The System Security Foundations Lab (SSF-Lab) at UIUC conducts foundational research on the security, privacy, and trustworthiness of real-world systems. Our mission is to identify, reason about, and eliminate fundamental security design flaws—not just implementation bugs—in the systems, platforms, and standards that society depends on every day.
SSF-Lab focuses on security as a system-level design problem, combining rigorous formal methods with empirical system analysis to deliver provable security guarantees and deployable protections.
SSF-Lab studies security and privacy challenges across the full system stack, with an emphasis on design-level vulnerabilities and long-term architectural correctness:
-
AI & Agentic Systems Security: Secure interoperability and policy enforcement for intelligent agents and multi-agent systems
-
System & Platform Security: Operating systems, mobile platforms, browsers, and cloud infrastructures
-
IoT & Cyber-Physical Systems (CPS): Smart home ecosystems, industrial IoT, and standardized IoT protocols (e.g., MQTT, Matter)
-
Formal Methods for Security & Privacy: Formal modeling, verification, and compliance guarantees for complex systems
-
Mobile & Cloud Security Authentication, access control, data isolation, and cross-service interactions
-
Software Supply Chain Security: SDKs, libraries, CI/CD pipelines, and ecosystem-scale risk propagation
Research from SSF-Lab has directly influenced and changed the security design of widely deployed systems and products, including:
-
Mobile and desktop platforms (Android, iOS, iPadOS, macOS)
-
Web browsers (Chrome, Safari, Firefox, Opera)
-
Cloud and IoT platforms (AWS IoT, Azure IoT, IBM IoT)
-
Smart home ecosystems (Apple Home / HomeKit, Google Home, SmartThings)
-
Large-scale apps, SDKs, and advertising platforms
-
Open-source and industry IoT standards
Across these efforts, the lab has uncovered 100+ previously unknown classes of security vulnerabilities, many of which exposed new attack surfaces and threat models that were not understood before.
Our work has led to security design changes and fixes deployed at global scale, protecting hundreds of millions of users.
SSF-Lab publishes regularly in top-tier security and systems venues, including:
-
IEEE Symposium on Security & Privacy (Oakland)
-
ACM CCS
-
USENIX Security
-
NDSS
Our research has been featured by major media outlets such as Time, CNN, Forbes, CNET, The Register, Yahoo, and others, reflecting both technical depth and real-world relevance.
SSF-Lab actively engages with standards bodies, open-source communities, and industry partners to ensure research outcomes translate into practice.
A key example is our involvement in designing and releasing Natural Language Interaction Protocol (NLIP)—the first formal standard for secure, interoperable communication among intelligent agents. NLIP aims to provide a predictable, policy-aware substrate for next-generation AI systems, analogous to the role TCP/IP and HTTP played for the Internet. NLIP is formally released by Ecma International on Dec. 10th, 2025.
🏛️ ECMA TC56: https://ecma-international.org/technical-committees/tc56/
🏛️ ECMA-430 Natural Language Interaction Protocol (NLIP) 1st edition, December 2025 https://ecma-international.org/publications-and-standards/standards/ecma-430/
The System Security Foundations Lab is directed by Prof. Luyi Xing (https://www.xing-luyi.com/), Associate Professor of Computer Science at UIUC, with prior industry experience building large-scale production systems and long-standing engagement with the global security research and hacking communities. System Security Foundations Lab works closely with Professor Xiaojing Liao at UIUC (https://www.xiaojingliao.com/), who has made signicantly contributions to our work that requires deep expertise in at least AI/NLP, AI agent, and software supply chain.