Curriculum Vitae


Contact Information


Education


Work experience


Research Interests

My research interests lie in the areas of Cyber Security (SEC), Programming Languages (PL) and Software Engineering (SE). I aim to address SEC problems by developing PL and SE methods, or to address PL and SE problems in support of SEC analysis. More specifically, I focus on the use of program analysis, testing and verification techniques to make software systems more secure and reliable.


Publications

You can also find my articles on my Google Scholar profile.

2021

  1. Zhiwu Xu, Cheng Wen, Shengchao Qin and Mengda He.
    Extracting automata from neural networks using active learning.
    PeerJ Computer Science. April 2021.
    PDF, BibTeX, DOI

2020

  1. Cheng Wen, Haijun Wang, Yuekang Li, Shengchao Qin, Yang Liu, Zhiwu Xu, Hongxu Chen, Xiaofei Xie, Geguang Pu and Ting Liu.
    MemLock: Memory Usage Guided Fuzzing.
    IEEE/ACM 42nd International Conference on Software Engineering (ICSE). Seoul, South Korea, 5-11 October 2020.
    The ICSE'20 Artifact Evaluation Committee awarded MemLock the Reusable and Available badges.
    Learn more at https://wcventure.github.io/MemLock/
    PDF, BibTeX, DOI, Slides, DataSet, Video, Code
  2. Haijun Wang, Xiaofei Xie, Yi Li, Cheng Wen, Yang Liu, Shengchao Qin, Hongxu Chen and Yulei Sui.
    Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities.
    IEEE/ACM 42nd International Conference on Software Engineering (ICSE). Seoul, South Korea, 5-11 October 2020.
    Learn more at https://sites.google.com/view/uafl/
    PDF, BibTeX, DOI, Slides, DataSet

2019

  1. Zhiwu Xu, Cheng Wen, and Shengchao Qin.
    Type Learning for Binaries and its Applications.
    IEEE Transactions on Reliability, 68(3):893-912, Sep 2019.
    PDF, BibTeX, DOI, Slides, DataSet, Code

2018

  1. Zhiwu Xu, Xiongya Hu, Cheng Wen, and Shengchao Qin.
    Extracting Automata from Neural Networks Using Active Learning.
    National Conference on Formal Methods and Applications (FMAC). Chongqing, China, 3-4th Nov 2018.
    Best Paper Award
    PDF, BibTeX, DOI
  2. Zhiwu Xu, Cheng Wen, and Shengchao Qin.
    State-taint analysis for detecting resource bugs.
    Science of Computer Programming. Elsevier, 162:93-109, 15th Sep 2018.
    PDF, BibTeX, DOI

2017

  1. Zhiwu Xu, Cheng Wen, Shengchao Qin and Zhong Ming.
    Effective malware detection based on behaviour and data features.
    International Conference on Smart Computing and Communication (SmartCom). Shenzhen, China, 12-14th Dec 2017. Springer, Cham.
    Best Student Paper Award
    PDF, BibTeX, DOI, Slides, Code
  2. Zhiwu Xu, Cheng Wen, and Shengchao Qin.
    Learning types for binaries.
    International Conference on Formal Engineering Methods (ICFEM). Xi'an, China, 13-17th Nov 2017. Springer, Cham.
    PDF, BibTeX, DOI, Slides, DataSet, Code


Misc


Practical Security Impact

CVE ID (70)

