Mengyuan Li

Assistant Professor [Google Scholar]

TEE, Confidential Computing, Verifiable AI, Side-Channel Attacks, and AI Systems Security

Thomas Lord Department of Computer Science
Ming Hsieh Department of Electrical and Computer Engineering
University of Southern California

E-mail: mengyuanli@usc.edu

About me

Mengyuan Li is an Assistant Professor in the Department of Computer Science at the University of Southern California. He leads the SEPT Lab (SEcurity, Privacy, and Trust), which focuses on cutting-edge research in systems and security and is actively looking for motivated PhD, MS, and undergraduate students. Prior to USC, he was a postdoctoral researcher at MIT CSAIL (2022 - 2024), working with Prof. Mengjia Yan. Mengyuan received his Ph.D. in Computer Science and Engineering from The Ohio State University (OSU) in 2022, advised by Prof. Yinqian Zhang. Before coming to OSU, he received a Bachelor's degree in Electronic Engineering from Shanghai Jiao Tong University (SJTU).

Research

My research focuses on the design of trustworthy computing environments through the tight integration of advanced hardware mechanisms and software systems. This hardware-software co-design is essential for ensuring secure computation and data privacy across platforms spanning personal devices to cloud AI systems. My group works on Trusted Execution Environments (TEEs), confidential computing, verifiable AI, side-channel attacks, and broader AI systems security.

These topic pages summarize the main problems, representative papers, and teaching material behind the research directions that readers often search for directly.

TEE and Confidential Computing

Research on TEE-based systems and performance optimization, attacks on confidential computing platforms, and defenses for secure cloud and AI infrastructure.

Keywords: TEE, confidential computing, AMD SEV/SEV-SNP, SGX, confidential VMs/GPUs.

Verifiable AI

Research on verification of LLM inference, privacy-preserving model oversight, and system support for trustworthy AI deployment.

Keywords: verifiable AI, zero-knowledge verification, LLM inference, model oversight, trustworthy AI.

AI Agent Security

Research on using TEEs and runtime monitoring to observe agent execution and build trusted infrastructure for LLM systems and AI agents.

Keywords: AI agent security, TEE, runtime monitoring, trusted infrastructure, LLM systems, agent execution.

News

2026: Paper "MC-ORAM: A Mask-Assisted and Counter-Based Non-Deterministic ORAM Inside VM-Based TEEs" accepted to ISCA'26.
2026: Paper "Hollow-LLM Attack: Computationally Trivial Weights in Zero-Knowledge Verification of LLM Inference" accepted to IEEE S&P'26.
2026: Paper "SCALE: Tackling Communication Bottlenecks in Confidential Multi-GPU ML" accepted to IEEE HPCA'26.
2026: Paper "WAVE: Leveraging Architecture Observation for Privacy-Preserving Model Oversight" accepted to ACM ASPLOS'26.
2025: Paper "Chekhov's Gun: Uncovering Hidden Risks in macOS Application-Sandboxed PID-Domain Services" accepted to ACM CCS'25.
2025: Paper "A Close Look at RMP Entry Caching and Its Security Implications in SEV-SNP" accepted to HASP'25.
2025: Paper "Few-Shot Graph Out-of-Distribution Detection with LLMs" published in Lecture Notes in Computer Science.
2024: Joined USC as Assistant Professor in the Thomas Lord Department of Computer Science.
2024: Paper "SoK: Understanding Design Choices and Pitfalls of Trusted Execution Environments" accepted to ACM ASIACCS'24.
2023: Paper "CipherH: Automated Detection of Ciphertext Side-channel Vulnerabilities" accepted to USENIX Security'23.
2022: Two papers accepted to IEEE S&P'22: "A Systematic Look at Ciphertext Side Channels" and "vSGX: Virtualizing SGX Enclaves on AMD SEV".
2021: Paper "CROSSLINE" accepted to ACM CCS'21 and received the Best Paper Award (Runner-Up).
2021: Paper "CIPHERLEAKS" accepted to USENIX Security'21. AMD issued a security bulletin and a CVE.

