-
[IEEE S&P '25] Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites
Zifeng Kang, Muxi Lyu, Zhengyu Liu, Jianjia Yu, Runqi Fan, Song Li, Yinzhi Cao
to appear in the Proceedings of the IEEE Symposium on Security and Privacy (Oakland), 2025.
-
[TIFS] Sensitive Behavioral Chain-focused Android Malware Detection Fused with AST Semantics
Jiacheng Gong, Weina Niu, Song Li, Mingxue Zhang, Xiaosong Zhang
IEEE Transactions on Information Forensics and Security
-
[TIFS] GraphTunnel: Robust DNS Tunnel Detection Based on DNS Recursive Resolution Graph
Guangyuan Gao, Weina Niu, Jiacheng Gong, Dujuan Gu, Song Li, Mingxue Zhang, Xiaosong Zhang
IEEE Transactions on Information Forensics and Security
-
[SoCC' 24] SQLStateGuard: Statement-Level SQL Injection Defense Based on Learning-Driven Middleware
Xin Liu, Yuanyuan Huang, Tianyi Wang, Song Li, Weina Niu, Jun Shen, Qingguo Zhou, Xiaokang Zhou
to appear in the Proceedings of the The 15th ACM Symposium on Cloud Computing (SoCC), 2024
-
[MM '24] What's the Real: A Novel Design Philosophy for Robust AI-Synthesized Voice Detection
Xuan Hai, Xin Liu, Yuan Tan, Gang Liu, Song Li, Weina Niu, Rui Zhou, Xiaokang Zhou
in the Proceedings of the ACM Multimedia 2024
-
[ISSRE '24] LiScopeLens: An Open-Source License Incompatibility Analysis Tool Based on Scope Representation of License Terms
Ziang Liu, Xin Liu, Yingli Zhang, Zihao Zhang, Song Li,Weina Niu, Qingguo Zhou, Rui Zhou and Xiaokang Zhou
Best Paper Runner-up Award
in the Proceedings of the The lEEE International Symposium on Software Reliability Engineering 2024
-
[ICME '24] Ghost-in-Wave: How Speaker-Irrelative Features Interfere DeepFake Voice Detectors
Xuan Hai, Xin Liu, Zhaorun Chen, Yuan Tan, Song Li, Weina Niu, Gang Liu, Rui Zhou, QINGGUO ZHOU
in the Proceedings of the IEEE Conference on Multimedia Expo 2024
-
[CCS '23] CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation
Jianjia Yu, Song Li, Junmin Zhu, and Yinzhi Cao,
Distinguished Paper Award
in the Proceedings of The ACM Conference on Computer and Communications Security (CCS), 2023
-
[IEEE S&P '23] Scaling JavaScript Abstract Interpretation to Detect and Exploit Node.js Taint-style Vulnerability
Mingqing Kang, Yichao Xu, Song Li, Rigel Gjomemo, Jianwei Hou, V.N. Venkatakrishnan, and Yinzhi Cao
in the Proceedings of the IEEE Symposium on Security and Privacy (Oakland), 2023.
-
[USENIX Security '22]Mining Node.js Vulnerabilities via Object Dependence Graph and Query
Song Li, Mingqing Kang, Jianwei Hou, Yinzhi Cao
in the Proceedings of the 31th USENIX Security Symposium, 2022
[paper]
[source code]
The artifact is evaluated and the results are reproduced by the USENIX AE committee.
Badges:
Artifacts Available, Artifacts Functional, Results Reproduced
The research results in 70 CVEs, e.g.,
CVE-2019-10777 in aws-lambda and
CVE-2020-7625 in op-browser.
-
[NDSS '22]Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites
Zifeng Kang, Song Li, Yinzhi Cao
in the Proceedings of Network & Distributed System Security Symposium (NDSS), 2022
[paper]
[source code]
The research results in 2,738 real-world websites, including ten among the top 1,000 Tranco websites, which are vulnerable to 2,917 zero-day, exploitable prototype pollution vulnerabilities. 48 vulnerabilities further lead to XSS, 736 to cookie manipulations, and 830 to URL manipulations. A detailed list of vulnerable websites(excluding some websites that cannot be reached or are still in the process of vulnerability patching) is
here.
-
[AsiaCCS '22] GraphTrack: A Graph-based Cross-Device Tracking Framework
Binghui Wang, Tianchen Zhou, Song Li, Yinzhi Cao, and Neil Gong
in the Proceedings of ACM Asia Conference on Computer and Communications Security, 2022.
-
[ESEC/FSE '21]Detecting Node.js Prototype Pollution Vulnerabilities via Object Lookup Analysis
Song Li, Mingqing Kang, Jianwei Hou, Yinzhi Cao
in the Proceeding of the ACM Joint European Software Engineering Conference and Symposium on-the Foundations of Software Engineering (ESEC/FSE), 2021
-
[IMC '20]Who Touched My Fingerprint? A Large-scale Measurement Study and Classification of Fingerprint Dynamics
Song Li, Yinzhi Cao
in the Proceeding of the Internet Measurement Conference (IMC), 2020
-
[USENIX Security '19]Rendered Private: Making GLSL Execution Uniform to Prevent WebGL-based Browser Fingerprinting
Shujiang Wu, Song Li and Yinzhi Cao, Ningfei Wang
in the Proceeding of the 28th USENIX Security Symposium, 2019
-
[CCS '17]Deterministic Browser
Yinzhi Cao, Zhanhao Chen, Song Li, Shujiang Wu
in the Proceeding of ACM Conference on Computer and Communications Security (CCS), 2017
-
[NDSS '17](Cross-)Browser Fingerprinting via OS and Hardware Level Features
Yinzhi Cao, Song Li* and Erik Wijmans
(* First student author)
in the Proceeding of the Annual Network & Distributed System Security Symposium (NDSS), 2017
The research is featured by many media outlets, such as
BeepingComputer,
ZDNet,
Top Tech News,
EurekAlert,
Ars Technica,
Fossbytes,
Sci-Tech Today,
The Hackers News,
The Register,
I Programmer,
Digital Journal and
IEEE Spectrum