Hao Sun
M.Sc., Tsinghua University

Currently, I am an M.Sc. student in the School of Software at Tsinghua University, and I am doing security research in Software System Security Assurance Group, supervised by Prof. Yu Jiang. I plan to apply for a Ph.D. degree after graduation (in 2023) to continue my research on system security. Please send me an email if you have interests in me. Here is a brief intro on my areas:

  • I am extremely enthusiastic about the architecture and design of large systems. Most projects I wrote in the past consist of more than 10,000 lines of code. I’ve studied multiple large systems via reading their source code, e.g., Linux kernel and leveldb.
  • Automated vulnerability discovery in large systems is my current research area. The major approaches I used include fuzz testing and symbolic execution. I’m the author of Healer, a kernel fuzzer inspired by Syzkaller. I also wrote another symbolic execution based tool for the Linux kernel, but not been published yet.
  • I’m an entry-level fan of programming language, interested in programming language theory (but have not yet delved into it). I’ve mastered more than 10 programming languages, including system-level language, GC-based language, functional language, etc. Rust is currently my preferred language (Hi there, Rustaceans!).


  • Operating system kernel, Linux kernel
  • Security, Fuzz testing, Symbolic execution
  • Programing language
  • System programing, Rustacean


Tsinghua University
2020 - current
M.Sc. Software System Security Assurance Group
System security, kernel fuzzing, supervised by Prof.Yu Jiang
Beijing University of Posts and Telecommunications
2016 - 2020
B.Sc. Software Engineering


HEALER: Relation Learning Guided Kernel Fuzzing, 2021, ACM SIGOPS 28th Symposium on Operating Systems Principles (SOSP '21)
Hao Sun , Yuheng Shen, Cong Wang, Jianzhong Liu, Yu Jiang, Ting Chen, and Aiguo Cui
Rtkaller: State-aware Task Generation for RTOS Fuzzing, 2021, ACM Transactions on Embedded Computing Systems (EMSOFT 2021)
Yuheng Shen , Hao Sun, Yu Jiang, Heyuan Shi, Yixiao Yang, and Wanli Chang
Go-Sanitizer: Bug-Oriented Assertion Generation for Golang, 2019, 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Cong Wang , Hao Sun, Yiwen Xu, Yu Jiang, Huafeng Zhang, Ming Gu


Healer: kernel fuzzer inspired by Syzkaller.
Healer uses Syzlang descriptions to generate sequencese of syscalls like Syzkaller. Unlike Syzkaller, Healer detects the influence relationships between syscalls with a learning algorithm and uses a different architecture.
libtcc: Rust Binding for Tcc Compiler.
TinyCC (or tcc) is short for Tiny C Compiler. It's a small, fast, unlimited, safe C language compiler. `libtcc` provide a safe wrapper for it, which supports jit compilation and low level control of code generation.