Chao Zhang (张超)

Associate Professor
FIT 3-209 Tsinghua University, Beijing, China 100084
chaoz #
chao.zhang #
chaoz # (expired)


I am looking for highly-motivated collaborators all the time.

  • Positions: postdocs, visiting scholars, research assistants, interns
  • Topics: software security, AI security and program analysis
  • Read more on the contact page if you are interested.


  • I am a tenure-track Associate Professor at Tsinghua University.
  • I am the coach of the Blue-Lotus CTF team.


Research Interests

  • Software Security, System Security, AI Security
  • Vulnerability analysis (discovery, mitigation, pwn)
  • Malware analysis (detection)
  • Cool stuff: IoT, blockchain …


Hack for Fun



  1. Argot: Generating Adversarial Readable Chinese Texts
    Zihan Zhang, Mingxuan Liu, Chao Zhang*, Yiming Zhang, Zhou Li, Qi Li, Haixin Duan, Donghong Sun.
    To appear in the 29th International Joint Conference on Artificial Intelligence (IJCAI’20)
  2. FANS: Fuzzing Android Native System Services via Automated Interface Analysis
    Baozheng Liu, Chao Zhang*, Guang Gong, Yishun Zeng, Haifeng Ruan, Jianwei Zhuge*.
    To appear in the 29th USENIX Security Symposium (USENIX Security’20)
  3. A Large-Scale Empirical Study on Vulnerability Distribution within Projects and the Lessons Learned
    Bingchang Liu, Guozhu Meng*, Wei Zou, Qi Gong, Feng Li, Min Lin, Dandan Sun, Wei Huo, Chao Zhang.
    To appear in the International Conference on Software Engineering (ICSE 2020)
  4. DRAMD: Detect Advanced DRAM-based Stealthy Communication Channels with Neural Networks
    Zhiyuan Lv, Youjian Zhao, Chao Zhang*, Haibin Li
    To appear in the IEEE Conference on Computer Communications (IEEE INFOCOM 2020)
  5. GreyOne: Data-Flow Sensitive Fuzzing
    Shuitao Gan, Chao Zhang*, Xiaojun Qin, Peng Chen, Bodong Zhao, Zuoning Chen
    To appear in the 29th USENIX Security Symposium (USENIX Security’20)
  6. SRFuzzer: An Automatic Fuzzing Framework for Physical SOHO Router Devices to Discover Multi-Type Vulnerabilities
    Yu Zhang, Wei Huo, Kunpeng Jian, Ji Shi, Haoliang Lu, Longquan Liu, Chen Wang, and Dandan Sun, Chao Zhang, Baoxu Liu
    In the 35th Annual Computer Security Applications Conference (ACSAC’19)
  7. Fuzzing IPC with Knowledge Inference
    Kun Yang, Hanqing Zhao, Chao Zhang*, Jianwei Zhuge and Haixin Duan
    In the 38th International Symposium on Reliable Distributed Systems (SRDS’19)
  8. MOPT: Optimized Mutation Scheduling for Fuzzers
    Chenyang Lyu, Shouling Ji*, Chao Zhang*, Yuwei Li, Wei-Han Lee, Yu Song, Raheem Beyah
    In the 28th USENIX Security Symposium (USENIX Security’19), Santa Clara, CA, Aug 2019
  9. Revery: from Proof-of-Concept to Exploitable (One Step towards Automatic Exploit Generation)
    Yan Wang, Chao Zhang*, Xiaobo Xiang, Zixuan Zhao, Wenjie Li, Xiaorui Gong*, Bingchang Liu, Kaixiang Chen, Wei Zou
    In the ACM Conference on Computer and Communications Security (CCS’18), Toronto, Canada, Oct 2018
  10. Abusing CDNs for Fun and Profit: Security Issues in CDNs’ Origin Validation
    Run Guo, Jianjun Chen, Baojun Liu, Jia Zhang*, Chao Zhang*, Haixin Duan, Tao Wan, Jian Jiang, Shuang Hao, Yaoqi Jia
    In 37th IEEE International Symposium on Reliable Distributed Systems (SRDS 2018), Bahia, Brazil, Oct 2018
  11. αDiff: Cross-Version Binary Code Similarity Detection with DNN
    Bingchang Liu, Wei Huo*, Chao Zhang*, Wenchao Li, Feng Li, Aihua Piao, Wei Zou
    In IEEE/ACM Automated Software Engineering (ASE’18), Montpellier, France, Sep 2018
  12. ICUFuzzer: Fuzzing ICU Library for Exploitable Bugs in Multiple Software
    Kun Yang, Yuan Deng, Chao Zhang, Jianwei Zhuge and Haixin Duan
    In Information Security Conference (ISC’18), London, UK, Sep 2018

  13. CollAFL: Path Sensitive Fuzzing
    Shuitao Gan, Chao Zhang*, Xiaojun Qin, Xuwen Tu, Kang Li, Zhongyu Pei, Zuoning Chen
    In IEEE Security & Privacy 2018 (IEEE S&P’18), San Francisco, CA, May 2018

  14. Towards Efficient Heap Overflow Discovery
    Xiangkun Jia, Chao Zhang*, Purui Su*, Yi Yang, Huafeng Huang, Dengguo Feng
    In the 26th USENIX Security Symposium (USENIX Security’17), Vancouver, BC, Aug 2017
  15. VTrust: Regaining Trust on Virtual Calls
    Chao Zhang, Scott A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, Dawn Song
    In the Network and Distributed System Security Symposium (NDSS’16), San Diego, CA, Feb 2016
  16. VTint: Protecting Virtual Function Tables’ Integrity
    Chao Zhang, Chengyu Song, Kevin Zhijie Chen, Zhaofeng Chen, Dawn Song
    In the Network and Distributed System Security Symposium (NDSS’15), San Diego, CA, Feb 2015
  17. Exploiting and Protecting Dynamic Code Generation
    Chengyu Song, Chao Zhang, Tielei Wang, Wenke Lee, David Melski
    In the Network and Distributed System Security Symposium (NDSS’15), San Diego, CA, Feb 2015
  18. JITScope: Protecting Web Users from Control-Flow Hijacking Attacks
    Chao Zhang, Mehrdad Niknami, Kevin Zhijie Chen, Chengyu Song, Zhaofeng Chen, Dawn Song
    In the 34th Annual IEEE International Conference on Computer Communications (INFOCOM’15), Hong Kong, China, April 2015

  19. The Store-and-Flood Distributed Reflective Denial of Service Attack
    Bingshuang Liu, Skyler Berg, Jun Li, Tao Wei, Chao Zhang, Xinhui Han
    In the 23rd International Conference on Computer Communications and Networks (ICCCN’14), Shanghai, China, Aug 2014
  20. Android Low Entropy Demystified
    Yu Ding, Zhuo Peng, Yuanyuan Zhou, Chao Zhang
    In IEEE International Conference on Communications (ICC’14), Sydney, Australia, June 2014

  21. Splider: A Split-based Crawler of the BT-DHT Network and its Applications
    Bingshuang Liu, Shidong Wu, Tao Wei, Chao Zhang, Jun Li, Jianyu Zhang, Yu Chen, Chen Li
    In the 11th Annual IEEE Consumer Communications & Networking Conference (CCNC’14), Las Vegas, Nevada, Jan 2014
  22. Practical Control Flow Integrity & Randomization for Binary Executables
    Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Laszlo Szekeres, Stephen McCamant, Dawn Song, Wei Zou.
    In the 34th IEEE Symposium on Security & Privacy (IEEE S&P’13), San Francisco, CA, May 2013.
  23. Protecting Function Pointers in Binary
    Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Stephen McCamant, Laszlo Szekeres.
    In the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS’13), Hangzhou, China, May 2013.

  24. A Framework to Eliminate Backdoors from Response Computable Authentication
    Shuaifu Dai, Tao Wei, Chao Zhang, Tielei Wang, Yu Ding, Wei Zou, Zhenkai Liang.
    In the 33rd IEEE Symposium on Security and Privacy (IEEE S&P’12), San Francisco, CA, May 2012.
  25. IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time
    Chao Zhang, Tielei Wang, Tao Wei, Yu Chen, Wei Zou.
    In the 15th European Symposium on Research in Computer Security (ESORICS’10), Athens, Greece, Sep. 2010.


  1. From Proof-of-Concept to Exploitable (One Step towards Automatic Exploitability Assessment)
    Wang, Yan, Wei Wu, Xiaorui Gong, Chao Zhang, Xinyu Xing, and Wei Zou.
    Accepted by Cybersecurity, 2019
  2. Research Progress in Program Analysis
  3. Fuzzing: a survey
    Jun Li, Bodong Zhao, Chao Zhang*
    In Cybersecurity, Jun 2018, 1(1)
  4. Several Methods of Exploiting the Glibc Heap
    Zhongyu Pei, Chao Zhang*, Haixin Duan
    Journal of Cyber Security, 2018, 3(1): 1-15
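  5. Use-After-Free Vulnerability Detection Techniques for Binary Programs
    Xinhui Han, Shuang Wei, Jiayi Ye, Chao Zhang, Zhiyuan Ye
    Journal of Tsinghua University (Science and Technology), 2017, 57(10): 1022-1029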
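  6. A Sensitive-Character-Based Defense Method against SQL Injection Attacks
    Huilin Zhang, Yu Ding, Lihua Zhang, Lei Duan, Chao Zhang, Tao Wei, Guancheng Li, Xinhui Han
    Journal of Computer Research and Development, 2016, 53(10)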
  7. Accurate and Efficient Exploit Capture and Classification
    Yu Ding, Tao Wei, Hui Xue, Yulong Zhang, Chao Zhang, Xinhui Han
    In SCIENCE CHINA Information Sciences (SCIS), Vol. 60, No. 5, 2016
  8. SF-DRDoS: The store-and-flood distributed reflective denial of service attack
    Bingshuang Liu, Jun Li, Tao Wei, Skyler Berg, Jiayi Ye, Chen Li, Chao Zhang, Jianyu Zhang, Xinhui Han
    In Computer Communications, Vol. 69, Sep. 2015
  9. Improving lookup reliability in Kad
    Bingshuang Liu, Tao Wei, Chao Zhang, Jun Li, Jianyu Zhang
    In Peer-to-Peer Networking and Applications (PPNA), Vol. 8, Issue 1, Jan. 2015
  10. Using Type Analysis in Compiler to Eliminate Integer-Overflow-to-Buffer-Overflow Threat.
    Chao Zhang, Wei Zou, Tielei Wang, Yu Chen, Tao Wei.
    In Journal of Computer Security (JCS), Vol. 19, No. 6, Dec. 2011

Professional Service

Conference co-chair:

  • RAID’19 (Publicity Chair)
  • ACM TUR-C SIGSAC’19 (Publicity Chair)

Conference TPC:

  • CCS’19
  • ASIACCS’19
  • RAID’19
  • BAR’18, BAR’19
  • CSET’17, CSET’18
  • SecureComm’18
  • NASAC’18

Journal Editorial Board Member:

Journal Reviewer: