West wind withered trees, alone on high tower, I gazed at distant lanes.
No regrets, my belt loose, but love's enduring strain for you.
Seeking her again and again, in dim light, she resides, where lanterns wane.
Hey, I am Yunlong Lyu, currently a PhD student at the HKU-JC STEM Lab of Intelligent Cybersecurity. In 2024-2025, I am working at Alibaba Cloud as a Senior Security Engineer, and in 2022-2024, I worked at Tencent Security Lab. I am dedicated to using AI to solve problems in the field of software and system security. I have detected and fixed nearly a hundred security vulnerabilities in well-known open-source software such as the Linux kernel. I obtained a master's degree in Cyberspace Security from the University of Science and Technology of China in 2022, under the guidance of Professor Qibin Sun. In 2019, I received a bachelor's degree in Information Security from China University of Geosciences (Wuhan). From 2020 to 2021, I interned at the G.O.S.S.I.P Software Security Research Group at Shanghai Jiao Tong University, under the guidance of Professor Juanru Li.
FuzzAgent: Multi-Agent System for Evolutionary Library Fuzzing.
Yunlong Lyu, Peng Chen, Fengyi Wu, Junzhe Yu, Kit Long Hon, and Hao Chen.
arXiv preprint, 2026.
"Tab, Tab, Bug": Security Pitfalls of Next Edit Suggestions in AI-Integrated IDEs
Yunlong Lyu, Yixuan Tang, Peng Chen, Tian Dong, Xinyu Wang, Zhiqiang Dong, Hao Chen.
arXiv preprint, 2026.
Prompt Fuzzing for Fuzz Driver Generation.
Yunlong Lyu, Yuxuan Xie, Peng Chen, and Hao Chen.
In ACM Conference on Computer and Communications Security (CCS), Salt Lake City, U.S.A., 12, 2024.
HOPPER: Interpretative Fuzzing for Libraries.
Peng Chen, Yuxuan Xie, Yunlong Lyu, Yuxiao Wang, and Hao Chen.
In ACM Conference on Computer and Communications Security (CCS), Copenhagen, Denmark, 11, 2023.
Goshawk: Hunting Memory Corruptions via Structure-Aware and Object-Centric Memory Operation Synopsis.
Yunlong Lyu, Yi Fang, Yiwei Zhang, Qibin Sun, Siqi Ma, Elisa Bertino, Kangjie Lu, Juanru Li.
In the Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P), 2022.
SparrowHawk: Memory Safety Flaw Detection via Data-Driven Source Code Annotation.
Yunlong Lyu, Wang Gao, Siqi Ma, Qibin Sun, Juanru Li.
In the Proceedings of the 17th International Conference on Information Security and Cryptology (Inscrypt) (CCF-C), 2021.
| ID | Project | Bug ID | Bug Type | Method |
|---|---|---|---|---|
| 1 | Linux kernel | 3093ee182f | use-after-free | Goshawk |
| 2 | Linux kernel | 2bb817712e | double-free | Goshawk |
| 3 | Linux kernel | db74623a38 | use-after-free | Goshawk |
| 4 | Linux kernel | ea45b6008f | double-free | Goshawk |
| 5 | Linux kernel | 63415767a2 | use-after-free | Goshawk |
| 6 | Linux kernel | 6e5a03bcba | use-after-free | Goshawk |
| 7 | Linux kernel | 8392df5d7e | use-after-free | Goshawk |
| 8 | Linux kernel | f7cae626ca | double-free | Goshawk |
| 9 | Linux kernel | b25b343db0 | double-free | Goshawk |
| 10 | Linux kernel | a8e083ee8e | double-free | Goshawk |
| 11 | Linux kernel | 076de75de1 | double-free | Goshawk |
| 12 | Linux kernel | 6bf24dc0cc | double-free | Goshawk |
| 13 | Linux kernel | 6d72e7c767 | use-after-free | Goshawk |
| 14 | Linux kernel | 643001b47a | use-after-free | Goshawk |
| 15 | Linux kernel | 7525858679 | double-free | Goshawk |
