I am a tenure-track assistant professor in the School of Software at Tsinghua University. My research mainly focuses on the safety and security of AI systems.

Before joining Tsinghua University, I was a post-doc researcher at ETH Zurich, working with Prof. Zhendong Su. I obtained my Ph.D. degree from HKUST in 2024 under the supervision of Prof. Shuai Wang, and my B.S. degree from Fudan University in 2020.

E-mail: yyyuan@tsinghua.edu.cn

Openings: I am looking for self-motivated students (Post-doc, PhD, Master, and Undergraduate) with research interests in Security, AI, and Software Engineering. If you are interested in joining my group, please drop me an email with your CV and transcripts.

Education & Experience

• Assistant Professor. School of Software, Tsinghua University. Dec. 2025 - present.

• Postdoctoral Researcher. AST lab, ETH Zurich. Oct. 2024 - Dec. 2025.

• Ph.D. in Computer Science and Engineering. HKUST. Sep. 2020 - Sep. 2024.
  🎓 Thesis: Side Channel Analysis for AI Infrastructures
  🏆 Best PhD Dissertation Award 2024 (one awardee per year), CSE, HKUST

• Visiting Researcher. AST lab, ETH Zurich. Sep. 2022 - Sep. 2023.

• B.S. in Computer Science. Fudan University. Sep. 2016 - July 2020.

Selected Publications (full list)

$^\dagger$ indicates (co-)corresponding authors.

• [IEEE S&P 25] CipherSteal: Stealing Input Data from TEE-Shielded Neural Networks with Ciphertext Side Channels.
  Yuanyuan Yuan, Zhibo Liu, Sen Deng, Yanzuo Chen, Shuai Wang, Yinqian Zhang, and Zhendong Su.
  In 46th IEEE Symposium on Security and Privacy, 2025.
  🏆 Distinguished Paper Award
  [preprint]

• [CCS 24] HyperTheft: Thieving Model Weights from TEE-Shielded Neural Networks via Ciphertext Side Channels.
  Yuanyuan Yuan, Zhibo Liu, Sen Deng, Yanzuo Chen, Shuai Wang, Yinqian Zhang, and Zhendong Su.
  In 31st ACM Conference on Computer and Communications Security, 2024.
  [extended version]

• [ISSTA 24] See the Forest, not Trees: Unveiling and Escaping the Pitfalls of Error-Triggering Inputs in Neural Network Testing.
  Yuanyuan Yuan, Shuai Wang, and Zhendong Su.
  In 33rd International Symposium on Software Testing and Analysis, 2024.
  [preprint]

• [TSE 24] Provably Valid and Diverse Mutations of Real-World Media Data for DNN Testing.
  Yuanyuan Yuan, Qi Pang, and Shuai Wang.
  In IEEE Transactions on Software Engineering, 2024.
  [preprint]

• [USENIX Security 23b] Precise and Generalized Robustness Certification for Neural Networks.
  Yuanyuan Yuan, Shuai Wang, and Zhendong Su.
  In 32nd USENIX Security Symposium, 2023.
  [extended version], [code]

• [USENIX Security 23a] CacheQL: Quantifying and Localizing Cache Side-Channel Vulnerabilities in Production Software.
  Yuanyuan Yuan, Zhibo Liu, and Shuai Wang.
  In 32nd USENIX Security Symposium, 2023.
  [extended version], [findings], [code]

• [ICSE 23a] Revisiting Neuron Coverage for DNN Testing: A Layer-Wise and Distribution-Aware Criterion.
  Yuanyuan Yuan, Qi Pang, and Shuai Wang.
  In 45th IEEE/ACM International Conference on Software Engineering, 2023.
  [extended version], [code]

• [ASE 22] Unveiling Hidden DNN Defects with Decision-Based Metamorphic Testing.
  Yuanyuan Yuan, Qi Pang, and Shuai Wang.
  In 37th IEEE/ACM International Conference on Automated Software Engineering, 2022.
  [extended version], [code]

