I am a postdoctoral researcher in the Advanced Software Technologies (AST) lab at ETH Zurich, mentored by Prof. Zhendong Su. I obtained my Ph.D. in Computer Science and Engineering from The Hong Kong University of Science and Technology (HKUST) in 2024 under the supervision of Prof. Shuai Wang. Prior to that, I received my B.S. in Computer Science from Fudan University in 2020.

E-mail: yuanyuan.yuan [at] inf.ethz.ch

🌟 I am on the academic job market and would be delighted to connect! Please feel free to reach out if you’re interested.

Research Interests

My research focuses on the safety (i.e., addressing unintentional defects and ensuring reliable behaviors) and security (i.e., uncovering and mitigating intentional attacks and privacy breaches) of AI systems. My long-term goal is to strengthen AI systems’ safety and security across a range of conventional and emerging scenarios. Over the past several years, I have been pursuing this goal primarily from software and hardware perspectives.

From the software perspective, I employ software testing and verification, two fundamental and complementary techniques, to enhance the safety of AI systems. My research has redefined the entire testing framework for AI systems, including the testing input generation [TSE 24], testing objectives [ICSE 23a, ICSE 23b], testing oracles [ASE 22, CVPR 21], and the follow-up repairing [ISSTA 24]. It has also bridged different verification techniques to real-world applications of AI systems [USENIX Security 23b].

From the hardware perspective, I analyze hardware activities in AI systems to uncover new attack vectors. Specifically, my research has revealed different hardware side channels that compromise data privacy, such as input leakages to malicious users [USENIX Security 22, ICLR 21], input and AI model leakages to untrusted hosts in TEE-protected AI systems [IEEE S&P 25, CCS 24]. It has also identified pervasive and stealthy hardware fault injections that manipulate AI system’s outputs [NDSS 25a]. To defend against these attacks, I have proposed universal detection techniques for the leakages [USENIX Security 23a] and injections [NDSS 25b, NDSS 23].

Education & Experience

• Postdoctoral Researcher. AST lab, ETH Zurich. Oct. 2024 - present.

• Ph.D. in Computer Science and Engineering. HKUST. Sep. 2020 - Sep. 2024.
  🎓 Thesis: Side Channel Analysis for AI Infrastructures
  🏆 Best PhD Dissertation Award 2024 (one awardee per year), CSE, HKUST

• Visiting Researcher. AST lab, ETH Zurich. Sep. 2022 - Sep. 2023.

• B.S. in Computer Science. Fudan University. Sep. 2016 - July 2020.

Selected Publications (full list)

$^\dagger$ indicates corresponding authors, i.e., first-author works of junior students I mentored.

• [IEEE S&P 25] CipherSteal: Stealing Input Data from TEE-Shielded Neural Networks with Ciphertext Side Channels.
  Yuanyuan Yuan, Zhibo Liu, Sen Deng, Yanzuo Chen, Shuai Wang, Yinqian Zhang, and Zhendong Su.
  In 46th IEEE Symposium on Security and Privacy, 2025.
  🏆 Distinguished Paper Award
  [preprint]

• [CCS 24] HyperTheft: Thieving Model Weights from TEE-Shielded Neural Networks via Ciphertext Side Channels.
  Yuanyuan Yuan, Zhibo Liu, Sen Deng, Yanzuo Chen, Shuai Wang, Yinqian Zhang, and Zhendong Su.
  In 31st ACM Conference on Computer and Communications Security, 2024.
  [extended version]

• [ISSTA 24] See the Forest, not Trees: Unveiling and Escaping the Pitfalls of Error-Triggering Inputs in Neural Network Testing.
  Yuanyuan Yuan, Shuai Wang, and Zhendong Su.
  In 33rd International Symposium on Software Testing and Analysis, 2024.
  [preprint]

• [TSE 24] Provably Valid and Diverse Mutations of Real-World Media Data for DNN Testing.
  Yuanyuan Yuan, Qi Pang, and Shuai Wang.
  In IEEE Transactions on Software Engineering, 2024.
  [preprint]

• [USENIX Security 23b] Precise and Generalized Robustness Certification for Neural Networks.
  Yuanyuan Yuan, Shuai Wang, and Zhendong Su.
  In 32nd USENIX Security Symposium, 2023.
  [extended version], [code]

• [USENIX Security 23a] CacheQL: Quantifying and Localizing Cache Side-Channel Vulnerabilities in Production Software.
  Yuanyuan Yuan, Zhibo Liu, and Shuai Wang.
  In 32nd USENIX Security Symposium, 2023.
  [extended version], [findings], [code]

