Hao Zhou

• Research Assistant Professor
• Department of Computing (COMP)
  The Hong Kong Polytechnic University
  PQ813, Mong Man Wai Building, PolyU
  Hung Hom, Kowloon, Hong Kong SAR, China
• E-mail: hcnzhou (at) polyu.edu.hk, sunmoonsky0001 (at) gmail.com, cshaoz (at) comp.polyu.edu.hk

Biography

Hao received the Ph.D. degree in Department of Computing at the Hong Kong Polytechnic University, supervised by Prof. Xiapu Luo. He obtained his B.E. in Communication Engineering and M.E. in Information Security from Nanjing University of Posts and Telecommunications, advised by Prof. Wei Zhang. His current research interests include Mobile Systems Security, Operating Systems Security, Malware Analysis, Program Analysis, and Blockchain with papers published in top-tier venues (e.g., CCS, NDSS, S&P, USENIX SEC, ASE, FSE, ICSE, ISSTA, INFOCOM, WWW, TIFS, TSE). His ISSTA’22 paper received the ACM SIGSOFT Distinguished Paper Award. His research uncovered many severe vulnerabilities in mobile systems with 20 CVEs assigned.

Experience

• 08/2023 - current, Research Assistant Professor, The Hong Kong Polytechnic University
• 11/2022 - 08/2023, Postdoctoral Fellow, The Hong Kong Polytechnic University

Education

• 09/2018 - 10/2022, Ph.D., The Hong Kong Polytechnic University
  [Thesis] Defending against Stealthy Mobile Unwanted Apps
• 09/2015 - 06/2018, M.E., Nanjing University of Posts and Telecommunications
  [Thesis] Android Repackaged App Detection
• 09/2011 - 06/2015, B.E., Nanjing University of Posts and Telecommunications

Selected Publication (More in Google Scholar)

