Network and System Security Laboratory,
School of Computer Science and Technology,
University of Science and Technology of China

(Updated:2020-07-06)  曾凡平的中文主页

Fanping Zeng (曾凡平)

I am an Associate Professor and Master's Supervisor of the School of Computer Science and Technology, University of Science and Technology of China. I graduated from Harbin Institute of Technology with a bachelor's degree and obtained my doctor's degree from the University of Science and Technology of China in 2009.

Since 2001, facing the major needs of national high technology, I have mainly engaged in the research of software analysis, software testing, network and system security. As the project leader or main technical backbone, I have participated in and completed more than 10 national level scientific research projects, including the National Natural Science Foundation, the National 863 Program and the National Key Research and Development Program of China.

My research interests include software testing, network and system security. Recently, I mainly focus on the Internet of things, study the collaborative optimization of edge and end resources, security analysis, security testing and evaluation.

At present, I have participated in a National Key Research and Development Program of China as sub project leader, participated in a National Natural Science Foundation project as the second applicant, and participated in a National Key Research and Development Program of China.

Associate Professor
CCF Senior Member,
ACM Member



Fanping Zeng's Teaching.

  • Spring 2020, Undergraduate: Introduction to information security

  • Fall 2019, Graduate: Network security

  • Spring 2019, Undergraduate: Introduction to information security

  • Fall 2018, Graduate: Network security

  • Spring 2018, Undergraduate: Computer network

  Main papers since 2015

  • Mingsong Zhou, Fanping Zeng, Yu Zhang, Chengcheng Lv, Zhao Chen, Guozhu Chen. Automatic Generation of Capability Leaks’ Exploits for Android Applications. 2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW). ICSTW 2019 (April 22-27, 2019, Xian, Shaanxi, China), 291-295.

AbstractThe capability leak of Android applications is one kind of serious vulnerability. It causes other apps to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically generate capability leaks’ exploits of Android applications with path-sensitive symbolic execution-based static analysis and test. It can aid in reducing false positives of vulnerability analysis and help engineers find bugs. We utilize control flow graph (CFG) reduction and call graph (CG) search optimization to optimize symbolic execution, which make our tool applicable for practical apps. By applying our tool to 439 popular applications of the Wandoujia (a famous app market in China) in 2017, we found 2239 capability leaks of 16 kinds of permissions. And the average analysis time was 4 minutes per app. A demo video can be found at the website

Full Paper:  2019-04-ICSTW2019.pdf 

  • Chengcheng Lv, Long Zhang, Fanping Zeng, Jian Zhang. Adaptive Random Testing for XSS Vulnerability. The 26th Asia-Pacific Software Engineering Conference. APSEC 2019 (Dec 2-5, 2019, Putrajaya, Malaysia), 63-69.

Abstract—XSS is one of the common vulnerabilities in web applications. Many black-box testing tools may collect a large number of payloads and traverse them to find a payload that can be successfully injected, but they are not very efficient. Previous research has paid less attention to how to improve the efficiency of black-box testing to detect XSS vulnerability. To improve the efficiency of testing, we develop an XSS testing tool. It collects 6128 payloads and uses a headless browser to detect XSS vulnerability. The tool can discover XSS vulnerability quickly with adaptive random testing method. We conduct an experiment using 3 extensively adopted open source vulnerable benchmarks and 2 actual websites to evaluate the adaptive random testing method. The experimental results indicate that the adaptive random testing method can effectively improve the fuzzing method by more than 27.1% in reducing the number of attempts before accomplishing a successful injection.

Full Paper: 2019-12-Adaptive Random Testing for XSS Vulnerability.pdf  

  • Mingsong Zhou, Fanping Zeng, Zhao Chen. Capability Leakage Detection Between Android Applications Based on Dynamic Feedback. The 25th International Conference on Parallel and Distributed Systems. ICPADS 2019 (December 4-6, 2019, Tianjin, China), 943-948.

Abstract—The capability leakage of Android applications is one kind of serious vulnerabilities. It can cause other applications to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically detect and confirm capability leakages of Android applications with dynamic-feedback testing. The tool utilizes context-sensitive, flow-sensitive inter-procedural data flow analysis to find key variables and instrumentation points, then it tests the application continuously by test cases generated from test log. We have made experiments on 607 most popular applications of Wandoujia in 2017, and found a total of 6,070 in 16 kinds of capability leakages. Compared with the famous IntentFuzzer, our tool is 19.38% better on the average ability to detect permission capability leakage.

Full Paper:  2019-12-CapabilityLeakageDetection.pdf

  • Zhao Chen, Fanping Zeng, Tingting Lu, Wenjuan Shu. Multi-platform Application Interaction Extraction for IoT Devices. The 25th International Conference on Parallel and Distributed Systems. ICPADSW 2019 (December 4-6, 2019, Tianjin, China), 990-995.

