I am a system security researcher. I develop program analysis and formal method techniques to tackle security threats in systems.
My research is best represented by my extensive work on robotic vehicles (RVs).
I was working on automatically finding logic bugs, patching them, and verifying the patches in RV control software.
In addition, I was uncovering the root causes and formulating countermeasures against physical sensor attacks that target RVs.
Currently, my efforts are dedicated to developing formal methods to address cyber and physical attacks against various cyber-physical systems, including satellites, autonomous vehicles, and industrial control systems.
I’m looking for highly motivated and ambitious students/postdocs. If you are interested in working with me, please fill out this form.
(info This website doesn't track any visitors, which means that you don't need to worry about disclosing your identity.)
Recent News
[August 2025] I'll be teaching "Cyber-Physical System Security" for Fall 2025 at IU. The main topic is robotic vehicles security. Check out the syllabus for more details! [syllabus]
[Mar 2025] I'm a program committee member of NDSS 2026. (Please consider submitting your great work)
[Mar 2025] I'm a program committee member of IEEE S&P 2026. (Please consider submitting your great work)
[Mar 2025] I'm a program committee member of ACSAC 2025. (Please consider submitting your great work)
[Mar 2025] I'm a program committee member of RAID 2025. (Please consider submitting your great work)
[Feb 26, 2025] I got Distinguished Reviewer Award from NDSS'25.
[November 2024] It's my pleasure to serve MSW 2025 as a chair. All IU faculties are very excited to host Midwest Security Workshop (MSW) 2025 in Bloomington, IN.
[November 2024] It's my pleasure to serve NDSS 2025 as a publication chair.
[November 2024] It's my pleasure to serve VehicleSec 2025 as a publicity chair.
[Feb 26, 2024] I got Outstanding Reviewer Award from VehicleSec'24.
[October 19, 2023] It is my pleasure to be mentioned as one of the noteworthy reviewers at RAID’23.
[April 20, 2023] I have been selected as a CPS (Cyber-Physical Systems) Rising Star, CPS-VO@NSF, 2023.
[Feb 27, 2023] I got Outstanding Reviewer Award from VehicleSec'23.
Automated Discovery of Semantic Attacks in Multi-Robot Navigation Systems
Doguhan Yeke, Kartik Anand Pant, Muslum Ozgur Ozmen, Hyungsub Kim, James Goppert, Inseok Hwang, Antonio Bianchi, Z. Berkay Celik 34th USENIX Security Symposium (USENIX 2025), Seattle, Washington, USA, August 13-15, 2025.
(acceptance rate: TBA)
Intent-aware Fuzzing for Android Hardened Application
Seongyun Jeong, Minseong Choi, Haehyun Cho, Seokwoo Choi, Hyungsub Kim, Yuseok Jeon 32nd ACM Conference on Computer and Communications Security (CCS 2025), Taipei, Taiwan, October 13-17, 2025.
(acceptance rate: TBA)
A Systematic Study of Physical Sensor Attack Hardness [pdf] [demo video] [talk] [github] Hyungsub Kim, Rwitam Bandyopadhyay, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Yongdae Kim, Dongyan Xu 45th IEEE Symposium on Security and Privacy (Oakland) (S&P 2024), San Francisco, California, USA, May 20-23, 2024.
(acceptance rate: 261/1463=17.8%)
Discovering Adversarial Driving Maneuvers against Autonomous Vehicles [pdf] [slide] [talk] [github]
Ruoyu Song, Muslum Ozgur Ozmen, Hyungsub Kim, Raymond Muller, Z. Berkay Celik, Antonio Bianchi 32nd USENIX Security Symposium (USENIX 2023), Anaheim, California, USA, August 9-11, 2023.
(acceptance rate: 442/1444=29.2%)
PatchVerif: Discovering Faulty Patches in Robotic Vehicles [pdf] [slide] [demo videos] [talk] [github] Hyungsub Kim, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Dongyan Xu 32nd USENIX Security Symposium (USENIX 2023), Anaheim, California, USA, August 9-11, 2023.
