choongwoo.han@microsoft.com
cwhan.tunz@gmail.com
Interests
- Software Security
- Performance Engineering
- Fuzzing
Work Experience
- Software Engineer
Microsoft
Edge Browser JavaScript and WebAssembly (Nov 2022 - )
Edge Browser Vulnerability Research (Apr 2020 - Nov 2022)
Apr 2020 - - Software Engineer
NAVER
Worked on AI (deep learning models) serving platform at Search team.
Nov 2018 - Oct 2019 - Security Engineer
NAVER
Worked on Naver product security.
June 2017 - Nov 2018
Education
- M.S. Computer Science
Korea Advanced Institute of Science and Technology (KAIST)
Software Security Lab
March 2015 - Febraury 2017 - B.S., Computer Science and Engineering,
Ulsan National Institue of Science and Technology (UNIST)
March 2011 - February 2015
Publications
Conference
[1] Jaeseung Choi, Joonun Jang, Choongwoo Han, and Sang Kil Cha, “Grey-box Concolic Testing on Binary Code”, In Proceedings of the International Conference on Software Engineering (ICSE) 2019, Technical Track.
Journal
[1] Joohyun Lee, Kyunghan Lee, Choongwoo Han, Taehoon Kim, and Song Chong, “Resource-efficient Mobile Multimedia Streaming with Adaptive Network Selection”, IEEE Transactions on Multimedia (IF: 2.536), 2016.
Projects
- binch/binch-go: A ELF binary patch tool in console. This makes binary patch works easy and quick for small fixes.
- V8: JavaScript Engine of Chromium. I improved TypedArray performance and fixed security bugs (commits).
- Chow: Rough static analysis tool with micro-grammar written in Haskell.
Vulnerability Reports
- 2020
- Heap buffer overflow in Skia (CVE-2020-6548) (link)
- 2019
- 2018
- 2017
- Out of bounds access in Chrome V8 (reward $3,000 / CVE-2017-5122) (link)
- Out of bounds read in Chrome V8 (reward $3,000 / CVE-2017-5071) (link)
- Information Disclosure in Chrome V8 (reward $2,000 / CVE-2017-5040) (link)
- Null Pointer Dereference in string prepend of mruby (reward $800) (link)
- Heap Overflow in array splice of mruby (reward $800) (link)
- Type Confusion in print_backtrace of mruby (reward $100) (link)
- Use After Free in array replace of mruby (reward $800) (link)
- Local File Inclusion Attack in Rocket (link)
- Integer Overflow in array splice of mruby (reward $800) (link)
- Integer Overflow in array set of mruby (reward $100) (link)
- Remote Code Execution in icoutils (CVE-2017-5208) (link)
- 2016
- Out-of-bounds write in Chrome V8 (reward $5,000 / CVE-2016-5200) (link)
- Memory Corruption in Chrome V8 (reward $5,000 / CVE-2016-5172) (link)
- Unauthorized branch access in GitHub (reward $5,000 + bonus $1,000) (link)
- Heap Buffer Overflow in Chrome V8 (reward $3,000 / CVE-2016-1669) (link)
- Out-of-bounds write in Chrome V8 (reward $5,000 / CVE-2016-1653) (link)
- 2015
- 2014
- Remote Code Execution in Dr.Soft Netclient5 PMS (reward XXX / KISA 14-084)
- Remote Code Execution in UNIST portal web site
- 2013
- SQL Injection and Break password encryption in UNIST portal web site
- SQL Injection in UNIST web mail
- Remote Code Execution in UNIST attendance checking devices
Hacking Competition Awards
- 2019
- Finalist, DEFCON CTF 27, Las Vegas (team CGC)
- 2018
- Finalist, DEFCON CTF 26, Las Vegas (team C.G.K.S)
- 2017
- 3rd place, Cyber Conflict Exercise & Contest 2017 (team 쿠앤크, award $4,000)
- Finalist, DEFCON CTF 25, Las Vegas (team RRR)
- 2015
- Finalist, SECCON CTF 2015 (team CodeRed), Japan
- 2nd place, HDCON 12 (team CodeRed) by KISA, South Korea (award $4,000)
- 2014
- 5th place, HDCON 11 (team CodeC) by KISA, South Korea (award $2,000)
- 2nd place, Incognito CTF (team CodeRed, award $600)
- Finalist, DEFCON CTF 22, Las Vegas (team CodeRed)
- 2013
- 1st place, Holyshield CTF (team CodePink) by Catholic University of Korea (award $1,000)
- 3rd place, Whitehat Hacking Contest (team HeXA) by MND, South Korea (award $8,000)
Groups
- KaisHack (2016)
- CodeRed (2013 ~)
- HeXA, UNIST Computer Security Club (2011 ~ 2014)
Talks
- 개발자가 꼭 알아야 할 보안 이야기 D2 Campus Seminar 2 Febraury 2015