Computing’s Top 30: Zhihao “Zephyr” Yao

IEEE Computer Society Team
Published 08/14/2025

On a typical mobile device today, financial and medical apps are nestled up next to everything from karaoke playlists to time-killing games like Fruit Ninja.

How to secure data that matters in this diverse digital buffet is a challenge for many researchers. For Zhihao “Zephyr” Yao, it’s a challenge that fuels his life’s work and also led to an award-winning project.

That project—which earned ACM MobiSys 2023’s Best Artifact Award—demonstrated that making systems less complex can actually enhance mobile platform security. This approach physically isolates and partitions smartphone hardware components and couples this with a minimal operating system—the open source OctopOS—to achieve verifiable security guarantees.

Yao is an assistant professor of computer science at New Jersey Institute of Technology, where he directs the Redoubt System Security Lab. He is also one of Computing’s Top 30 Early Career Professionals for 2024. In the following Q&A, Yao describes:

  • Why open source projects—including his Best Artifact Award-winning one—are essential to hardware and software security now and moving forward
  • How poor industry priorities—including favoring features over system security—drive his determination to create solutions that positively impact people’s daily lives
  • The role and responsibilities of researchers in discovering security vulnerabilities and disclosing them to ensure prompt patching and more secure systems for users
  • How his own ability to prioritize helps to fuel his service to the field, which in turn generates new insights that he integrates into his research, teaching, and mentoring work

You earned the Best Artifact Award at ACM MobiSys 2023 for your project on securing the mobile platform. Can you share the key findings of this project and its potential impact on mobile security?

Our ACM MobiSys 2023 project developed a unique hardware and software solution to minimize the Trusted Computing Base (TCB) on smartphone platforms, namely the Split-Trust hardware design and the OctopOS that manages the hardware. Our work demonstrated that reducing hardware and software complexity substantially enhances the security of mobile platforms. This is achieved by physically isolating and statically partitioning smartphone hardware components, creating an isolated execution domain at the hardware level for security- or privacy-sensitive apps and services. The hardware-level isolation, paired with a minimal operating system that we built (OctopOS), achieves security guarantees that can be formally verified.

Our work is open source, and its potential impact is significant: We have demonstrated that our Split-Trust hardware design provides strong security guarantees to security-critical mobile applications, such as medical and financial apps, through exclusively used, physically isolated, statically partitioned hardware domains. Such strong security guarantees are becoming increasingly necessary in the digitalized society, where the security of these mobile applications directly influences users’ well-being and safety.

The ACM MobiSys 2023 paper acceptance rate was 21% (41 out of 198), and among the accepted papers, only four papers (including our work) received all four Artifact Evaluation badges—Artifacts available, Artifacts evaluated functional, Artifacts evaluated reusable, Results replicated—and only our work received the Best Artifact Award.

You have more than 12 published papers and two awarded patents. What drives your passion for research and innovation, and how do you stay motivated to continuously contribute to the field of computer science?

I am very interested in solving real-world computer system security problems and passionate about creating practical digital solutions that improve people’s daily lives. Too often, new digital technologies prioritize features over security and treat security as an afterthought. This gap drives my curiosity and pushes me to design and implement system security solutions.

Specifically, my research passion is to improve mobile system security with novel hardware design, formal verification, and programming analysis. Mobile systems have become an integral part of daily life, and mobile-based healthcare, finance, and personal assistant features bring new requirements and challenges in cybersecurity. My work aims to build verifiable systems for people to confidently use and benefit from. This goal is keeping me motivated. I also draw energy from working with incredible colleagues at the Ying Wu College of Computing at New Jersey Institute of Technology, a hub for collaboration and innovation in computer science research.

You have reviewed more than 42 papers and organized five international conferences. How do you balance your responsibilities as a reviewer and organizer with your research and teaching commitments?

Balancing academic service, research, and teaching requires me to manage time wisely and set clear priorities. Peer-reviewing and conference organizing refresh my mind by connecting me to the new ideas, methodologies, and trends in the field. I believe academic service, research, teaching, and mentoring mutually benefit one another.

I integrate these insights into my teaching and mentorship and actively encourage my students to participate in academic opportunities. For example, my PhD students have received ACM MobiSys 2024’s HotMobile 2024 Student Travel Grant and served as volunteers at these venues.

You have responsibly disclosed 55 vulnerabilities, including two Common Vulnerabilities and Exposures (CVEs). Can you discuss the importance of responsible disclosure in cybersecurity and share an example of a significant vulnerability you discovered?

Cybersecurity is a collective effort, and researchers play an important role in discovering vulnerabilities through research, and they have a responsibility to disclose them to the software developers. Responsible disclosure ensures that the vulnerabilities identified through research are promptly patched—ultimately making computer systems more secure for everyone.

One of the most severe vulnerabilities I identified (CVE-2019-10547) was a memory management flaw affecting many Android smartphone, wearable, and Internet of Things devices using certain chipsets. Our disclosure enabled Qualcomm and Google to produce timely patches, protecting millions of users. This is an example of how responsible disclosure strengthens trust, transparency, and collaboration in cybersecurity.

