I am a system security researcher. I develop program analysis techniques to tackle security threats in systems.
My research is best represented by my extensive work on robotic vehicles (RVs).
I was working on automatically finding logic bugs, patching them, and verifying the patches in RV control software.
Currently, my efforts are dedicated to uncovering the root causes and formulating countermeasures against physical sensor attacks that target RVs.
I will start an Assistant Professor position in the CS Department at Indiana University, Bloomington in Fall 2024!
I’m looking for highly-motivated students. If you are interested in working with me, drop me an email.
(info This website doesn't track any visitors, which means that you don't need to worry about disclosing your identity.)
Recent News
[April 2024] I'm a program committee member of NDSS 2025. (Please consider submitting your great work)
[Feb 26, 2024] I got Outstanding Reviewer Award from VehicleSec'24.
[Feb 2024] I'm a program committee member of RAID 2024. (Please consider submitting your great work)
[December 17, 2023] I officially got my PhD (link).
[October 27, 2023] My paper has been accepted to S&P'24. Here is the paper.
[October 19, 2023] It is my pleasure to be mentioned as one of the noteworthy reviewers at RAID’23.
[September 2023] It's my pleasure to serve VehicleSec 2024 as a travel grant chair.
[September 2023] I'm a program committee member of EuroS&P 2024. (Please consider submitting your great work)
[May 2023] I'm a program committee member of ASIACCS 2024. (Please consider submitting your great work)
[April 20, 2023] I have been selected as a CPS (Cyber-Physical Systems) Rising Star, CPS-VO@NSF, 2023.
[Feb 27, 2023] I got Outstanding Reviewer Award from VehicleSec'23.
A Systematic Study of Physical Sensor Attack Hardness [pdf] [demo video] [github] Hyungsub Kim, Rwitam Bandyopadhyay, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Yongdae Kim, Dongyan Xu 45th IEEE Symposium on Security and Privacy (Oakland) (S&P 2024), San Francisco, California, USA, May 20-23, 2024.
(acceptance rate: TBA)
Discovering Adversarial Driving Maneuvers against Autonomous Vehicles [pdf] [slide] [video] [github]
Ruoyu Song, Muslum Ozgur Ozmen, Hyungsub Kim, Raymond Muller, Z. Berkay Celik, Antonio Bianchi 32nd USENIX Security Symposium (USENIX 2023), Anaheim, California, USA, August 9-11, 2023.
(acceptance rate: 442/1444=29.2%)
PatchVerif: Discovering Faulty Patches in Robotic Vehicles [pdf] [slide] [demo videos] [video] [github] Hyungsub Kim, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Dongyan Xu 32nd USENIX Security Symposium (USENIX 2023), Anaheim, California, USA, August 9-11, 2023.
(acceptance rate: 442/1444=29.2%)
PGPATCH: Policy-Guided Logic Bug Patching for Robotic Vehicles [pdf] [slide] [teaser video] [video] [github] Hyungsub Kim, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Dongyan Xu 43rd IEEE Symposium on Security and Privacy (Oakland) (S&P 2022), San Francisco, California, USA, May 23-26, 2022.
(acceptance rate: 147/1012=14.5%)
M2MON: Building an MMIO-based Security Reference Monitor for Unmanned Vehicles [pdf] [slide] [video] [github]
Arslan Khan, Hyungsub Kim, Byoungyoung Lee, Dongyan Xu, Antonio Bianchi, Dave (Jing) Tian 30th USENIX Security Symposium (USENIX 2021), Vancouver, British Columbia, Canada, August 11-13, 2021.
(acceptance rate: 246/1316=18.7%)
PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles [pdf] [slide] [video] [github] Hyungsub Kim, Muslum Ozgur Ozmen, Antonio Bianchi, Z. Berkay Celik, Dongyan Xu 28th Network and Distributed System Security Symposium (NDSS 2021), San Diego, California, USA, February 21-24, 2021.
(acceptance rate: 87/573=15.2%)
Inferring Browser Activity and Status Through Remote Monitoring of Storage Usage [pdf] [slide] [web page] [passive attack video] [active attack video] Hyungsub Kim, Sangho Lee, and Jong Kim 32nd Annual Computer Security Applications Conference (ACSAC 2016), Los Angeles, California, USA, December 5-9, 2016.
