Penghui Li Postdoctoral Research Scientist Columbia University Email: pl2689 [at] columbia [dot] edu Google Scholar | GitHub

I am a Postdoctoral Research Scientist at Columbia University, working with Prof. Junfeng Yang at Columbia and Prof. Yinzhi Cao at Johns Hopkins University.

My research focuses on software system security and frequently intersects with software engineering, programming languages, and machine learning. Most recently, I have been building agentic systems to autonomously secure software at scale. I leverage rigorous program analysis and autonomous LLM agents to tackle critical security tasks, including vulnerability detection, exploit generation, and runtime defense.

I received my Ph.D. from the Chinese University of Hong Kong, where I was advised by Prof. Wei Meng. Prior to that, I received my B.Eng. from University of Chinese Academy of Sciences. In my research career, I had the privilege of working with Prof. Chao Zhang from Tsinghua University, Prof. Kangjie Lu from University of Minnesota, and Prof. Kai Chen from Chinese Academy of Sciences.

Awards and Honors

• ACM CCS Top Reviewer Award, 2025

• ACM CCS Distinguished Artifact Award, 2025

• ACM CCS Distinguished Paper Award, 2024

• USENIX Security Distinguished Artifact Reviewer Award, 2024

• ACM CCS Best Paper Honorable Mention, 2022

• HKSAR Reaching Out Award, 2022

• The Web Conference Student Scholarship, 2021

Publications

Preprint

• Automated Static Vulnerability Detection via a Holistic Neuro-Symbolic Approach [arXiv]
  Penghui Li, Songchen Yao, Josef Sarfati Korich, Changhua Luo, Jianjia Yu, Yinzhi Cao, Junfeng Yang
  

2026

• Fuzzing JavaScript Engines by Fusing JavaScript and WebAssembly [PDF]
  Jiayi Lin, Changhua Luo, Mingxue Zhang, Lanteng Lin, Penghui Li, Chenxiong Qian
  In Proceedings of the 48th International Conference on Software Engineering (ICSE), April 2026
  

2025

• PickleBall: Secure Deserialization of Pickle-Based Machine Learning Models [PDF]
  Andreas D. Kellas, Neophytos Christou, Wenxin Jiang, Penghui Li, Laurent Simon, Yaniv David, Vasileios P. Kemerlis, James C. Davis, Junfeng Yang
  In Proceedings of the 32nd ACM Conference on Computer and Communications Security (CCS), October 2025
  ★ Distinguished Artifact Award

• Predator: Directed Web Application Fuzzing for Efficient Vulnerability Validation [PDF]
  Chenlin Wang, Wei Meng, Changhua Luo, Penghui Li
  In Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P), May 2025
  

• VulShield: Protecting Vulnerable Code Before Deploying Patches [PDF]
  Yuan Li, Chao Zhang, Jinhao Zhu, Penghui Li, Chenyang Li, Songtao Yang, Wende Tan
  In Proceedings of the 31st Annual Network and Distributed System Security Symposium (NDSS), February 2025
  

2024

• Test Suites Guided Vulnerability Validation for Node.js Applications [PDF]
  Changhua Luo, Penghui Li, Wei Meng, Chao Zhang
  In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024
  

• FuzzCache: Optimizing Web Application Fuzzing Through Software-Based Data Cache [PDF]
  Penghui Li, Mingxue Zhang
  In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024
  ★ Distinguished Paper Award

• SDFuzz: Target States Driven Directed Fuzzing [PDF]
  Penghui Li, Wei Meng, Chao Zhang
  In Proceedings of the 33rd USENIX Security Symposium (Security), August 2024
  

• Testing Graph Database Systems via Graph-Aware Metamorphic Relations [PDF]
  Zeyang Zhuang, Penghui Li, Pingchuan Ma, Wei Meng, Shuai Wang
  In Proceedings of the 50th International Conference on Very Large Data Bases (VLDB), August 2024
  

• Holistic Concolic Execution for Dynamic Web Applications via Symbolic Interpreter Analysis [PDF]
  Penghui Li, Wei Meng, Mingxue Zhang, Chenlin Wang, Changhua Luo
  In Proceedings of the 45th IEEE Symposium on Security and Privacy (S&P), May 2024
  

2023

• DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing [PDF]
  Ming Yuan, Bodong Zhao, Penghui Li, Jiashuo Liang, Xinhui Han, Xiapu Luo, Chao Zhang
  In Proceedings of the 32nd USENIX Security Symposium (Security), August 2023
  

• SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration [PDF]
  Changhua Luo, Wei Meng, Penghui Li
  In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), May 2023
  

2022

• TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications [PDF]
  Changhua Luo, Penghui Li, Wei Meng
  In Proceedings of the 29th ACM Conference on Computer and Communications Security (CCS), November 2022
  ★ Best Paper Honorable Mention

• SEDiff: Scope-Aware Differential Fuzzing to Test Internal Function Models in Symbolic Execution [PDF]
  Penghui Li, Wei Meng, Kangjie Lu
  In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), November 2022
  

2021

• Understanding and Detecting Performance Bugs in Markdown Compilers [PDF]
  Penghui Li, Yinxi Liu, Wei Meng
  In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), November 2021
  

• LChecker: Detecting Loose Comparison Bugs in PHP [PDF]
  Penghui Li, Wei Meng
  In Proceedings of the Web Conference (WWW), April 2021
  

• On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution [PDF]
  Penghui Li, Wei Meng, Kangjie Lu, Changhua Luo
  In Proceedings of the Web Conference (WWW), April 2021
  

Services

Program Committee

• ACM CCS (2025, 2026)

• USENIX Security (2026)

• LLM4Code (2026)

• MADWeb (2024, 2025)

• EuroSys Shadow PC (2024)

• USENIX Security, Artifact Evaluation Committee (2024)

• ACM CCS, Artifact Evaluation Committee (2023)

Journal Reviewer

• IEEE TDSC (2024, 2025)

• IEEE TIFS (2025)

• ACM TOSEM (2024, 2025)

• IEEE TSE (2025)