News! 10/2023 Pwned Wyze Cam v3 at Pwn2Own Toronto 2023 (video).
News! 10/2023 Awarded Google PhD Fellowship 2023.
News! 07/2023 Our paper, RetSpill, got accepted in CCS 2023.
News! 05/2023 Our paper, Greenhouse, got accepted in USENIX Security 2023.
News! 03/2023 Exploited Ubuntu Desktop 22.10 at Pwn2Own Vancouver 2023 (video).
News! 12/2022 Pwned Synology NAS DiskStation 920+ at Pwn2Own Toronto 2022.
News! 12/2022 Awarded bounty from kCTF VRP for the Linux kernel vulnerability: CVE-2022-2585.
News! 08/2022 Reported (and exploited) CVE-2022-2585 that affects billions of Android devices.
News! 08/2022 Awarded the first maximum bounty from Google kCTF VRP in its entire history.
News! 06/2022 Won Linux Kernel LPE Category at TyphoonPWN (video).
News! 05/2022 Exploited Google’s COS through kCTF VRP with a novel technique.
News! 04/2022 Awarded bounty from kCTF VRP for the Linux kernel vulnerability: CVE-2022-29581.
News! 02/2022 Two papers accepted in USENIX Security 2022.

About Me

I’m Yihui (Kyle) Zeng – a PhD student of School of Computing and Augmented Intelligence at Arizona State University (ASU). My primary advisor is Dr. Tiffany Bao, but I also actively work with Dr. Yan Shoshitaishvili, Dr. Ruoyu (Fish) Wang, and Dr. Adam Doupé. I currently work at SEFCOM with a group of amazing cybersecurity researchers. My research focuses on system security, especially on automated program analysis and vulnerability discovery. I was an intern at University of California, Santa Barbara (UCSB) under the supervision of Dr. Giovanni Vigna and Dr. Christopher Kruegel in 2018.

I am a core member of the Shellphish CTF team, under the handle “kylebot”. I’m crazy about CTF. I do PWN, Reversing, and sometimes a little bit of Web and Crypto. I have participated DEF CON CTF and entered the finals every year since I joined the team in 2018. Every year, I organize iCTF, one of the largest attack-defense hacking competition in the world.

I am active in the open-source community: I am a core developer of the binary analysis platform angr, leading the development of the automatic exploitation generation framework rex, maintaining the popular educational heap exploitation project how2heap, and more.

Recently, under Google’s kCTF VRP program, I successfully performed Container Escape five times with four different novel exploitation techniques in Google Kubernetes Engine (GKE) (and won a lot of cash). In Aug 2022, I was fortunate enough to get the first maximum bounty in kCTF’s entire history (before it raised the bounty). I am a winner of Pwn2Own and TyphoonPWN.


RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections
Kyle Zeng, Zhenpeng Lin, Kangjie Lu, Xinyu Xing, Ruoyu Wang, Adam Doupé, Yan Shoshitaishvili, Tiffany Bao
Proceedings of the ACM Conference on Computer and Communications Security (CCS),
Copenhagen, Denmark November 2023.

Greenhouse: Single-Service Rehosting of Linux-Based Firmware Binaries in User-Space Emulation
Hui Jun Tay, Kyle Zeng, Jayakrishna Menon Vadayath, Arvind S Raj, Audrey Dutcher, Tejesh Reddy, Wil Gibbs, Zion Leonahenahe Basque, Fangzhou Dong, Zack Smith, Adam Doupé, Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang
Proceedings of the USENIX Security Symposium,
Anaheim, USA August 2023.

Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability
Kyle Zeng*, Yueqi Chen*, Haehyun Cho, Xinyu Xing, Adam Doupé, Yan Shoshitaishvili, Tiffany Bao
Proceedings of the USENIX Security Symposium,
Boston, USA August 2022.
* indicates equal contribution

Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs
Jayakrishna Vadayath, Moritz Eckert, Kyle Zeng, Nicolaas Weideman, Gokulkrishna Praveen Menon, Yanick Fratantonio, Davide Balzarotti, Adam Doupé, Tiffany Bao, Ruoyu Wang, Christophe Hauser, Yan Shoshitaishvili
Proceedings of the USENIX Security Symposium,
Boston, USA August 2022.

SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning
Nicola Ruaro, Lukas Dresel, Kyle Zeng, Tiffany Bao, Mario Polino, Andrea Continella, Stefano Zanero, Christopher Kruegel, Giovanni Vigna
Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID),
San Sebastian, Spain October 2021.

An Empirical Study on Mobile Payment Credential Leaks and Their Exploits
Shangcheng Shi, Xianbo Wang, Kyle Zeng, Ronghai Yang, Wing Cheong Lau
Proceedings of the 17th EAI International Conference on Security and Privacy in Communication Networks (SecureComm’21),
Virtual, September 2021.

Favocado: Fuzzing the Binding Code of JavaScript Engines Using Semantically Correct Test Cases
Sung Ta Dinh, Haehyun Cho, Kyle Martin, Adam Oest, Kyle Zeng, Alexandros Kapravelos, Gail-Joon Ahn, Tiffany Bao, Ruoyu Wang, Adam Doupé, Yan Shoshitaishvili
Proceedings of the Network and Distributed System Security Symposium (NDSS),
Virtual, February 2021.

Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization
Yanhao Wang, Xiangkun Jia, Yuwei Liu, Kyle Zeng, Tiffany Bao, Dinghao Wu, Purui Su
Proceedings of the Network and Distributed System Security Symposium (NDSS),
San Diego, CA February 2020.

Honors & Awards

  • Partial Win in Surveillance Systems Category at Pwn2Own (Captain of SEFCOM T0), Toronto, Canada, 2023
  • Google PhD Fellowship, Google, 2023
  • Winner of Ubuntu Desktop LPE at Pwn2Own, Vancouver, Canada, 2023
  • SCAI Doctoral Fellowship, Arizona State University, 2023
  • Partial Win in NAS Category at Pwn2Own (Captain of ASU SEFCOM), Toronto, Canada, 2022
  • kCTF VRP Program (CVE-2022-2585), Google, 2022
  • 13th Place in DEF CON 30 CTF (Shellphish), Las Vegas, USA, 2022
  • kCTF VRP Program (CVE-2022-1786, First Maximum Bounty in kCTF’s history: $91,337), Google, 2022
  • Winner of Linux PE Category at TyphoonPWN 2022, SSD Secure Disclosure, 2022
  • kCTF VRP Program (CVE-2022-29581, with Zhenpeng Lin), Google, 2022
  • SCAI Doctoral Fellowship, Arizona State University, 2022
  • kCTF VRP Program (CVE-2021-4154, with Zhenpeng Lin), Google, 2021
  • 14th Place in DEF CON 29 CTF (Shellphish), Las Vegas, USA, 2021
  • 7th Place in DEF CON 28 CTF (Shellphish), Virtual, 2020
  • Engineering Graduate Fellowship, Arizona State University, 2020
  • 10th Place in DEF CON 27 CTF (Shellphish), Las Vegas, USA, 2019
  • Cybersecurity Fellowship, Arizona State University, 2019

Community Services

  • external reviewer in IEEE Symposium on Security and Privacy (IEEE S&P), 2024
  • PC member in IEEE Workshop on Offensive Technologies (WOOT), 2023
  • external reviewer in USENIX Security, 2022
  • external reviewer in IEEE European Symposium on Security and Privacy (EuroS&P), 2021
  • external reviewer in Annual Computer Security Applications Conference (ACSAC), 2020


  • Fall 2022 : Information Assurance (CSE 365), Teaching Assistant
  • Fall 2020 : Software Security (CSE 545), Teaching Assistant


GitHub: Kyle-Kyle
Email: zengyhkyle<AT>
Twitter: @ky1ebot