(acceptance rate: 48/210=22.8%)
Identifying Cross-origin Resource Status Using Application Cache [pdf] [slide] [demo video]
Sangho Lee, Hyungsub Kim, and Jong Kim 22nd Network and Distributed System Security Symposium (NDSS 2015), San Diego, California, USA, February 8-11, 2015.
(acceptance rate: 50/302=16.6%)
Exploring and Mitigating Privacy Threats of HTML5 Geolocation API [pdf] [slide] [demo video] Hyungsub Kim, Sangho Lee, and Jong Kim 30th Annual Computer Security Applications Conference (ACSAC 2014), New Orleans, Louisiana, USA, December 8-12, 2014.
(acceptance rate: 47/236=19.9%)
Short Paper
Short: Rethinking Secure Pairing in Drone Swarms [pdf] [video]
Muslum Ozgur Ozmen, Habiba Farrukh, Hyungsub Kim, Antonio Bianchi, Z. Berkay Celik The Inaugural ISOC Symposium on Vehicle Security and Privacy (VehicleSec 2023), San Diego, California, USA, February 27, 2023.
Workshop/Demo Papers
Demo: Discovering Faulty Patches in Robotic Vehicle Control Software [pdf] [demo video 1] [demo video 2] Hyungsub Kim, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Dongyan Xu The Inaugural ISOC Symposium on Vehicle Security and Privacy (VehicleSec 2023), San Diego, California, USA, February 27, 2023.
Demo: Policy-based Discovery and Patching of Logic Bugs in Robotic Vehicles [pdf] [demo video] [github] Hyungsub Kim, Muslum Ozgur Ozmen, Antonio Bianchi, Z. Berkay Celik, Dongyan Xu 4th International Workshop on Automotive and Autonomous Vehicle Security (AutoSec 2022), San Diego, California, USA, April 24, 2022.
Dissertation/Thesis
Defeating Cyber and Physical Attacks in Robotic Vehicles
PhD dissertation, Department of Computer Science, Purdue University, 2023.
Privacy Threats in HTML5 Geolocation API: Case Studies and Countermeasures [pdf]
Master's Thesis, Department of Computer Science and Engineering, POSTECH, 2015.
Interdisciplinary Work
Community-based death preparation and education: A scoping review [pdf]
Sungwon Park, Hyungkyung Kim, Min Kyeong Jang, Hyungsub Kim, Rebecca Raszewski & Ardith Z. Doorenbos Death Studies, March 11, 2022.
Talks
Defeating Cyber and Physical Attacks in Robotic Vehicles
Purdue University, IN, USA, November 28, 2023 (PhD dissertation defense).
PatchVerif: Discovering Faulty Patches in Robotic Vehicles [video]
32nd USENIX Security Symposium (USENIX security 2023), Anaheim, CA, USA, August 10, 2023.
Defeating Logic Bugs in Robotic Vehicles
POSTECH, Pohang, Korea, June 1, 2023.
UNIST, Ulsan, Korea, May 31, 2023.
Ohio State University, OH, USA, February 17, 2023 (link).
Purdue University, IN, USA, November 18, 2022 (preliminary examination).
New York University Abu Dhabi, UAE, November 10, 2022.
Logic Bug-Finding and Patching Tools
2nd Technology Innovation Institute (TII) Annual SSRC Research Partners Summit, Abu Dhabi, UAE, November 8, 2022.
PGPATCH: Policy-Guided Logic Bug Patching for Robotic Vehicles [video]
43rd IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, USA, May 25, 2022.
PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles [video]
28th Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, Feb 24, 2021.
Inferring Browser Activity and Status Through Remote Monitoring of Storage Usage
32nd Annual Computer Security Applications Conference (ACSAC), Los Angeles, CA, USA, Dec 8, 2016.
Exploring and Mitigating Privacy Threats of HTML5 Geolocation API
30th Annual Computer Security Applications Conference (ACSAC), New Orleans, LA, USA, Dec 11, 2014.
I Know the Shortened URLs You Clicked on Twitter: Inference Attack using Public Click Analytics and Twitter Metadata
Workshop among Asian Information Security Labs (WAIS), Shanghai, China, Jan 10, 2014.
