Changhua Luo

Changhua Luo

Assistent Professor

Wuhan University

I am a tenure-track assistant professor in the Institute for Math & AI and School of Cyber Science and Engineering(国家网络安全学院) at Wuhan University. Prior to that, I was a postdoctoral scholar in the System Security at HKU. I received my Ph.D. from the Chinese University of Hong Kong under the supervision of Prof. Wei Meng and received my B.Eng. from Wuhan University.

My research focuses on program analysis and software security. I prioritize analyzing and addressing security problems with real-world implications. My first- and corresponding-author papers have discovered over 100 high-severity security vulnerabilities in real-world software infrastructure such as Chrome and OpenSSL. These efforts have been recognized with vulnerability bounty awards exceeding 200,000 USD from major companies such as Google.

I am actively seeking highly motivated Ph.D. and master’s students. If you are interested in security and have experience through CTF or security research, please feel free to reach out to me.

Interests
  • Software Security
  • Program Analysis
  • Web Security
Education

  • Ph.D. in Computer Science and Engineering, 2024

    The Chinese University of Hong Kong

  • B.Eng. in Information Security, 2019

    Wuhan University

News

  • <2025-06> One paper accepted to USENIX Security.
  • <2025-02> I joined WHU as a tenure-track assistant professor.
  • <2024-11> One paper accepted to NDSS 25.
  • <2024-09> One paper accepted to Oakland 2025.
  • <2024-08> One paper accepted to CCS 2024.
  • <2024-07-16 Tue> I joined HKU as a postdoctoral researcher.
  • <2024-05-14 Tue> I passed my Ph.D. defense at CUHK.

Publications

* Denotes the Corresponding Author.

  • IDFuzz: Intelligent Directed Grey-box Fuzzing.

    Yiyang Chen, Chao Zhang*, Long Wang*, Wenyu Zhu, Changhua Luo, Nuoqi Gui, Zheyu Ma, Xingjian Zhang, and Bingkai Su

    In Proceedings of The 34th USENIX Security Symposium, August 2025.

  • Predator: Directed Web Application Fuzzing for Efficient Vulnerability Validation. [PDF][code]

    Chenlin Wang, Wei Meng, Changhua Luo, and Penghui Li.

    In Proceedings of The 46th IEEE Symposium on Security and Privacy (Oakland), May 2025.

  • Automatic Library Fuzzing through API Relation Evolvement. [PDF][code]

    Jiayi Lin, Qingyu Zhang, Junzhe Li, Chenxin Sun, Hao Zhou, Changhua Luo*, and Chenxiong Qian*.

    In Proceedings of The 32nd Annual Network and Distributed System Security Symposium (NDSS), Feb 2025.

  • Test Suites Guided Vulnerability Validation for Node.js Applications. [PDF][code]

    Changhua Luo, Penghui Li, Wei Meng, Chao Zhang.

    In Proceedings of The 31st ACM Conference on Computer and Communications Security (CCS), Oct 2024.

  • Holistic Concolic Execution for Dynamic Web Applications via Symbolic Interpreter Analysis. [PDF][code]

    Penghui Li, Wei Meng, Mingxue Zhang, Chenlin Wang, Changhua Luo.

    In Proceedings of The 45th IEEE Symposium on Security and Privacy (Oakland), May 2024.

  • Strengthening Supply Chain Security with Fine-grained Safe Patch Identification. [PDF][code]

    Changhua Luo, Wei Meng, Shuai Wang.

    In Proceedings of 46th International Conference on Software Engineering (ICSE), research track, April 2024.

  • SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration. [PDF][code]

    Changhua Luo, Wei Meng, Penghui Li.

    In Proceedings of The 44th IEEE Symposium on Security and Privacy (Oakland), May 2023.

  • TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications. [PDF][code]

    Changhua Luo, Penghui Li, Wei Meng.

    In Proceedings of The 29th ACM Conference on Computer and Communications Security (CCS), Nov 2022.

    ★ ACM CCS 2022 Best Paper Honorable Mention, 20/971=2.06%.

  • On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution. [PDF][code]

    Penghui Li, Wei Meng, Kangjie Lu, Changhua Luo.

    In Proceedings of the 30th Web Conference (WWW), security track, Feb 2021.

Services

Technical Program Committee

  • IEEE International Conference on Parallel and Distributed Systems (ICPADS), 2024
  • The ACM International Workshop on Fuzzing (FUZZING), 2025
  • IEEE Transactions on Software Engineering (TSE), 2025

External Reviewer

  • IEEE Symposium on Security and Privacy (Oakland), 2023, 2024
  • The ACM Conference on Computer and Communications Security (CCS), 2021, 2022, 2023, 2024
  • The Web Conference (WWW), 2020, 2021, 2022, 2024
  • The ACM ASIA Conference on Computer and Communications Security (ASIACCS), 2021, 2022