| 16 | Linux kernel | 37df9f3fed | double-free | Goshawk |
| 17 | Linux kernel | 1b479fb801 | double-free | Goshawk |
| 18 | Linux kernel | 9ceee7d084 | use-after-free | Goshawk |
| 19 | Linux kernel | bdc2ab5c61 | use-after-free | Goshawk |
| 20 | Linux kernel | adb76a520d | use-after-free | Goshawk |
| 21 | Linux kernel | c8c165dea4 | use-after-free | Goshawk |
| 22 | Linux kernel | abec6561fc | use-after-free | Goshawk |
| 23 | Linux kernel | 1c98f57440 | use-after-free | Goshawk |
| 24 | Linux kernel | 34b39efa5a | double-free | Goshawk |
| 25 | Linux kernel | 72ce11ddfa | double-free | Goshawk |
| 26-27 | Linux kernel | 4fb44dd2c1 | use-after-free | Goshawk |
| 28 | Linux kernel | 52762efa2b | use-after-free | Goshawk |
| 29 | Linux kernel | 9272e5d002 | double-free | Goshawk |
| 30 | Linux kernel | ea995218dd | double-free | Goshawk |
| 31-32 | Linux kernel | 7272b591c4 | use-after-free | Goshawk |
| 33 | Linux kernel | 115726c5d3 | double-free | Goshawk |
| 34 | Linux kernel | 01fe904c9a | use-after-free | Goshawk |
| 35 | Linux kernel | 1404497 | double-free | Goshawk |
| 36-40 | Linux kernel | aadb22ba2f6 | use-after-free | Goshawk |
| 41 | Linux kernel | f973795a | double-free | Goshawk |
| 42 | Linux kernel | 7b0ddc134 | use-after-free | Goshawk |
| 43 | FreeBSD kernel | 255859 | use-after-free | Goshawk |
| 44 | FreeBSD kernel | 255862 | double-free | Goshawk |
| 45 | FreeBSD kernel | 255863 | use-after-free | Goshawk |
| 46 | FreeBSD kernel | 255864 | double-free | Goshawk |
| 47-48 | FreeBSD kernel | 255865 | use-after-free | Goshawk |
| 49 | FreeBSD kernel | 255866 | use-after-free | Goshawk |
| 50 | FreeBSD kernel | 255868 | use-after-free | Goshawk |
| 51 | FreeBSD kernel | 255869 | use-after-free | Goshawk |
| 52 | FreeBSD kernel | 255871 | use-after-free | Goshawk |
| 53 | FreeBSD kernel | 255872 | use-after-free | Goshawk |
| 54 | FreeBSD kernel | 255874 | double-free | Goshawk |
| 55 | FreeBSD kernel | 255875 | double-free | Goshawk |
| 56 | FreeBSD kernel | 255878 | double-free | Goshawk |
| 57 | FreeBSD kernel | 255879 | double-free | Goshawk |
| 58 | FreeBSD kernel | 255880 | double-free | Goshawk |
| 59 | FreeBSD kernel | 255881 | use-after-free | Goshawk |
| 60 | OpenSSL | 14910 | double-free | Goshawk |
| 61 | OpenSSL | 14913 | double-free | Goshawk |
| 62 | OpenSSL | 14914 | double-free | Goshawk |
| 63 | OpenSSL | 14915 | double-free | Goshawk |
| 64-67 | OpenSSL | 14916 | double-free | Goshawk |
| 68 | OpenSSL | 20278 | double-free | Goshawk |
| 69 | OpenSSL | 20299 | use-after-free | Goshawk |
| 70 | Redis | 8797 | use-after-free | Goshawk |
| 71-75 | Tencent-IoT-Explorer-SDK | 10 | double-free | Goshawk |
| 76-77 | Tencent-IoT-Explorer-SDK | 11 | use-after-free | Goshawk |
| 78-80 | Tencent-IoT-SDK | 37 | use-after-free | Goshawk |
| 81 | cJSON | 722 | null-pointer-crash | Hopper |
| 82 | cJSON | 726 | null-pointer-crash | Hopper |
| 83-84 | c-ares | 496 | stack-overflow | Hopper |
| 85 | libpng | 453 | invalid-string | Hopper |
| 86 | zlib | 761 | SEGV | Hopper |
| 87 | zlib | 837 | SEGV | Hopper |
| 88 | zlib | 840 | SEGV | Hopper |
| 89 | sqlite3 | bbbbb66b6b | SEGV | Hopper |
| 90 | Little-CMS | 350 | SEGV | Hopper |
| 91 | Little-CMS | 351 | SEGV | Hopper |
| 92 | Little-CMS | 353 | SEGV | Hopper |
