About

Kangjie Lu is an Associate Professor in the Department of Computer Science & Engineering at the University of Minnesota Twin Cities. He joined the department in 2017 after receiving his Ph.D. in Computer Science from the Georgia Institute of Technology in 2017. His educational background also includes a Master of Engineering in Software Engineering from Peking University and a Bachelor of Science in Software Engineering from Chongqing University. His research interests encompass computer security, software engineering, operating systems, artificial intelligence, and security ethics. His work aims to secure both traditional software systems and AI systems, with a focus on program understanding and reasoning, secure-by-design principles, and sustainable security assurance. He employs techniques such as dynamic, static, and symbolic program analysis, compiler techniques, system building, machine learning, and natural language processing to achieve his research goals. Kangjie Lu has received notable recognition including the NSF CAREER Award in 2021 and an Outstanding Paper Award at the Annual Computer Security Applications Conference in 2022. Prior to his academic career, he served as a visiting scholar at MPI-SWS and CISPA Helmholtz Center for Information Security in Germany, and as a research intern at NEC Labs America and Samsung Research America.

Research topics

• Computer Science
• Computer Security
• Data Mining
• Artificial Intelligence
• Operating system
• Machine Learning
• Archaeology
• Software engineering
• Distributed computing
• Parallel computing
• Human–computer interaction
• Embedded system
• Computer network
• Programming language
• Geography

Selected publications

• GenDetect: Generalizing Reactive Detection for Resilience Against Imitative DeFi Attack Cascade

  arXiv (Cornell University) · 2026-04-28

  preprintOpen accessSenior author

  As blockchain ecosystems grow, financially motivated attackers increasingly exploit decentralized finance (DeFi) protocols, causing frequent and severe losses. Unlike conventional cyberattacks, DeFi exploits propagate rapidly due to the transparent and composable nature of smart contracts. We identify a critical pattern, Imitative Attack Cascade: an initial successful exploit is quickly followed by mimicking transactions that reuse attack logic with minor modifications or parameter changes. Our empirical analysis shows that over 69% of DeFi attacks exhibit strong behavioral similarity to earlier incidents, often within hours or days of the initial attack. This exposes a fundamental limitation in current reactive detection. Initial attacks are typically flagged via heuristic alerts (Tornado Cash traces, anomalous nonce usage, exploiter labels), but turning these signals into detection rules requires manual validation and handcrafted trace analysis -- a labor-intensive, slow process that leaves follow-up attacks to spread. Our goal is to ensure that once an attack has been observed, even a single instance, it can be rapidly abstracted into an actionable, generalizable detection rule. We decompose the problem into two challenges: (I) abstracting the semantics of diverse, obscure function signatures, and (II) matching transaction logic in noisy, evasive traces. We leverage two insights: (i) the open-source nature of most DeFi protocols enables high-fidelity semantic classification of function signatures; (ii) contract labels isolate essential logic by filtering irrelevant calls and classifying attack intent. Building on these, we develop GenDetect, which achieves ACC 98%, FPR 1%, FNR 3% and discovers 56 previously unrevealed attacks from the past three years. Source code and dataset: https://github.com/NobodyIsAnonymous/GenDetect_ICSE2026

  PublisherDOI

• CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses

  Zenodo (CERN European Organization for Nuclear Research) · 2026-02-05

  otherOpen access

  Artifact for CLower This artifact provides the source code, scripts, and environment necessary to reproduce the results presented in our paper: "CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses". Citing our paper: @inproceedings {xu2026clower, author = {Jianhao Xu and Kunbo Zhang and Mathias Payer and Kangjie Lu and Bing Mao}, title = {CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses}, booktitle = {Proceedings of the ACM on Programming Languages}, year = {2026}, } Quick Start Download CLower.tar.gz - Main artifact package Extract and read CLower/README.md for detailed instructions Download additional resource files as guided by the README Files in This Repository Main Package (Start Here) CLower.tar.gz - Contains all source code, documentation, and setup scripts Extract first: tar -xzf CLower.tar.gz Read the README: CLower/README.md has a complete setup guide This package guides you through using all other resources Supplementary Resources File Description resource.tar.gz (8.40 GB) Pre-compiled binaries for program detection loadcase.tar.gz (1.04 GB) Pre-generated load test cases storecases.tar.gz (946 MB) Pre-generated store test cases

