Song Li's Homepage

Song Li

ZJU-100 Young Professor
College of Computer Science and Technology
School of Cyber Science and Technology
Zhejiang University

Bio

My research primarily focuses on security areas such as web security, system security, and program analysis. My prior work focused on web tracking, but now is directed toward static/dynamic analysis and privacy -- trying to solve real-world challenging problems such as increasing the accuracy and efficiency of vulnerability detection, mobile APP analysis and privacy protection.

Education

Ph.D. in Computer Science, Aug. 2018 - Feb. 2022
Advisor: Dr. Yinzhi Cao
Johns Hopkins University
M.S. in Computer Science and Engineering, Aug. 2015 - May. 2017
Lehigh University
B.S. in Software Engineering, Aug. 2011 - May. 2015
Beijing Institute of Technology

Publications

  • [USENIX Security '22]Mining Node.js Vulnerabilities via Object Dependence Graph and Query
    Song Li, Mingqing Kang, Jianwei Hou, Yinzhi Cao
    to appear in the Proceedings of the 31th USENIX Security Symposium, 2022
    [paper] [source code]
    The artifact is evaluated and the results are reproduced by the USENIX AE committee.
    Badges: Artifacts Available, Artifacts Functional, Results Reproduced
    The research results in 70 CVEs, e.g., CVE-2019-10777 in aws-lambda and CVE-2020-7625 in op-browser.
  • [NDSS '22]Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites
    Zifeng Kang, Song Li, Yinzhi Cao
    to appear in the Proceedings of Network & Distributed System Security Symposium (NDSS), 2022
    [paper] [source code]
    The research results in 2,738 real-world websites, including ten among the top 1,000 Tranco websites, which are vulnerable to 2,917 zero-day, exploitable prototype pollution vulnerabilities. 48 vulnerabilities further lead to XSS, 736 to cookie manipulations, and 830 to URL manipulations. A detailed list of vulnerable websites(excluding some websites that cannot be reached or are still in the process of vulnerability patching) is here.
  • [AsiaCCS '22] GraphTrack: A Graph-based Cross-Device Tracking Framework
    Binghui Wang, Tianchen Zhou, Song Li, Yinzhi Cao, and Neil Gong
    to appear in the ACM Asia Conference on Computer and Communications Security, 2022.
  • [ESEC/FSE '21]Detecting Node.js Prototype Pollution Vulnerabilities via Object Lookup Analysis
    Song Li, Mingqing Kang, Jianwei Hou, Yinzhi Cao
    in the Proceeding of the ACM Joint European Software Engineering Conference and Symposium on-the Foundations of Software Engineering (ESEC/FSE), 2021
    [paper] [DOI] [source code]
    The research results in 11 CVEs, e.g., CVE-2019-10795 in undefsafe (>5M weekly downloads) and CVE-2020-7643 in paypal-adaptive.
  • [IMC '20]Who Touched My Fingerprint? A Large-scale Measurement Study and Classification of Fingerprint Dynamics
    Song Li, Yinzhi Cao
    in the Proceeding of the Internet Measurement Conference (IMC), 2020
    [paper] [DOI/video]
  • [USENIX Security '19]Rendered Private: Making GLSL Execution Uniform to Prevent WebGL-based Browser Fingerprinting
    Shujiang Wu, Song Li and Yinzhi Cao, Ningfei Wang
    in the Proceeding of the 28th USENIX Security Symposium, 2019
    [paper]
  • [CCS '17]Deterministic Browser
    Yinzhi Cao, Zhanhao Chen, Song Li, Shujiang Wu
    in the Proceeding of ACM Conference on Computer and Communications Security (CCS), 2017
    [paper]
  • [NDSS '17](Cross-)Browser Fingerprinting via OS and Hardware Level Features
    Yinzhi Cao, Song Li* and Erik Wijmans
    (* First student author)
    in the Proceeding of the Annual Network & Distributed System Security Symposium (NDSS), 2017
    [paper] [video] [source code]
    The research is featured by many media outlets, such as
    BeepingComputer, ZDNet, Top Tech News, EurekAlert, Ars Technica, Fossbytes, Sci-Tech Today, The Hackers News,
    The Register, I Programmer, Digital Journal and IEEE Spectrum

Professional Activities

Program Committee

  • USENIX Security: USENIX Security '22 AE

    • External Reviewer for

  • WWW: International World Wide Web Conference, Security and Privacy Track, 2018
  • TheWebConf (formerly known as WWW): The ACM Web Conference 2022, Security, Privacy, and Trust Track, 2022

    • TA and RA

  • Teaching Assistant: Web Security, Johns Hopkins University, Fall/2019
  • Research Assistant: Web Security, Lehigh University, advisor: Yinzhi Cao, 10/2015-04/2017

    • Research Mentoring

    Master Students

  • Yichao Xu: Johns Hopkins University, 07/2021-Present
  • Siqi Cao: Johns Hopkins University, 12/2020-03/2021
  • Huangyin Chen: Johns Hopkins University, 12/2020-03/2021
  • Qingshan Zhang: Johns Hopkins University, 12/2020-03/2021
  • Mingqing Kang: Johns Hopkins University, now a PhD student at the Johns Hopkins University, 03/2019-08/2020
  • Queenie Gao: Johns Hopkins University, 12/2019-03/2020
  • Minjie Fu: Johns Hopkins University, First Job: Facebook, 12/2019-03/2020
  • Jingyi Li: Johns Hopkins University, 12/2019-03/2020
  • Guanlong Wu: Johns Hopkins University, now a PhD student at the University of Virginia, 04/2018-03/2019
  • Ningfei Wang: Lehigh University, now a PhD student at the University of California, Irvine, 10/2017-05/2018

    • BS Students

  • Rohan Jasani: Indian Institutes of Technology, 06/2020-09/2020
  • Tianchen Zhang: Beihang University, 06/2020-09/2020
  • Gongqi Huang: Johns Hopkins University, 08/2019-02/2020
  • Xueqi Ren: Lehigh University, then a Master student at the Columbia University, 10/2017-05/2018
  • Olivia Orrell-Jones: Brown University, 05/2017-08/2017
  • Erik Wijmans: Washington University in St. Louis, now a PhD student at the Georgia Institute of Technology, 05/2016-08/2016

    • High School Students:

  • Kylie Gong: 07/2021-09/2021
  • Kevin Yao: 07/2021-09/2021