Vulnerability | Package | Program | Vulnerability Type
CVE-2020-36375 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-36374 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-36373 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-36372 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-36371 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-36370 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-36369 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-36368 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-36367 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-36366 | MJS 1.20.1 | mjs | Stack overflow
CVE-2020-18900 | libyal before 20181128 | libexe | Heap buffer overflow
CVE-2020-18899 | Exiv2 0.27 | exiv2 | Uncontrolled memory allocation
CVE-2020-18898 | Exiv2 0.27 | exiv2 | Stack overflow
CVE-2020-18897 | libyal before 2018112 | libpff | Use-after-free
CVE-2020-18395 | GNU Gama 2.04 | gama | NULL pointer dereference
CVE-2020-18392 | MJS 1.20.1 | mjs | Stack overflow
CVE-2019-16166 | GNU cflow 1.6 | cflow | Heap buffer overflow
CVE-2019-16165 | GNU cflow 1.6 | cflow | Use-after-free
CVE-2019-15140 | ImageMagick 7.0.8-43 | convert | Use-after-free
CVE-2019-11471 | libheif v1.4.0 | heif-convert | Use-after-free
CVE-2019-7704 | Binaryen 1.38.22 | wasm-opt | Uncontrolled memory allocation
CVE-2019-7703 | Binaryen 1.38.22 | wasm-merge | Use-after-free
CVE-2019-7702 | Binaryen 1.38.22 | wasm-as | NULL pointer dereference
CVE-2019-7701 | Binaryen 1.38.22 | wasm2js | Heap buffer overflow
CVE-2019-7700 | Binaryen 1.38.22 | wasm-merge | Heap buffer overflow
CVE-2019-7699 | Bento4 v1.5.1-627 | avcinfo | Heap buffer overflow
CVE-2019-7698 | Bento4 v1.5.1-627 | mp4dump | Uncontrolled memory allocation
CVE-2019-7697 | Bento4 v1.5.1-627 | mp42hls | Assertion failed
CVE-2019-7665 | Elfutils 0.175 | eu-readelf | Heap buffer overflow
CVE-2019-7664 | Elfutils 0.175 | eu-elflint | Negative size in memcpy
CVE-2019-7663 | Libtiff 4.0.10 | tiffcp | Invalid address read
CVE-2019-7662 | Binaryen 1.38.22 | wasm-opt | Assertion failed
CVE-2019-7154 | Binaryen 1.38.22 | wasm2js | Heap buffer overflow
CVE-2019-7153 | Binaryen 1.38.22 | wasm-opt | NULL pointer dereference
CVE-2019-7152 | Binaryen 1.38.22 | wasm-opt | Heap buffer overflow
CVE-2019-7151 | Binaryen 1.38.22 | wasm-opt | NULL pointer dereference
CVE-2019-7150 | Elfutils 0.175 | eu-stack | Unknown crash
CVE-2019-7149 | Elfutils 0.175 | eu-nm | Heap buffer overflow
CVE-2019-7148 | Elfutils 0.175 | eu-ar | Uncontrolled memory allocation
CVE-2019-7147 | NASM 2.14rc16 | nasm | Global buffer overflow
CVE-2019-7146 | Elfutils 0.175 | eu-readelf | Heap buffer overflow
CVE-2019-6293 | Flex 2.6.4 | flex | Stack overflow
CVE-2019-6292 | Yaml-cpp v0.6.2 | parse | Stack overflow
CVE-2019-6291 | NASM 2.14.03rc1 | nasm | Stack overflow
CVE-2019-6290 | NASM 2.14.03rc1 | nasm | Stack overflow
CVE-2018-20712 | Binutils 2.31 | c++filt | Heap buffer overflow
CVE-2018-20657 | Binutils 2.31 | c++filt | Memory leak
CVE-2018-20652 | Tinyexr v0.9.5 | tinyexr | Uncontrolled memory allocation
CVE-2018-20651 | Binutils 2.31 | ld | Invalid address read
CVE-2018-20593 | Mini Xml v2.1 | mxmldoc | Stack buffer overflow
CVE-2018-20592 | Mini Xml v2.1 | mxmldoc | Use-after-free
CVE-2018-20591 | libming v0.4.8 | swftocxx | Heap buffer overflow
CVE-2018-20002 | Binutils 2.31 | nm | Memory leak
CVE-2018-18701 | Binutils 2.31 | nm | Stack overflow
CVE-2018-18700 | Binutils 2.31 | nm | Stack overflow
CVE-2018-18607 | Binutils 2.31 | ld | NULL pointer dereference
CVE-2018-18606 | Binutils 2.31 | ld | NULL pointer dereference
CVE-2018-18605 | Binutils 2.31 | ld | Heap buffer overflow
CVE-2018-18521 | Elfutils 0.174 | eu-ranlib | Divide-by-zero
CVE-2018-18520 | Elfutils 0.174 | eu-size | Invalid address read
CVE-2018-18484 | Binutils 2.31 | c++filt | Stack overflow
CVE-2018-18483 | Binutils 2.31 | c++filt | Uncontrolled memory allocation
CVE-2018-18310 | Elfutils 0.174 | eu-stack | Invalid address read
CVE-2018-18309 | Binutils 2.31 | objdump | Invalid address read
CVE-2018-17985 | Binutils 2.31 | c++filt | Stack overflow
CVE-2018-17795 | LibTIFF 4.0.9 | tiff2pdf | Heap buffer overflow
CVE-2018-17794 | Binutils 2.31 | c++filt | NULL pointer dereference
CVE-2018-16403 | Elfutils 0.173 | eu-readelf | Heap buffer overflow
CVE-2018-16402 | Elfutils 0.173 | eu-nm | Double free
CVE-2018-16062 | Elfutils 0.173 | eu-addr2line | Heap buffer overflow


Open Bugs Reported (129)