(acceptance rate: 442/1444=29.2%)
PGPATCH: Policy-Guided Logic Bug Patching for Robotic Vehicles [pdf] [slide] [teaser video] [talk] [github] Hyungsub Kim, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Dongyan Xu 43rd IEEE Symposium on Security and Privacy (Oakland) (S&P 2022), San Francisco, California, USA, May 23-26, 2022.
(acceptance rate: 147/1012=14.5%)
M2MON: Building an MMIO-based Security Reference Monitor for Unmanned Vehicles [pdf] [slide] [talk] [github]
Arslan Khan, Hyungsub Kim, Byoungyoung Lee, Dongyan Xu, Antonio Bianchi, Dave (Jing) Tian 30th USENIX Security Symposium (USENIX 2021), Vancouver, British Columbia, Canada, August 11-13, 2021.
(acceptance rate: 246/1316=18.7%)
PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles [pdf] [slide] [talk] [github] Hyungsub Kim, Muslum Ozgur Ozmen, Antonio Bianchi, Z. Berkay Celik, Dongyan Xu 28th Network and Distributed System Security Symposium (NDSS 2021), San Diego, California, USA, February 21-24, 2021.
(acceptance rate: 87/573=15.2%)
Inferring Browser Activity and Status Through Remote Monitoring of Storage Usage [pdf] [slide] [web page] [passive attack video] [active attack video] Hyungsub Kim, Sangho Lee, and Jong Kim 32nd Annual Computer Security Applications Conference (ACSAC 2016), Los Angeles, California, USA, December 5-9, 2016.
(acceptance rate: 48/210=22.8%)
Identifying Cross-origin Resource Status Using Application Cache [pdf] [slide] [demo video]
Sangho Lee, Hyungsub Kim, and Jong Kim 22nd Network and Distributed System Security Symposium (NDSS 2015), San Diego, California, USA, February 8-11, 2015.
(acceptance rate: 50/302=16.6%)
Exploring and Mitigating Privacy Threats of HTML5 Geolocation API [pdf] [slide] [demo video] Hyungsub Kim, Sangho Lee, and Jong Kim 30th Annual Computer Security Applications Conference (ACSAC 2014), New Orleans, Louisiana, USA, December 8-12, 2014.
(acceptance rate: 47/236=19.9%)
Short Paper
Short: Rethinking Secure Pairing in Drone Swarms [pdf] [video]
Muslum Ozgur Ozmen, Habiba Farrukh, Hyungsub Kim, Antonio Bianchi, Z. Berkay Celik The Inaugural ISOC Symposium on Vehicle Security and Privacy (VehicleSec 2023), San Diego, California, USA, February 27, 2023.
Workshop/Demo/Poster Papers
Poster: A Multi-Agent Framework for Formal Specification of Robotic Vehicle Control Software
Chaoqi Zhang, Hyungsub Kim 3rd USENIX Symposium on Vehicle Security and Privacy (VehicleSec 2025), Seattle, WA, USA, August 11-12, 2025.
Demo: Discovering Faulty Patches in Robotic Vehicle Control Software [pdf] [demo video 1] [demo video 2] Hyungsub Kim, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Dongyan Xu The Inaugural ISOC Symposium on Vehicle Security and Privacy (VehicleSec 2023), San Diego, California, USA, February 27, 2023.
Demo: Policy-based Discovery and Patching of Logic Bugs in Robotic Vehicles [pdf] [demo video] [github] Hyungsub Kim, Muslum Ozgur Ozmen, Antonio Bianchi, Z. Berkay Celik, Dongyan Xu 4th International Workshop on Automotive and Autonomous Vehicle Security (AutoSec 2022), San Diego, California, USA, April 24, 2022.
