Associate Professor
Network and Information Security Lab (NISL)
Institute for Network Science and Cyberspace, Tsinghua University

Mailing address:
FIT 3-209 Tsinghua University, Beijing, China 100084

chaoz #
chaoz #
chao.zhang #


Research Interests

  • Software security analysis, including binary analysis and reverse engineering.
  • Vulnerability detection, exploit and protection techniques.
  • Web security and P2P network security analysis.
  • Programming language theory and implementation.
  • AI and security.
  • Cool stuff: IoT, blockchain…




  1. Towards Efficient Heap Overflow Discovery [PDF]
    Xiangkun Jia, Chao Zhang, Purui Su, Yi Yang, Huafeng Huang, Dengguo Feng
    In the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, Aug 2017
  2. VTrust: Regaining Trust on Virtual Calls [PDF]
    Chao Zhang, Scott A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, Dawn Song
    In the Network and Distributed System Security Symposium (NDSS’16), San Diego, CA, Feb 2016
  3. VTint: Protecting Virtual Function Tables’ Integrity [pdf] [slides]
    Chao Zhang, Chengyu Song, Kevin Zhijie Chen, Zhaofeng Chen, Dawn Song
    In the Network and Distributed System Security Symposium (NDSS’15), San Diego, CA, Feb 2015
  4. Exploiting and Protecting Dynamic Code Generation [pdf]
    Chengyu Song, Chao Zhang, Tielei Wang, Wenke Lee, David Melski
    In the Network and Distributed System Security Symposium (NDSS’15), San Diego, CA, Feb 2015
  5. JITScope: Protecting Web Users from Control-Flow Hijacking Attacks
    Chao Zhang, Mehrdad Niknami, Kevin Zhijie Chen, Chengyu Song, Zhaofeng Chen, Dawn Song
    In the 34th Annual IEEE International Conference on Computer Communications (InfoCom’15), Hong Kong, China, April 2015
  6. UAFChecker: Scalable Static Detection of Use-After-Free Vulnerabilities (poster)
    Jiayi Ye, Chao Zhang, Xinhui Han
    In the 21st ACM Conference on Computer and Communications Security (CCS’14), Scottsdale, Arizona, Nov 2014
  7. PHPGate: A Practical White-Delimiter-Tracking Protection against SQL-Injection for PHP (poster)
    Lihua Zhang, Yu Ding, Chao Zhang, Lei Duan, Zhaofeng Chen, Tao Wei, Xinhui Han
    In the 24th USENIX Security Symposium, San Diego, CA, Aug 2014
  8. The Store-and-Flood Distributed Reflective Denial of Service Attack
    Bingshuang Liu, Skyler Berg, Jun Li, Tao Wei, Chao Zhang, Xinhui Han
    In the 23rd International Conference on Computer Communications and Networks (ICCCN’14), Shanghai, China, Aug 2014
  9. Android Low Entropy Demystified
    Yu Ding, Zhuo Peng, Yuanyuan Zhou, Chao Zhang
    In IEEE International Conference on Communications (ICC’14), Sydney, Australia, June 2014
  10. Unider: Exploit Attack Emulator Armed with State-of-Art Exploit Techniques (poster)
    Yu Ding, Chao Zhang, Tao Wei
    In the Network and Distributed System Security Symposium (NDSS’14), San Diego, CA, Feb 2014
  11. Splider: A Split-based Crawler of the BT-DHT Network and its Applications
    Bingshuang Liu, Shidong Wu, Tao Wei, Chao Zhang, Jun Li, Jianyu Zhang, Yu Chen, Chen Li
    In the 11th Annual IEEE Consumer Communications & Networking Conference (CCNC’14), Las Vegas, Nevada, Jan 2014
  12. Practical Control Flow Integrity & Randomization for Binary Executables [PDF] [slides]
    Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Laszlo Szekeres, Stephen McCamant, Dawn Song, Wei Zou.
    In the 34th IEEE Symposium on Security & Privacy (Oakland’13), San Francisco, CA, May 2013.
  13. Protecting Function Pointers in Binary
    Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Stephen McCamant, Laszlo Szekeres.
    In the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS’13), Hangzhou, China, May 2013.
  14. LinkTrust: A Phishing Detection Method Depending on the PageRank (in Chinese)
    Lihua Zhang, Tao Wei, Kun Li, Jian Mao, Chao Zhang, Wei Zou.
    In the 5th Conference on Vulnerability Analysis and Risk Assessment (VARA’12), Shanghai, China, Dec, 2012.
  15. FPGate: The Last Building Block For A Practical CFI Solution [PDF]
    Tao Wei, Chao Zhang, Zhaofeng Chen, Lei Duan, Laszlo Szekeres, Stephen McCamant, Dawn Song.
    Technical Report for Microsoft BlueHat Prize Contest, Apr. 2012.
  16. A Framework to Eliminate Backdoors from Response Computable Authentication [PDF]
    Shuaifu Dai, Tao Wei, Chao Zhang, Tielei Wang, Yu Ding, Wei Zou, Zhenkai Liang.
    In the 33rd IEEE Symposium on Security and Privacy (Oakland’12), San Francisco, CA, May 2012.
  17. IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time [PDF]
    Chao Zhang, Tielei Wang, Tao Wei, Yu Chen, Wei Zou.
    In the 15th European Symposium on Research in Computer Security (ESORICS’10), Athens, Greece, Sep. 2010.


  1. SQL injection prevention based on sensitive characters. (in Chinese)
    Huilin Zhang, Yu Ding, Lihua Zhang, Lei Duan, Chao Zhang, Tao Wei, Guancheng Li, Xinhui Han
    In Journal of Computer Research and Development Vol. 53, No. 10, Oct. 2016
  2. Accurate and Efficient Exploit Capture and Classification
    Yu Ding, Tao Wei, Hui Xue, Yulong Zhang, Chao Zhang, Xinhui Han
    In SCIENCE CHINA Information Sciences (SCIS), Vol. 60, No. 5, 2016
  3. SF-DRDoS: The store-and-flood distributed reflective denial of service attack
    Bingshuang Liu, Jun Li, Tao Wei, Skyler Berg, Jiayi Ye, Chen Li, Chao Zhang, Jianyu Zhang, Xinhui Han
    In Computer Communications, Vol. 69, Sep. 2015
  4. Improving lookup reliability in Kad
    Bingshuang Liu, Tao Wei, Chao Zhang, Jun Li, Jianyu Zhang
    In Peer-to-Peer Networking and Applications, Vol. 8, Issue 1, Jan. 2015
  5. Using Type Analysis in Compiler to Eliminate Integer-Overflow-to-Buffer-Overflow Threat. [PDF]
    Chao Zhang, Wei Zou, Tielei Wang, Yu Chen, Tao Wei.
    In Journal of Computer Security (JCS), Vol. 19, No. 6, Dec. 2011

Professional Service

Program Committee for:

Student/Shadow PC for:

Editor for:

Reviewer for journals:

Reviewer for conferences:

Open Source Projects