Package | Program | Bug Type | Reference
Axel | axel | Data race | https://github.com/axel-download-accelerator/axel/issues/354
Axel | axel | Memory leak | https://github.com/axel-download-accelerator/axel/issues/353
SVF | wpa | Assertion failed’ | https://github.com/SVF-tools/SVF/issues/457
Aget | aget | Heap buffer overflow | https://github.com/EnderUNIX/Aget/issues/4
libming | listswf | Stack overflow | https://github.com/libming/libming/issues/181
libsixel v1.8.2 | sixel2png | Heap buffer overflow | https://github.com/saitoha/libsixel/issues/90
tinyexr 0.9.5 | tinyexr | Heap buffer overflow | https://github.com/syoyo/tinyexr/issues/121
mjs 1.20.1 | mjs | Stack overflow* | https://github.com/cesanta/mjs/issues/106
mjs 1.20.1 | mjs | Stack overflow* | https://github.com/cesanta/mjs/issues/110
mupdf 1.15.0-rc1 | muraster | Heap buffer overflow | https://bugs.ghostscript.com/show_bug.cgi?id=701034
mupdf 1.15.0-rc1 | muraster | Use-after-free* | https://bugs.ghostscript.com/show_bug.cgi?id=701018
imagemagick 7.0.8-43 | convert | Use-after-free* | https://github.com/ImageMagick/ImageMagick/issues/1554
libheif v1.4.0 | heif-convert | Use-after-free* | https://github.com/strukturag/libheif/issues/123
libosip2-5.1.0 | torture_test | Heap buffer overflow | https://savannah.gnu.org/bugs/index.php?56071
gama 2.04 | gama-g3 | NULL pointer dereference* | http://lists.gnu.org/archive/html/bug-gama/2019-04/msg00000.html
cflow 1.6 | cflow | Use-after-free* | http://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00001.html
cflow 1.6 | cflow | Heap buffer overflow* | http://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00000.html
Binutils 2.32 | gprof | Global buffer overflow | https://sourceware.org/bugzilla/show_bug.cgi?id=24402
liblouis 3.9.0 | lou_checktable | Stack buffer overflow | https://github.com/liblouis/liblouis/issues/728
liblouis 3.9.0 | lou_checktable | Global buffer overflow | https://github.com/liblouis/liblouis/issues/721
Bison 3.3 | bison | Heap buffer overflow | http://lists.gnu.org/archive/html/bug-bison/2019-03/msg00007.html
Bison 3.3 | yacc | NULL pointer dereference | http://lists.gnu.org/archive/html/bug-bison/2019-03/msg00008.html
recutils 1.8 | recfix | Double free | http://lists.gnu.org/archive/html/bug-recutils/2019-03/msg00001.html
elfutils 0.176 | eu-readelf | Invalid address read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24398
boolector 3.0.0 | boolector | Heap buffer overflow | https://github.com/Boolector/boolector/issues/42
boolector 3.0.0 | boolector | Use-after-free | https://github.com/Boolector/boolector/issues/41
elfutils 0.176 | eu-stack | Invalid address read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24387
elfutils 0.176 | eu-strip | Invalid address read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24385
lrzip 0.631 | lrzip | Invalid address read | https://github.com/ckolivas/lrzip/issues/109
zziplib 0.13.69 | unzzip | Stack buffer overflow | https://github.com/gdraheim/zziplib/issues/70
Binutils 2.32 | ld | Invalid address read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24340
Binutils 2.32 | ld | Invalid address read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24339
Binutils 2.32 | ld | Heap buffer overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24338
Binutils 2.32 | ld | Invalid address read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24337
Binutils 2.32 | ld | Heap buffer overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24336
Binutils 2.32 | ld | Heap buffer overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24334
Binutils 2.32 | ld | Invalid address read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24333
Binutils 2.32 | ld | Heap buffer overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24332
exiv2 0.27 | exiv2 | Uncontrolled memory allocation* | https://github.com/Exiv2/exiv2/issues/742
exiv2 0.27 | exiv2 | Stack overflow* | https://github.com/Exiv2/exiv2/issues/741
openh264 1.8.0 | h264dec | Use-after-free’ | https://github.com/cisco/openh264/issues/3108
Binaryen 1.38.26 | wasm-opt | Heap buffer overflow’ | https://github.com/WebAssembly/binaryen/issues/1900
Binaryen 1.38.25 | wasm-as | NULL pointer dereference’ | https://github.com/WebAssembly/binaryen/issues/1893
