I am an Assistant Researcher at Zhongguancun Laboratory, Beijing. I received my Ph.D. from Network and Information Security Lab (NISL) at Tsinghua University (advised by Prof. Haixin Duan) in 2023.

My research focuses on measuring and enhancing the security of Internet infrastructure (DNS, Web PKI, CDN, etc.), uncovering significant vulnerabilities in core protocols (DNS, HTTP, TLS, DKIM, SPF, etc.), and understanding emerging cyberspace security threats.

News:

  • [Aug. 2024] Paper about bypass Same-Origin Policy (SOP) accepted to NDSS 2025. Congrats to Pinji!

  • [Jun. 2024] Paper about shared domain authoritative nameserver and domain hijacking accepted to Usenix Security 2024.

  • [Aug. 2023] Two papers accepted to NDSS 2024 and S&P 2024. Congrats to Chuhan and Xiang!

Interests

  • Network Security
  • Protocol Security
  • Web PKI
  • DNS

Education

  • Ph.D. in Network Security, 2023

    Tsinghua University

  • B.E. in Information Security / LL.B. (Double Major), 2018

    Nankai University

Publications

Posters & Publications

Pinji Chen, Jianjun Chen, Mingming Zhang, Qi Wang, Yiming Zhang, Mingwei Xu, Haixin Duan (2024). Cross-Origin Web Attacks via HTTP/2 Server Push and Signed HTTP Exchange. In NDSS 2025. San Diego, California, 24 February – 28 February, 2025. To appear.

Yunyi Zhang, Mingming Zhang, Baojun Liu, Zhan Liu, Jia Zhang, Haixin Duan, Min Zhang, Fan Shi, Chengxi Xu (2024). Cross the Zone: Toward a Covert Domain Hijacking via Shared DNS Infrastructure. In Usenix Security ‘23. Philadelphia, PA, USA, August 14-16, 2024. (Acceptance rate: 417/2276=18.32%).
* Presented in OARC 43 by Yunyi Zhang.

PDF Slides

Xiang Li, Wei Xu, Baojun Liu, Mingming Zhang, Zhou Li, Jia Zhang, Deliang Chang, Xiaofeng Zheng, Chuhan Wang, Jianjun Chen, Haixin Duan, Qi Li (2024). TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets. In Oakland S&P 2024. San Francisco, California, May 20–23, 2024. (Acceptance rate: 261/1,466=17.8%).

PDF Poster Slides Source Document

Chuhan Wang, YASUHIRO KURANAGA, Yihang Wang, Mingming Zhang, Linkai Zheng, lixiang, Jianjun Chen, Haixin Duan, Yanzhong Lin, Qingfeng Pan (2024). BreakSPF: How Shared Infrastructures Magnify SPF Vulnerabilities Across the Internet. In NDSS ‘24. San Diego, California, 26 February – 1 March, 2024. (Acceptance rate: 104/694=15.0%, Acceptance rate in summer: 41/211=19.4%, Acceptance rate in fall: 63/483=13.0%).

Xiang Li, Baojun Liu, Xuesong Bai, Mingming Zhang, Qifan Zhang, Zhou Li, Haixin Duan, Qi Li (2023). Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation. In NDSS ‘23. San Diego, California, 27 February – 3 March, 2023. (Acceptance rate: 94/581=16.2%).
* Presented in OARC 39.
* Presented in ICANN DNS Symposium 2022.
* Presented in Black Hat Asia 2023.
* Referenced by RFC Draft: Delegation Revalidation by DNS Resolvers.

PDF Code Project Slides DOI

Mingming Zhang, Xiang Li, Baojun Liu, Jianyu Lu, Yiming Zhang, Jianjun Chen, Haixin Duan, Shuang Hao, Xiaofeng Zheng (2022). Detecting and Measuring Security Risks of Hosting-Based Dangling Domains. In SIGMETRICS ‘23. Orlando, Florida, June 19-23, 2023. (Acceptance rate: 55/342=16.1%, Acceptance rate in summer: 17/93=18.3%, Acceptance rate in fall: 26/119=21.9%, Acceptance rate in winter: 12/130=9.2%).
* Presented in OARC 40.
* Presented in APAC DNS Forum 2023 by Mr Alban KWAN.

