I am an associate professor at Institute of Information Engineering (IIE), Chinese Academy of Sciences (CAS). My primary research interests focus on software supply chain security, particularly in curating and refining high-quality vulnerability data, software component analysis, and risk propagation and analysis, as well as AI-driven approaches to software security, including vulnerability identification, vulnerability analysis with large language models (LLMs), and agent-based vulnerability analysis. Please feel free to contact me by email (xiaoyang[at]iie.ac.cn).
Research Interests
- AI for Cybersecurity (智能化漏洞挖掘与分析)
- Agent-based Vulnerability Detection, Verification and Remediation
- Automated Vulnerability Discovery
- Software Supply Chain Security (软件供应链安全)
- Vulnerability Intelligence and Data Analytics
- Software Component Analysis
- Binary Code Similarity Detection
- Vulnerability Variant Discovery
- Vulnerability Remediation
- AI Infra Security (AI基础设施安全)
- Agent Security
- AI Serving and Inference Framework Security
- AI Application Platform Security
Background
- 2022.1 - Present, Institute of Information Engineering, Chinese Academy of Sciences, Associate Professor.
- 2019.7 - 2020.2, Nanyang Technology University, Visiting student. (Supervised by Yang Liu)
- 2015.9 - 2022.1, Institute of Information Engineering, Chinese Academy of Sciences, Ph.D. (Supervised by Wei Zou and Wei Huo)
- 2011.9 - 2015.6, Sun Yat-sen University, Bachelor.
Publications
2026
[OOPSLA] From Similarity Ranking to Definitive Verdict: LLM-Enhanced Source-to-Binary Function Localization.
Jingyi Shi, Chengyue Liu, Zhengzi Xu, Yang Xiao(*), Xingchu Chen, Yeting Li, Wei Huo, Yang Liu.
OOPSLA. (CCF-A)[TOSEM] Empirical Study of Code Large Language Models for Binary Security Patch Detection.
Qingyuan Li, Binchang Li, Cuiyun Gao, Shuzheng Gao, Zongjie Li, Yang Xiao, Chuanyi Li, Bin Luo.
ACM Transactions on Software Engineering and Methodology. (CCF-A)[FSE] Understanding the Limitations of C/C++ Binary Third-Party Library Detection Tool: An Empirical Study at Scale.
Chengyue Liu, Zhengzi Xu, Kaixuan Li, Jiahui Wu, Sihao Qiu, Siyuan Li, Siyang Xiong, Yang Xiao, Yang Liu.
The ACM International Conference on the Foundations of Software Engineering. (CCF-A)[ASE-J] SPVR: syntax-to-prompt vulnerability repair based on large language models.
Ruoke Wang, Zongjie Li, Cuiyun Gao, Chaozheng Wang, Yang Xiao, Xuan Wang.
Automated Software Engineering. (CCF-B)[NDSS] Through the Authentication Maze: Detecting Authentication Bypass Vulnerabilities in Firmware Binaries.
Nanyu Zhong, Yuekang Li, Yanyan Zou, Jiaxu Zhao, Jinwei Dong, Yang Xiao, Bingwei Peng, Yeting Li, Wei Wang, Wei Huo.
Network and Distributed System Security (NDSS) Symposium. (CCF-A)[EuroSys] LifeFuzz: Lifecycle-Guided Fuzzing for Windows Driver Cross-Handler Vulnerabilities.
Chendong Yu, Yuekang Li, Yang Xiao(*), Jie Lu, Yeting Li, Defang Bo, Wei Huo(*).
EuroSys 2026. (CCF-A)
2025
[TOSEM] PLocator: Fine-Grained Patch Presence Test in Binaries via Patch Code Localization.
Chaopeng Dong, Jingdong Guo, Shouguo Yang, Yang Xiao(*), Yi Li, Hong Li, Zhi Li, Limin Sun(*).
ACM Transactions on Software Engineering and Methodology. (CCF-A)[ASE] Advancing Binary Code Similarity Detection via Context-Content Fusion and LLM Verification.
Chaopeng Dong, Jingdong Guo, Shouguo Yang, Yi Li, Dongliang Fang(*), Yang Xiao(*), Yongle Chen, Limin Sun.
In Proceedings of the 40th IEEE/ACM Automated Software Engineering Conference (ASE 2025). (CCF-A)[ASE] A Large Scale Study of AI-based Binary Function Similarity Detection Techniques for Security Researchers and Practitioners.
Jingyi Shi, Yufeng Chen, Yang Xiao(*), Yuekang Li, Zhengzi Xu, Sihao Qiu, Chi Zhang, Keyu Qi, Yeting Li, Xingchu Chen, Yanyan Zou, Yang Liu, Wei Huo(*).
