Email: c[lastname]

Office: Room 315A, Chow Yei Ching Building

The University of Hong Kong

Pokfulam, Hong Kong

I am an Assistant Professor in the Computer Science Department at The University of Hong Kong. I lead the HKUS3 Lab, where we design and build systems to automatically detect and prevent attacks in software and systems. Our research interests encompass program analysis, software debloating, dynamic/hybrid testing, and applying AI for security.


  • [2024-06] Our paper (Invisibility Cloak) is accepted by USENIX Security 2024.
  • [2024-05] Jiayi Zhang joins our group as a Ph.D. student.
  • [2023-04] Yingying Liu is awarded HKPFS.
  • [2023-02] Yingying Liu and Junzhe Li are awarded HKU Presidential PhD Scholarship.
  • [2022-09] The Software Debloating project gets funded by NSFC.
  • [2022-08] The Blockchain Security project gets funded by HKU-SCF FinTech Academy.
  • [2022-07] Qingyu Zhang joins our group as a Ph.D. student.
  • [2022-04] Jiayi Lin joins our group as a Ph.D. student.

Selected Publications

Chenxin Sun, Kai Ye, Liangcai Su, Jiayi Zhang, and Chenxiong Qian. Invisibility Cloak: Proactive Defense Against Visual Game Cheating. (USENIX Security 2024, to appear) [Demo]

Hao Zhou, Shuohan Wu, Chenxiong Qian, Xiapu Luo, Haipeng Cai, and Chao Zhang. Beyond the Surface: Uncovering the Unprotected Components of Android Against Overlay Attack. (NDSS 2024).

Pengfei Jing, Zhiqiang Cai, Yingjie Cao, Le Yu, Yuefeng Du, Wenkai Zhang, Chenxiong Qian, Xiapu Luo, Sen Nie, and Shi Wu. Revisiting Automotive Attack Surfaces: a Practitioners’ Perspective. (S&P 2024).

Shuohan Wu, Jianfeng Li, Hao Zhou, Yongsheng Fang, Kaifa Zhao, Haoyu Wang, Chenxiong Qian, and Xiapu Luo. CydiOS: a model-based testing framework for iOS apps. ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2023).

ChangSeok Oh, Sangho Lee, Chenxiong Qian, Hyungjoon Koo, and Wenke Lee. DeView: Confining Progressive Web Applications by Debloating Web APIs. Annual Computer Security Applications Conference (ACSAC 22).

Chenxiong Qian, Hyungjoon Koo, ChangSeok Oh, Taesoo Kim, and Wenke Lee. Slimium: Debloating the Chromium Browser with Feature Subsetting. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS 2020).

Chenxiong Qian, Hong Hu, Mansour Alharthi, Pak Ho Chung, Taesoo Kim, and Wenke Lee. RAZOR: A Framework for Post-deployment Software Debloating. 28th USENIX Security Symposium (USENIX Security 19).

Full List


  • 2024
    • PC – USENIX Security, ACSAC, SecureComm
  • 2023
    • PC – ACSAC 2023
    • PC – EAI SecureComm 2023
    • Reviewer – TDSC
    • Reviewer – Computers and Security
  • 2022
    • Reviewer – TDSC