PDF Code Project Slides

Chuhan Wang, Kaiwen Shen, Minglei Guo, Yuxuan Zhao, Mingming Zhang, Jianjun Chen, Baojun Liu, Xiaofeng Zheng, Haixin Duan, Yanzhong Lin, Qingfeng Pan (2022). A Large-scale and Longitudinal Measurement Study of DKIM Deployment. In Usenix Security 2022.

PDF

Yiming Zhang, Mingxuan Liu, Mingming Zhang, Chaoyi Lu, Haixin Duan (2022). Ethics in Security Research: Visions, Reality, and Paths Forward. In EthiCS 2022.

PDF

Kaiwen Shen, Jianyu Lu, Yaru Yang, Jianjun Chen, Mingming Zhang, Haixin Duan, Jia Zhang, Xiaofeng Zheng (2022). HDiff: A Semi-automatic Framework for Discovering Semantic Gap Attack in HTTP Implementations. In DSN 2022.

PDF

Mingming Zhang, Xiaofeng Zheng, Kaiwen Shen, Ziqiao Kong, Chaoyi Lu, Yu Wang, Haixin Duan, Shuang Hao, Baojun Liu, Min Yang (2020). Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks. In CCS 2020.

PDF Slides

Chaoyi Lu, Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang, Jianping Wu (2020). An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?. In IMC 2019.
* IRTF Applied Networking Research Prize (ANRP) 2020 Award Winner..

PDF Slides Video

Mingming Zhang, Baojun Liu, Chaoyi Lu, Jia Zhang, Shuang Hao, Haixin Duan (2020). Measuring Privacy Threats in China-Wide Mobile Networks. In FOCI 2018.

PDF Slides

Activities

Fallstreak Hole of Internet Clouds: Unraveling the Threat of Hosting-Based Domain Takeovers

Paper title:**Detecting and Measuring Security Risks of Hosting-Based Dangling Domains (published by ACM SIGMETRICS 2023) Domain names, vital for tasks like digital certificate authentication, face growing vulnerabilities in our evolving digital landscape.
Mingming Zhang, Xiang Li, Baojun Liu, Jianyu Lu, Yiming Zhang, Jianjun Chen, Haiixn Duan, Shuang Hao, Xiaofeng Zheng
Last updated on Feb 27, 2024 5 min read Blog
Fallstreak Hole of Internet Clouds: Unraveling the Threat of Hosting-Based Domain Takeovers

Attend ACM SIGMETRICS 2023 and Present Our Research on Domain Takeover

In the SIGMETRICS 2023, I presented our paper “Detecting and Measuring Security Risks of Hosting-Based Dangling Domains” and met so many friend. Happy to be there!
Mingming Zhang
Last updated on Feb 27, 2024 1 min read Presentation
Attend ACM SIGMETRICS 2023 and Present Our Research on Domain Takeover

OARC 40 & NANOG 87 Workshop

In OARC 40 & NANOG 87 Workshop (hybrid in-person and online workshop), I presented a novel hosting-based domain takeover detection framework DareShark to the audiences.
lixiang
Last updated on Oct 8, 2023 1 min read Presentation
OARC 40 & NANOG 87 Workshop

Won the Championship of GeekPwn2019

We successfully hijacked the QR code of the HTTPS website in the same local area network and hijacked the mailbox to obtain the mailbox password.
Mingming Zhang
Last updated on Nov 22, 2020 2 min read GeekPwn
Won the Championship of GeekPwn2019

Misc

🏅 Honors & Awards

Academia & Community

  • EthiCS'22 Best Student Paper, 2022
  • DSN'22 Best Paper Runner-up, 2022
  • IRTF Applied Networking Research Prize, 2020
  • ACM IMC Nominee of Distinguished Paper Award & Community Contribution Award, 2019

Education & Scholarship

  • Doctoral Dissertation Award of Tsinghua University, 2023
  • Qihang Award of Tsinghua University for Graduate Students, 2023
  • LongFor Academic Scholarship. 2023
  • 2st-Class Scholarship of Tsinghua University for Graduate Students, 2020
  • Cyberspace Scholarship of China Internet Development Foundation, 2018
  • China National Scholarship, 2017

Competition

  • The 1st Prize in GeekPWN 2019

🔖 Patents

👩‍💻 Academic Services

Conference TPC member

  • 2023: EAI SecureComm

External Reviewer

  • 2022: NDSS, EthiCS
  • 2021: NDSS, ACSAC
  • 2020: ESORICS
  • 2019: CCS

Contact