In Proceedings of the 40th IEEE/ACM Automated Software Engineering Conference (ASE 2025). (CCF-A)[ASE] Vulnerability-Affected Versions Identification: How Far Are We?
Xingchu Chen, Chengwei Liu, Jialun Cao, Yang Xiao(*), Xinyue Cai, Yeting Li, Jingyi Shi, Tianqi Sun, Haiming Chen, Wei Huo(*).
In Proceedings of the 40th IEEE/ACM Automated Software Engineering Conference (ASE 2025). (CCF-A)[USENIX SEC] From Constraints to Cracks: Constraint Semantic Inconsistencies as Vulnerability Beacons for Embedded Systems.
Jiaxu Zhao, Yuekang Li, Yanyan Zou, Yang Xiao, Naijia Jiang, Yeting Li, Nanyu Zhong, Bingwei Peng, Kunpeng Jian, Wei Huo.
In Proceedings of the 34th USENIX Security Symposium. (CCF-A)[USENIX SEC] VULCANBOOST: Boosting ReDoS Fixes through Symbolic Representation and Feature Normalization.
Yeting Li, Yecheng Sun, Zhiwu Xu, Haiming Chen, Xinyi Wang, Hengyu Yang, Huina Chao, Cen Zhang, Yang Xiao, Yanyan Zou, Feng Li, Wei Huo.
In Proceedings of the 34th USENIX Security Symposium. (CCF-A)[USENIX SEC] ZIPPER: Static Taint Analysis for PHP Applications with Precision and Efficiency.
Xinyi Wang, Yeting Li, Jie Lu, Shizhe Cui, Chenghang Shi, Qin Mai, Yunpei Zhang, Yang Xiao, Feng Li, Wei Huo.
In Proceedings of the 34th USENIX Security Symposium. (CCF-A)[ACL] Boosting Vulnerability Detection of LLMs via Curriculum Preference Optimization with Synthetic Reasoning Data.
Xin-Cheng Wen, Yijun Yang, Cuiyun Gao, Yang Xiao, Deheng Ye.
Association for Computational Linguistics. (CCF-A)
2024
[USENIX SEC] Leveraging Semantic Relations in Code and Data to Enhance Taint Analysis of Embedded Systems.
Jiaxu Zhao, Yuekang Li, Yanyan Zou, Zhaohui Liang, Yang Xiao, Yeting Li, Bingwei Peng, Nanyu Zhong, Xinyi Wang, Wei Wang, Wei Huo.
In Proceedings of the 33rd USENIX Security Symposium. (CCF-A)[ISSTA] SCALE: Constructing Structured Natural Language Comment Trees for Software Vulnerability Detection.
Xincheng Wen, Cuiyun Gao, Shuzheng Gao, Yang Xiao, Michael R Lyu.
ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA). (CCF-A)[NDSS] File Hijacking Vulnerability: The Elephant in the Room.
Chendong Yu, Yang Xiao(*), Jie Lu, Yuekang Li, Yeting Li, Lian Li, Yifan Dong, Jian Wang, Jingyi Shi, Defang Bo, Wei Huo.
Network and Distributed System Security (NDSS) Symposium. (CCF-A)[ICSE] LibvDiff: Library Version Difference Guided OSS Version Identification in Binaries. Chaopeng Dong, Siyuan Li, Shouguo Yang, Yang Xiao, Yongpan Wang, Hong Li, Zhi Li, Limin Sun.
46th International Conference on Software Engineering. (CCF-A)
2023
[CCS] Enhancing OSS Patch Backporting with Semantics.
Su Yang, Yang Xiao, Zhengzi Xu, Chengyi Sun, Chen Ji, Yuqing Zhang.
The ACM Conference on Computer and Communications Security. (CCF-A)[ESEC/FSE] Learning Program Semantics for Vulnerability Detection via Vulnerability-specific Inter-procedural Slicing.
Bozhi Wu, Shangqing Liu, Yang Xiao, Zhiming Li, Jun Sun, Shang-Wei Lin.
ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering. (CCF-A)[TOSEM] Asteria-Pro: Enhancing Deep-Learning Based Binary Code Similarity Detection by Incorporating Domain Knowledge.
Shouguo Yang, Chaopeng Dong, Yang Xiao(*), Yiran Cheng, Zhiqiang Shi, Zhi Li, Limin Sun.
ACM Transactions on Software Engineering and Methodology. (CCF-A)[TOSEM] Towards Practical Binary Code Similarity Detection: Vulnerability Verification via Patch Semantic Analysis.
Shouguo Yang, Zhengzi Xu(*), Yang Xiao(*), Zhe Lang, Wei Tang, Yang Liu, Zhiqiang Shi, Hong Li, Limin Sun.