Elfutils 0.175 | eu-nm | Heap buffer overflow | https://sourceware.org/bugzilla/show_bug.cgi?id=24140
Binaryen 1.38.25 | wasm2js | Assertion failed’ | https://github.com/WebAssembly/binaryen/issues/1885
Elfutils 0.175 | eu-readelf | Heap buffer overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24116
Binaryen 1.38.22 | wasm-opt | NULL pointer dereference* | https://github.com/WebAssembly/binaryen/issues/1881
Binaryen 1.38.22 | wasm-opt | Heap buffer overflow* | https://github.com/WebAssembly/binaryen/issues/1880
Binaryen 1.38.22 | wasm-opt | NULL pointer dereference* | https://github.com/WebAssembly/binaryen/issues/1879
Binaryen 1.38.22 | wasm-opt | Assertion failed’ | https://github.com/WebAssembly/binaryen/issues/1878
Binaryen 1.38.22 | wasm2js | Assertion failed’ | https://github.com/WebAssembly/binaryen/issues/1877
Binaryen 1.38.22 | wasm2js | Heap buffer overflow* | https://github.com/WebAssembly/binaryen/issues/1876
Elfutils 0.175 | eu-stack | Wild pointer dereference* | https://sourceware.org/bugzilla/show_bug.cgi?id=24103
Elfutils 0.175 | eu-nm | Heap buffer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24102
Binaryen 1.38.22 | wasm-opt | Assertion failed* | https://github.com/WebAssembly/binaryen/issues/1872
Binaryen 1.38.22 | wasm-as | NULL pointer dereference* | https://github.com/WebAssembly/binaryen/issues/1867
Binaryen 1.38.22 | wasm-opt | Uncontrolled memory allocation* | https://github.com/WebAssembly/binaryen/issues/1866
Binaryen 1.38.22 | wasm-merge | Use-after-free* | https://github.com/WebAssembly/binaryen/issues/1865
Binaryen 1.38.22 | wasm-merge | Heap buffer overflow* | https://github.com/WebAssembly/binaryen/issues/1864
Binaryen 1.38.22 | wasm2js | Heap buffer overflow* | https://github.com/WebAssembly/binaryen/issues/1863
Elfutils 0.174 | eu-readelf | Heap buffer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24089
Elfutils 0.174 | eu-strip | Memory leak’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24086
Elfutils 0.174 | eu-ar | Uncontrolled memory allocation* | https://sourceware.org/bugzilla/show_bug.cgi?id=24085
Elfutils 0.174 | eu-elflint | Negative-size param* | https://sourceware.org/bugzilla/show_bug.cgi?id=24084
Elfutils 0.174 | eu-readelf | Heap buffer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24081
Elfutils 0.174 | eu-readelf | Heap buffer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24075
flex 2.6.4 | flex | Stack overflow* | https://github.com/westes/flex/issues/414
NASM 2.14.03rc1 | nasm | Stack overflow* | https://bugzilla.nasm.us/show_bug.cgi?id=3392549
NASM 2.14.03rc1 | nasm | Stack overflow* | https://bugzilla.nasm.us/show_bug.cgi?id=3392548
yaml-cpp 0.6.2 | parse | Stack overflow* | https://github.com/jbeder/yaml-cpp/issues/657
NASM 2.14rc16 | ndisasm | Stack buffer overflow’ | https://bugzilla.nasm.us/show_bug.cgi?id=3392547
NASM 2.14rc16 | ndisasm | Stack buffer overflow’ | https://bugzilla.nasm.us/show_bug.cgi?id=3392546
NASM 2.14rc16 | ndisasm | Stack buffer overflow’ | https://bugzilla.nasm.us/show_bug.cgi?id=3392545
LibRaw 0.19.2 | dcraw_emu | Memory leak’ | https://github.com/LibRaw/LibRaw/issues/196
NASM 2.14rc16 | nasm | Global buffer overflow* | https://bugzilla.nasm.us/show_bug.cgi?id=3392544
Bento4 v1.5.1-624 | avcinfo | Heap buffer overflow* | https://github.com/axiomatic-systems/Bento4/issues/355
Bento4 v1.5.1-624 | mp4dump | Uncontrolled memory allocation* | https://github.com/axiomatic-systems/Bento4/issues/354
Bento4 v1.5.1-624 | mp42hls | Global buffer overflow’ | https://github.com/axiomatic-systems/Bento4/issues/353
Bento4 v1.5.1-624 | mp42hls | Invalid address read* | https://github.com/axiomatic-systems/Bento4/issues/352
Bento4 v1.5.1-624 | mp42hls | Assertion failed* | https://github.com/axiomatic-systems/Bento4/issues/351
tinyexr v0.9.5 | test_tinyexr | Uncontrolled memory allocation* | https://github.com/syoyo/tinyexr/issues/104
tinyexr v0.9.5 | test_tinyexr | Uncontrolled memory allocation’ | https://github.com/syoyo/tinyexr/issues/103
tinyexr v0.9.5 | test_tinyexr | Heap buffer overflow’ | https://github.com/syoyo/tinyexr/issues/102
tinyexr v0.9.5 | test_tinyexr | Invalid address read’ | https://github.com/syoyo/tinyexr/issues/101
htslib v1.9 | tabix | Invalid address read’ | https://github.com/samtools/htslib/issues/810
