Skip to content



Hi, my name is Qiang Liu, currently a Post.Doc. at EPFL. I obtained my Ph.D. at Zhejiang University (ZJU) in 2023. Before going to ZJU, I obtained my bachelor at Beijing Institute of Technology (BIT). My research focuses on system and software security. I have broad interests in attacks and defenses cover different areas, namely virtualization and operating systems. Besides research, I'm also interested in badminton, biking and road trips. Feel free to contact me via this long term email address:

CV Google Scholar GitHub Twitter


Our paper "ViDeZZo: Dependency-aware Virtual Device Fuzzing" got accepted at IEEESP 2023!

Glad to join the Program Committee within the ASE'22 Artifact Evaluation track!

Our Paper "ECMO: Peripheral Transplantation to Rehost Embedded Linux Kernels" got accepted at CCS'21!

Our Paper "FirmGuide: Boosting the Capability of Rehosting Embedded Linux Kernels through Model-Guided Kernel Execution" got accepted at @ASE_conf 2021! #ASE2021 @zhclhy @JMuhui @yajinzhou.


0x03 Hypervisor (Virtual Devices) Fuzzing

This project tries to discover vulnerabilities in virtual devices and fix them as early as possible. This has very much benefit for cloud providers and users. Relative research paper is ViDeZZo (1st author).

We open source the following projects.

  • ViDeZZo can fuzz QEMU/VirtualBox virtual devices in a scalable and efficient way. (Author and Maintainer)

  • ViDeZZo LLVM Project, forked from LLVM Project 13, contains the compiler/libFuzzer we use to compile QEMU/VirtualBox virtual devices. (Author and Maintainer)

  • buildroot-external-packages provides a template for your own userspace programs and kernel modules into a Buildroot kernel. I've been using this a lot to reproduce QEMU bugs. (Author and Maintainer)

0x02 Embedded System Rehosting

This project tries to rehost embedded Linux kernels for routers, cameras, and other high-end devices. Then, we can dynamically analyze bugs or vulnerabilities, detect bugs or vulnerabilities, make honey pots, detect and inspect malware. Relative research papers are FirmGuide (ASE'21, co-first-authors), and ECMO (CCS'21, 4th author).

We open source the following projects.

  • pyqemulog is the qemu-log ported to Python. It converts the structured trace generated by QEMU with -d to JSON. (Author and Maintainer)

  • llbic, which is short for LLVM Linux Build Issues Collection, helps compile old Linux kernels in LLVM bitcode. It replaces GCC to clang and adjusts other flags in the make command lines to generate bitcode files, and then links them all together to a vmlinux.bc. (Co-authors and Maintainer)

  • openwrt-build-docker supports automatically building the OpenWrt project given a target/subtarget of a specific OpenWrt revision from 10.03 to 19.07.1. (Co-author and Maintainer)

  • FirmGuide can help you to develop a QEMU virtual machine for a Linux-based embedded system, especially boosting the capability of dynamic analysis of the corresponding Linux kernel. In the emulator, you can debug, trace, and test the Linux kernel to collect runtime information that can be used to understand vulnerabilities, PoCs, root causes of crashes in the Linux kernel. FirmGuide is an effectively complementary to Firmadyne that focuses on user space programs - FirmGuide focuses on the Linux kernel. (Co-author and Maintainer)

  • ECMO receives a firmware image, and it can successfully re-host the Linux kernel inside the image to get the shell. Due to the variety of peripherals in embedded firmware images. It is rather hard to build a general emulator that supports all kinds of machines. The basic idea of ECMO is to transplant the peripherals by support ones into the target Linux kernel, hence solve the problem of peripheral variety. (Maintainer)

0x01 Android Authentication (Archived)

This project tries to evaluate existing and propose new implicit continuous authentication approaches. The implicit continuous authentication can be a second authentication factor for fingerprint and face identification. I joined this project as an intern and then proposed this project to be my final project for my Bachelor's degree. Relative research papers are RiskCog (TMC'20), ESPIALCOG (TMC'20)(5th author), One Cycle Attack (TIFS'20) (3rd author), and TRAPCOG (TMC'23) (3rd author).

0x00 Network Protocol Fuzzing (Archived)

This project tries to fuzz network protocols, especially router protocols. I joined this project as an intern and wrote several Peach Pits by 1) learning the grammar of Peach Pit, 2) understanding specific network protocols via their specifications, 3) collaborating with others to deploy our Peach Pits.