Skip to content


I am seeking a Tenure-Track Assistant Professor position and am also open to working in industry. If you have job opportunities, please feel free to contact me.

I am always thinking outside the box when it comes to cybersecurity's cat-and-mouse game. It started with Capture the Flag (CTF) cybersecurity competition, where I learned to break systems, e.g., reverse engineering binaries and developing exploits, and be a team player. Over the years, collaborating with my colleagues, we have developed new approaches to protect systems from attacks. Specifically, we have proposed advanced fuzz testing techniques to unveil vulnerabilities in OS kernels and hypervisors before this infrastructure software is released. I am interested in the infrastructure software, such as OS kernels and hypervisors, because they are used everywhere to establish security trust for the upper layers. These systems must be flawless, as any error could significantly impact not only individuals but also organizations. Their reliability is crucial for ensuring the smooth functioning of both personal and professional activities in daily life. All in all, my research focuses on making infrastructure software, such as OS kernels and hypervisors, protocols and browsers as well, bug and exploitation-free through innovative designs in both hardware and software.

Hi, I am Qiang Liu, currently a postdoc at EPFL under the guidance of Prof. Mathias Payer. I obtained my Ph.D. in cybersecurity at Zhejiang University (ZJU) in 2023, advised by Prof. Yajin Zhou. Prior to ZJU, I earned my bachelor's degree at Beijing Institute of Technology (BIT) in 2018. We have published a few papers at top-tier security conferences like IEEE S&P, Usenix Security, and CCS. To engage the community, we always open-source our tools and evaluation scripts.

Along the way of research, I've also gotten better at managing multiple projects smoothly, communicating with people well, and making the team deliver results.

We're open to discussing and collaborating on any of the following active projects. Feel free to reach out via this long-term email address:

CV Google Scholar GitHub Twitter LinkedIn

Projects and Publications

Hypervisor Fuzzing

This project tries to discover vulnerabilities in both open-source and closed-source hypervisors, covering virtual devices, VM management, and CPU emulation, and to fix them as early as possible. Relative research papers are ViDeZZo (1st author) and HyperPill (2nd author).

We open source the following projects.

  • ViDeZZo can fuzz QEMU/VirtualBox virtual devices in a scalable and efficient way. (Author and Maintainer)

  • ViDeZZo LLVM Project, forked from LLVM Project 13, contains the compiler/libFuzzer we use to compile QEMU/VirtualBox virtual devices. (Author and Maintainer)

  • buildroot-external-packages provides a template for your own userspace programs and kernel modules into a Buildroot kernel. I've been using this a lot to reproduce QEMU bugs. (Author and Maintainer)

Network Protocol Fuzzing

This project tries to fuzz network protocols, especially router protocols. I joined this project as an intern and wrote several Peach Pits by 1) learning the grammar of Peach Pit, 2) understanding specific network protocols via their specifications, 3) collaborating with others to deploy our Peach Pits.

Embedded System Rehosting (Archived)

This project rehosts embedded Linux kernels for routers, cameras, and other high-end devices with QEMU. Then, we can dynamically analyze rootkits or vulnerabilities in the embedded Linux kernels and create honeypots at scale. Relative research papers are FirmGuide (ASE'21, co-first-authors), and ECMO (CCS'21, 4th author).

We open source the following projects.

  • pyqemulog is the qemu-log ported to Python. It converts the structured trace generated by QEMU with -d to JSON. (Author and Maintainer)

  • llbic, which is short for LLVM Linux Build Issues Collection, helps compile old Linux kernels in LLVM bitcode. It replaces GCC to clang and adjusts other flags in the make command lines to generate bitcode files, and then links them all together to a vmlinux.bc. (Co-authors and Maintainer)

  • openwrt-build-docker supports automatically building the OpenWrt project given a target/subtarget of a specific OpenWrt revision from 10.03 to 19.07.1. (Co-author and Maintainer)

  • FirmGuide can help you to develop a QEMU virtual machine for a Linux-based embedded system, especially boosting the capability of dynamic analysis of the corresponding Linux kernel. In the emulator, you can debug, trace, and test the Linux kernel to collect runtime information that can be used to understand vulnerabilities, PoCs, root causes of crashes in the Linux kernel. FirmGuide is an effectively complementary to Firmadyne that focuses on user space programs - FirmGuide focuses on the Linux kernel. (Co-author and Maintainer)

  • ECMO receives a firmware image, and it can successfully re-host the Linux kernel inside the image to get the shell. Due to the variety of peripherals in embedded firmware images. It is rather hard to build a general emulator that supports all kinds of machines. The basic idea of ECMO is to transplant the peripherals by support ones into the target Linux kernel, hence solve the problem of peripheral variety.

Android Authentication (Archived)

This project evaluates existing and proposes new implicit continuous authentication approaches to serve as a second authentication factor longside fingerprint and facial identification. I joined this project as an intern and then proposed this project to be my final project for my Bachelor's degree. Relative research papers are RiskCog (TMC'20), ESPIALCOG (TMC'20)(5th author), One Cycle Attack (TIFS'20) (3rd author), and TRAPCOG (TMC'23) (3rd author).