| 93 | Little-CMS | 354 | SEGV | Hopper |
| 94 | Little-CMS | 355 | SEGV | Hopper |
| 95-96 | Libpcap | 1147 | SEGV | Hopper |
| 97-101 | Python | cef5438cc896 | null-pointer-dereference | SparrowHawk |
| 102 | Vim | b9616af23f31 | double-free | SparrowHawk |
| 103-104 | GnuTLS | Reported via mails | null-pointer-dereference | SparrowHawk |
| 105 | GnuTLS | Reported via mails | double-free | SparrowHawk |
| 106-117 | OpenHarmony (third-party) | by mails | null-pointer-dereference | SparrowHawk |
| 118 | Libaom | 3489 | SEGV | PromptFuzz |
| 119 | Libaom | 3509 | Uninitialized memory | PromptFuzz |
| 120 | Libaom | 3510 | Integer overflow | PromptFuzz |
| 121 | Libaom | 3534 | SEGV | PromptFuzz |
| 122 | LibVpx | 1817 | SEGV | PromptFuzz |
| 123 | LibVpx | 1827 | Buffer overflow | PromptFuzz |
| 124 | LibVpx | 1828 | Integer overflow | PromptFuzz |
| 125 | LibVpx | 1831 | Integer overflow | PromptFuzz |
| 126 | LibVpx | 1837 | SEGV | PromptFuzz |
| 127 | LibTIFF | CVE-2023-6277 (CVSS 6.5) | OOM | PromptFuzz |
| 128 | LibTIFF | 619 | OOM | PromptFuzz |
| 129-130 | LibTIFF | 620 | OOM | PromptFuzz |
| 131 | LibTIFF | CVE-2023-52355 (CVSS 7.5 HIGH!) | OOM | PromptFuzz |
| 132 | LibTIFF | CVE-2023-52356 (CVSS 7.5 HIGH!) | SEGV | PromptFuzz |
| 133 | Sqlite3 | e77a5c3445 | null-pointer-crash | PromptFuzz |
| 134 | Sqlite3 | 9ce835fe96 | null-pointer-crash | PromptFuzz |
| 135 | Sqlite3 | 5e3fc453a6 | null-pointer-crash | PromptFuzz |
| 136-137 | c-ares | d62627e8b3 | Memory leak | PromptFuzz |
| 138 | Libjpeg-turbo | 735 | OOM | PromptFuzz |
| 139 | Libjpeg-turbo | 05652673 | OOM | PromptFuzz |
| 140 | libpcap | 1233 | File leak | PromptFuzz |
| 141 | libpcap | 1239 | null-pointer-crash | PromptFuzz |
| 142 | cJSON | 807 | null-pointer-crash | PromptFuzz |
| 143 | curl | 12775 | Abort | PromptFuzz |
| 144 | zlib | #1222 | Integer Overflow | FuzzAgent |
| 145 | c-ares | #1144 | Integer Overflow | FuzzAgent |
| 146 | liblouis | #1976 | SEGV | FuzzAgent |
| 147 | liblouis | Embargo | Buffer Overflow | FuzzAgent |
| 148 | liblouis | #1978 | SEGV | FuzzAgent |
| 149 | liblouis | #1980 | Buffer Overflow | FuzzAgent |
| 150 | liblouis | #1982 | Buffer Overflow | FuzzAgent |
| 151 | liblouis | #1986 | Memory Leak | FuzzAgent |
| 152 | liblouis | #1984 | Integer Overflow | FuzzAgent |
| 153 | liblouis | #1987 | SEGV | FuzzAgent |
| 154 | libpcap | #1634 | Address Misalignment | FuzzAgent |
| 155 | libpcap | Embargo | Assertion Failure | FuzzAgent |
| 156 | lcms | #546 | Documentation | FuzzAgent |
| 157 | lcms | #545 | Documentation | FuzzAgent |
| 158 | lcms | #544 | NULL Pointer | FuzzAgent |
| 159 | libvpx | 506017558 | Assertion Failure | FuzzAgent |
| 160 | libvpx | 505947426 | Integer Overflow | FuzzAgent |
| 161 | libvpx | 505947421 (Embargo) | Buffer Overflow | FuzzAgent |
| 162 | libvpx | 505947417 (Embargo) | Assertion Failure | FuzzAgent |
| 163 | libvpx | 505947415 | SEGV | FuzzAgent |
| 164 | libvpx | 505902439 | SEGV | FuzzAgent |
| 165 | libvpx | 505902436 | Integer Overflow | FuzzAgent |
| 166 | libvpx | 505830937 (Embargo) | SEGV | FuzzAgent |
| 167 | libvpx | 505902433 (Embargo) | Buffer Overflow | FuzzAgent |
| 168 | libvpx | 505665625 (Embargo) | SEGV | FuzzAgent |
| 169 | libvpx | 505665619 | Assertion Failure | FuzzAgent |
