Education
- Ph.D in Computer Science, University at Buffalo, 2024-Present, GPA: 4.0
- Ph.D in Computer Science, Washington State University, 2020-2024 GPA: 3.92
- M.S. in Computer Science, Washington State University, 2018-2020, GPA: 3.96
- B.S. in Automation, South China University of Technology, 2014-2018
Publications
APPATCH: Automated Adaptive Prompting Large Language Models for Real-World Software Vulnerability Patching
Yu Nong, Haoran Yang, Long Cheng, Hongxin Hu, Haipeng Cai. USENIX Security Symposium (USENIX Security), 2025.
We leverage the power and merits of pre-trained language language models (LLMs) to enable automated vulnerability patching using our introduced vulnerability semantics reasoning and adaptive prompting to elicit LLMs to effectively reason about vulnerable code behaviors, which is essential for quality patch generation.Chain-of-thought prompting of large language models for discovering and fixing software vulnerabilities
Yu Nong, Mohammed Aldeen, Long Cheng, Hongxin Hu, Feng Chen, Haipeng Cai. Under Review, 2025.
We explore how to leverage large lange models and chain-of-thoughts to address three key software vulnerability analysis tasks: identifying a given type of vulnerabilities, discovering vulnerabilities of any type, and patching detected vulnerabilities.VinJ: An Automated Tool for Large-Scale Software Vulnerability Data Generation
Yu Nong, Haoran Yang, Feng Chen, Haipeng Cai. ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2024.
We present VinJ, an efficient automated tool for large-scale diverse vulnerability data generation. VinJ automatically generates vulnerability data by injecting vulnerabilities into given programs, based on knowledge learned from existing vulnerability data.Multi-Language Software Development: Issues, Challenges, and Solutions
Haoran Yang, Yu Nong, Shaowei Wang, Haipeng Cai. IEEE Transactions on Software Engineering (TSE), 2024.
Developing software projects that incorporate multiple languages has been a prevalent practice for many years. In this paper, we provide answers to the issues encountered by developers during the development process, the underlying challenges causing these issues, and the solutions provided to developers.Learning to Detect and Localize Multilingual Bugs
Haoran Yang, Yu Nong, Tao Zhang, Xiapu Luo, Haipeng Cai. Proceedings of the ACM on Software Engineering (FSE), 2024.*
Extant static/dynamic analysis and deep learning (DL) based approaches all face major challenges in addressing multilingual bugs which cross different programming languages. In this paper, we present xLoc, a DL-based technique/tool for detecting and localizing multilingual bugs through pre-training and fine-tuning a Transformer model with customized position encoding.VGX: Large-Scale Sample Generation for Boosting Learning-Based Software Vulnerability Analyses
Yu Nong, Richard Fang, Guangbei Yi, Kunsong Zhao, Xiapu Luo, Feng Chen, Haipeng Cai. IEEE/ACM International Conference on Software Engineering (ICSE), 2024. We propose VGX, a new technique aimed for large-scale generation of high-quality vulnerability datasets. VGX combines semantics-aware contextualization, which identifies the context of vulnerability injection code edits, and human-knowledge-enhanced edit pattern formation, which uses the materialized contextualized code edits, to generate large-scale high-quality vulnerability datasets effectively.VulGen: Realistic Vulnerable Sample Generation via Pattern Mining and Deep Learning
Yu Nong, Yuzhe Ou, Michael Pradel, Feng Chen, and Haipeng Cai. IEEE/ACM International Conference on Software Engineering (ICSE), 2023.
We present VulGen, the first injection-based vulnerability-generation technique that is not limited to a particular class of vulnerabilities. It combines the strengths of deterministic (pattern-based) and probabilistic (deep-learning/DL-based) program transformation approaches while mutually overcoming respective weaknesses.Open Science in Software Engineering: A Study on Deep Learning-Based Vulnerability Detection
Yu Nong, Rainy Sharma, Abdelwahab Hamou-Lhadj, Xiapu Luo, Haipeng Cai. IEEE Transactions on Software Engineering (TSE) 2022.
An empirical study that exhaustively searches the literature in the area of deep learning-based vulnerability detection and comprehensively investigates the four integral aspects of open science: availability, executability, reproducibility, and replicability.Generating Realistic Vulnerabilities via Neural Code Editing: An Empirical Study
Yu Nong, Yuzhe Ou, Michael Pradel, Feng Chen, Haipeng Cai. ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2022
A study that explores the feasibility of vulnerability injection through neural code editing. With a synthetic dataset and a real-world one, we investigate the potential and gaps of three state-of-the-art neural code editors for vulnerability injection.Evaluating and comparing memory error vulnerability detectors
Yu Nong, Haipeng Cai, Pengfei Ye, Li Li, Feng Chen. Information and Software Technology (IST), 137, 106614. 2021
An empirical study that evaluates and compares state-of-the-art memory error vulnerability detectors against publicly available benchmark datasets of C/C++ programs, with case studies to gain in-depth explanations of successes and failures of individual tools.A Preliminary Study on Open-Source Memory Vulnerability Detectors
Yu Nong, Haipeng Cai. IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER) (pp. 557-561). 2020
Preliminary results of a study on memory vulnerability detectors based on (static and/or dynamic) program analysis, against a public suite of 520 C/C++ programs as benchmarks which cover 14 different vulnerability categories.
Teaching Experience
- Graduate Teaching Assistant (University at Buffalo)
- CSE 565 Computer Security
- Fall 2024
- CSE 418/518 Software Security
- Spring 2025
- CSE 565 Computer Security
- Graduate Teaching Assistant (Washington State University)
- CptS 322 Software Engineering Principles I
- Spring 2021
- Fall 2020
- CptS 422 Software Engineering Principles II
- Fall 2020
- CptS 322 Software Engineering Principles I
Work experience
- Summer 2020: Software Testing Consultant
Optimum Semiconductor Technologies Inc., Tarrytown, NY- Configured the integrated development environment (IDE) of SandBlaster SB3500 System on a Chip (SoC).
- Developed test programs and did functional tests of multithreading, pipelining, intrinsic, and RPU on SandBlaster SB3500 Simulator.
- Tested the compiler, linker, and IDE of SandBlaster SB3500.
- Reviewed and revised the manual of SandBlaster SB3500.
- Fall 2019: IT Helpdesk Tech Intern
Intuitive Networks, Inc., Newport Beach, CA- Configured Site-to-Site VPN on Cisco Meraki MX68 so that remote employees around the country could connect to the internal network at the headquarters by their Sonicwall TZ300s.
- Configured more than 50 Sonicwall TZ300s so that they could connect to the internal network at the headquarters correctly.
- Upgraded firmware on more than 50 Sonicwall TZ300s.
- Configured LDAP Authentication on more than 50 Sonicwall TZ300s.
- Summer 2019: Front-End Engineer Intern
Beijing Hantang Technology Stock Co., LTD, Beijing, China- Developed a front-end module for remote consulting rooms in a large-scale digital cooperation platform for more than 100 hospitals based on HTML, CSS, Javascript and jQuery.
- Based on the layout from the UI designer, developed web pages for browsing and editing lists of available remote consulting rooms; Switching video sources in meetings; Editing, browsing, and searching consulting reports; Managing consulting schedules for doctors and patients.
- Used JSON to contact the back-end server based on JSP.
Skills
- Programming Languages
- C, C++, Python, Java, C#, JavaScript, SQL, HTML, CSS
- Technologies:
- System Programming, Pattern Matching, Machine Learning, Computer Network, PyTorch, Anaconda, NodeJS, Docker, Linux, Git, MATLAB, OpenCV