  PublisherDOI

• Capturing Monetarily Exploitable Vulnerability in Smart Contracts via Auditor Knowledge-Learning Fuzzing

  arXiv (Cornell University) · 2026-04-20

  articleOpen accessSenior author

  Smart contracts extended blockchain functionality beyond simple transactions, powering complex applications like decentralized finance (DeFi). However, this complexity introduces serious security challenges, including price manipulation and inflation attacks. Despite the development of various security tools, the rapid rise in financially motivated exploits continues to pose a significant threat to the blockchain ecosystem. These financially motivated exploits often stem from Monetarily Exploitable Vulnerabilities (MEVuls), which refer to vulnerabilities arising from exploitable implementations in monetary transactions or value-transfer logic. Due to their complexity, intricate chains of function calls, multifaceted logic, and diverse manifestations across different smart contracts, MEVuls are particularly challenging for current security tools to identify. Instead of providing actionable insights, existing tools frequently generate excessive warnings that overwhelm developers without effectively mitigating risks. To address the challenge of recognizing MEVuls, we first formalize MEVuls based on common real-world financial exploits. Then, we introduce FAUDITOR, a specialized fuzzer designed to detect MEVuls in smart contracts. The key insight is that leveraging smart contracts' finance-related interfaces directly exposes critical vulnerabilities, making detection more targeted. We further integrate auditors' reports using NLP to extract valuable insights on exploitation patterns, enabling a more informed search strategy. Additionally, FAUDITOR employs a self-learning mechanism that refines its detection strategies over time, allowing it to improve based on prior fuzzing results. In our evaluation, FAUDITOR impressively reveals 220 zero-day MEVuls. Meanwhile, compared to existing fuzzers, FAUDITOR detects vulnerabilities faster and achieves better instruction coverage.

  PublisherOA PDF

• Compatibility at a Cost: Systematic Discovery and Exploitation of MCP Clause-Compliance Vulnerabilities

  arXiv (Cornell University) · 2026-03-10

  preprintOpen accessSenior author

  The Model Context Protocol (MCP) is a recently proposed interoperability standard that unifies how AI agents connect with external tools and data sources. By defining a set of common client-server message exchange clauses, MCP replaces fragmented integrations with a standardized, plug-and-play framework. However, to be compatible with diverse AI agents, the MCP specification relaxes many behavioral constraints into optional clauses, leading to misuse-prone SDK implementation. We identify it as a new attack surface that allows adversaries to achieve multiple attacks (e.g, silent prompt injection, DoS, etc.), named as \emph{compatibility-abusing attacks}. In this work, we present the first systematic framework for analyzing this new attack surface across multi-language MCP SDKs. First, we construct a universal and language-agnostic intermediate representation (IR) generator that normalizes SDKs of different languages. Next, based on the new IR, we propose auditable static analysis with LLM-guided semantic reasoning for cross-language/clause compliance analysis. Third, by formalizing the attack semantics of the MCP clauses, we build three attack modalities and develop a modality-guided pipeline to uncover exploitable non-compliance issues.

  PublisherDOI

• CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses

  Zenodo (CERN European Organization for Nuclear Research) · 2026-04-08

  otherOpen access

  Artifact for CLower This artifact provides the source code, scripts, and environment necessary to reproduce the results presented in our paper: "CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses". Citing our paper: @inproceedings {xu2026clower, author = {Jianhao Xu and Kunbo Zhang and Mathias Payer and Kangjie Lu and Bing Mao}, title = {CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses}, booktitle = {Proceedings of the ACM on Programming Languages}, year = {2026}, } Quick Start Download CLower.tar.gz - Main artifact package Extract and read CLower/README.md for detailed instructions Download additional resource files as guided by the README Files in This Repository Main Package (Start Here) CLower.tar.gz - Contains all source code, documentation, and setup scripts Extract first: tar -xzf CLower.tar.gz Read the README: CLower/README.md has a complete setup guide This package guides you through using all other resources Supplementary Resources File Description resource.tar.gz (9.44 GB) Pre-compiled binaries for program detection loadcase.tar.gz (1.04 GB) Pre-generated load test cases storecases.tar.gz (946 MB) Pre-generated store test cases