Publications

MC-ORAM: A Mask-Assisted and Counter-Based Non-Deterministic ORAM Inside VM-Based TEEs
Yongqin Wang, Rachit Rajat, Jonghyun Lee, Mengyuan Li, Murali Annavaram
IEEE/ACM International Symposium on Computer Architecture (ISCA) 2026
Hollow-LLM Attack: Computationally Trivial Weights in Zero-Knowledge Verification of LLM Inference
Chen Gong, Beijie Liu, Mengyuan Li
IEEE Symposium on Security and Privacy (S&P) 2026
SCALE: Tackling Communication Bottlenecks in Confidential Multi-GPU ML
Joongun Park, Yongqin Wang, Huan Xu, Hanjiang Wu, Mengyuan Li, Tushar Krishna
IEEE International Symposium on High-Performance Computer Architecture (HPCA) 2026
WAVE: Leveraging Architecture Observation for Privacy-Preserving Model Oversight
Haoxuan Xu*, Chen Gong*, Beijie Liu*, Haizhong Zheng, Beidi Chen, Mengyuan Li (*equal contribution)
ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) 2026
Few-Shot Graph Out-of-Distribution Detection with LLMs
Haoyan Xu, Zhengtao Yao, Yushun Dong, Ziyi Wang, Ryan Rossi, Mengyuan Li, Yue Zhao
Joint European Conference on Machine Learning and Knowledge Discovery in Databases (ECML-PKDD) 2025
Chekhov's Gun: Uncovering Hidden Risks in macOS Application-Sandboxed PID-Domain Services
Minghao Lin, Jiaxun Zhu, Tingting Yin, Zechao Cai, Guanxing Wen, Yanan Guo, Mengyuan Li
ACM Conference on Computer and Communications Security (CCS) 2025
A Close Look at RMP Entry Caching and Its Security Implications in SEV-SNP
Alexis Bagia, Vincent Quentin Ulitzsch, Daniël Trujillo, Mengyuan Li, Mengjia Yan, Jean-Pierre Seifert
14th International Workshop on Hardware and Architectural Support for Security and Privacy (HASP) 2025
Ditto: Elastic Confidential VMs with Secure and Dynamic CPU Scaling
Shixuan Zhao*, Mengyuan Li*, Mengjia Yan, Zhiqiang Lin (*equal contribution)
Under Submission
Bridge the Future: High-Performance Networks in Confidential VMs without Trusted I/O devices
Mengyuan Li, Shashvat Srivastava, Mengjia Yan
Under Submission
SoK: Understanding Design Choices and Pitfalls of Trusted Execution Environments
Mengyuan Li, Yuheng Yang, Guoxing Chen, Mengjia Yan, Yinqian Zhang
ACM ASIACCS'24
CipherH: Automated Detection of Ciphertext Side-channel Vulnerabilities in Cryptographic Implementations
Sen Deng, Mengyuan Li, Yining Tang, Shuai Wang, Shoumeng Yan, Yinqian Zhang
USENIX Security Symposium'23
PWRLEAK: Exploiting Power Reporting Interface for Side-channel Attacks on AMD SEV
Wubing Wang, Mengyuan Li, Yinqian Zhang, Zhiqiang Lin
20th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2023)
Security bulletin from AMD [AMD-SB-3004], CVE [CVE-2023-20575]
A Systematic Look at Ciphertext Side Channels
Mengyuan Li*, Luca Wilke*, Jan Wichelmann, Thomas Eisenbarth, Radu Teodorescu, Yinqian Zhang (*equal contribution)
IEEE Symposium on Security and Privacy'22 (Acceptance rate: 57/407=14.0%)
Security bulletin from AMD [AMD-SB-1033], CVE [CVE-2021-46744]
AMD published an official [White Paper] guiding TEE developers and users on writing code that is resistant to the ciphertext side channel.
vSGX: Virtualizing SGX Enclaves on AMD SEV
Shixuan Zhao, Mengyuan Li, Yinqian Zhang, Zhiqiang Lin
