
I'm Paul Chung 👋
I am a Computer Science undergraduate at the University of Wisconsin - Madison and a strong enthusiast for security and privacy. I am honored to be working with Professors Rahul Chatterjee and Kassem Fawaz to deliver safe and secure systems.
I am actively seeking CS Ph.D. positions starting Fall 2024.
You can reach out to me (at) pywc.dev.
Education
- University of Wisconsin - Madison · B.S. in Computer Science · 2020 - Present
- STEM High School Degree · 2017 - 2020
Positions
- Research Assistant · UW-Madison MadS&P · Fall 2021 - Present
- UW-Madison WI-PI · Spring 2022 - Present
- Carnegie Mellon CyLab · Summer 2022
- MetaCTF · Summer 2023 - Present
- Cybersecurity UW Club · Fall 2020 - Present
- UW-Madison CSOC · Fall 2020 - Present
Recent Projects
2023
- PriBOT: Automated Privacy-Practice-Answering Chatbot · Trained a privacy-practices-answering Llama 2 chatbot.
- Shawshank Breakout: Analysis of Worldwide Censorship Mechanisms · Formulated a pipeline to analyze censorship tactics worldwide.
- Automatic Selection and Analysis of Google Data Safety Cards · Mapped privacy policies to Data Safety Cards and trained a DistilBERT model on the mapping.
- Mitigating CVE-2023-2033 at a Programming Language Level · Simulated type confusion to compare C++ and Rust in terms of security.
2022
- Engineering Privacy in iOS App Groups · Implemented the app groups threat model with Xcode.
- picoCTF: Introducing Adversarial Machine Learning to CTFs · Developed 10 regression- and CNN-based challenges.
- CookieEnforcer: Automated Cookie Notice Analysis and Enforcement · Designed the front-end UX based on the user study results.
- Araña: Characterizing Password Guessing Attacks in Practice · Analyzed real-world credential stuffing attacks and the attack tools.
2019
- Exploiting CVE-2019-0708 on Embedded Systems · Presented a threat model for compromising traditional ATM machines.
Abstract
Google has mandated developers to use Data Safety Sections (DSS) to increase transparency in data collection and sharing practices. In this paper, we present a comprehensive analysis of Google's DSS using both quantitative and qualitative methods. We conduct the first large-scale measurement study of DSS using apps from the Android Play Store (n=1.1M). We find that there are internal inconsistencies within the reported practices. We also find trends of both over- and under-reporting of practices in the DSSs. Finally, we conduct a longitudinal study of DSS to explore how the reported practices evolve over time, and find that developers are still adjusting their practices. To contextualize these findings, we conduct a developer study, uncovering the process that app developers undergo when working with DSS. We highlight the challenges faced and strategies employed by developers for DSS submission, and the factors contributing to changes in the DSS. Our research contributes valuable insights into the complexities of implementing and maintaining privacy labels, underlining the need for better resources, tools, and guidelines to aid developers. This understanding is crucial because the accuracy and reliability of privacy labels directly impact their effectiveness.
Abstract
The increasing concern for privacy protection in mobile apps has prompted the development of tools such as privacy labels to assist users in understanding the privacy practices of applications. Both Google and Apple have mandated developers to use privacy labels to increase transparency in data collection and sharing practices. These privacy labels provide detailed information about apps' data practices, including the types of data collected and the purposes associated with each data type. This offers a unique opportunity to understand apps' data practices at scale. In this study, we conduct a large-scale measurement study of privacy labels using apps from the Android Play Store (n=2.4M) and the Apple App Store (n=1.38M). We establish a common mapping between iOS and Android labels, enabling a direct comparison of disclosed practices and data types between the two platforms. By studying over 100K apps, we identify discrepancies and inconsistencies in self-reported privacy practices across platforms. Our findings reveal that at least 60% of all apps have different practices on the two platforms. Additionally, we explore factors contributing to these discrepancies and provide valuable insights for developers, users, and policymakers. Our analysis suggests that while privacy labels have the potential to provide useful information concisely, in their current state, it is not clear whether the information provided is accurate. Without robust consistency checks by the distribution platforms, privacy labels may not be as effective and can even create a false sense of security for users. Our study highlights the need for further research and improved mechanisms to ensure the accuracy and consistency of privacy labels.
Abstract
Remote password guessing attacks remain one of the largest sources of account compromise. Understanding and characterizing attacker strategies is critical to improving security but doing so has been challenging thus far due to the sensitivity of login services and the lack of ground truth labels for benign and malicious login requests. We perform an in-depth measurement study of guessing attacks targeting two large universities. Using a rich dataset of more than 34 million login requests to the two universities as well as thousands of compromise reports, we were able to develop a new analysis pipeline to identify 29 attack clusters—many of which involved compromises not previously known to security engineers. Our analysis provides the richest investigation to date of password guessing attacks as seen from login services. We believe our tooling will be useful in future efforts to develop real-time detection of attack campaigns, and our characterization of attack campaigns can help more broadly guide mitigation design.
Abstract
This study examines the ARP spoofing and RDP BlueKeep vulnerabilities on embedded systems and identifies the possible implications of such vulnerabilities by performing penetration testing on virtualized embedded machines. Furthermore, this study shows that administrative privileges can be easily seized through the RDP BlueKeep vulnerability, and that all packets carrying communication data of various protocols can be leaked through ARP spoofing. The result of this study presents solutions for these vulnerabilities.