Tianchang Yang

I am a third-year Ph.D. student in the Systems and Network Security (SyNSec) Research Group at Penn State University. I'm working as a graduate research assistant with Dr. Syed Rafiul Hussain.
My research involves using a variety of methods (program analysis, symbolic execution, formal methods, LLM, etc) to verify and protect the security and robustness of network systems, telecommunication systems, and service-based systems.

Research Interest

Systems & Network Security
5G and Next-Generation Networks
Open RAN (O-RAN) Systems
Program Analysis
Formal Methods for Security
ML-/LLM- Security & Privacy

Education

The Pennsylvania State University
Ph.D. Student, Computer Science
Advisor: Dr. Syed Rafiul Hussain
08/2022 - Present
Columbia University
M.S., Computer Science, Computer Security Track
08/2019 - 12/2020
University of Richmond
B.S., Double Major in both Computer Science and Mathematics
Minor in Business Administration
08/2015 - 05/2019

Experience

Penn State University (SyNSec Lab)
Graduate Research Assistant, August 2022 - Present
AT&T Labs
Senior Associate Student Technical Intern, June 2024 - August 2024, June 2025 - Present
Tencent Holdings, Ltd. (Tencent Video)
Backend Engineer, April 2021 - May 2022
Wangsu Science & Technology
Security R&D Research Intern, May 2018 - July 2018
University of Richmond
Summer Research Fellowship, May 2017 - July 2017

Publications

CORECRISIS: Threat-Guided and Context-Aware Iterative Learning and Fuzzing of 5G Core Networks
Yilu Dong, Tianchang Yang, Abdullah Al Ishtiaq, Syed Md Mukit Rashid, Ali Ranjbar, Kai Tu, Tianwei Wu, Md Sultan Mahmud, Syed Rafiul Hussain
USENIX Security Symposium (USENIX Security), 2025
[Link] [Code]
```
TODO

      
```

Stateful Analysis and Fuzzing of Commercial Baseband Firmware
Ali Ranjbar, Tianchang Yang, Kai Tu, Saaman Khalilollahi, Syed Rafiul Hussain
IEEE Symposium on Security and Privacy (SP), 2025

[PDF] [Link] [Code]


@INPROCEEDINGS{ranjbar_loris_2025,
  author = { Ranjbar, Ali and Yang, Tianchang and Tu, Kai and Khalilollahi, Saaman and Hussain, Syed Rafiul },
  booktitle = { 2025 IEEE Symposium on Security and Privacy (SP) },
  title = {{ Stateful Analysis and Fuzzing of Commercial Baseband Firmware }},
  year = {2025},
  ISSN = {2375-1207},
  pages = {1120-1139},
  doi = {10.1109/SP61157.2025.00143},
  url = {https://doi.ieeecomputersociety.org/10.1109/SP61157.2025.00143},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
  month = May
}

ORANalyst: Systematic Testing Framework for Open RAN Implementations
Tianchang Yang, Syed Md Mukit Rashid, Ali Ranjbar, Gang Tan, Syed Rafiul Hussain
USENIX Security Symposium (USENIX Security), 2024

[Link] [Code]


@inproceedings {ORANalyst,
author = {Tianchang Yang and Syed Md Mukit Rashid and Ali Ranjbar and Gang Tan and Syed Rafiul Hussain},
title = {{ORANalyst}: Systematic Testing Framework for Open {RAN} Implementations},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {1921--1938},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/yang-tianchang},
publisher = {USENIX Association},
month = aug
}

Formal Analysis of Access Control Mechanism of 5G Core Network
Mujtahid Akon, Tianchang Yang, Yilu Dong, Syed Rafiul Hussain
The ACM Conference on Computer and Communications Security (CCS), 2023

[PDF] [Link] [Code]


@inproceedings{5GCVerif,
author = {Akon, Mujtahid and Yang, Tianchang and Dong, Yilu and Hussain, Syed Rafiul},
title = {Formal Analysis of Access Control Mechanism of 5G Core Network},
year = {2023},
isbn = {9798400700507},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3576915.3623113},
doi = {10.1145/3576915.3623113},
abstract = {We present 5GCVerif, a model-based testing framework designed to formally analyze the access control framework of the 5G Core. With its modular design, 5GCVerif employs various abstraction techniques to craft an abstract model that captures the intricate details of the 5G Core's access control mechanism. This approach offers customizability and extensibility in constructing the abstract model and addresses the state explosion problem in model checking. 5GCVerif also sidesteps the challenge of exhaustively generating models for all possible core network configurations by restricting the model checker to explore policy violations only within the valid network configurations. Using 5GCVerif, we evaluated 55 security properties, leading to the discovery of five new vulnerabilities in 5G Core's access control mechanism. The uncovered vulnerabilities can result in multiple attacks including unauthorized entry to sensitive information, illegitimate access to services, and denial-of-services.},
booktitle = {Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security},
pages = {666–680},
numpages = {15},
keywords = {5g core network, access control, formal analysis, vulnerabilities},
location = {Copenhagen, Denmark},
series = {CCS '23}
}

News

2025
- June:Acknowledged in Google’s Android security acknowledgements for disclosing CVE-2025-26785. Awarded a bounty for the report.
- May: Our talk, Uncovering ‘NASty’ 5G Baseband Vulnerabilities through Dependency-Aware Fuzzing has been accepted to Black Hat USA 2025. Check out the abstract!
- May:Acknowledged in Samsung’s Product Security Update Bulletins for disclosing CVE-2024-52923, CVE-2024-52924, CVE-2025-26784, CVE-2025-26785, CVE-2025-27891. Awarded multiple bug bounties for our reports.
- March: CoreCrisis: Threat-Guided and Context-Aware Iterative Learning and Fuzzing of 5G Core Networks has been accepted to the 34th USENIX Security Symposium.
- January: Stateful Analysis and Fuzzing of Commercial Baseband Firmware has been accepted to the 46th IEEE Symposium on Security and Privacy.
2024
- August: Presented ORANalyst: Systematic Testing Framework for Open RAN Implementations at USENIX Security '24.
- August: Our findings from 5GCVerif resulted in multiple modifications to the 3GPP 5G technical specifications to mitigate our discovered access control vulnerabilities.
- June: Starting my internship at AT&T Labs.
- June: Our paper, ORANalyst: Systematic Testing Framework for Open RAN Implementations, has been accepted to USENIX Security '24.
2023
- July: Our paper, Formal Analysis of Access Control Mechanism of 5G Core Network, has been accepted to CCS '23.
- July: GSMA acknowledges our findings of six attacks on the 5G Core Network with CVD-2023-0069.