  PublisherDOI

• Compatibility at a Cost: Systematic Discovery and Exploitation of MCP Clause-Compliance Vulnerabilities

  arXiv (Cornell University) · 2026-03-10

  articleOpen accessSenior author

  The Model Context Protocol (MCP) is a recently proposed interoperability standard that unifies how AI agents connect with external tools and data sources. By defining a set of common client-server message exchange clauses, MCP replaces fragmented integrations with a standardized, plug-and-play framework. However, to be compatible with diverse AI agents, the MCP specification relaxes many behavioral constraints into optional clauses, leading to misuse-prone SDK implementation. We identify it as a new attack surface that allows adversaries to achieve multiple attacks (e.g, silent prompt injection, DoS, etc.), named as \emph{compatibility-abusing attacks}. In this work, we present the first systematic framework for analyzing this new attack surface across multi-language MCP SDKs. First, we construct a universal and language-agnostic intermediate representation (IR) generator that normalizes SDKs of different languages. Next, based on the new IR, we propose auditable static analysis with LLM-guided semantic reasoning for cross-language/clause compliance analysis. Third, by formalizing the attack semantics of the MCP clauses, we build three attack modalities and develop a modality-guided pipeline to uncover exploitable non-compliance issues.

  PublisherOA PDF

• GenDetect: Generalizing Reactive Detection for Resilience Against Imitative DeFi Attack Cascade

  ArXiv.org · 2026-04-28

  articleOpen accessSenior author

  As blockchain ecosystems grow, financially motivated attackers increasingly exploit decentralized finance (DeFi) protocols, causing frequent and severe losses. Unlike conventional cyberattacks, DeFi exploits propagate rapidly due to the transparent and composable nature of smart contracts. We identify a critical pattern, Imitative Attack Cascade: an initial successful exploit is quickly followed by mimicking transactions that reuse attack logic with minor modifications or parameter changes. Our empirical analysis shows that over 69% of DeFi attacks exhibit strong behavioral similarity to earlier incidents, often within hours or days of the initial attack. This exposes a fundamental limitation in current reactive detection. Initial attacks are typically flagged via heuristic alerts (Tornado Cash traces, anomalous nonce usage, exploiter labels), but turning these signals into detection rules requires manual validation and handcrafted trace analysis -- a labor-intensive, slow process that leaves follow-up attacks to spread. Our goal is to ensure that once an attack has been observed, even a single instance, it can be rapidly abstracted into an actionable, generalizable detection rule. We decompose the problem into two challenges: (I) abstracting the semantics of diverse, obscure function signatures, and (II) matching transaction logic in noisy, evasive traces. We leverage two insights: (i) the open-source nature of most DeFi protocols enables high-fidelity semantic classification of function signatures; (ii) contract labels isolate essential logic by filtering irrelevant calls and classifying attack intent. Building on these, we develop GenDetect, which achieves ACC 98%, FPR 1%, FNR 3% and discovers 56 previously unrevealed attacks from the past three years. Source code and dataset: https://github.com/NobodyIsAnonymous/GenDetect_ICSE2026

  PublisherOA PDFDOI

• Capturing Monetarily Exploitable Vulnerability in Smart Contracts via Auditor Knowledge-Learning Fuzzing

  arXiv (Cornell University) · 2026-04-20

  preprintOpen accessSenior author

  Smart contracts extended blockchain functionality beyond simple transactions, powering complex applications like decentralized finance (DeFi). However, this complexity introduces serious security challenges, including price manipulation and inflation attacks. Despite the development of various security tools, the rapid rise in financially motivated exploits continues to pose a significant threat to the blockchain ecosystem. These financially motivated exploits often stem from Monetarily Exploitable Vulnerabilities (MEVuls), which refer to vulnerabilities arising from exploitable implementations in monetary transactions or value-transfer logic. Due to their complexity, intricate chains of function calls, multifaceted logic, and diverse manifestations across different smart contracts, MEVuls are particularly challenging for current security tools to identify. Instead of providing actionable insights, existing tools frequently generate excessive warnings that overwhelm developers without effectively mitigating risks. To address the challenge of recognizing MEVuls, we first formalize MEVuls based on common real-world financial exploits. Then, we introduce FAUDITOR, a specialized fuzzer designed to detect MEVuls in smart contracts. The key insight is that leveraging smart contracts' finance-related interfaces directly exposes critical vulnerabilities, making detection more targeted. We further integrate auditors' reports using NLP to extract valuable insights on exploitation patterns, enabling a more informed search strategy. Additionally, FAUDITOR employs a self-learning mechanism that refines its detection strategies over time, allowing it to improve based on prior fuzzing results. In our evaluation, FAUDITOR impressively reveals 220 zero-day MEVuls. Meanwhile, compared to existing fuzzers, FAUDITOR detects vulnerabilities faster and achieves better instruction coverage.