Dissertation/Thesis
Defeating Cyber and Physical Attacks in Robotic Vehicles [pdf]
PhD dissertation, Department of Computer Science, Purdue University, 2023.
Privacy Threats in HTML5 Geolocation API: Case Studies and Countermeasures [pdf]
Master's Thesis, Department of Computer Science and Engineering, POSTECH, 2015.
Interdisciplinary Work
Community-based death preparation and education: A scoping review [pdf]
Sungwon Park, Hyungkyung Kim, Min Kyeong Jang, Hyungsub Kim, Rebecca Raszewski & Ardith Z. Doorenbos Death Studies, March 11, 2022.
Md Rayhanul Islam @University of Connecticut (Spring 2025)
Jewook Park @Georgia Tech (Spring 2025)
At Purdue University
PhD
Ruoyu Song (Fall 2021 - Spring 2024)
Master
Rwitam Bandyopadhyay (Fall 2022 - Spring 2023)
Undergraduate
Faaiz Masood Memon (Fall 2023 - Spring 2024)
Teaching
Lecturer
Cyber-Physical Systems Security (CSCI-B 649), Fall 2025 [syllabus]
Systems and Protocol Security and Information Assurance (CSCI-B 547 & INFO-I 533), Spring 2025 [syllabus]
Security for Networked Systems (CSCI-B 544 & INFO-I 520), Fall 2024 [syllabus]
Guest Lecturer
Topic: Defeating Logic bugs in Robotic Vehicles, Software Security (CS 490) Purdue University, West Lafayette, IN, USA, Fall 2023. [slide]
Topic: Static Analysis, Software Security (CS 490) Purdue University, West Lafayette, IN, USA, Fall 2022. [slide]
Topic: Program Analysis for IoT/CPS (Dynamic, Static Analysis, and Symbolic Execution), IoT/CPS Security (CS 590) Purdue University, West Lafayette, IN, USA, Spring 2022. [slide]
Teaching Assistant (TA)
TA, Project Development (CS180 and CS251), Purdue University, West Lafayette, IN, USA, Fall 2019.
TA, Software Design Methods (CSED332), POSTECH, Pohang, Republic of Korea, Fall 2014.
Talks
Defeating Cyber and Physical Attacks in Robotic Vehicles
Georgia Institute of Technology, Indiana University Bloomington, Purdue University,
University of Illinois at Urbana-Champaign, Washington University in St. Louis, University of Florida,
University of California, Santa Barbara, New Jersey Institute of Technology, CISPA Helmholtz Center for Information Security,
University of Maryland, Georgia State University, Arizona State University,
UNIST, Agency for Defense Development, Korea University,
POSTECH, KAIST, National Security Research Institute, Sejong University
PatchVerif: Discovering Faulty Patches in Robotic Vehicles [video]
32nd USENIX Security Symposium (USENIX security 2023), Anaheim, CA, USA, August 10, 2023.
Defeating Logic Bugs in Robotic Vehicles
POSTECH, Pohang, Korea, June 1, 2023.
UNIST, Ulsan, Korea, May 31, 2023.
Ohio State University, OH, USA, February 17, 2023 (link).
Purdue University, IN, USA, November 18, 2022 (preliminary examination).
New York University Abu Dhabi, UAE, November 10, 2022.
Logic Bug-Finding and Patching Tools
2nd Technology Innovation Institute (TII) Annual SSRC Research Partners Summit, Abu Dhabi, UAE, November 8, 2022.
PGPATCH: Policy-Guided Logic Bug Patching for Robotic Vehicles [video]
43rd IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, USA, May 25, 2022.
PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles [video]
28th Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, Feb 24, 2021.
Inferring Browser Activity and Status Through Remote Monitoring of Storage Usage
32nd Annual Computer Security Applications Conference (ACSAC), Los Angeles, CA, USA, Dec 8, 2016.
