
I'm Paul Chung 👋
I am a Computer Science undergraduate at the University of Wisconsin - Madison and a strong enthusiast for security and privacy. I am honored to be working with Professors Rahul Chatterjee and Kassem Fawaz to deliver safe and secure systems.
I am actively seeking CS Ph.D. positions starting Fall 2024.
You can reach out to
me (at) pywc.dev.
Education
University of Wisconsin - Madison- B.S. in Computer Science · 2020 - Present
- STEM High School Degree · 2017 - 2020
Positions
Research Assistant- UW-Madison MadS&P · Fall 2021 - Present
- UW-Madison WI-PI · Spring 2022 - Present
- Carnegie Mellon CyLab · Summer 2022
- Cybersecurity UW Club · Fall 2020 - Present
- UW-Madison CSOC · Fall 2020 - Present
Recent Projects
2023
- Shawshank Intel: A Heuristic-based Analysis of Censorship Mechanisms Formulated a pipeline to analyze censorship tactics worldwide.
- Automatic Selection and Analysis of Google Data Safety Cards Mapped and trained Privacy Policies to Data Safety Cards with DistilBERT.
- Mitigating CVE-2023-2033 at a Programming Language Level Simulated Type Confusion to compare C++ and Rust in terms of security.
2022
- Engineering Privacy in iOS App Groups Implemented the app groups threat model with Xcode.
- picoCTF: Introducing Adversarial Machine Learning to CTFs Developed 10 Regression and CNN-based challenges.
- CookieEnforcer: Automated Cookie Notice Analysis and Enforcement Designed the front-end UX based on the user study results.
- Araña: Characterizing Password Guessing Attacks in Practice Analyzed real-world credential stuffing attacks and the attack tools.
2019
- Exploiting CVE-2019-0708 on Embedded Systems Presented a threat model for compromising traditional ATM machines.
Abstract
Privacy nutrition labels provide a way to understand an app's key data practices without reading the long and hard-to-read privacy policies. Recently, the app distribution platforms for iOS(Apple) and Android(Google) have implemented mandates requiring app developers to fill privacy nutrition labels highlighting their privacy practices such as data collection, data sharing, and security practices. These privacy labels contain very fine-grained information about the apps' data practices such as the data types and purposes associated with each data type. This provides us with a unique vantage point from which we can understand apps' data practices at scale.
Abstract
Remote password guessing attacks remain one of the largest sources of account compromise. Understanding and characterizing attacker strategies is critical to improving security but doing so has been challenging thus far due to the sensitivity of login services and the lack of ground truth labels for benign and malicious login requests. We perform an in-depth measurement study of guessing attacks targeting two large universities. Using a rich dataset of more than 34 million login requests to the two universities as well as thousands of compromise reports, we were able to develop a new analysis pipeline to identify 29 attack clusters—many of which involved compromises not previously known to security engineers. Our analysis provides the richest investigation to date of password guessing attacks as seen from login services. We believe our tooling will be useful in future efforts to develop real-time detection of attack campaigns, and our characterization of attack campaigns can help more broadly guide mitigation design.
Abstract
This study examines the ARP and RDP Bluekeep vulnerabilities on using Embedded Systems and identifies the possible implications of such vulnerabilities by performing penetration testing on virtualized embedded machines. Furthermore, this study elaborates on that the Administrative privileges can be easily taken away through the RDP Bluekeep vulnerability, and that all packets containing communication information of various protocols could be severely leaked by the ARP Spoofing method. The result of this study presents the solutions for these vulnerabilities.