  PublisherDOI

• The Dark Side of Flexibility: Detecting Risky Permission Chaining Attacks in Serverless Applications

  2026-01-01

  articleOpen accessSenior author

  Modern serverless platforms enable rapid application evolution by decoupling infrastructure from function-level development.However, this flexibility introduces a fundamental mismatch between the decentralized, function-level privilege configurations of serverless applications and the centralized cloud access control systems.We observe that this mismatch commonly incurs risky permissions of functions in serverless applications, and an attacker can chain multiple risky-permissioned functions to escalate privileges, take over the account, and even move laterally to compromise other accounts.We term such an attack a risky permission chaining attack.In this work, we propose an automated reasoning system that can detect risky permissions that are exploitable for chaining attacks.First, we root in attacker-centric modality abstraction, which explicitly captures how independent permissions from different functions and accounts can be merged into real attack chains.Based on this abstraction, we build a modalityguided detection tool that uncovers exploitable privilege chains in real-world serverless applications.We evaluate our approach across two major cloud platforms -AWS and Alibaba Cloud -by analyzing serverless applications sourced from their official, production-grade application repositories.As a result, our analysis uncovers 28 vulnerable applications, including five confirmed CVEs, six responsible vulnerability acknowledgments, and one security bounty.These findings underscore that the risky permission chaining attack is not only a theoretical risk but also a structural and exploitable threat already present in commercial serverless deployments, rooted in the fundamental mismatch between decentralized serverless applications and centralized access control models.

  PublisherDOI

• CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses

  Zenodo (CERN European Organization for Nuclear Research) · 2026-02-06 · 1 citations

  otherOpen access

  Artifact for CLower This artifact provides the source code, scripts, and environment necessary to reproduce the results presented in our paper: "CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses". Citing our paper: @inproceedings {xu2026clower, author = {Jianhao Xu and Kunbo Zhang and Mathias Payer and Kangjie Lu and Bing Mao}, title = {CLower: Detecting Compiler Pessimization Bugs through Redundant Memory Accesses}, booktitle = {Proceedings of the ACM on Programming Languages}, year = {2026}, } Quick Start Download CLower.tar.gz - Main artifact package Extract and read CLower/README.md for detailed instructions Download additional resource files as guided by the README Files in This Repository Main Package (Start Here) CLower.tar.gz - Contains all source code, documentation, and setup scripts Extract first: tar -xzf CLower.tar.gz Read the README: CLower/README.md has a complete setup guide This package guides you through using all other resources Supplementary Resources File Description resource.tar.gz (8.40 GB) Pre-compiled binaries for program detection loadcase.tar.gz (1.04 GB) Pre-generated load test cases storecases.tar.gz (946 MB) Pre-generated store test cases

  PublisherDOI

Recent grants

• SaTC: CORE: Small: MOSE: Automated Detection of Module-Specific Semantic Errors

  NSF · $495k · 2018–2021

• SaTC: CORE: Small: Checking Security Checks in OS Kernels

  NSF · $500k · 2019–2023

Frequent coauthors

• Qiushi Wu

  University of Minnesota System

  31 shared

• Shouling Ji

  Zhejiang University

  14 shared

• Wenke Lee

  Georgia Institute of Technology

  10 shared

• Yong Qi

  Gene Tech (China)

  10 shared

• Xuhong Zhang

  9 shared

• Wenjia Zhao

  Aerospace Information Research Institute

  9 shared

• Aditya Pakki

  University of Minnesota

  9 shared

• Chenggang Wu

  Shenzhen Municipal People's Government

  8 shared

Labs

• Kangjie LuPI

Awards & honors

• Outstanding Paper Award, Annual Computer Security Applicatio…
• National Science Foundation Faculty Early Career Development…