Exploring and Mitigating Privacy Threats of HTML5 Geolocation API
30th Annual Computer Security Applications Conference (ACSAC), New Orleans, LA, USA, Dec 11, 2014.
I Know the Shortened URLs You Clicked on Twitter: Inference Attack using Public Click Analytics and Twitter Metadata
Workshop among Asian Information Security Labs (WAIS), Shanghai, China, Jan 10, 2014.
Fellowships, Awards, and Honors
Distinguished Reviewer Award, ISOC Network and Distributed System Security Symposium (NDSS) 2025 (link).
Outstanding Reviewer Award, ISOC Symposium on Vehicle Security and Privacy (VehicleSec) 2024.
Noteworthy Reviewer, International Symposium on Research in Attacks, Intrusions and Defenses (RAID) 2023 (link).
European Symposium on Research in Computer Security (ESORICS) 2021
ACM ASIA Conference on Computer and Communications Security (ASIACCS) 2021, 2022
Dependable Systems and Networks (DSN) 2020
Security and Privacy in Communication Networks (SecureComm) 2020, 2023
Workshop on Automotive and Autonomous Vehicle Security (AutoSec) 2022
World Conference on Information Security Applications (WISA) 2014
Session Chair
"Electromagnetic Attacks" Session, Network and Distributed System Security Symposium (NDSS 2025)
"Side and Covert Channels" Session, IEEE/ACM Workshop on the Internet of Safe Things (SafeThings 2024)
"Firewall and IDS" Session, Symposium on Vehicle Security and Privacy (VehicleSec 2024)
"Autonomous Driving Security" Session, Symposium on Vehicle Security and Privacy (VehicleSec 2023)
"Robotic Vehicles Security" Session, Workshop on Automotive and Autonomous Vehicle Security (AutoSec 2022)
Volunteering participating in the international World Wide Web Conference 2014, April, 7-11, Seoul, Korea.
University Services
Services for College
Hosting the Cybersecurity Reading Group at the Luddy School from August 2024 to now, Indiana University, Bloomington, Indiana, USA.
Research presentation for incoming undergraduate researchers, Luddy Student Research Fair, August 27, 2024, Indiana University, Bloomington, Indiana, USA.
Services for Department
Graduate education committee, 2024-2025, Indiana University, Bloomington, Indiana, USA.
Master student admission committee, 2024-2025, Indiana University, Bloomington, Indiana, USA.
"Discovering Faulty Patches in Robotic Vehicles", Prospective PhD Visit Day Poster Session, March 23, 2023, Purdue University, West Lafayette, Indiana, USA.
Reported Vulnerabilities/bugs
115 bugs in ArduPilot and PX4, discoverd by PatchVerif, 2023. (link)
207 bugs in ArduPilot, PX4, and Paparazzi, discoverd by PGFuzz, 2021. (link)
The places I have visited: China (Beijing and Shanghai), Japan (Tokyo and Fukuoka), Canada (Vancouver), the U.S. (New Orleans, Orlando, Denver, Seattle, Los Angeles, Las Vegas, Kansas City, Chicago, Indianapolis, Bloomington, New York, Louisville, San Diego, San Francisco, Washington DC, Ann Arbor, Anaheim, Irvine, Atlanta, Urbana–Champaign, St. Louis, Gainesville, Santa Barbara, and Newark), UAE (Abu Dhabi), Germany (Saarbrücken)
(The cities in each country are listed in the order I visited)
The universities I have visited: China (Peking University, Tsinghua University, and Fudan University), Japan (Tokyo Institute of Technology), the U.S. (University of Washington, University of Chicago, University of Illinois Chicago, Indiana University, Georgetown University, University of Michigan, Georgia Institute of Technology, University of Illinois Urbana-Champaign, Washington University in St. Louis, University of Florida, UC Santa Barbara, and NJIT), UAE (New York University Abu Dhabi), Germany (Saarland University)
(The universities in each country are listed in the order I visited)
