possible solutions to 443 and 80 hijack

Once I updated my CentOS VPS to the latest nginx and kernel, the server weirdly disabled connections on 443 and 80.

Using Wireshark, I found multiple connections to my SOCKS server on port 1082 from multiple IPs; it seems to be getting scanned and SYN attacked.

69	1.379581	TCP	54	1082 → 42168 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
122	2.078443	TCP	54	1082 → 57925 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
763	13.859168	TCP	54	1082 → 52535 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1412	23.098894	TCP	74	SuperMic_42:b7:48
198	5.122016	TCP	54	JuniperN_bb:05:01
1352	29.871004	TLSv1.3	212	SuperMic_42:b7:48

I realized that the open files for accept4 are limited by ulimit -n (the maximum number of files open in parallel), which also limits the accept4 syscall. It was reset by the kernel update. Some nginx upload file limits may also be an outcome of this. After setting it to 65534, the 443 and 80 hijack no longer happens.
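One way to confirm this diagnosis, as an added example that is not part of the original post: compare the `Max open files` soft limit of the running nginx with its open descriptor count, and look for errno 24 (EMFILE) on accept4() in the error log. The limits text and log lines below are constructed, and the 90% headroom threshold is an assumption.

```python
import os
import re

# Constructed sample of /proc/<nginx-pid>/limits after the limit fell back to 1024.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             7262                 7262                 processes
"""

# Constructed nginx error.log lines; errno 24 is EMFILE.
SAMPLE_ERROR_LOG = """\
2021/11/07 10:02:11 [alert] 2970#0: accept4() failed (24: Too many open files)
2021/11/07 10:02:11 [crit] 2970#0: *8841 open() "/www/index.html" failed (24: Too many open files), client: 203.0.113.7
2021/11/07 10:02:12 [error] 2970#0: *8850 connect() failed (111: Connection refused) while connecting to upstream
"""


def parse_nofile(limits_text):
    """Return (soft, hard) for 'Max open files'; 'unlimited' maps to None."""
    for line in limits_text.splitlines():
        m = re.match(r"Max open files\s+(\S+)\s+(\S+)", line)
        if m:
            return tuple(None if v == "unlimited" else int(v) for v in m.groups())
    raise ValueError("no 'Max open files' row found")


def emfile_events(log_text):
    """Return the syscalls that failed with errno 24 (EMFILE), in log order."""
    return re.findall(r'(\w+)\(\) (?:"[^"]*" )?failed \(24: ', log_text)


def assess(limits_text, open_fds, log_text, headroom=0.9):
    """Combine the limit, the current descriptor count and the log evidence."""
    soft, hard = parse_nofile(limits_text)
    failed = emfile_events(log_text)
    return {
        "soft": soft,
        "hard": hard,
        "open_fds": open_fds,
        "near_limit": soft is not None and open_fds >= soft * headroom,
        "accept_refused": "accept4" in failed,   # new connections were being dropped
        "emfile_count": len(failed),
    }


def live_nginx_view(pid):
    """Read the same inputs from a live Linux host (needs access to /proc/<pid>)."""
    with open(f"/proc/{pid}/limits") as f:
        limits = f.read()
    return limits, len(os.listdir(f"/proc/{pid}/fd"))


if __name__ == "__main__":
    print(assess(SAMPLE_LIMITS, open_fds=1019, log_text=SAMPLE_ERROR_LOG))
```

To keep the value from being reset again, it can be pinned with `worker_rlimit_nofile` in nginx.conf or `LimitNOFILE=` in the systemd unit rather than in an interactive shell.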

centos7/8 podman: kernel does not support overlayfs

Sounds like I messed up the mount of the overlay hostPath that stores the containers when updating from CentOS 7 to 8-stream. I also noticed that 9-stream is in beta.

[root@ecs-t6-large-2-linux-20190912001402 ~]# podman ps
Error: kernel does not support overlay fs: 'overlay' is not supported over extfs at "/var/lib/containers/storage/overlay": backing file system is unsupported for this graph driver

For Kubernetes, we automatically apply the pod using a YAML file like

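apiVersion: v1
kind: Pod
metadata:
  name: vo-hostpath-pod
spec:
  containers:
  - name: filebeat
    image: ikubernetes/filebeat:5.6.7-alpine
    env:
    - name: REDIS_HOST
      value: redis.ilinux.io:6379
    - name: LOG_LEVEL
      value: info
    volumeMounts:
    - name: varlog
      mountPath: /var/log
    # the runtime socket gives this container control of the host's container daemon
    - name: socket
      mountPath: /var/run/docker.sock
    - name: varlibdockercontainers
      mountPath: /var/lib/docker/containers
      readOnly: true
  volumes:
  # hostPath volumes map directories of the node itself into the pod
  - name: varlog
    hostPath:
      path: /var/log
      type: DirectoryOrCreate
  - name: varlibdockercontainers
    hostPath:
      path: /var/lib/docker/containers
      type: Directory
  - name: socket
    hostPath:
      path: /var/run/docker.sock
      type: Socket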

Debug the command using strace

newfstatat(AT_FDCWD, "/root/bin/crun", 0xc00019e378, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/bin/runc", {st_mode=S_IFREG|0755, st_size=11889776, ...}, 0) = 0
openat(AT_FDCWD, "/etc/selinux/refpolicy/contexts/lxc_contexts", O_RDONLY|O_CLOEXEC) = 9
epoll_ctl(4, EPOLL_CTL_ADD, 9, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=1719281968, u64=140043422935344}}) = 0
fcntl(9, F_GETFL)                       = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(9, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0

The open of /etc/selinux/refpolicy/contexts/lxc_contexts is weird, so I think there's something about SELinux, so I removed container-selinux and everything works fine.

[root@ecs-t6-large-2-linux-20190912001402 ~]# docker ps
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
WARN[0000] Error validating CNI config file /etc/cni/net.d/10-flannel.conflist: [failed to find plugin "flannel" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin]]

Also, after upgrading to CentOS 8, don't forget to disable firewalld and SELinux, because the upgrade will update their settings. I debugged it by seeing that pinging itself succeeded while I couldn't get anything from the browser.

[root@ecs-t6-large-2-linux-20190912001402 ~]# sudo ss -tulpn
Netid                 State                  Recv-Q                 Send-Q                                                    Local Address:Port                                  Peer Address:Port                Process
udp                   UNCONN                 0                      0                                                                                  *                    users:(("systemd-resolve",pid=1045,fd=12))
udp                   UNCONN                 0                      0                                                                              *                    users:(("systemd-resolve",pid=1045,fd=18))
udp                   UNCONN                 0                      0                                                                             *                    users:(("ntpd",pid=640,fd=21))
udp                   UNCONN                 0                      0                                                                                 *                    users:(("ntpd",pid=640,fd=18))
udp                   UNCONN                 0                      0                                                                                   *                    users:(("ntpd",pid=640,fd=16))
udp                   UNCONN                 0                      0                                                                  [::]:5355                                          [::]:*                    users:(("systemd-resolve",pid=1045,fd=14))
udp                   UNCONN                 0                      0                                      [fe80::f816:3eff:fe8b:cbe7]%eth0:123                                           [::]:*                    users:(("ntpd",pid=640,fd=22))
udp                   UNCONN                 0                      0                                                                 [::1]:123                                           [::]:*                    users:(("ntpd",pid=640,fd=19))
udp                   UNCONN                 0                      0                                                                  [::]:123                                           [::]:*                    users:(("ntpd",pid=640,fd=17))
tcp                   LISTEN                 0                      9                                                                                    *                    users:(("pure-ftpd",pid=601,fd=5))
tcp                   LISTEN                 0                      511                                                                                 *                    users:(("nginx",pid=2970,fd=20),("nginx",pid=2969,fd=20),("nginx",pid=2792,fd=20))
tcp                   LISTEN                 0                      128                                                                                *                    users:(("BT-Panel",pid=764,fd=6))
tcp                   LISTEN                 0                      100                                                                                *                    users:(("master",pid=1030,fd=16))
tcp                   LISTEN                 0                      511                                                                                 *                    users:(("nginx",pid=2970,fd=22),("nginx",pid=2969,fd=22),("nginx",pid=2792,fd=22))
tcp                   LISTEN                 0                      511                                                                              *                    users:(("redis-server",pid=1706,fd=6))
tcp                   LISTEN                 0                      128                                                                                *                    users:(("systemd-resolve",pid=1045,fd=13))
tcp                   LISTEN                 0                      1024                                                                            *                    users:(("memcached",pid=734,fd=28))
tcp                   LISTEN                 0                      128                                                                                *                    users:(("sshd",pid=1244,fd=5))
tcp                   LISTEN                 0                      511                                                                                  *                    users:(("nginx",pid=2970,fd=21),("nginx",pid=2969,fd=21),("nginx",pid=2792,fd=21))
tcp                   LISTEN                 0                      9                                                                  [::]:21                                            [::]:*                    users:(("pure-ftpd",pid=601,fd=6))
tcp                   LISTEN                 0                      100                                                               [::1]:25                                            [::]:*                    users:(("master",pid=1030,fd=17))
tcp                   LISTEN                 0                      150                                                                   *:3306                                             *:*                    users:(("mysqld",pid=2166,fd=19))
tcp                   LISTEN                 0                      128                                                                [::]:5355                                          [::]:*                    users:(("systemd-resolve",pid=1045,fd=15))
tcp                   LISTEN                 0                      1024                                                              [::1]:11211                                         [::]:*                    users:(("memcached",pid=734,fd=29))
tcp                   LISTEN                 0                      128                                                                [::]:9999                                          [::]:*                    users:(("sshd",pid=1244,fd=6))
[root@ecs-t6-large-2-linux-20190912001402 ~]#

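An interpretation layer from high-level languages to LLVM

I've recently been working on the design for my compilers course project and have read a lot of ideas about compilers that target LLVM. I also found that Rust's type gymnastics, as a collection of black magic, can bring the community plenty of fresh things, so I'm putting some small ideas from my earlier design of the Chocopy LLVM layer here. ShanghaiTech students who want to play with it can join the piazza, invite code: CHOCOPY. Part of it references High Level Constructs to LLVM_IR; the design of generics draws more on Rust and C.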


POPL 22 attendance






trace point autometa

Detection for the kernel, maybe useful for mitigation of MDS.

MDS part


Cats and Rice game

Too strong to reduce the time difference of ARRAY_MAX and non ARRAY_MAX case

another case

spectre v2

spectre v4


Towards Understanding Spectre-PHT in Memory Safe Language


`ucx` does not necessarily occupy all the cores at all times, even when bound by core, when using openmpi

root@epyc:~# uname -a
Linux epyc.node2 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
root@epyc:~# ldd --version
ldd (Debian GLIBC 2.28-10) 2.28
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
Written by Roland McGrath and Ulrich Drepper.

In cases of quantum espresso

mpirun -hostfile ../AUSURF112/host --mca pml ucx --mca btl sm,rc,ud,self --mca btl_tcp_if_include --bind-to core -x PATH -x LD_LIBRARY_PATH -x OMP_NUM_THREADS=1 -np 256 /home/qe/sb/bin/pw.x -nk 4 -nd 64 -i ./grir443.in > 11_7_out256 2> 11_7_out256err

It would be dead for a while

The bug is reported by pthread_rwlock.

diff --git 2.28/nptl/pthread_rwlock_common.c 2.29/nptl/pthread_rwlock_common.c
index a290d08332..81b162bbee 100644
--- 2.28/nptl/pthread_rwlock_common.c
+++ 2.29/nptl/pthread_rwlock_common.c
@@ -310,6 +310,7 @@ __pthread_rwlock_rdlock_full (pthread_rwlock_t *rwlock,
          if (atomic_compare_exchange_weak_relaxed
              (&rwlock->__data.__readers, &r, r | PTHREAD_RWLOCK_RWAITING))
+              r |= PTHREAD_RWLOCK_RWAITING;
              /* Wait for as long as the flag is set.  An ABA situation is
                 harmless because the flag is just about the state of
                 __readers, and all threads set the flag under the same
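Review bot: the added `r |= PTHREAD_RWLOCK_RWAITING;` right after the `if (atomic_compare_exchange_weak_relaxed (...))` condition needs a one-line comment saying why the local copy is updated: a successful compare-exchange leaves the expected value `r` unchanged, so without this line `r` no longer reflects the flag that was just stored in `__readers`. It is also worth confirming that the statement sits inside the braced body together with the wait loop the following comment introduces, since no brace is visible in this hunk and the new line is indented one level deeper than that comment.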

TwinVisor: Hardware-isolated Confidential Virtual Machines for ARM @SOSP2021

The foundation of trustzone

Here's the graph extracted from [1], essentially to show the root of trust. A secure system depends on every part of the system cooperating. For SGX, the Trusted Computing Base (trusted counter / RDRAND / hardware SHA / ECDSA) is the memory region allocated from reserved memory on the DRAM called the Enclave Page Cache (EPC), which is initialized at boot time. The EPC is currently limited to 128MB (in IceLake, this was raised to 1TB with weakened HW support. Only 96MB (24K*4KB pages) can be used; 32MB is for various metadata.) To prevent disruption by physical attacks or privileged software attacks that modify memory at cacheline granularity, every cacheline can be associated with a Message Authentication Code (MAC), but this does not prevent replay attacks. To extend the trusted region of memory without introducing huge overheads, one solution is to construct a Merkle tree in which every leaf cacheline is protected by a MAC and the root MAC is stored in the EPC. Transactional memory aborts with SGX can be leveraged to build a page-fault side channel. The transactional-memory page-fault attack on persistent memory is still under research.
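The difference between per-line MACs and a tree root kept in trusted memory, as an added example (not code from the cited papers or from SGX): a replayed line still carries a valid MAC, and only the root comparison catches it. The key, line contents and four-line memory are constructed, and the root is recomputed in full on each access for clarity instead of walking a single path.

```python
import hashlib
import hmac

LINE = 64  # cacheline size in bytes


def mac(key, addr, data):
    """MAC bound to the line address, so lines cannot be swapped between addresses."""
    return hmac.new(key, addr.to_bytes(8, "little") + data, hashlib.sha256).digest()


def merkle_root(leaves):
    """Binary hash tree over the per-line MACs; leaf count must be a power of two."""
    level = [hashlib.sha256(b"\x00" + leaf).digest() for leaf in leaves]
    while len(level) > 1:
        level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]


class UntrustedDram:
    """Off-chip memory: data and MACs both live where they can be rewritten."""
    def __init__(self, nlines):
        self.data = [bytes(LINE)] * nlines
        self.macs = [b""] * nlines


class Enclave:
    """Trusted side: holds the key and the tree root (the role the EPC plays)."""
    def __init__(self, dram, key):
        self.dram, self.key = dram, key
        for addr in range(len(dram.data)):
            dram.macs[addr] = mac(key, addr, dram.data[addr])
        self.root = merkle_root(dram.macs)

    def write(self, addr, data):
        self.dram.data[addr] = data
        self.dram.macs[addr] = mac(self.key, addr, data)
        self.root = merkle_root(self.dram.macs)

    def read_mac_only(self, addr):
        data = self.dram.data[addr]
        if not hmac.compare_digest(self.dram.macs[addr], mac(self.key, addr, data)):
            raise ValueError("MAC mismatch")
        return data

    def read_with_tree(self, addr):
        data = self.read_mac_only(addr)
        if not hmac.compare_digest(merkle_root(self.dram.macs), self.root):
            raise ValueError("stale or replayed line: root mismatch")
        return data


def run_scenario():
    dram = UntrustedDram(4)
    enclave = Enclave(dram, key=b"constructed-demo-key")
    enclave.write(2, b"balance=100".ljust(LINE, b"\0"))
    old = (dram.data[2], dram.macs[2])        # snapshot of a valid (data, MAC) pair
    enclave.write(2, b"balance=0".ljust(LINE, b"\0"))
    dram.data[2], dram.macs[2] = old          # replay: the old pair is put back
    mac_only = enclave.read_mac_only(2).rstrip(b"\0")   # accepted, although stale
    try:
        enclave.read_with_tree(2)
        tree_detects = False
    except ValueError:
        tree_detects = True
    dram.data[1] = b"\xff" * LINE             # plain modification without the key
    try:
        enclave.read_mac_only(1)
        mac_detects_tamper = False
    except ValueError:
        mac_detects_tamper = True
    return mac_only, tree_detects, mac_detects_tamper


if __name__ == "__main__":
    print(run_scenario())
```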

For RISC-V, we currently have 2 proposals for enclaves, Keystone and Penglai, and every vendor has a different implementation. Keystone essentially uses the M-mode PMP, a limited set of special registers that control the permissions of U-mode and S-mode accesses to a specified memory region. The number and priority of PMP entries can be pre-configured, and the addressing modes are naturally aligned power-of-2 regions (NAPOT) and a base-and-bound strategy. Machine mode unavoidably introduces physical memory fragmentation and waste: every time you enter another enclave, you have to call into M-mode once. The good side is that S-mode and U-mode are both enclaved by M-mode, with easy shared buffers and enclave operations throughout all modes. Penglai has been upgraded a lot since its debut (from the first commit in 19 on Xinlai's SoC to OSDI 21). The originality of sPMP is that it reduces the TCB in machine mode and can provide a guarded page table (locked cacheline), a Mountable Merkle Tree and Shadow Fork to speed things up. However, it introduces double PMPs for the OS to handle, and the overhead of page table walks could still be high, which makes it hard to be universal.
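How NAPOT and base-and-bound (TOR) entries resolve an access, as an added example rather than Keystone or Penglai code: it models the PMP matching rules of the RISC-V privileged spec (lowest-numbered matching entry wins, no match denies S/U-mode). The four-entry layout and its addresses are constructed for illustration.

```python
R, W, X, L = 0x01, 0x02, 0x04, 0x80          # pmpcfg permission and lock bits
A_OFF, A_TOR, A_NA4, A_NAPOT = 0, 1, 2, 3    # pmpcfg.A address-matching modes


def napot_region(pmpaddr):
    """Decode a NAPOT pmpaddr (physical address >> 2) into (base, size) in bytes."""
    ones = 0
    while (pmpaddr >> ones) & 1:
        ones += 1                            # k trailing ones -> 2**(k+3)-byte region
    size = 1 << (ones + 3)
    base = (pmpaddr & ~((1 << (ones + 1)) - 1)) << 2
    return base, size


def napot_encode(base, size):
    """Inverse of napot_region; size is a power of two >= 8, base aligned to it."""
    if size < 8 or size & (size - 1) or base % size:
        raise ValueError("not a naturally aligned power-of-2 region")
    return (base >> 2) | ((size >> 3) - 1)


def entry_range(entries, i):
    """Byte range [lo, hi) matched by entry i, or None if it matches nothing."""
    cfg, addr = entries[i]
    mode = (cfg >> 3) & 3
    if mode == A_TOR:                        # base and bound: previous pmpaddr is the base
        lo = entries[i - 1][1] << 2 if i else 0
        hi = addr << 2
        return (lo, hi) if lo < hi else None
    if mode == A_NA4:
        return addr << 2, (addr << 2) + 4
    if mode == A_NAPOT:
        base, size = napot_region(addr)
        return base, base + size
    return None


def pmp_allows(entries, paddr, nbytes, perm, machine_mode=False):
    """The lowest-numbered entry matching any byte of the access decides the result."""
    for i in range(len(entries)):
        rng = entry_range(entries, i)
        if rng is None or paddr + nbytes <= rng[0] or paddr >= rng[1]:
            continue
        if paddr < rng[0] or paddr + nbytes > rng[1]:
            return False                     # access only partly inside the entry
        cfg = entries[i][0]
        if machine_mode and not cfg & L:
            return True                      # unlocked entries do not constrain M-mode
        return bool(cfg & perm)
    return machine_mode                      # no match: M-mode passes, S/U-mode is denied


def demo_layout(enclave_running):
    """Constructed layout: monitor region, one enclave region, catch-all for the OS."""
    enc_perm = (R | W | X) if enclave_running else 0
    return [
        (A_NAPOT << 3, napot_encode(0x8000_0000, 0x20_0000)),             # monitor
        (A_NAPOT << 3 | enc_perm, napot_encode(0x8040_0000, 0x10_0000)),  # enclave
        (A_OFF << 3, 0),                                                  # TOR base = 0
        (A_TOR << 3 | R | W | X, 0x1_0000_0000 >> 2),                     # everything else
    ]


if __name__ == "__main__":
    os_view = demo_layout(enclave_running=False)
    print(pmp_allows(os_view, 0x8040_0000, 8, R))    # S-mode read of enclave memory
    print(pmp_allows(os_view, 0x8060_0000, 8, W))    # S-mode write elsewhere
```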

Starting from Penglai, IPADS has continuously focused on S-mode enclaves. One application may be the double hypervisor in secure/non-secure S-mode. Armv8.4 introduced both secure and non-secure mode hypervisors, originally to support a cloud-native secure hypervisor. TwinVisor aims to run unmodified VM images both as normal and as confidential VMs. Armv9 introduced the Confidential Compute Architecture (CCA), another similar technology. TwinVisor is a pre-open-source implementation of it.

Supported TrustZone extensions, starting from Armv7:

  1. AMBA-AXI bus extension, adding the flags secure read and write address lines: AWPROT and ARPROT.
  2. extension of controller (or extension of master), adding SCR.NS bits inside ARM Core, so that operations initiated by ARM Core can be marked as "access initiated as secure or access initiated as non-secure".
  3. TZPC extension, TZPC is added to the AXI-TO-APB side to configure the apb controller privileges (or secure controller).
  4. TZASC extension, in the DDRC (DMC) on top of the addition of a memory filter.
  5. MMU support for security extensions:
    1. TTBRx_EL0, TTBRx_EL1 extension: In Armv7, these two registers are banked for secure and non-secure attributes, that is, there is a set of such registers in the secure and non-secure worlds, so in linux and tee, each can maintain a memory page table of its own. The secureos and monitor could share the page table if they are both 64 bits.
    2. cache extension: add the (non-)secure attributes.
    3. VSTTBR_EL2 extension: Since Armv8.4, when the non-secure world uses TTBR_EL2 to translate the address, the entry attribute is checked to be secure and will be translated by itself.
  6. GIC security extensions. Traps are divided into group0, secure group1 and non-secure group1. Group0 and secure group1 will not trap to Linux.

Proposed Attack Model

The author mentions physical attacks or privileged software attacks from N-VM to S-VM; these can be prevented by controlling the transmission channel.

TOCTTOU attacks enabled by the shared pages for general-purpose registers are handled the check-after-load way [50], by reading register values before checking them.


  • Horizontal trap: modifies the N-visor to logically deprivilege it without sharing the data. Exception Return (ERET) is the only sensitive instruction that affects the trusted chain; it is intercepted by TZASC and reported to the S-visor.

  • Shadow S2PT: a shadow page table of VSTTBR_EL2, used in KVM, too. It raises page faults with a different status depending on the world.

  • Split Contiguous Memory Allocation: tricks to improve utilization and speed up memory management in TwinVisor. In Linux, the buddy allocator is used to decide whether a contiguous memory region is big enough for boot and to do CMA; this is for better performance of IOMMUs that require physical memory to be contiguous. (This deterministic algorithm makes memory probing and memory dumps easy, e.g. by row hammer/DRAMA.)

  • Efficient world switch: changes the NS bit in the SCR_EL3 register in EL3, with side-core polling and shared memory to avoid context switches.

  • Shadow PV I/O: uses shadow I/O rings and shadow DMA buffers to be transparent to S-VMs. Reduces ring overhead by raising IRQs only on WFx instructions.



The world switch does not happen so frequently.


Kirin 990. (Not scalable to big machines: because KunPeng920 is not yet Armv8.4, the scalability is not convincing.)


  1. A Survey on RISC-V Security: Hardware and Architecture TAO LU, Marvell Semiconductor Ltd., USA
  2. MIT 6.888
  3. ShieldStore: Shielded In-memory Key-value Storage with SGX
  4. Improving the Performance and Endurance of Encrypted Non-volatile Main Memory through Deduplicating Writes
  5. RiscV Spec 1.11
  6. Armv7 TZ
  7. lwn CMA and IOMMU

Phosphor - My Pitfalls writing dependency

Currently, I'm busy writing emails for my Ph.D and taking TOEFL and taking care of the Quantum ESPRESSO library changing and MadFS Optimization, so it may waste some time. Till now, I have to apply the DTA tool of phosphor for the java order dependency project.

About surefire integration into normal tests.

  • Maven extension
    • Integration into Maven add the redirector
      • Insert phosphor plugin one class by one into.
      • Configuration to the phosphor
      • Class Visitor, Method Visitor, Adaptor Mode Visitor
    • Mutable field in the Dependency Tainter
      • Start the taint for some place attach the tainted check after the test
      • Assert the junit stuff in check=omparison.
      • Brittle assertions in check(Taint) recursively.
    • Output the tainted version into the surefire executable folder
  • Debug
    • mvn install -Dmaven.surefire.debug -f /Volumes/DataCorrupted/project/UIUC/bramble/integration-tests/pom.xml and attach the trace point.
      • Start from the maven compilation.

Brittle Assertion

This outputs only the dependency for one test introduced in Oracle Polish JPF. For dependency between test1 and test2,

For NPE, get the pair by the iDFlakies test first.

 JVM Asm


  1. https://www.kingkk.com/2020/08/ASM%E5%8E%86%E9%99%A9%E8%AE%B0/

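An undergraduate's life of hitting walls while facing the PhD head-on

Saving oneself is the first law of heaven - "Compassion and Roses", Xiong Peiyun

I'm an ordinary person, so ordinary that every day I feel powerless in all sorts of ways: my abilities can't find an outlet in a suitable direction, and at the same time I'm constrained by limited time while trying to publish papers, apply, take the TOEFL and GRE, and work as a TA all at once. It's all too hard! As for my thinking on applications, after talking with Shu I learned about the possibility of doing a master's in China, and I also felt my powerlessness as an undergraduate. Yet I have the idea of giving it a shot and, if there's no PhD, just going to work, because I personally think the three-year master's setup in China is too long for training a researcher who can solve a given problem, and too short for a PhD exploring vision in a larger field. I also think there aren't many chances to go to the US; looking at the situations of Qiao Shen/USTCqzy/caoshuxin, I think MSRA really is the most successful study-abroad agency of this century.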


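My prediction is that Computer Systems (with Arch) is a relatively good direction, both in terms of the current trend and of future funding. DBMS is bound to be a hot direction (as a file-system and software-engineering code mover, let me still praise the enemy camp), since data is king now. Related to Arch there is the recently released NVDimm, with many directions to extend. And the hype around ML systems means that direction is bound to be a bubble.

Weak GPA

Personally I feel that, in terms of ability and the vision with which I look at problems, I'm someone with fairly good big-picture ability, but I lack the persistence to reproduce results right away. Since I lost some of my interest in hacking code for supercomputing competitions, I'm still very interested in mentoring classmates and teaching them to modify code. I have quite a few after-effects left over from the gaokao; simply put, I'm exam-disabled, and I really don't want to grind myself to death among this crowd of maybe "high scores, low ability" people.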





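Summer research may be the only chance for a Ph.D.

The NSF-funded jobs at this hub only recruit US residents or green card holders. I once saw a thread on 1point3acres about why the US and China pay differently for the same work, and one explanation was interesting: the visa is like a semi-permeable membrane, and not everyone can afford the money for a master's OPT. Though that money is a bit of an overpay. And coding really is a young person's job; it is only useful to learn more while you learn the fastest. I feel that only summer research or a future PhD in California, at UIUC, or at the remaining three of the big ones suits me.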

General Requirement

  1. Online Application
  2. One-page Personal Statement: why this teacher? why this program
  3. Official Transcript
  4. Curriculum Vitae (CV)
  5. Your Top Faculty Choices - If no faculty matches your interest, please indicate your preferred. Preferably the professor with similar aim.
  6. professor whose research area best aligns with your interest. You can learn about each faculty member’s research area by referring to the Samueli School of Engineering website.
  7. Two References – Required email and the

UCI onsite ranking 1.30

  1. https://www.ics.uci.edu/~harris/
    1. Electronic Design Automation from Natural Language
    2. Embedded Systems
    3. Social Engineering Attack
    4. Functional Verification
  2. https://faculty.sites.uci.edu/zhouli/
    1. IoT
    2. Embedded System
  3. Fadi Kurdahi digital system
  4. mohammad AL Faruque
  5. https://www.ics.uci.edu/~mlevorat/
    1. Real-Time distributed computing in wireless systems
    2. Wireless systems for AI and AI for wireless systems
    3. IoT and Healthcare
  6. https://chenli.ics.uci.edu/research/
    1. database
  7. https://www.ics.uci.edu/~xhx/
    1. AI data mining
  • Finally chose Zhou Li (Zhang Yifan is here) and two other systems ones.

UIUC Online ranking undecided

Caltech 2.22

Harvard undecided

CMU 2.2

  • Fuzzing & Arch & DBMS, they have everything; if I can go here, MCS is fine too. https://applygrad.cs.cmu.edu/apply/bio.php
  • Awaiting Recommendation
  • No reply

WUSTL 2.17

  • https://sites.wustl.edu/csereu/apply/ HPC, writing CPP
  • Awaiting Recommendation
  • Rej


  • https://connect.ucr.edu/register/MSRIP Gu yan & Sun, parallel algorithms
  • Posted
  • Rej



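Will be taken over by UIUC. I'll add interview notes later. Mainly, in April I saw someone post in the admissions group that UIUC SE had 200 applicants this year and only about 20 would get in, so I applied. They had me do a small experiment fixing a flaky test; they called it an experiment, but it was really just a concurrency RAW bug with no difficulty, and then I got in. Work started in July, running OD flaky test experiments; there is a TACAS paper published last year. [2022.2] Now I feel Darko only gave a lukewarm or negative recommendation. Because I was doing supercomputing after the semester started, and Wing didn't have much time to guide me, he just tossed me a Bramble visitor-pattern DTA instrumentation task. Mainly I wasn't very familiar with the JVM before; writing Java is fine, but debugging at the maven stage is really unbearable. At first we were rushing for ICST, but the guy from Peking University flaked, so I flaked too.

In meetings, Darko likes lying down the most


Fixing bugs with the Peking University classmate, Darko gives a lot of bug-fixing advice, and then we see whether it is the tool's fault, the project's fault, or java 1.8. When I first started, it was just fixing Flaky Test bugs, mostly concurrency bugs like those in the hdfs and hbase databases.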



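Mainly working on the graduation thesis and SC21. Being promoted from team captain to student coach feels pretty good, but the problem is that putting effort into this does nothing for applications; its only use is probably to get Prof. Yin to say good things about me during applications.

Of course, from the angle of developing ability, there is still the cultivation of leadership. At least we have all the talent pipelines (wiki/teaching/yole spirit) that NTU/THU have. It also counts as finally having a milestone result for the dream I had when entering university. I think that in the next few years, getting top three every time won't be a problem.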



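Working with an AP, you don't have to worry about having no ideas; it is with tenured professors that you need to think about it. I see many people go intern at a big company for a few months when they can't think of a new idea, which also lets them collaborate and bring out some projects, especially industry data, like the one at CMU ECE I reached out to.

Progress updates go on top, and I update gradcafe at the same time

Cornell seems to have a clogged toilet; I found I had filled in a weird "by mail". Finished submitting Dec.1 CST.

UIUC/CMU/UW/MIT/UTAustin/NorthWest/UCSD/Purdue/UCLA/WISCONSIN/UMass/UTAustin/Purdue/GaTech/UCSC Dec.15 CST submitted, quietly waiting for interviews.

12.22 Private interview with a certain great Chicago school.

1.17 Interview with a professor I had reached out to at a certain Chicago school, who said my PS has problems, meaning no chance.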

1.19 GT meltdown 作者 Daniel Genkin 教授面,应该是过了教授法眼,面完感觉稳了。他有8位Ph.D,他完全不care防御,感觉eBPF对他没啥用(这句话在我看到PriSC开篇talk后觉得可以搞),他说最近有个browser RIDL的锅。但此人有数据造假和搞学生等问题。其实更想去做rudra的kim那。后来写了个邮件,给了个chat。

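1.21 UCSC Rising Star: he said I would go in and do hw/sw codesign, then fpga virtualization, then Optane high-performance systems. I'm quite interested in every project. At least his connections are all at UMich.

1.25 Interview arranged with a CMU ECE professor I had reached out to. Because her papers are too experimental-data-driven I don't really want to go to her group, but something is better than nothing. Right after the interview I felt I had failed; I was asked about cache replacement and logistics.

2.3 Received the UCSC offer; probably nowhere else.

2.4 UW rejected

2.15 UMadison rejected

It's about wrapped up; I roughly know my level and the gap with the competition, and so on. In a perfectly competitive market it's winner takes all, and the more buffs you stack the stronger you are. I directly filtered out pan-Chinese nationalist professors; with me arguing here about the China-US gap, I'm surely not good labor. Those who interviewed me were all from strong-advisor schools; the others have probably all rejected me. Finding a stable place and a nice advisor to do my own research is enough. Also, congratulations to the beauty on getting the UIUC offer, to my senior on the ETHz offer, and to Ye Shen on the UCB offer.


Non-985/211 school, GPA 3.01/4 65% / T103 / not submitting G. Applying only to US System/Arch/SE Ph.D. programs (dream school UIUC, a place where second-rate students go in and first-rate students come out; the person I dream of becoming is Chris Lattner), or else going to industry to earn crappy money; after the Ph.D. I'll most likely live off someone else for a few years and then start a company. Homepage.


In freshman year I did some CTF and Hackathons; in the summer I published an ISSTA paper with the school's security lab; in sophomore summer I interned at the Jump Trading Linux Team with a return offer; I spent half a year in a group at school on NVM and as Compiler TA; I led the supercomputing team for 2 years, published a critique, and took a second place; in junior year, UIUC SE summer research.

UIUC groups I'd like to join. According to sources, I won't apply to groups that most likely have no open slots this year; I might be affected by diversity.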

  1. Ghose Memory
  2. Charitm Sec
  3. Lingming Zhang AI Fuzzing
  4. Jianhuang Memory
  5. Darko Marinov Flaky test


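  1. Emmett Witchel UT Austin Serverless, strong committee, replied; according to sources, the Austin people have all gone off to earn crappy money; replied
  2. Michael Swift Madison NVM, strong committee, replied; the boss is very nice; replied
  3. Jishen Zhao UCSD ML/NVM, seems to have gone ML; strong advisor; no reply
  4. Brandon Lucia CMU ECE NVM, strong advisor; no reply
  5. Dimitrios Skarlatos CMU ECE NVM, strong advisor; no reply
  6. Barisk Umich NVM FPGA, home base of the UM-SJTU Joint Institute; strong advisor; no reply, but I have chatted with both jiachen and ian. Only recruits students he has worked with; reportedly a senior was even given a small project during the interview to test his level.
  7. Xinyu Xing NW AI kernel Sec, strong advisor; replied
  8. Changhee Jung Purdue NVM, strong committee; reached out; replied, welcome
  9. Mengjia MIT NVM Sec, strong committee; replied, welcome
  10. Moin Gatech Memory, strong advisor; no reply
  11. Dkohlbre UW Riscv TEE, strong committee; replied, welcome
  12. Christina Delimitrou Cornell Serverless, strong committee; replied, welcome
  13. Andrew R. Quinn FPGA OS ucsc; no reply
  14. J. ELIOT B. MOSS UMass Database/Parallel Algorithm, strong committee; no reply
  15. Harry Xu's Homepage UCLA Data-race related java SE/Formal/NVM, strong committee; no reply
  16. Akshitha Sriraman CMU Low latency HPC Metrics Cache replacement, strong advisor; reached out on twitter
  17. Alexandros GaTech HPC Network, strong advisor; no reply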

UMich SoP

For pure motivation, I need a Ph.D. for investigating a direction that is worth my life fighting for and the society's values. With the rapid growth of the Chinese economy followed by huge research investment, at least for the past three years in ShanghaiTech, I witnessed extraordinary scientific progress in all disciplines. China has also provided huge markets to fast deploy the research results and companies start to be willing to devote higher salaries and equipment for new grads to dig into their research fields. However, most professor in our school only takes care of short-term profits and put many efforts into applications of established ideas, which things solely get one direction worse in other institutes. Plus, no profitable company is founded on tech infrastructure as Nvidia, Intel and Xilinx do but exploiting the unsophisticated public's time like Tencent and ByteDance. That accounts for the U.S.A. is still the origin of innovation today. In China, the general public's pure pursuit for better technology downturns to self-imposed comfort based on the current circumstance. But, I'm not and from the bottom of my heart, want to use technology to change.

I recently published a paper on the adversarial sample in AI security scenario on ISSTA21 as the fourth author under the supervision of Prof. Fu Song. I helped the first author Ph.D. candidate Zhe Zhao run most experiments during my Freshman summer. It innovatively utilized the fact label change rate through model mutation testing to distinguish adversarial examples and put them on defend the data that use this technique, which we called Attack as Defense. I got to know how software engineering testing works on artificial intelligence and could apply to any other places like language spec on smart contracts, operating system‘s concurrency, and computer architecture's semantics. That's my two other Work-In-Progress work mainly focus on, to use Z3 solver on verifying the possible timestamp attack and arithmetic overflow on Diem move language. During my weekly seminar at System and Software Security Lab for two years, I grabbed ideas like Decision Procedures, basically, the originality/application of SMT solver as the combination of logic and program, fuzzing techniques, and Capture The Flags Surroundings - a security competition.

From my sophomore year on, my main focus turned to practice driven by industrial needs. GeekPie_HPC is a place I devote time to. We just obtained second place at SC21-SCC. I would say I put obscure system knowledge into production on high-performance heterogeneous systems. For example, I learned how the Linux system call flock works in class, but it was not until I found it messy once, when linking on GPFS with un-updated data, that I was dragged deeper into its semantics; I resolved it by using fsync to manually force synchronization. I knew CUDA only as a library importer using PyTorch auto-gradient that for sure runs on GPU; it was not until I compared different compiler hints with different HPC algorithms, and MPI scatter/reduce and alltoallv, that I figured out how data is transmitted on the GPU. My school established a long-term connection with Jump Trading through our winning the super clustering competition, so that the recruiter got to know that our students are unique at problem-solving with the right tools. My experience at Jump Trading in sophomore summer let me dig into the more cutting-edge technologies eBPF and Intel Mesh Micro Architecture. However, the main focus of industry is quite different. I mostly applied myself to kernel dynamic inspection work on the distributed filesystem in terms of different lease users, and applied the core affinity strategy considering core to NUMA, DDR, NIC, and GPU latency. From my perception through my ex-colleague, most production-level engineers usually have only a Bachelor's degree and are cultivated by the company, like my mentor, but the real secret big thing is usually brought by Ph.D.s, like the author of eBPF or the reverse-engineering work on Intel processors.

This summer, I remotely joined Darko Marinov's group as an REU (research experience for undergrads) student and worked with a Peking University classmate, Ruidong Zhu, on testing order-dependent tests. I started a brand-new direction in pure software testing on order-dependent JUnit tests. Flakiness means tests may fail or pass in different rounds. This can be triggered by some order-dependent values, which can be identified by Darko's iDFlakies tool, run automatically on Azure. For testing, their previous work explains the cleaners, polluters, and victims of specific variables on specific values. Their latest work, submitted to ICSE21, introduces non-idempotent tests, which can be identified by running methods one after another in isolated methods/classes/the entire suite to see whether they may be flaky. We ran a dynamic taint analysis tool called PraDet on all the runnable tests in three of their latest test suites and reported the results. We are currently modifying a more advanced tool based on these limitations. During the process, I was intrigued by the passion of my mentor Wing Lam and by Darko's energy in thought, in contrast to his lazy lying posture.

For choosing UMich, I'm captivated by a school that chooses people with potential who are intrinsically apt at engineering problem-solving and cultivates them into world-class researchers like Baris Kasikci. The recently published paper "Rethinking File Mapping for Persistent Memory" at FAST21 is really amazing. The authors propose to use hashing for file mapping. An example is given in the text: PMem is divided into a file data region and a metadata region; if the logical address to be mapped is <inum=1, iblk=21> and the offset of this logical block in the hash is i, then the physical block address corresponding to this logical block is (file data region start address + i*4KB). There are 5+ papers every year from Baris. For these world-class research opportunities, the CS department of UMich is especially attractive to me. It would be a privilege to study under the guidance of its remarkable faculty during "A New Golden Age for Computer Architecture".

I have enjoyed being able to apply what I learned in classes such as computer architecture and the principles of compilers to my research. On the other hand, I have also cultivated a broad interest in other areas, such as Reinforcement Learning, as a source of inspiration. I seek different kinds of creativity in engineering and in the beauty of itself when it was realized. It is this creative will that I wish to pursue in UMich's Ph.D. program and afterward as a researcher in the industry. My learning experience under the guidance of my advisor convinced me not only of the potential of research but also of the value of teaching. I have also enjoyed working as an undergraduate teaching assistant for the compiler course. Through my course studies, I expect to become, and will work hard to be, a productive researcher and teacher.


First of all, my previous experience makes me an open-minded person with high motivation that does not take the current circumstances for granted. I think that kind of momentum and curiosity is cultivated through my travel and experience. As for the social practices, for the summer of Sophomore, 20 other students and I come to PingTang, the place installed with a Five-hundred-meter Aperture Spherical Telescope. We investigated how this externality affects the locals' tourism from the first year's pouring of capital to the second year's over-saturated and how it changed with the downturn of the Chinese economy. China's investment of Infrastructure is fundamental to every public in the rural area, and socialism is taking effect with the targeted poverty alleviation in this Xi's time. 800 RMB per year per family is the definition of the poor and until 2020 if he's still under this line, he has disabled member or unwillingness to labor. However, criticism is cast on the push of every man to engage in the smallholder economy like strawberries that do not match the local environment. I solo visit HK during the protest, Singapore, Malaysia, Thailand, India, and Nepal within 12 days. I witnessed the big countries' hegemony and small country esteem. I witnessed the deep inequality of poverty in this world and the importance of establishing the network/highway infrastructure.

The open mind takes me naturally into a diverse environment. My previous employer, Jump Trading is a place that embraces diversity. I first come to realize that in a tiny office, there exists multiple races, LGBTQ+, multiple languages as a native language, and multiple religions. For communicating more fluently without barriers, all we did is to respect with no discrimination. The colleague who worked with me is an MtF(Male to Female), besides calling 'her', talking off sex mutual stuff and no man's joke. My mentor is born in Malaysia and his mother is from England and his father is from Hong Kong. So he's quite familiar with Cantonese words. From a technical perspective, the people who graduated from French Schools focus more on mathematical proof as well as intuition while those from American Schools care more about implementation and effectiveness. We are valuing every people from different backgrounds which I'm tuned a while for it since I'm situated in a single race country with a single religion. Every year, there are 3 top-tier competitions for super-cluster competition and I'm the lead for the team to compete with prestigious universities like UCSD, UIUC, and Gatech. Our team GeekPie_HPC has recruited 2 females out of 6 for daily training and eventual competition. We highly recommend female computer science students to join in such a low female density department.

My research taste and delight come from the demand of my curiosity. Many dummy things happen when choosing the courses and taking exams, I get accustomed to getting the hardest course that gives me the challenge of pressure. Once I'm determined to do something, I would focus on the point until it's figuring out or give up it because I knew the stuff does not fit me. The overall process of college for me is a time of testing failures. The projects and exams are similar to a I knew that I have many shortages, but it didn't bother my desperation to solve hardest open questions.

Jung making-connection Letter

I'm a CS undergrad from ShanghaiTech specializing in general systems. I gained most of my practical skills by attending GeekPie HPC. I spent some time working on eBPF and Intel processor micro arch at Jump Trading Shanghai (which has proven to be engineers' efforts talking with other guys but got me into the micro arch world). During summer 2022, I worked on Java Flaky Testing with Darko Marinov from UIUC. During my time at Chundong's lab, we discussed a lot about your paper studying failure tolerance, memory order bugs, and performance on Optane persistent memory. I referred to your paper to get a general knowledge of how to tune performance on Optane Memory. I think I could put energy into them if I had the opportunity to join your team. Sincerely, would you recruit Ph.D. or master's students this year?

Best Yiwei

  1. SUSTech Feiyue Handbook @wjc's recommendation
  2. Sun Mingrui @n+e's recommendation
  3. James.Qiu@Zhihuihu