Penghui Li

Postdoctoral Research Scientist

Columbia University

Email: pl2689 [at] columbia [dot] edu

I am a Postdoctoral Research Scientist at Columbia University, working with Prof. Junfeng Yang at Columbia and Prof. Yinzhi Cao at Johns Hopkins University. I received my Ph.D. from the Chinese University of Hong Kong, where I was advised by Prof. Wei Meng.

My research focuses on software system security and its intersection with AI. Most recently, I build infrastructure to ground LLM-based software security agents with stronger guarantees. My work addresses security challenges across web, cloud, and system-level software.

I am looking for a few students to work on broad security and privacy topics. If you are interested, please fill out this form.

Awards and Honors

ACM CCS Top Reviewer Award, 2025

ACM CCS Distinguished Artifact Award, 2025

ACM CCS Distinguished Paper Award, 2024

USENIX Security AE Distinguished Reviewer Award, 2024

ACM CCS Best Paper Honorable Mention, 2022

Publications

Preprint

Neuro-symbolic Static Analysis with LLM-generated Vulnerability Patterns [arXiv]
Penghui Li, Songchen Yao, Josef Sarfati Korich, Changhua Luo, Jianjia Yu, Yinzhi Cao, and Junfeng Yang

2026

Explainer-Guided Targeted Adversarial Attacks against Binary Code Similarity Detection Models [PDF]
Tiancheng Zhu, Mingjie Chen, Mingxue Zhang, Yiling He, Minghao Lin, Penghui Li, and Kui Ren
In Proceedings of the 34th ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE), July 2026

Detecting Privilege Escalation in Polyglot Microservices via Agentic Program Analysis [PDF]
Penghui Li, Hong Yau Chong, Yinzhi Cao, and Junfeng Yang
In Proceedings of the 47th IEEE Symposium on Security and Privacy (S&P), May 2026

Fuzzing JavaScript Engines by Fusing JavaScript and WebAssembly [PDF]
Jiayi Lin, Changhua Luo, Mingxue Zhang, Lanteng Lin, Penghui Li, and Chenxiong Qian
In Proceedings of the 48th International Conference on Software Engineering (ICSE), April 2026

2025

PickleBall: Secure Deserialization of Pickle-Based Machine Learning Models [PDF]
Andreas D. Kellas, Neophytos Christou, Wenxin Jiang, Penghui Li, Laurent Simon, Yaniv David, Vasileios P. Kemerlis, James C. Davis, and Junfeng Yang
In Proceedings of the 32nd ACM Conference on Computer and Communications Security (CCS), October 2025
★ Distinguished Artifact Award

Predator: Directed Web Application Fuzzing for Efficient Vulnerability Validation [PDF]
Chenlin Wang, Wei Meng, Changhua Luo, and Penghui Li
In Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P), May 2025

VulShield: Protecting Vulnerable Code Before Deploying Patches [PDF]
Yuan Li, Chao Zhang, Jinhao Zhu, Penghui Li, Chenyang Li, Songtao Yang, and Wende Tan
In Proceedings of the 31st Annual Network and Distributed System Security Symposium (NDSS), February 2025

2024

Test Suites Guided Vulnerability Validation for Node.js Applications [PDF]
Changhua Luo, Penghui Li, Wei Meng, and Chao Zhang
In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024

FuzzCache: Optimizing Web Application Fuzzing Through Software-Based Data Cache [PDF]
Penghui Li and Mingxue Zhang
In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024
★ Distinguished Paper Award

SDFuzz: Target States Driven Directed Fuzzing [PDF]
Penghui Li, Wei Meng, and Chao Zhang
In Proceedings of the 33rd USENIX Security Symposium (Security), August 2024

Testing Graph Database Systems via Graph-Aware Metamorphic Relations [PDF]
Zeyang Zhuang, Penghui Li, Pingchuan Ma, Wei Meng, and Shuai Wang
In Proceedings of the 50th International Conference on Very Large Data Bases (VLDB), August 2024

Holistic Concolic Execution for Dynamic Web Applications via Symbolic Interpreter Analysis [PDF]
Penghui Li, Wei Meng, Mingxue Zhang, Chenlin Wang, and Changhua Luo
In Proceedings of the 45th IEEE Symposium on Security and Privacy (S&P), May 2024

2023

DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing [PDF]
Ming Yuan, Bodong Zhao, Penghui Li, Jiashuo Liang, Xinhui Han, Xiapu Luo, and Chao Zhang
In Proceedings of the 32nd USENIX Security Symposium (Security), August 2023

SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration [PDF]
Changhua Luo, Wei Meng, and Penghui Li
In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), May 2023

2022

TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications [PDF]
Changhua Luo, Penghui Li, and Wei Meng
In Proceedings of the 29th ACM Conference on Computer and Communications Security (CCS), November 2022
★ Best Paper Honorable Mention

SEDiff: Scope-Aware Differential Fuzzing to Test Internal Function Models in Symbolic Execution [PDF]
Penghui Li, Wei Meng, and Kangjie Lu
In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), November 2022

2021

Understanding and Detecting Performance Bugs in Markdown Compilers [PDF]
Penghui Li, Yinxi Liu, and Wei Meng
In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), November 2021

LChecker: Detecting Loose Comparison Bugs in PHP [PDF]
Penghui Li and Wei Meng
In Proceedings of the Web Conference (WWW), April 2021

On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution [PDF]
Penghui Li, Wei Meng, Kangjie Lu, and Changhua Luo
In Proceedings of the Web Conference (WWW), April 2021

Services

Program Committee

ACM CCS (2025, 2026)

USENIX Security (2026)

LLM4Code (2026)

MADWeb (2024, 2025)

EuroSys Shadow PC (2024)

USENIX Security, Artifact Evaluation Committee (2024)

ACM CCS, Artifact Evaluation Committee (2023)

Journal Reviewer

IEEE TDSC (2024, 2025)

IEEE TIFS (2025)

ACM TOSEM (2024, 2025)

IEEE TSE (2025)