• [USENIX Security 22] Automated Side Channel Analysis of Media Software with Manifold Learning.
  Yuanyuan Yuan, Qi Pang, and Shuai Wang.
  In 31st USENIX Security Symposium, 2022.
  🏅 Artifact Evaluation Badges: Available; Functional; Reproduced.
  [extended version], [code]

• [CVPR 21] Perception Matters: Detecting Perception Failures of VQA Models Using Metamorphic Testing.
  Yuanyuan Yuan, Shuai Wang, Mingyue Jiang, and Tsong Yueh Chen.
  In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021.
  [code]

• [ICLR 21] Private Image Reconstruction from System Side Channels Using Generative Models.
  Yuanyuan Yuan, Shuai Wang, and Junping Zhang.
  In International Conference on Learning Representations, 2021.
  [code]

• [NDSS 25b] BitShield: Defending Against Bit-Flip Attacks on DNN Executables.
  Yanzuo Chen, Yuanyuan Yuan$^\dagger$, Zhibo Liu, Sihang Hu, Tianxiang Li, and Shuai Wang$^\dagger$.
  In 32nd Network and Distributed System Security Symposium, 2025.
  $^\dagger$ Corresponding authors.
  [preprint], [code]

• [NDSS 25a] Compiled Models, Built-In Exploits: Uncovering Pervasive Bit-Flip Attack Surfaces in DNN Executables.
  Yanzuo Chen, Zhibo Liu, Yuanyuan Yuan$^\dagger$, Sihang Hu, Tianxiang Li, and Shuai Wang$^\dagger$.
  In 32nd Network and Distributed System Security Symposium, 2025.
  $^\dagger$ Corresponding authors.
  🏅 Presented at Black Hat Europe.
  [preprint], [code]

• [NDSS 23] OBSan: An Out-Of-Bound Sanitizer to Harden DNN Executables.
  Yanzuo Chen, Yuanyuan Yuan$^\dagger$, and Shuai Wang$^\dagger$.
  In 30th Network and Distributed System Security Symposium, 2023.
  $^\dagger$ Corresponding authors.
  [project page], [code]

• [ICSE 23b] CC: Causality-Aware Coverage Criterion for Deep Neural Networks.
  Zhenlan Ji, Pingchuan Ma$^\dagger$, Yuanyuan Yuan$^\dagger$, and Shuai Wang.
  In 45th IEEE/ACM International Conference on Software Engineering, 2023.
  $^\dagger$ Corresponding authors.
  [code]

• [CCS 24b] DeepCache: Revisiting Cache Side-Channel Attacks in Deep Neural Networks Executables.
  Zhibo Liu, Yuanyuan Yuan, Yanzuo Chen, Sihang Hu, Tianxiang Li, and Shuai Wang.
  In 31st ACM Conference on Computer and Communications Security, 2024.
  🏅 Presented at Black Hat Europe.
  [code]

• [USENIX Security 23c] Decompiling x86 Deep Neural Network Executables.
  Zhibo Liu, Yuanyuan Yuan, Shuai Wang, Xiaofei Xie, and Lei Ma.
  In 32nd USENIX Security Symposium, 2023.
  🏅 Artifact Evaluation Badges: Available; Functional; Reproduced.
  🏅 Presented at Black Hat USA.
  [extended version], [code]

Awards

• 🏆 Distinguished Paper Award, IEEE Symposium on Security and Privacy, 2025.

• 🏆 Best PhD Dissertation Award (one awardee per year), Department of Computer Science and Engineering, HKUST, 2024.

Academic Services

• Program Committee:
  USENIX Security Symposium (USENIX Security), 2026
  ACM Conference on Computer and Communications Security (CCS), 2026
  International Conference on Software Engineering (ICSE), 2026
  

• Reviewer:
  ACM Transactions on Software Engineering and Methodology (TOSEM), 2025
  IEEE Transactions on Software Engineering (TSE), 2025
  IEEE Transactions on Dependable and Secure Computing (TDSC), 2025
  Empirical Software Engineering (EMSE), 2025

• Artifact Evaluation Committee:
  USENIX Security Symposium (USENIX Security), 2023
  International Symposium on Software Testing and Analysis (ISSTA), 2022
  USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2022
  USENIX Annual Technical Conference (ATC), 2022