Receiving awards and support from organizations such as Android, Qualcomm, AMD, and OpenAI is a significant achievement. How have these recognitions and supports influenced your research and career?

These supports and recognitions from industry leaders validate the impact and relevance of our research. Specifically, Google and Qualcomm have acknowledged our findings through their security bug award programs. Generous resource support from AMD and OpenAI has enabled us to explore ambitious and novel research directions that require costly hardware or computing resources. With this backing, our group is well-positioned to carry out new research in mobile system security.

As a mentor to five doctoral students, how do you approach mentorship, and what do you find most rewarding about guiding the next generation of researchers?

I approach doctoral student mentorship as a collaborative partnership, guiding students to discover their unique strengths and research interests. In particular, I foster a supportive environment built on open communication. I encourage my doctoral students to freely stop by my office to discuss and develop their research ideas, even when my calendar is busy. Above all, I encourage creative and independent thinking, which I believe is necessary for their academic and professional growth.

Since I joined NJIT, my most senior doctoral student has passed the PhD qualifying exam and had his research findings under peer-review at top-tier cybersecurity conferences. It is deeply rewarding to see students grow professionally, improve their problem-solving skills, and confidently present their research findings.


You advocate for open science and have developed over eight open-source projects. Can you discuss the importance of open science in your field and highlight one of your notable open-source projects?

Open science provides the foundation for scientific progress by promoting transparency, reproducibility, and the opportunity to stand on the shoulders of giants. This is especially important in computer science, where openly accessible software and research artifacts have significantly accelerated innovation and digital transformation.

A notable open-source project is the research artifact of my ACM MobiSys 2023 work (the Split-Trust hardware design and its operating system, OctopOS), which won the Best Artifact Award.

Reflecting on your career journey—from your education at the University of California, Irvine, to your current role at the New Jersey Institute of Technology—what are key lessons you have learned, and how have they shaped your approach to research and innovation?

One of the biggest lessons I’ve learned along my journey is the importance of lifelong learning. Technology, especially in the field of computer science, moves rapidly, so staying curious and continuously picking up new skills is a must for any educator or researcher. I regularly learn new developments in the field from going to academic conferences, reading and peer-reviewing papers, talking to my students, and even judging pre-college science fairs.

For example, I was particularly curious about the recent advances in large language models; working with my doctoral student and colleague at NJIT, we conducted a rigorous study examining the quality of code generated by LLMs. Keeping an open mind and always seeking new knowledge is something I deeply value at my alma mater, UC Irvine, and it is a mindset I continue to practice every day in my current role at NJIT.


As an assistant professor and director of the Redoubt System Security Lab, what is the focus of your current research, and what do you hope to achieve in the next few years?

My current research is focused on two primary areas.

Strengthening trust and security in mobile systems. In our increasingly digitized society, ensuring the security of mobile systems has become critical, especially as smartphone owners often run security-critical financial applications and life-critical medical applications alongside untrusted programs. Our research focuses on creating novel solutions to strengthen trust in these devices, particularly in scenarios where security and privacy are challenged by the increasingly complex software stack and the integration of artificial intelligence. By minimizing the Trusted Computing Base (TCB), designing trusted execution environments, and developing hardware-based isolation techniques, we aim to provide robust safeguards against privacy leakage, unauthorized access and service disruption, while maintaining performance and usability. These efforts enable secure and reliable mobile systems that support a range of novel applications, from verifying video authenticity to ensuring the reliability of high-assurance medical systems.

Enhancing privacy and security in large language model interactions. As LLMs become more integrated into online experiences, the privacy and security implications of their use are increasingly concerning. Our research aims to address these challenges by developing methods to protect user privacy and enhance the security of LLM interactions. We focus on mitigating privacy risks by sanitizing sensitive user data before it reaches LLM services and examining the security flaws in LLM-generated code. Additionally, we explore the security implications of the emerging WebGPU interface, which is increasingly used in conjunction with LLMs to accelerate performance in a web browser. Our goal is to make the interactions with LLMs more secure for everyday users.

Bio: Zhihao “Zephyr” Yao


Zhihao “Zephyr” Yao is an assistant professor of computer science at the New Jersey Institute of Technology, where he directs the Redoubt System Security Lab. Yao received his BS with honor and his MS and PhD in computer science, all from the University of California, Irvine, and joined the New Jersey Institute of Technology in 2023. His research areas are at the intersection of operating systems, system security, and mobile computing, with a strong focus on building practical, secure system solutions to solve real-world challenges in mobile and cloud computing. He has published scholarly papers in leading conferences and journals, including ACM MobiSys, MobiCom, ACM CCS, ASPLOS, USENIX Security, and Applied Energy. His work published at ACM MobiSys 2023 was recognized with the Best Artifact Award.

Dig Deeper


To learn more about Yao’s work and research,

Over the next few months, Tech News will highlight different Top 30 honorees each week. For a full list, see Computing’s Top 30 Early Career Professionals for 2024.
To read more about how IEEE Computer Society supports our world and its innovative thinkers through funding, education, and activities, check out its other contributions to the computing community.