| 170 | libvpx | 505665613 (Embargo) | Buffer Overflow | FuzzAgent |
| 171 | libvpx | 505631147 | Integer Overflow | FuzzAgent |
| 172 | libvpx | 505623919 | Integer Overflow | FuzzAgent |
| 173 | libvpx | 505286909 (Embargo) | SEGV | FuzzAgent |
| 174 | libvpx | 505286908 | Integer Overflow | FuzzAgent |
| 175 | libvpx | 505286906 | SEGV | FuzzAgent |
| 176 | libvpx | 505286904 | SEGV | FuzzAgent |
| 177 | libvpx | 505286902 | Integer Overflow | FuzzAgent |
| 178 | libvpx | 505286900 | Buffer Overflow | FuzzAgent |
| 179 | libvpx | 505215075 | Integer Overflow | FuzzAgent |
| 180 | libvpx | 505208797 | Integer Overflow | FuzzAgent |
| 181 | libvpx | 496881245 | NULL Pointer | FuzzAgent |
| 182 | libvpx | 496881243 | Integer Overflow | FuzzAgent |
| 183 | libvpx | 496807676 | Integer Overflow | FuzzAgent |
| 184 | libvpx | 441668134 (Embargo) | Buffer Overflow | FuzzAgent |
| 185 | libvpx | 442161280 (Embargo) | Buffer Overflow | FuzzAgent |
| 186 | libvpx | 442105459 (Embargo) | SEGV | FuzzAgent |
| 187 | libaom | 503987489 | Assertion Failure | FuzzAgent |
| 188 | libaom | 503993976 | Assertion Failure | FuzzAgent |
| 189 | libaom | 503810640 | Integer Overflow | FuzzAgent |
| 190 | libaom | 503689686 (Embargo) | Integer Overflow | FuzzAgent |
| 191 | libaom | 503326506 (Embargo) | SEGV | FuzzAgent |
| 192 | libaom | 503197490 | Integer Overflow | FuzzAgent |
| 193 | libaom | 503187935 (Embargo) | Integer Overflow | FuzzAgent |
| 194 | libaom | 503171644 (Embargo) | Integer Overflow | FuzzAgent |
| 195 | libaom | 503197473 (Embargo) | Buffer Overflow | FuzzAgent |
| 196 | libaom | 503171639 (Embargo) | Buffer Overflow | FuzzAgent |
| 197 | libaom | 503013394 | Integer Overflow | FuzzAgent |
| 198 | libaom | 502933723 | Integer Overflow | FuzzAgent |
| 199 | libaom | 504317456 (Embargo) | Buffer Overflow | FuzzAgent |
| 200 | libaom | 503993985 (Embargo) | Buffer Overflow | FuzzAgent |
| 201 | libaom | 503993984 (Embargo) | Buffer Overflow | FuzzAgent |
| 202 | libaom | 503975732 (Embargo) | Buffer Overflow | FuzzAgent |
| 203 | libaom | 503689685 (Embargo) | SEGV | FuzzAgent |
| 204 | libaom | 503691210 | SEGV | FuzzAgent |
| 205 | libaom | 471031723 | Abort | FuzzAgent |
| 206 | libaom | 471095598 | Buffer Overflow | FuzzAgent |
| 207 | libaom | 205641 | Buffer Overflow | FuzzAgent |
| 208 | protobuf | #27099 | SEGV | FuzzAgent |
| 209 | protobuf | #26546 | NULL Pointer | FuzzAgent |
| 210 | OpenSSL | #30919 | NULL Pointer | FuzzAgent |
| 211 | OpenSSL | #30922 | NULL Pointer | FuzzAgent |
| 212 | OpenSSL | #30921 | NULL Pointer | FuzzAgent |
| 213 | OpenSSL | #29617 | Type Mismatch | FuzzAgent |
| 214 | OpenSSL | #29616 | Type Mismatch | FuzzAgent |
| 215 | OpenSSL | #29615 | Type Mismatch | FuzzAgent |
| 216 | OpenCV | #28580 | Type Mismatch | FuzzAgent |
| 217 | OpenCV | #28597 | Misaligned Address | FuzzAgent |
| 218 | OpenCV | #28598 | Integer Overflow | FuzzAgent |
| 219 | OpenCV | #28926 | Integer Overflow | FuzzAgent |
| 220 | OpenCV | #28928 | Type Mismatch | FuzzAgent |
| 221 | OpenCV | #28930 | Integer Overflow | FuzzAgent |
| 222 | OpenCV | #28940 | Integer Overflow | FuzzAgent |
| 223 | OpenCV | #28941 | Buffer Overflow | FuzzAgent |
| 224 | pugixml | #713 | Assertion Failure | FuzzAgent |
| 225 | pugixml | #714 | Buffer Overflow | FuzzAgent |