Nanzi Yang

Postdoctoral Associate, Department of Computer Science & Engineering, University of Minnesota

📧 yang9467@umn.edu 🎓 Google Scholar

Trustworthy AI Systems AI System Security Cloud Security Agent & Protocol Security (MCP, A2A)

Research Interests

Trustworthy AI systems; AI system security; cloud security; security of AI agents and orchestration protocols (MCP, A2A).

System-level security for modern AI services: from cloud-native infrastructure to emerging agent protocols.

Kubernetes, container platforms, serverless, protocol compliance, security hardening.

Postdoctoral Associate, Department of Computer Science
Host: Prof. Kangjie Lu

Ph.D. in Cyberspace Security (2019–2024)
B.S. in Information Engineering (2014–2018)

The Dark Side of Flexibility: Detecting Risky Permission Chaining Attacks in Serverless Applications
Xunqi Liu*, Nanzi Yang*, Chang Li, Jinku Li, Jianfeng Ma, Kangjie Lu — NDSS 2026
Dangers Behind Access Control: Understanding and Exploiting Implicit Permissions in Kubernetes
Nanzi Yang, Xingyu Liu, Wenbo Shen, Jinku Li, Kangjie Lu — ACM CCS 2025
Towards Understanding and Defeating Abstract Resource Attacks for Container Platforms
Wenbo Shen, Yifei Wu, Yutian Yang, Qirui Liu, Nanzi Yang, Jinku Li, Kangjie Lu, Jianfeng Ma — IEEE TDSC 2025
Take Over the Whole Cluster: Attacking Kubernetes via Excessive Permissions of Third-party Applications
Nanzi Yang, Wenbo Shen, Jinku Li, Xunqi Liu, Xin Guo, Jianfeng Ma — ACM CCS 2023
Attacks are forwarded: breaking the isolation of MicroVM-based containers through operation forwarding
Jietao Xiao*, Nanzi Yang*, Wenbo Shen, Jinku Li, Xin Guo, Zhiqiang Dong, Fei Xie, Jianfeng Ma — USENIX Security 2023
Demons in the Shared Kernel: Abstract Resource Attacks Against OS-level Virtualization
Nanzi Yang*, Wenbo Shen*, Jinku Li, Yutian Yang, Kangjie Lu, Jietao Xiao, Tianyu Zhou, Chenggang Qin, Wang Yu, Jianfeng Ma, Kui Ren — ACM CCS 2021

Tip: You can keep this list “selected” and link to your full publication list on Google Scholar.

Discovered and responsibly disclosed 10+ CVEs in production cloud systems.
- MicroVM-based containers: CVE-2022-0358 (RedHat, score 7, moderate)
- Kubernetes RBAC & applications: e.g., CVE-2024-9779 (RedHat, score 7.5, high)
- Serverless permission chaining: e.g., CVE-2024-37293 (AWS GitHub, score 7.8, high)
Received two security bounties from Google Bug Hunter for vulnerabilities in Kubernetes-related cloud services.

Contributed substantially to preparation of three faculty-led funding proposals on AI system security and cloud infrastructure hardening, submitted to AWS and Google security funding award programs (technical approach, milestones, evaluation plans).

Guest Lecturer — CSCI 5271: Introduction to Computer Security, University of Minnesota (Fall 2025)
Teaching Assistant — Computer System Security, Xidian University (Summer 2022)

Mentored four Master's students during Ph.D; two mentored projects led to co-first-author publications at top-tier security conferences (USENIX Security 2023, NDSS 2026).
Mentoring two Ph.D students during PostDoc at UMN; one student is expected to graduate next year.

Reviewer, IEEE Transactions on Communications
Assisting my PostDoc advisor in reviewing manuscripts for NDSS, ACM CCS, and RAID

Demons in the Shared Kernel: Abstract Resource Attacks Against OS-level Virtualization, CCS 2021
Attacks are forwarded: breaking the isolation of MicroVM-based containers through operation forwarding, USENIX Security 2023
Take Over the Whole Cluster: Attacking Kubernetes via Excessive Permissions of Third-party Applications, CCS 2023
Dangers Behind Access Control: Understanding and Exploiting Implicit Permissions in Kubernetes Applications, CCS 2025
The Dark Side of Flexibility: Detecting Risky Permission Chaining Attacks in Serverless Applications, NDSS 2026