Binutils 2.31 | c++filt | Heap buffer overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629
Binutils 2.31 | c++filt | Heap buffer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24043
Binutils 2.31 | ld | Global buffer overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24042
Binutils 2.31 | ld | Invalid address read* | https://sourceware.org/bugzilla/show_bug.cgi?id=24041
jasper v2.0.14 | jasper | Assertion failed’ | https://github.com/mdadams/jasper/issues/190
libming v0.4.8 | swftocxx | Heap buffer overflow* | https://github.com/libming/libming/issues/168
Mini Xml v2.1 | mxmldoc | Stack buffer overflow* | https://github.com/michaelrsweet/mxml/issues/237
Mini Xml v2.1 | mxmldoc | Use-after-free* | https://github.com/michaelrsweet/mxml/issues/237
Binutils 2.31 | ld | Memory leak’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24007
Binutils 2.31 | c++filt | Memory leak* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539
Binutils 2.31 | c++filt | Memory leak* | https://sourceware.org/bugzilla/show_bug.cgi?id=24002
Binutils 2.31 | objdump | Memory leak’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24001
Binutils 2.31 | nm | Memory leak* | https://sourceware.org/bugzilla/show_bug.cgi?id=23952
Binutils 2.31 | nm | Stack overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681
Binutils 2.31 | nm | Stack overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675
Binutils 2.31 | ld | NULL pointer dereference* | https://sourceware.org/bugzilla/show_bug.cgi?id=23806
Binutils 2.31 | ld | NULL pointer dereference* | https://sourceware.org/bugzilla/show_bug.cgi?id=23805
Binutils 2.31 | ld | Heap buffer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=23804
Binutils 2.31 | c++filt | Stack overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636
Binutils 2.31 | c++filt | Integer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=23767
Binutils 2.31 | c++filt | Uncontrolled memory allocation* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602
Binutils 2.31 | ld | NULL pointer dereference’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23772
Binutils 2.31 | objdump | Uncontrolled memory allocation’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23771
Binutils 2.31 | c++filt | Stack overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333
Binutils 2.31 | c++filt | Stack overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335
Binutils 2.31 | c++filt | NULL pointer dereference* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350
Binutils 2.31 | objdump | Invalid address read* | https://sourceware.org/bugzilla/show_bug.cgi?id=23770
Elfutils 0.174 | eu-ranlib | Divide-by-zero* | https://sourceware.org/bugzilla/show_bug.cgi?id=23786
Elfutils 0.174 | eu-size | Invalid address read* | https://sourceware.org/bugzilla/show_bug.cgi?id=23787
Elfutils 0.174 | eu-readelf | Negative-size param’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23782
Elfutils 0.174 | eu-stack | Invalid address read* | https://sourceware.org/bugzilla/show_bug.cgi?id=23752
Elfutils 0.174 | eu-stack | Invalid address read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23753
Elfutils 0.174 | eu-ar | NULL pointer dereference’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23754
Elfutils 0.174 | eu-findtextrel | Divide-by-zero’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23755
Elfutils 0.173 | eu-addr2line | Heap buffer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=23541
Elfutils 0.173 | eu-nm | Double free* | https://sourceware.org/bugzilla/show_bug.cgi?id=23528
Elfutils 0.173 | eu-readelf | Heap buffer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=23529
Elfutils 0.173 | eu-elflint | Heap buffer overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23542
LibTIFF 4.0.9 | tiff2pdf | Heap buffer overflow* | http://bugzilla.maptools.org/show_bug.cgi?id=2816
libexe | exeinfo | Heap buffer overflow* | https://github.com/libyal/libexe/issues/1
ImageMagick | magick identify | Uncontrolled memory allocation’ | https://github.com/ImageMagick/ImageMagick/issues/1350
ImageMagick | magick | Memory leak’ | https://github.com/ImageMagick/ImageMagick/issues/1403
liblnk | lnkinfo | Heap buffer overflow’ | https://github.com/libyal/liblnk/issues/36