IEEE Symposium on Security and Privacy'22 (Acceptance rate: 54/327=15.2%)
TLB Poisoning Attacks on AMD Secure Encrypted Virtualization
Mengyuan Li, Yinqian Zhang, Huibo Wang, Kang Li, Yueqiang Chen
The 2021 Annual Computer Security Applications Conference (ACSAC 2021) (Acceptance rate: 56/326=15.2%)
Security bulletin from AMD [AMD-SB-1023], CVE [CVE-2021-26340], Announcement from Lenovo
CROSSLINE: Breaking "Security-by-Crash" based Memory Isolation in AMD SEV
Mengyuan Li, Yinqian Zhang, Zhiqiang Lin
ACM Conference on Computer and Communications Security'21, Nov. 2021 (Acceptance rate: 196/879=22.3%)
Best Paper Awards (Runner-Ups) (14/879=1.6%) [plaque] [link]
CIPHERLEAKS: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel
Mengyuan Li, Yinqian Zhang, Huibo Wang, Kang Li, Yueqiang Chen
USENIX Security Symposium'21, Virtual, Aug. 2021 (Acceptance rate: 248/1319=18.8%)
AMD filed an embargo for the ciphertext side channel identified in the paper and announced a security bulletin together with a hardware patch for SEV-SNP in August 2021 [CVE-2020-12966].
Defeating speculative-execution attacks on SGX with HyperRace
Guoxing Chen, Mengyuan Li, Fengwei Zhang, Yinqian Zhang
IEEE Conference on Dependable and Secure Computing'19, Hangzhou, China, Nov. 2021
Exploiting Unprotected I/O Operations in AMD's Secure Encrypted Virtualization
Mengyuan Li, Yinqian Zhang, Zhiqiang Lin, Yan Solihin
USENIX Security Symposium'19, Santa Clara, CA, Aug. 2019 (Acceptance rate: 113/697=16.2%)
Peeking Behind the Curtains of Serverless Platforms
Liang Wang, Mengyuan Li, Yinqian Zhang, Thomas Ristenpart, Michael Swift
USENIX ATC'18, Boston, MA, USA, July 2018 (Acceptance rate: 76/378=20.1%)
Stacco: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves
Yuan Xiao, Mengyuan Li, Sanchuan Chen, Yinqian Zhang
ACM Conference on Computer and Communications Security'17, Dallas, TX, USA, Oct. 2017 (Acceptance rate: 151/843=17.9%)
When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals
Mengyuan Li, Yan Meng, Junyi Liu, Haojin Zhu, Xiaohui Liang, Yao Liu, Na Ruan
ACM Conference on Computer and Communications Security'16, Vienna, Austria, Oct. 2016 (Acceptance rate: 137/831=16.5%)

Professional Services

Program Committee

ACM Conference on Computer and Communications Security (CCS): 2024
IEEE European Symposium on Security and Privacy (EuroS&P): 2024
International Conference on Applied Cryptography and Network Security (ACNS): 2023

Reviewer

IEEE Transactions on Dependable and Secure Computing (TDSC): 2021, 2022, 2023
IEEE Transactions on Parallel and Distributed Systems (TPDS): 2023
IEEE Transactions on Mobile Computing (TMC): 2021, 2022
IEEE/ACM Transactions on Networking (TNET): 2021, 2022
IEEE Transactions on Emerging Topics in Computing (TETCSI): 2022

External Reviewer

IEEE Symposium on Security and Privacy (Oakland): 2020, 2022, 2023
ACM Conference on Computer and Communications Security (CCS): 2019, 2020, 2022, 2023
USENIX Security Symposium: 2021
ISOC Network and Distributed System Security Symposium (NDSS): 2019
ACM Asia Conference on Computer and Communications Security (AsiaCCS): 2020
ACM Cloud Computing Security Workshop (CCSW): 2021