Penghui Li

Postdoctoral Research Scientist

Columbia University

Email | Google Scholar | GitHub | Awards | Services

I am a Postdoctoral Research Scientist at Columbia University, working with Prof. Junfeng Yang. I am broadly interested in software system security. I am currently leveraging language-based and neural-symbolic program analysis to automatically find security vulnerabilities. My research has found over 100 new vulnerabilities and has been recognized with a Distinguished Paper Award and a Best Paper Honorable Mention both from ACM CCS.

I did my Ph.D. with Prof. Wei Meng at the Chinese University of Hong Kong.

Recent News:

2024/10: I am invited to serve on the program committee of ACM CCS 2025!

2024/10: Our FuzzCache paper received a distinguished paper award at ACM CCS 2024! This is my first independent work after Ph.D.

2024/09: I received a distinguished reviewer award at USENIX Security 2024 Artifact Evaluation.

Publications

2025

Predator: Directed Web Application Fuzzing for Efficient Vulnerability Validation
Chenlin Wang, Wei Meng, Changhua Luo, Penghui Li
In Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P), May 2025 (to appear)

VulShield: Protecting Vulnerable Code Before Deploying Patches
Yuan Li, Chao Zhang, Jinhao Zhu, Penghui Li, Chenyang Li, Songtao Yang, Wende Tan
In Proceedings of the 31st Annual Network and Distributed System Security Symposium (NDSS), February 2025 (to appear)

2024

FuzzCache: Optimizing Web Application Fuzzing Through Software-Based Data Cache [PDF] [CODE]
Penghui Li, Mingxue Zhang
In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024
★ Distinguished Paper Award

Test Suites Guided Vulnerability Validation for Node.js Applications [PDF] [CODE]
Changhua Luo, Penghui Li, Wei Meng, Chao Zhang
In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024

SDFuzz: Target States Driven Directed Fuzzing [PDF]
Penghui Li, Wei Meng, Chao Zhang
In Proceedings of the 33rd USENIX Security Symposium (Security), August 2024

Testing Graph Database Systems via Graph-Aware Metamorphic Relations [PDF] [CODE]
Zeyang Zhuang, Penghui Li, Pingchuan Ma, Wei Meng, Shuai Wang
In Proceedings of the 50th International Conference on Very Large Data Bases (VLDB), August 2024

Holistic Concolic Execution for Dynamic Web Applications via Symbolic Interpreter Analysis [PDF] [CODE]
Penghui Li, Wei Meng, Mingxue Zhang, Chenlin Wang, Changhua Luo
In Proceedings of the 45th IEEE Symposium on Security and Privacy (S&P), May 2024

2023

DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing [PDF] [CODE]
Ming Yuan, Bodong Zhao, Penghui Li, Jiashuo Liang, Xinhui Han, Xiapu Luo, Chao Zhang
In Proceedings of the 32nd USENIX Security Symposium (Security), August 2023

SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration [PDF] [CODE]
Changhua Luo, Wei Meng, Penghui Li
In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), May 2023

2022

SEDiff: Scope-Aware Differential Fuzzing to Test Internal Function Models in Symbolic Execution [PDF] [CODE]
Penghui Li, Wei Meng, Kangjie Lu
In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (FSE), Research Track, November 2022

TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications [PDF] [CODE]
Changhua Luo, Penghui Li, Wei Meng
In Proceedings of the 29th ACM Conference on Computer and Communications Security (CCS), November 2022
★ Best Paper Honorable Mention

2021

Understanding and Detecting Performance Bugs in Markdown Compilers [PDF] [CODE]
Penghui Li, Yinxi Liu, Wei Meng
In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), Research Track, November 2021
★ Best Software Artifact Nomination

LChecker: Detecting Loose Comparison Bugs in PHP [PDF] [CODE]
Penghui Li, Wei Meng
In Proceedings of the Web Conference 2021 (WWW), Security Track, April 2021

On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution [PDF] [CODE]
Penghui Li, Wei Meng, Kangjie Lu, Changhua Luo
In Proceedings of the Web Conference 2021 (WWW), Security Track, April 2021

Awards

ACM CCS Distinguished Paper Award, 2024

USENIX Security Distinguished Artifact Reviewer, 2024

ACM CCS Best Paper Honorable Mention, 2022

HKSAR Reaching Out Award, 2022

IEEE/ACM ASE Best Software Artifact Normination, 2021

The Web Conference Student Scholarship, 2021

CUHK Postgraduate Student Scholarship, 2019 - 2023

Services

Program Committee

The ACM Conference on Computer and Communications Security (CCS), 2025

Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb), 2024, 2025

European Conference on Computer Systems (EuroSys), Shadow PC, 2024

USENIX Security (Security), Artifact Evaluation Committee, 2024

ACM Conference on Computer and Communications Security (CCS), Artifact Evaluation Committee, 2023

Journal Reviewer

ACM Transactions on Software Engineering and Methodology (TOSEM)

IEEE Transactions on Dependable and Secure Computing (TDSC)