• Beyond the Surface: Uncovering the Unprotected Components of Android Against Overlay Attack
  [paper] [artifacts]
  Hao Zhou^*, Shuohan Wu^*(co-first authors), Chenxiong Qian, Xiapu Luo, Haipeng Cai, Chao Zhang
  31st Network and Distributed Systems Security Symposium (NDSS), 2024
• WADIFF: A Differential Testing Framework for WebAssembly Runtimes
  [paper]
  Shiyao Zhou, Muhui Jiang, Weimin Chen, Hao Zhou, Haoyu Wang, Xiapu Luo
  38th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023
• CydiOS: A Model-based Testing Framework for iOS Apps
  [paper] [artifacts]
  Shuohan Wu, Jianfeng Li, Hao Zhou, Yongsheng Fang, Kaifa Zhao, Haoyu Wang, Chenxiong Qian, Xiapu Luo
  32nd International Symposium on Software Testing and Analysis (ISSTA), 2023
• Automata-Guided Control-Flow-Sensitive Fuzz Driver Generation
  [paper] [artifacts]
  Cen Zhang, Yuekang Li, Hao Zhou, Xiaohan Zhang, Yaowen Zheng, Xian Zhan, Xiaofei Xie, Xiapu Luo, Xinghua Li, Yang Liu, Sheikh Mahbub Habib
  32nd USENIX Security Symposium (USENIX SEC), 2023
• Uncovering Intent based Leak of Sensitive Data in Android Framework
  [paper] [artifacts]
  Hao Zhou, Xiapu Luo, Haoyu Wang, Haipeng Cai
  29th ACM Conference on Computer and Communications Security (CCS), 2022
• FOAP: Fine-Grained Open-World Android App Fingerprinting
  [paper] [artifacts]
  Jianfeng Li, Hao Zhou, Shuohan Wu, Xiapu Luo, Ting Wang, Xian Zhan, Xiaobo Ma
  31st USENIX Security Symposium (USENIX SEC), 2022
• NCScope: Hardware-Assisted Analyzer for Native Code in Android Apps
  [paper] [artifacts] [ACM SIGSOFT Distinguished Paper Award]
  Hao Zhou, Shuohan Wu, Xiapu Luo, Ting Wang, Yajin Zhou, Chao Zhang, Haipeng Cai
  31st International Symposium on Software Testing and Analysis (ISSTA), 2022
• Lie to Me: Abusing the Mobile Content Sharing Service for Fun and Profit
  [paper]
  Guosheng Xu, Siyi Li, Hao Zhou, Shucen Liu, Yutian Tang, Li Li, Xiapu Luo, Xusheng Xiao, Guoai Xu, Haoyu Wang
  ACM Web Conference (WWW), 2022
• Uncovering Cross-Context Inconsistent Access Control Enforcement in Android
  [paper] [artifacts]
  Hao Zhou, Haoyu Wang, Xiapu Luo, Ting Chen, Yajin Zhou, Ting Wang
  29th Network and Distributed Systems Security Symposium (NDSS), 2022
• Packet-Level Open-World App Fingerprinting on Wireless Traffic
  [paper] [artifacts]
  Jianfeng Li, Shuohan Wu, Hao Zhou, Xiapu Luo, Ting Wang, Yangyang Liu, Xiaobo Ma
  29th Network and Distributed Systems Security Symposium (NDSS), 2022
• Structural Attack against Graph Based Android Malware Detection
  [paper] [artifacts]
  Kaifa Zhao, Hao Zhou, Yulin Zhu, Xian Zhan, Kai Zhou, Jianfeng Li, Le Yu, Wei Yuan, Xiapu Luo
  28th ACM Conference on Computer and Communications Security (CCS), 2021
• Finding the Missing Piece: Permission Specification Analysis for Android NDK
  [paper] [artifacts]
  Hao Zhou, Haoyu Wang, Shuohan Wu, Xiapu Luo, Yajin Zhou, Ting Chen, Ting Wang
  36th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2021
• XDebloat: Towards Automated Feature-Oriented App Debloating
  [paper] [artifacts]
  Yutian Tang, Hao Zhou, Xiapu Luo, Ting Chen, Haoyu Wang, Zhou Xu, Yan Cai
  IEEE Transactions on Software Engineering (TSE), 2021
• Happer: Unpacking Android Apps via a Hardware-Assisted Approach
  [paper] [artifacts] [datasets]
  Lei Xue^*, Hao Zhou^* (co-first authors), Xiapu Luo, Yajin Zhou, Yang Shi, Guofei Gu, Fengwei Zhang, Man Ho Au
  42nd IEEE Symposium on Security and Privacy (S&P), 2021
• Demystifying Diehard Android Apps
  [paper] [artifacts]
  Hao Zhou, Haoyu Wang, Yajin Zhou, Xiapu Luo, Yutian Tang, Lei Xue, Ting Wang
  35th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2020
• UI Obfuscation and Its Effects on Automated UI Analysis for Android Apps
  [paper] [artifacts]
  Hao Zhou, Ting Chen, Haoyu Wang, Le Yu, Xiapu Luo, Ting Wang, Wei Zhang
  35th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2020
• PackerGrind: An Adaptive Unpacking System for Android Apps
  [paper] [artifacts]
  Lei Xue, Hao Zhou, Xiapu Luo, Le Yu, Dinghao Wu, Yajin Zhou, Xiaobo Ma
  IEEE Transactions on Software Engineering (TSE), 2020
• DINA: Detecting Hidden Android Inter-App Communication in Dynamic Loaded Code
  [paper] [artifacts]
  Mohannad Alhanahnah, Qiben Yan, Hamid Bagheri, Hao Zhou, Yutaka Tsutano, Witawas Srisa-an, Xiapu Luo
  IEEE Transactions on Information Forensics and Security (TIFS), 2020
• Detecting Vulnerable Android Inter-App Communication in Dynamically Loaded Code
  [paper] [artifacts]
  Mohannad Alhanahnah, Qiben Yan, Hamid Bagheri, Hao Zhou, Yutaka Tsutano, Witawas Srisa-an, Xiapu Luo
  IEEE Conference on Computer Communications (INFOCOM), 2019
• PPChecker: Towards Accessing the Trustworthiness of Android Apps’ Privacy Policies
  [paper]
  Le Yu, Xiapu Luo, Jiachi Chen, Hao Zhou, Tao Zhang, Henry Chang, Hareton K. N. Leung
  IEEE Transactions on Software Engineering (TSE), 2018
• NDroid: Toward Tracking Information Flows Across Multiple Android Contexts
  [paper] [artifacts]
  Lei Xue, Chenxiong Qian, Hao Zhou, Xiapu Luo, Yajin Zhou, Yuru Shao, Alvin T.S. Chan
  IEEE Transactions on Information Forensics and Security (TIFS), 2018

Awards

• ACM SIGSOFT Distinguished Paper Award at ISSTA’22

Services

• Technical Program Committee Member
  2024: AsiaCCS, ISSTA, SEKE, USENIX Security
• Artifacts Evaluation Committee Member
  2022: ACSAC
  2020: ACSAC
• Conference Reviewer
  2024: WWW
• Journal Reviewer
  IEEE Transactions on Dependable and Secure Computing (TDSC)
  Artificial Intelligence Review (AIRE)

Teaching Experience

• Object-oriented Programming (COMP2021), Teaching Assistant
• Software Project Management (COMP3235), Teaching Assistant
• Social and Collaborative Computing (COMP3121), Teaching Assistant
• Cyber and Internet Security (COMP5355), Teaching Assistant

Discovered Vulnerabilities

• Google Android
  CVE-2020-27057, CVE-2021-39789, CVE-2021-39702, CVE-2021-39692, CVE-2021-39796,
  CVE-2022-20200, CVE-2023-21017, CVE-2023-*****
• Honor MagicUI
  CVE-2022-*****
• Samsung OneUI
  CVE-2022-27575, CVE-2022-27576, CVE-2022-30722, CVE-2022-30723, CVE-2022-30724,
  CVE-2022-30725, CVE-2022-30729, CVE-2022-30755, CVE-2022-33723, CVE-2022-33727,
  CVE-2022-33729, CVE-2022-36868,
• Vivo OriginOS
  CVE-2022-*****, CVE-2022-*****, CVE-2022-*****
• Several low-severity vulnerabilities in Google Android, Honor MagicUI, Samsung OneUI, Xiaomi MIUI, and Meizu FlymeOS.