Penghui Li Postdoctoral Research Scientist Columbia University Email | Google Scholar | GitHub | Awards | Services

I am a Postdoctoral Research Scientist at Columbia University, working with Prof. Junfeng Yang. I did my Ph.D. with Prof. Wei Meng at the Chinese University of Hong Kong.

I am broadly interested in systems and software security. I leverage language-based methods to secure software systems through automated vulnerability detection and defense. My research has found over 200 new vulnerabilities, and has been recognized with a Distinguished Paper Award (CCS 2024) and a Best Paper Honorable Mention (CCS 2022).

Publications

2025

• Predator: Directed Web Application Fuzzing for Efficient Vulnerability Validation
  Chenlin Wang, Wei Meng, Changhua Luo, Penghui Li
  In Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P), May 2025 (to appear)
  

• VulShield: Protecting Vulnerable Code Before Deploying Patches [PDF] [CODE]
  Yuan Li, Chao Zhang, Jinhao Zhu, Penghui Li, Chenyang Li, Songtao Yang, Wende Tan
  In Proceedings of the 31st Annual Network and Distributed System Security Symposium (NDSS), February 2025
  

2024

• FuzzCache: Optimizing Web Application Fuzzing Through Software-Based Data Cache [PDF] [CODE]
  Penghui Li, Mingxue Zhang
  In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024
  ★ Distinguished Paper Award

• Test Suites Guided Vulnerability Validation for Node.js Applications [PDF] [CODE]
  Changhua Luo, Penghui Li, Wei Meng, Chao Zhang
  In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024
  

• SDFuzz: Target States Driven Directed Fuzzing [PDF]
  Penghui Li, Wei Meng, Chao Zhang
  In Proceedings of the 33rd USENIX Security Symposium (Security), August 2024
  

• Testing Graph Database Systems via Graph-Aware Metamorphic Relations [PDF] [CODE]
  Zeyang Zhuang, Penghui Li, Pingchuan Ma, Wei Meng, Shuai Wang
  In Proceedings of the 50th International Conference on Very Large Data Bases (VLDB), August 2024
  

• Holistic Concolic Execution for Dynamic Web Applications via Symbolic Interpreter Analysis [PDF] [CODE]
  Penghui Li, Wei Meng, Mingxue Zhang, Chenlin Wang, Changhua Luo
  In Proceedings of the 45th IEEE Symposium on Security and Privacy (S&P), May 2024
  

2023

• DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing [PDF] [CODE]
  Ming Yuan, Bodong Zhao, Penghui Li, Jiashuo Liang, Xinhui Han, Xiapu Luo, Chao Zhang
  In Proceedings of the 32nd USENIX Security Symposium (Security), August 2023
  

• SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration [PDF] [CODE]
  Changhua Luo, Wei Meng, Penghui Li
  In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), May 2023
  

2022

• SEDiff: Scope-Aware Differential Fuzzing to Test Internal Function Models in Symbolic Execution [PDF] [CODE]
  Penghui Li, Wei Meng, Kangjie Lu
  In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (FSE), Research Track, November 2022
  

• TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications [PDF] [CODE]
  Changhua Luo, Penghui Li, Wei Meng
  In Proceedings of the 29th ACM Conference on Computer and Communications Security (CCS), November 2022
  ★ Best Paper Honorable Mention

2021

• Understanding and Detecting Performance Bugs in Markdown Compilers [PDF] [CODE]
  Penghui Li, Yinxi Liu, Wei Meng
  In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), Research Track, November 2021
  ★ Best Software Artifact Nomination

• LChecker: Detecting Loose Comparison Bugs in PHP [PDF] [CODE]
  Penghui Li, Wei Meng
  In Proceedings of the Web Conference 2021 (WWW), Security Track, April 2021
  

• On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution [PDF] [CODE]
  Penghui Li, Wei Meng, Kangjie Lu, Changhua Luo
  In Proceedings of the Web Conference 2021 (WWW), Security Track, April 2021
  

Awards

• ACM CCS Distinguished Paper Award, 2024

• USENIX Security Distinguished Artifact Reviewer, 2024

• ACM CCS Best Paper Honorable Mention, 2022

• HKSAR Reaching Out Award, 2022

• IEEE/ACM ASE Best Software Artifact Normination, 2021

• The Web Conference Student Scholarship, 2021

• CUHK Postgraduate Student Scholarship, 2019 - 2023

Services

Program Committee

• The ACM Conference on Computer and Communications Security (CCS), 2025

• Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb), 2024, 2025

• European Conference on Computer Systems (EuroSys), Shadow PC, 2024

• USENIX Security (Security), Artifact Evaluation Committee, 2024

• ACM Conference on Computer and Communications Security (CCS), Artifact Evaluation Committee, 2023

Journal Reviewer

• ACM Transactions on Software Engineering and Methodology (TOSEM)

• IEEE Transactions on Dependable and Secure Computing (TDSC)