Penghui Li Postdoctoral Research Scientist Columbia University Email | Publications Google Scholar | Services

Research Interests

Software security, web security, and language-based security

Publications

Note: * denotes the work where I served as the corresponding author

2025

• Predator: Efficient Dynamic Validation for Web Application Vulnerabilities
  Chenlin Wang, Wei Meng, Changhua Luo, Penghui Li
  In Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P), May 2025
  

2024

• FuzzCache: Optimizing Web Application Fuzzing Through Software-Based Data Cache [PDF] [CODE]
  Penghui Li, Mingxue Zhang
  In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024
  

• Test Suites Guided Vulnerability Validation for Node.js Applications [PDF] [CODE]
  Changhua Luo, Penghui Li*, Wei Meng, Chao Zhang
  In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024
  

• SDFuzz: Target States Driven Directed Fuzzing [PDF]
  Penghui Li, Wei Meng, Chao Zhang
  In Proceedings of the 33rd USENIX Security Symposium (Security), August 2024
  

• Testing Graph Database Systems via Graph-Aware Metamorphic Relations [PDF] [CODE]
  Zeyang Zhuang, Penghui Li, Pingchuan Ma, Wei Meng, Shuai Wang
  In Proceedings of the 50th International Conference on Very Large Data Bases (VLDB), August 2024
  

• Holistic Concolic Execution for Dynamic Web Applications via Symbolic Interpreter Analysis [PDF] [CODE]
  Penghui Li, Wei Meng, Mingxue Zhang, Chenlin Wang, Changhua Luo
  In Proceedings of the 45th IEEE Symposium on Security and Privacy (S&P), May 2024
  

2023

• DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing [PDF] [CODE]
  Ming Yuan, Bodong Zhao, Penghui Li, Jiashuo Liang, Xinhui Han, Xiapu Luo, Chao Zhang
  In Proceedings of the 32nd USENIX Security Symposium (Security), August 2023
  

• SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration [PDF] [CODE]
  Changhua Luo, Wei Meng, Penghui Li
  In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), May 2023
  

2022

• SEDiff: Scope-Aware Differential Fuzzing to Test Internal Function Models in Symbolic Execution [PDF] [CODE]
  Penghui Li, Wei Meng, Kangjie Lu
  In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (FSE), Research Track, November 2022
  

• TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications [PDF] [CODE]
  Changhua Luo, Penghui Li, Wei Meng
  In Proceedings of the 29th ACM Conference on Computer and Communications Security (CCS), November 2022
  ★ Best Paper Honorable Mention

2021

• Understanding and Detecting Performance Bugs in Markdown Compilers [PDF] [CODE]
  Penghui Li, Yinxi Liu, Wei Meng
  In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), Research Track, November 2021
  ★ Best Software Artifact Nomination

• LChecker: Detecting Loose Comparison Bugs in PHP [PDF] [CODE]
  Penghui Li, Wei Meng
  In Proceedings of the Web Conference 2021 (WWW), Security Track, April 2021
  

• On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution [PDF] [CODE]
  Penghui Li, Wei Meng, Kangjie Lu, Changhua Luo
  In Proceedings of the Web Conference 2021 (WWW), Security Track, April 2021
  

Services

Program Committee

• European Conference on Computer Systems (EuroSys), Shadow PC, 2024

• Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb), 2024

• USENIX Security (Security), Artifact Evaluation Committee, 2024

• ACM Conference on Computer and Communications Security (CCS), Artifact Evaluation Committee, 2023

Journal Reviewer

• ACM Transactions on Software Engineering and Methodology (TOSEM)

• IEEE Transactions on Dependable and Secure Computing (TDSC)

External Reviewer

• ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), 2024

• IEEE Symposium on Security and Privacy (S&P), 2023, 2024

• The Annual Computer Security Applications Conference (ACSAC), 2023

• The ACM Conference on Computer and Communications Security (CCS), 2021, 2022

• The Web Conference (WWW), 2020, 2022

• The ACM ASIA Conference on Computer and Communications Security (ASIACCS), 2021, 2022