Abstract—IoT devices used in smart home have become a fundamental part of modern society. Such devices enable our living space to be more convenient. This enables human interaction with physical environment, also happens between two applications or others third-party rules in addition, and causes some unexpected automation, even causes safety concerns. What’s worse is that attackers can leverage stealthy physical interactions to launch attacks against IoT systems or steal user privacy. In this paper, we propose a tool called IoTIE that discovers any possible physical interactions and extract all potential interactions across applications and rules in the IoT environment. And we present a comprehensive system evaluation on the Samsung SmartThings and IFTTT platform. We study 187 official SmartThings applications and 98 IFTTT rules, and find they can form 231 hidden inter-app interactions through physical environments. In particular, our experiment reveals that 74 interactions are highly risky and could be potentially exploited to impact the security and safety of the IoT environment. Index Terms—IoT, multi-platform, application analysis and interaction extraction

Full Paper:  2019-12-Multi-platformApplicationInteractionExtractionforIoTDevices.pdf

  • Niannian Xie, Fanping Zeng, Xiaoxia Qin, Yu Zhang, Mingsong Zhou and Chengcheng Lv. RepassDroid: Automatic Detection of Android Malware Based on Essential Permissions and Semantic Features of Sensitive APIs. The 12th International Symposium on Theoretical Aspects of Software Engineering. TASE 2018 (August 29-31, 2018, Guangzhou, Guangdong, China), 52-59.

Abstract—Most current literature on Android malware pays particular attention to the features of applications. Much of them focus on permissions or APIs, neglecting the behavioral semantics of applications, and the literature considering behavioral semantics is often expensive and weak in extendibility. In this paper, we introduce RepassDroid – a relatively coarse-grained but faster tool for automatic Android malware detection. We define Generalized-sensitive API and emphasize on considering if the trigger points of generalized sensitive APIs are UI-related or not. It analyzes the application by abstracting the generalized sensitive API with its trigger point as the semantic feature, with the addition of Really essential Permission as the syntax feature. Then it utilizes machine learning to automatically determine whether an application is benign or malicious. We evaluate RepassDroid on 24288 samples in total, 20000 for training and 4288 for test. With the comparative experiments, we find that Random Forest is the optimal classification technique for our feature set, achieving 97.7% accuracy and 0.99 AUC, along with a malware classification precision as high as 99.3%. Our evaluation results confirm that our approach and the feature set are logical and effective for Android malware detection.

Full Paper:  2018-08-RepassDroid-TASE2018.pdf 

  • Xingqiu Zhong, Fanping Zeng, Zhichao Cheng, Niannian Xie, Xiaoxia Qin, Shuli Guo. Privilege Escalation Detecting in Android Applications[C]. The 3rd International Conference on Big Data Computing and Communications. BigCom2017 (August 10th-11th, 2017, Chengdu, Sichuan, China).

Abstract—As the most popular mobile operating system, there are large amount of applications developed for  Android. Considering security issues, developers are forced to declare relative permissions in manifest file when they need to use sensitive APIs. With the ability of inter-component communication (ICC) provided by Android, malicious applications can indirectly call sensitive APIs through components exposed by other applications, leading to privilege escalation. To address this problem, we propose a method to detect this kind of privilege escalation between two applications. First, we compare the permission sets of both applications. Then, if necessary we identify call links between two applications and perform inter-application control flow analysis. Finally, according to the result of control flow analysis, we can judge whether the privilege escalation exists. As the experiment result shows, our
method can accurately detect privilege escalation between two applications.

  • Zhichao Cheng, Fanping Zeng, Xingqiu Zhong, Mingsong Zhou, Chengcheng Lv, Shuli Guo. Resolving Reflection Methods in Android Applications [C]. 2017 IEEE International Conference on Intelligence and Security Informatics. IEEEISI2017 (July 22-24, 2017, Beijing, China).

Abstract—Although reflection methods in Android can facilitate developing applications, they will block control flow and data flow in static analysis, making its precision decreased. To solve this problem, we trigger applications to execute reflection methods and record its reflection targets at runtime. Reflection targets may be a method invocation, field setting or instantiating of some classes. Considering many static analysis’ input is apk file, we further transform reflection methods in apk into explicit method invocation, field setting and class initiating according to the recorded reflection targets. Our experiment result shows that, based on our method, some static analysis can perform better on these transformed apk and produce more precise results.



  • 吕成成, 张龙, 邓茜, 曾凡平, 严俊,张健. 针对 WEB 应用程序搜索功能的组合测试[J], 计算机科学与探索, 2019, 13(11): 1839-1851.

