Haoyu Xiao

I am a fifth-year Ph.D. student in the System and Software Security Laboratory of the School of Computer Science at Fudan University, supervised by Prof. Yuan Zhang. My research focuses on software security, program analysis, and fuzzing.

During my doctoral studies, my research has mainly focused on the security of embedded systems, especially the firmware of IoT devices. I have designed several novel techniques that have detected thousands of 0-day vulnerabilities. The academic results have been published in top-tier security conferences, including IEEE S&P and ACM CCS.

I am particularly interested in building effective and intelligent binary analysis techniques to enhance the security of software systems.

Email: hyxiao20 [AT] fudan.edu.cn
Github: https://github.com/Haoyu-Xiao


News

  • [July, 2025] One paper accepted by NDSS'26. Congrats, Runhao!
  • [April, 2025] One paper accepted by IEEE S&P'25. I'm going to present it at the conference. If you are attending the conference, I would be delighted to connect with you there!

Background

  • 2020~Now, Fudan University, School of Computer Science, Ph.D. candidate
  • 2016~2020, Harbin Institute of Technology (HIT), School of Computer Science, B.Eng

Publications

  1. Detecting Taint-Style Vulnerabilities in C-Lua Hybrid Web Services of Linux-based Firmware
    Runhao Liu, Jiarun Dai, Haoyu Xiao, Yuan Zhang, Yeqi Mou, Lukai Xu, Bo Yu, Baosheng Wang, Min Yang.
    To appear in The Network and Distributed System Security (NDSS) Symposium 2026, San Diego, CA, USA, Feb 23-27, 2026.

  2. HouseFuzz: Service-Aware Grey-Box Fuzzing for Vulnerability Detection in Linux-Based Firmware.
    Haoyu Xiao, Ziqi Wei, Jiarun Dai, Bowen Li, Yuan Zhang, Min Yang.
    In Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, USA, May 12-15, 2025. [Paper] [Code]
    Abstract:

    To date, grey-box fuzzing has become an essential technique for detecting vulnerabilities hidden in Linux-based firmware. However, existing fuzzing approaches commonly encounter three overlooked obstacles stemming from firmware service characteristics, which largely hinder the effectiveness and efficiency of vulnerability identification. Firstly, the multi-process nature of firmware services is oversimplified during both the emulation and the fuzzing procedures, limiting the scope of firmware testing. Furthermore, firmware services usually incorporate customized service protocols, which feature rich and stringent semantic constraints, causing unique challenges for input generation. To address these obstacles, this paper proposes a service-aware grey-box fuzzing tool, HouseFuzz. During firmware emulation, HouseFuzz carefully traverses the system initialization procedure to identify the network-facing and daemon processes overlooked by existing approaches. After that, during the fuzzing procedure, HouseFuzz features a multi-process fuzzing framework, enabling the comprehensive inspection of firmware services activated via multiple processes. Furthermore, HouseFuzz leverages both offline and online firmware service analysis to capture the token-level semantic constraints of customized service protocols, based on which HouseFuzz can effectively generate high-quality test cases. In evaluation, compared to SoTA grey-box firmware fuzzing approaches, HouseFuzz identified 76% more network services, achieved 33.4% more code coverage, and detected 175% more 0-day vulnerabilities on the same firmware dataset.

  3. Accurate and Efficient Recurring Vulnerability Detection for IoT Firmware.
    Haoyu Xiao, Yuan Zhang, Minghang Shen, Chaoyang Lin, Can Zhang, Shengli Liu, Min Yang.
    In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), Salt Lake City, USA, October 14-18, 2024. [Full Version] [Paper] [Code]
    Abstract:

    IoT firmware faces severe threats from security vulnerabilities. Although it is an important method for detecting vulnerabilities, recurring vulnerability detection has not been systematically studied in IoT firmware. In fact, existing methods face significant challenges from two aspects. First, firmware vulnerabilities are usually reported in text without much code-level information such as security patches. Second, firmware images are released as binaries, making the analysis of known vulnerabilities and the detection of unknown vulnerabilities quite difficult.

    This paper presents FirmRec, the first recurring vulnerability detection approach for IoT firmware. FirmRec features several new techniques to enable accurate and efficient vulnerability detection. First, it proposes a new exploitation-based vulnerability signature representation for firmware, which does not use syntactic code features but the semantic features along the dynamic vulnerability exploitation procedure (and is thus more resilient to binary code changes and fits the context of binary-only firmware). Second, given a vulnerability report, it designs concolic execution-based vulnerability signature extraction to understand the vulnerability exploitation procedure and generate an exploitation-based vulnerability signature. Third, based on known vulnerability signatures, it employs a two-stage pipeline to accurately and efficiently detect recurring vulnerabilities.

  4. Exploit The Last Straw that Breaks Android System.
    Lei Zhang, Keke Lian, Haoyu Xiao, Zhibo Zhang, Peng Liu, Yuan Zhang, Min Yang, Haixin Duan.
    In Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2022. [Paper] [Code]
    Abstract:

    Android system services usually play a critical role in running multiple important tasks and delivering seamless user experiences, e.g., conveniently storing user data. In this paper, we conduct the first systematic security study of the data storing process in Android system services, and consequently discover a novel class of design flaws (named Straw), which can lead to serious DoS (Denial-of-Service) attacks, e.g., permanently crashing the whole victim Android device.

    We then propose a novel directed fuzzing-based approach, called StrawFuzzer, to automatically vet all system services against straw vulnerabilities. StrawFuzzer balances the trade-off between path exploration and vulnerability exploitation. By applying StrawFuzzer to three Android systems with the latest security updates, we identified 35 unique straw vulnerabilities affecting 474 interfaces across 77 system services and successfully generated corresponding exploits, which can be used to conduct various permanent/temporary DoS attacks. We have reported our findings, with suggestions for repairing the vulnerabilities, to the corresponding vendors. Up to now, Google has rated our vulnerability as high severity.


Projects & Experiences

  • Capture the Flag (CTF) Competition Experiences.
    Details:

    From 2017 to 2019 I was the chairman of the HIT Lilac CTF team. We actively participated in CTF competitions and won numerous awards, including the 1st Prize in 2019 X-NUCA CTF, the 3rd Prize in the "National College Network Operation and Maintenance Competition 2019", the 2nd Prize in the "National College Students Information Security Innovation Competition", and the 5th Prize in "Defcon China CTF 2018".

  • Binary Patch Existence Detection Project.
    Details:

    This project is a collaboration between Alibaba Security and Fudan University. It focuses on detecting whether a given upstream vulnerability patch has been successfully applied to downstream software binaries, which is essential for supply chain security. In this project, I worked as the project lead, and we built our system on PDiff, a state-of-the-art approach for kernel patch existence detection. We proposed a set of new symbolic execution-based methods to improve the effectiveness and scalability of PDiff. As a result, the project achieves a high accuracy of 94% and covers 85% of tasks on a large dataset consisting of 492 real-world programs and 151 real-world vulnerability patches.

  • Educational Decompiler for Fudan PoRE Course.
    Details:

    I built a decompiler for educational purposes as part of my TA duties for the Principle of Reverse Engineering (PoRE) course at Fudan University (2024, 2025). If you are interested, please feel free to contact me; I would be happy to share more information about this project.

  • Security Engineering Internship in Huawei Consumer BG in 2018
    Details:

    Primarily focused on vulnerability analysis for mobile systems at that time.

  • Security Engineering Internship in Tencent IEG in 2019
    Details:

    Primarily focused on game security at that time. Enjoyed writing cheat engines and analyzing anti-cheat mechanisms.