• [ICSE 23a] Revisiting Neuron Coverage for DNN Testing: A Layer-Wise and Distribution-Aware Criterion.
  Yuanyuan Yuan, Qi Pang, and Shuai Wang.
  In 45th IEEE/ACM International Conference on Software Engineering, 2023.
  [extended version], [code]

• [ASE 22] Unveiling Hidden DNN Defects with Decision-Based Metamorphic Testing.
  Yuanyuan Yuan, Qi Pang, and Shuai Wang.
  In 37th IEEE/ACM International Conference on Automated Software Engineering, 2022.
  [extended version], [code]

• [USENIX Security 22] Automated Side Channel Analysis of Media Software with Manifold Learning.
  Yuanyuan Yuan, Qi Pang, and Shuai Wang.
  In 31st USENIX Security Symposium, 2022.
  🏅 Artifact Evaluation Badges: Available; Functional; Reproduced.
  [extended version], [code]

• [CVPR 21] Perception Matters: Detecting Perception Failures of VQA Models Using Metamorphic Testing.
  Yuanyuan Yuan, Shuai Wang, Mingyue Jiang, and Tsong Yueh Chen.
  In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021.
  [code]

• [ICLR 21] Private Image Reconstruction from System Side Channels Using Generative Models.
  Yuanyuan Yuan, Shuai Wang, and Junping Zhang.
  In International Conference on Learning Representations, 2021.
  [code]

• [NDSS 25b] BitShield: Defending Against Bit-Flip Attacks on DNN Executables.
  Yanzuo Chen, Yuanyuan Yuan$^\dagger$, Zhibo Liu, Sihang Hu, Tianxiang Li, and Shuai Wang$^\dagger$.
  In 32nd Network and Distributed System Security Symposium, 2025.
  $^\dagger$ Corresponding authors.
  [preprint]

• [NDSS 25a] Compiled Models, Built-In Exploits: Uncovering Pervasive Bit-Flip Attack Surfaces in DNN Executables.
  Yanzuo Chen, Zhibo Liu, Yuanyuan Yuan$^\dagger$, Sihang Hu, Tianxiang Li, and Shuai Wang$^\dagger$.
  In 32nd Network and Distributed System Security Symposium, 2025.
  $^\dagger$ Corresponding authors.
  [preprint]

• [NDSS 23] OBSan: An Out-Of-Bound Sanitizer to Harden DNN Executables.
  Yanzuo Chen, Yuanyuan Yuan$^\dagger$, and Shuai Wang$^\dagger$.
  In 30th Network and Distributed System Security Symposium, 2023.
  $^\dagger$ Corresponding authors.
  [project page], [code]

• [ICSE 23b] CC: Causality-Aware Coverage Criterion for Deep Neural Networks.
  Zhenlan Ji, Pingchuan Ma$^\dagger$, Yuanyuan Yuan$^\dagger$, and Shuai Wang.
  In 45th IEEE/ACM International Conference on Software Engineering, 2023.
  $^\dagger$ Corresponding authors.
  [code]

Awards

• 🏆 Distinguished Paper Award, IEEE Symposium on Security and Privacy, 2025.

• 🏆 Best PhD Dissertation Award (one awardee per year), Department of Computer Science and Engineering, HKUST, 2024.

Academic Services

• Program Committee: ICSE 2026, LMPL 2025, DeepTest 2025, USENIX Security 2023 (Artifact Evaluation), OSDI 2022 and USENIX ATC 2022 (Artifact Evaluation), ISSTA 2022 (Artifact Evaluation).

• Reviewer: IEEE Transactions on Software Engineering, IEEE Transactions on Dependable and Secure Computing.

Teaching Experience

• Teaching Assistant: Automated Software Testing. ETH Zurich, Spring 2025.
• Teaching Assistant: Research Topics in Software Engineering. ETH Zurich, Spring 2025.
• Teaching Assistant: Compiler Design. ETH Zurich, Fall 2024.
• Guest Lecturer: Automated Software Testing. ETH Zurich, Spring 2023.
• Teaching Assistant: COMP3632: Principles of Cybersecurity. HKUST, Fall 2021.
• Teaching Assistant: COMP3632: Principles of Cybersecurity. HKUST, Spring 2021.
• Teaching Assistant: Introduction to Computer System. Fudan University, Fall 2018.

Last updated: 14 May 2025