摘要为了方便用户查询感兴趣的资源,许多 WEB 应用程序会提供搜索功能。如果搜索功能存在故障,将会导致 WEB 应用程序的功能异常,甚至会引发安全问题,因而需要对其进行充分地测试。可以使用组合测试的方法生成测试用例测试 WEB 应用程序的搜索功能,其中每一个测试用例是由特殊字符组成的字符串。对于引起系统错误的测试用例,使用组合测试错误定位的方法找到系统错误是由哪些字符组合引起的。使用该方法对学校、政府和事业单位的 96 个网站进行了测试,发现其中 23 个网站在搜索某些特殊字符组合时,会引起服务器错误响应。错误定位结果表明,56%的服务器错误响应是由”%”、”<”、”’”、”\”和其他字符的组合引起的。

Full Paper: 2019-11-JournalOfFrontiersOfComputerScienceAndTechnology.pdf

  • 谢念念, 曾凡平, 周明松, 秦晓霞, 吕成成, 陈钊. 多维敏感特征的Android恶意应用检测[J], 计算机科学, 2019, 46(2): 95-101.


  • 陈钊, 曾凡平, 陈国柱, 张燕咏, 李向阳. 物联网安全测评技术综述[J], 信息安全学报, 2019, 4(3): 2-16.


Full Paper: 2019-05-JournalofCyberSecurity.pdf

  • 彭凌, 曾凡平, 严俊, 汤杨. 一种有效的Android应用隐式权限提取方法[J], 小型微型计算机系统, 2016, 37(3): 515-519.

[摘要] 隐式权限在Android应用开发中有大量的应用。针对隐式权限审核与资源关联的特性,本文提出一种基于程序静态分析与过程内数据流分析技术的隐式权限检测方法。该方法首先根据函数调用在引发权限审核的过程中是否与系统资源关联分类为显式和隐式;然后借助过程内数据流分析技术对隐式调用提取参数值,构建包含资源信息的完整函数调用;最后与事先收集的权限-函数映射关系比对后得到权限信息。实验结果表明,方法可以有效地检测程序中的隐式权限,漏误报数目少,在性能上相比同类型工具有极大的提升。此外,本文收集的隐式权限-资源映射关系相比其他相关工作更完整,将其与开源的显式权限映射表结合,本文实现了权限自动提取工具UpsetEx。

[Abstract] Implicit permissions are often used in Android application development. Concerning the feature of implicit permissions associated with the target resources, this paper proposes a novel implicit permission detecting method based on static analysis and procedural data flow analysis technique. Firstly, the function calls are classified to explicit or implicit according to whether the permission approval process is related to the system resource. Then, the resource parameter’s value of implicit function calls is obtained by procedural data flow analysis, and a complete function calls are built. Finally, the permissions are found by comparing the function calls with a pre-requisite permission specification. The experimental results show that our method can effectively detect implicit permissions with relatively few false positive and false negative, much better than similar analysis tools. What’s more, the implicit permission specification that we have collected is more complete than other related works did. Combined with an open source explicit permission specification, we have developed the automated permission extraction tool UpsetEx.

  • 朱正欣, 曾凡平, 黄心依. 动态符号化污点分析研究及实现[J], 计算机科学, 2016, 43(2): 155-158, 187.

[摘要] 动态污点分析技术常用于跟踪二进制程序的信息流及检测安全漏洞,通过程序的动态执行来检测出程序中由测试用例触发的漏洞.它的误报率很低,但是漏报率较高,效率较低.针对动态污点分析的这一问题,动态符号化污点分析方法对污点分析进行了改进,通过将污点分析符号化来降低漏报率及提高效率.根据基于指令的污点传播来获得相关污点数据的信息,同时制定符号化的风险分析规则,通过检测污点信息是否违反风险规则来发现存在的风险.实验结果表明,该方法不仅具有污点分析低误报率的优点,而且克服了污点分析高漏报率的缺点.在污点分析过程中产生的漏洞、风险及相关污点信息还可用于指导测试用例的生成,提高测试效率以及降低测试用例的冗余.

  • 王建敏, 曾凡平, 王健康. 用优化的正则表达式引擎进行快速网络流分类[J], 小型微型计算机系统, 2015, 36(12): 2690-2695.

[摘要] 依赖于正则表达式匹配的深度包检测技术因准确率高成为网络流分类广泛使用的技术.为了能在线性时间内对网络流进行快速分类,需采用时间高效的确定性有限自动机(DFA)匹配引擎,但DFA存在空间爆炸问题,无法满足实际需求.为了解决这个问题,本文从DFA中每个状态在不同的输入字符转换下到达的目的状态特性出发,提出了一种基于默认目的状态和位图技术的DFA压缩算法(对应的自动机模型称为DBDFA),该算法能够将有着相同目的状态的多条转移边压缩为只需一个默认目的状态或只需一个时空高效的位图.实验表明,DBDFA能达到平均99%的压缩效率,优于目前大多数的DFA压缩技术,且压缩后的总体匹配效率是原有DFA的3~5倍,这是目前大部分的压缩技术所不能达到的。