Fellowships, Awards, and Honors
Outstanding Reviewer Award, ISOC Symposium on Vehicle Security and Privacy (VehicleSec) 2024.
Noteworthy Reviewer, International Symposium on Research in Attacks, Intrusions and Defenses (RAID) 2023 (link).
European Symposium on Research in Computer Security (ESORICS) 2021
ACM ASIA Conference on Computer and Communications Security (ASIACCS) 2021, 2022
Dependable Systems and Networks (DSN) 2020
Security and Privacy in Communication Networks (SecureComm) 2020, 2023
Workshop on Automotive and Autonomous Vehicle Security (AutoSec) 2022
World Conference on Information Security Applications (WISA) 2014
Session Chair
"Side and Covert Channels" Session, IEEE/ACM Workshop on the Internet of Safe Things (SafeThings 2024)
"Firewall and IDS" Session, Symposium on Vehicle Security and Privacy (VehicleSec 2024)
"Autonomous Driving Security" Session, Symposium on Vehicle Security and Privacy (VehicleSec 2023)
"Robotic Vehicles Security" Session, Workshop on Automotive and Autonomous Vehicle Security (AutoSec 2022)
Volunteering participating in the international World Wide Web Conference 2014, April, 7-11, Seoul, Korea.
University Services
Services for Department
"Discovering Faulty Patches in Robotic Vehicles", Prospective PhD Visit Day Poster Session, March 23, 2023.
Teaching Experience
Guest Lecturer
Topic: Defeating Logic bugs in Robotic Vehicles, Software Security (CS 490) Purdue University, West Lafayette, IN, USA, Fall 2023. [slide]
Topic: Static Analysis, Software Security (CS 490) Purdue University, West Lafayette, IN, USA, Fall 2022. [slide]
Topic: Program Analysis for IoT/CPS (Dynamic, Static Analysis, and Symbolic Execution), IoT/CPS Security (CS 590) Purdue University, West Lafayette, IN, USA, Spring 2022. [slide]
Teaching Assistant (TA)
TA, Project Development (CS180 and CS251), Purdue University, West Lafayette, IN, USA, Fall 2019.
TA, Software Design Methods (CSED332), POSTECH, Pohang, Republic of Korea, Fall 2014.
Mentoring Experience
Ruoyu Song (Ph.D. Student at Purdue University)
Project: Discovering Adversarial Driving Maneuvers against Autonomous Vehicles (paper published at USENIX Security'23 [pdf])
2021 - Now
Faaiz Masood Memon (Undergraduate Student at Purdue University)
Project: Drone fail-safe algorithms (ongoing)
2023 - Now
Rwitam Bandyopadhyay (Amazon)
Project: A Systematic Study of Physical Sensor Attack Hardness (paper published at IEEE S&P'24[pdf])
2023 - Now
Reported Vulnerabilities/bugs
115 bugs in ArduPilot and PX4, discoverd by PatchVerif, 2023. (link)
207 bugs in ArduPilot, PX4, and Paparazzi, discoverd by PGFuzz, 2021. (link)
The places I have visited: China (Beijing and Shanghai), Japan (Tokyo and Fukuoka), Canada (Vancouver), the U.S. (New Orleans, Orlando, Denver, Seattle, Los Angeles, Las Vegas, Kansas City, Chicago, Indianapolis, Bloomington, New York, Louisville, San Diego, San Francisco, Washington DC, Ann Arbor, Anaheim, Irvine, Atlanta, Urbana–Champaign, St. Louis, Gainesville, Santa Barbara, and Newark), UAE (Abu Dhabi), Germany (Saarbrücken)
(The cities in each country are listed in the order I visited)
The universities I have visited: China (Peking University, Tsinghua University, and Fudan University), Japan (Tokyo Institute of Technology), the U.S. (University of Washington, University of Chicago, University of Illinois Chicago, Indiana University, Georgetown University, University of Michigan, Georgia Institute of Technology, University of Illinois Urbana-Champaign, Washington University in St. Louis, University of Florida, UC Santa Barbara, and NJIT), UAE (New York University Abu Dhabi), Germany (Saarland University)
(The universities in each country are listed in the order I visited)
