Choongwoo Han Software Engineer tunz

About

choongwoo.han@microsoft.com
cwhan.tunz@gmail.com

Interests

  • Software Security
  • Performance Engineering
  • Fuzzing

Work Experience

  • Security Software Engineer
    Microsoft
    Edge Browser Vulnerability Research.
    Apr 2020 -
  • Software Engineer
    NAVER
    Worked on AI (deep learning models) serving platform at Search team.
    Nov 2018 - Oct 2019
  • Security Engineer
    NAVER
    Worked on Naver product security.
    June 2017 - Nov 2018

Education

  • M.S. Computer Science
    Korea Advanced Institute of Science and Technology (KAIST)
    Software Security Lab
    March 2015 - Febraury 2017
  • B.S., Computer Science and Engineering,
    Ulsan National Institue of Science and Technology (UNIST)
    March 2011 - February 2015

Publications

Conference

[1] Jaeseung Choi, Joonun Jang, Choongwoo Han, and Sang Kil Cha, “Grey-box Concolic Testing on Binary Code”, In Proceedings of the International Conference on Software Engineering (ICSE) 2019, Technical Track.

Journal

[1] Joohyun Lee, Kyunghan Lee, Choongwoo Han, Taehoon Kim, and Song Chong, “Resource-efficient Mobile Multimedia Streaming with Adaptive Network Selection”, IEEE Transactions on Multimedia (IF: 2.536), 2016.

Projects

  • binch/binch-go: A ELF binary patch tool in console. This makes binary patch works easy and quick for small fixes.
  • V8: JavaScript Engine of Chromium. I improved TypedArray performance and fixed security bugs (commits).
  • Chow: Rough static analysis tool with micro-grammar written in Haskell.

(Selected) Vulnerability Reports [more]

  • 2020
    • Heap buffer overflow in Skia (CVE-2020-6548) (link)
  • 2019
    • Type Confusion in Chrome V8 (reward $5,000 / CVE-2019-5791) (link)
  • 2018
    • Out-of-bounds read in Chrome V8 (reward $4,500 / CVE-2018-6142) (link)
  • 2017
    • Out-of-bounds access in Chrome V8 (reward $3,000 / CVE-2017-5122) (link)
    • Out-of-bounds read in Chrome V8 (reward $3,000 / CVE-2017-5071) (link)
    • Information Disclosure in Chrome V8 (reward $2,000 / CVE-2017-5040) (link)
  • 2016
    • Out-of-bounds write in Chrome V8 (reward $5,000 / CVE-2016-5200) (link)
    • Memory Corruption in Chrome V8 (reward $5,000 / CVE-2016-5172) (link)
    • Unauthorized branch access on GitHub (reward $5,000 + bonus $1,000) (link)
    • Heap Buffer Overflow in Chrome V8 (reward $3,000 / CVE-2016-1669) (link)
    • Out-of-bounds write in Chrome V8 (reward $5,000 / CVE-2016-1653) (link)
  • 2015
    • Remote Code Execution in GitHub for Mac (reward $2,500) (link)
    • XSS in Dropbox (reward $1,331) (post)
  • 2014
    • Remote Code Execution in Dr.Soft Netclient5 PMS (reward XXX / KISA 14-084)

Hacking Competition Awards

  • 2019
    • Finalist, DEFCON CTF 27, Las Vegas (team CGC)
  • 2018
    • Finalist, DEFCON CTF 26, Las Vegas (team C.G.K.S)
  • 2017
    • 3rd place, Cyber Conflict Exercise & Contest 2017 (team 쿠앤크, award $4,000)
    • Finalist, DEFCON CTF 25, Las Vegas (team RRR)
  • 2015
    • Finalist, SECCON CTF 2015 (team CodeRed), Japan
    • 2nd place, HDCON 12 (team CodeRed) by KISA, South Korea (award $4,000)
  • 2014
    • 5th place, HDCON 11 (team CodeC) by KISA, South Korea (award $2,000)
    • 2nd place, Incognito CTF (team CodeRed, award $600)
    • Finalist, DEFCON CTF 22, Las Vegas (team CodeRed)
  • 2013
    • 1st place, Holyshield CTF (team CodePink) by Catholic University of Korea (award $1,000)
    • 3rd place, Whitehat Hacking Contest (team HeXA) by MND, South Korea (award $8,000)

Groups

  • KaisHack (2016)
  • CodeRed (2013 ~)
  • HeXA, UNIST Computer Security Club (2011 ~ 2014)

Talks