In May, Yinzhi Cao, an associate professor of computer science and the technical director of the Johns Hopkins University Information Security Institute, was recognized for his achievements and contributions to the field at the 46th IEEE Symposium on Security and Privacy.
One of his papers, “Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites,” received a Distinguished Paper Award. Cao worked on this research with CS alumni Zifeng Kang, Engr ’25 (PhD) and Muxi Lyu, Engr ’25 (BS/MSE), CS PhD students Zhengyu Liu and Jianjia Yu, and collaborators at Zhejiang University in China including alumnus Song Li, Engr ’22 (PhD).
The paper presents the team’s research on prototype pollution vulnerabilities, which arise when malicious actors manipulate prototype properties in JavaScript so that the change affects other objects in the environment. The team designed a dynamic analysis framework called GALA to automatically detect prototype pollution gadgets on real-world websites. Evaluated against one million websites, GALA found 133 zero-day gadgets that previous frameworks had not detected.
“Our research finds that prototype pollution can lead to many severe consequences, such as cross-site scripting and cookie manipulation. One of our gadget chains exists in Meta’s software; they gave us a bug bounty for finding the vulnerability, and then fixed it immediately,” Cao says. “We hope that future vendors can take such vulnerabilities, particularly prototype pollution gadget chains, seriously for immediate patches.”
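To make the mechanism concrete, here is an added illustration that is not code from the paper or from GALA: a deliberately unsafe deep merge (the usual way a polluted key reaches `Object.prototype`), a small "gadget" that trusts an inherited option and feeds it into an HTML sink, and a hardened merge that refuses prototype-reaching keys. The attacker-style JSON input is constructed for the example.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: when key is "__proto__", target[key] resolves to Object.prototype
// and the recursion writes the attacker's properties onto every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip prototype-reaching keys and only descend into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Gadget: reads an option with a fallback and uses it in a sensitive sink.
// opts has no own "tag", so the lookup falls through to Object.prototype.
function renderGadget(opts) {
  const tag = opts.tag || 'span';
  return `<${tag}>hello</${tag}>`;
}

// Constructed input standing in for attacker-controlled JSON (e.g. a URL fragment).
const constructedInput = JSON.parse('{"__proto__": {"tag": "script"}}');

// Runs both merges against fresh objects and reports whether the gadget was affected.
function demonstrate() {
  safeMerge({}, constructedInput);
  const afterSafe = renderGadget({});    // unchanged: "<span>hello</span>"
  unsafeMerge({}, constructedInput);
  const afterUnsafe = renderGadget({});  // polluted: "<script>hello</script>"
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'tag');
  delete Object.prototype.tag;           // undo the pollution for the rest of the program
  return { afterSafe, afterUnsafe, polluted };
}
```

The `polluted` check is also a cheap runtime probe: an own property appearing on `Object.prototype` that the application never defines is a strong signal that a merge or parser has been reached by untrusted keys.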
A second paper of Cao’s—work he conducted a decade ago with his postdoctoral advisor—was awarded a Test of Time Award, which recognizes past publications that are still relevant, useful, and impactful within security and privacy. The paper, “Towards Making Systems Forget with Machine Unlearning,” presented an efficient approach to making learning systems forget, or “unlearn,” information, data, or lineages.
“I am pleased that the Test of Time Award committee recognized the importance of this work on machine unlearning. Since we first proposed the concept back in 2015, machine unlearning has become a blooming research field, attracting many researchers to work on it,” says Cao.