ACM Transactions on Software Engineering and Methodology. (CCF-A)[USENIX SEC] Detecting API Post-Handling Bugs Using Code and Description in Patches.
Miaoqian Lin, Kai Chen, Yang Xiao.
In Proceedings of the 32nd USENIX Security Symposium. (CCF-A)[ISSTA] ACETest: Automated Constraint Extraction for Testing Deep Learning Operators.
Jingyi Shi, Yang Xiao(*), Yuekang Li, Yeting Li, Dongsong Yu, Chendong Yu, Hui Su, Yufeng Chen, Wei Huo.
ACM SIGSOFT International Symposium on Software Testing and Analysis. (CCF-A)[S&P] Effective ReDoS Detection by Principled Vulnerability Modeling and Exploit Generation.
Xinyi Wang, Cen Zhang, Yeting Li, Zhiwu Xu, Shuailin Huang, Yi Liu, Yican Yao, Yang Xiao, Yanyan Zou, Yang Liu, Wei Huo.
2023 IEEE Symposium on Security and Privacy. (CCF-A)
2022
[Cybersecurity] Unleashing the power of pseudo-code for binary code similarity analysis.
Weiwei Zhang, Zhengzi Xu, Yang Xiao, Yinxing Xue.
Journal of Cyber Security. (CCF-C)[ICSME] VERJava: Vulnerable Version Identification for Java OSS with a Two-Stage Analysis.
Qing Sun, Lili Xu, Yang Xiao, Feng Li, He Su, Yiming Liu, Hongyun Huang, Wei Huo.
2022 IEEE International Conference on Software Maintenance and Evolution. (CCF-B)[USENIX SEC] RegexScalpel: Regular Expression Denial of Service (ReDoS) Defense by Localize-and-Fix.
Yeting Li, Yecheng Sun, Zhiwu Xu, Jialun Cao, Yuekang Li, Rongchen Li, Haiming Chen, Shing-Chi Cheung, Yang Liu, Yang Xiao.
In Proceedings of the 31st USENIX Security Symposium. (CCF-A)
2021
[Cybersecurity] B2SMatcher: Fine-Grained Version Identification of Open-Source Software in Binary Files.
Gu Ban, Lili Xu, Yang Xiao, Xinhua Li, Zimu Yuan, Wei Huo.
Journal of Cyber Security. (CCF-C)[SANER] VIVA: Binary Level Vulnerability Identification via Partial Signature.
Yang Xiao, Zhengzi Xu, Weiwei Zhang, Chendong Yu, Longquan Liu, Wei Zou, Zimu Yuan, Yang Liu, Aihua Piao, Wei Huo.
IEEE International Conference on Software Analysis, Evolution and Reengineering. (CCF-B)
2020
- [USENIX SEC] MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures.
Yang Xiao, Bihuan Chen, Chendong Yu, Zhengzi Xu, Zimu Yuan, Feng Li, Binghong Liu, Yang Liu, Wei Huo, Wei Zou, Wenchang Shi.
In Proceedings of the 29th USENIX Security Symposium. (CCF-A)
2019
[ASE] B2SFinder: Detecting Open-Source Software Reuse in COTS Software.
Muyue Feng, Zimu Yuan, Feng Li, Gu Ban, Yang Xiao, Shiyang Wang, Qian Tang, He Su, Chendong Yu, Jiahuan Xu, Aihua Piao, Jingling Xuey, Wei Huo.
IEEE/ACM International Conference on Automated Software Engineering. (CCF-A)[SANER] Open-source License Violations of Binary Software at Large Scale.
Muyue Feng, Weixuan Mao, Zimu Yuan, Yang Xiao, Gu Ban, Wei Wang, Shiyang Wang, Qian Tang, Jiahuan Xu, He Su, Binghong Liu, Wei Huo.
International Conference on Software Analysis, Evolution and Reengineering. (CCF-B)
Services
Editorial Broad Member
- CyberSecurity, 2024 - now
- 信息安全学报, 2024 - now
Journal Reviewer
- TOSEM
- TSE
- Computer & Security
- Neural Networks
- EMSE
- FCS
Conference Program Committee Member
- Internetware 2025
Students
- Current PhD Students (Co-advised):
- Chendong Yu
- Jingyi Shi
- Yufeng Chen
- Xingchu Chen
- Sihao Qiu
- Chi Zhang
- Jin Zhu
- Pingheng Wan
- Current Master’s Students:
- Keyu Qi
- Xinyue Cai
- Sheng Li
- Haimin Wang
- Former Students:
- Qing Sun - Now at [Huawei]
- Tianqi Sun - Now at [Huawei]
- Chengxi Chen - Now at [Huawei]

