkeley, CA, USA