Wenchao Huang

Wansen Wang, Pu Zhang, Renjie Ji et al.

Some smart contracts violate decentralization principles by defining privileged accounts that manage other users' assets without permission, introducing centralization risks that have caused financial losses. Existing methods, however, face challenges in accurately detecting diverse centralization risks due to their dependence on predefined behavior patterns. In this paper, we propose JANUS, an automated analyzer for Solidity smart contracts that detects financial centralization risks independently of their specific behaviors. JANUS identifies differences between states reached by privileged and ordinary accounts, and analyzes whether these differences are finance-related. Focusing on the impact of risks rather than behaviors, JANUS achieves improved accuracy compared to existing tools and can uncover centralization risks with unknown patterns. To evaluate JANUS's performance, we compare it with other tools using a dataset of 540 contracts. Our evaluation demonstrates that JANUS outperforms representative tools in terms of detection accuracy for financial centralization risks . Additionally, we evaluate JANUS on a real-world dataset of 33,151 contracts, successfully identifying two types of risks that other tools fail to detect. We also prove that the state traversal method and variable summaries, which are used in JANUS to reduce the number of states to be compared, do not introduce false alarms or omissions in detection.

Fuyou Miao, Yue Yu, Keju Meng et al.

Group oriented applications are getting more and more popular in mobile Internet and call for secure and efficient secret sharing (SS) scheme to meet their requirements. A $(t,n)$ threshold SS scheme divides a secret into $n$ shares such that any $t$ or more than $t$ shares can recover the secret while less than $t$ shares cannot. However, an adversary, even without a valid share, may obtain the secret by impersonating a shareholder to recover the secret with $t$ or more legal shareholders. Therefore, this paper uses linear code to propose a threshold changeable secret sharing (TCSS) scheme, in which threshold should increase from $t$ to the exact number of all participants during secret reconstruction. The scheme does not depend on any computational assumption and realizes asymptotically perfect security. Furthermore, based on the proposed TCSS scheme, a group authentication scheme is constructed, which allows a group user to authenticate whether all users are legal group members at once and thus provides efficient and flexible m-to-m authentication for group oriented applications.

Zhaoyi Meng, Yan Xiong, Wenchao Huang et al.

Android users are now suffering severe threats from unwanted behaviors of various apps. The analysis of apps' audit logs is one of the essential methods for some device manufacturers to unveil the underlying malice within apps. We propose and implement AppAngio, a novel system that reveals contextual information in Android app behaviors by API-level audit logs. Our goal is to help analysts of device manufactures understand what has happened on users' devices and facilitate the identification of the malice within apps. The key module of AppAngio is identifying the path matched with the logs on the app's control-flow graph (CFG). The challenge, however, is that the limited-quantity logs may incur high computational complexity in the log matching, where there are a large number of candidates caused by the coupling relation of successive logs. To address the challenge, we propose a divide and conquer strategy that precisely positions the nodes matched with log records on the corresponding CFGs and connects the nodes with as few backtracks as possible. Our experiments show that AppAngio reveals the contextual information of behaviors in real-world apps. Moreover, the revealed results assist the analysts in identifying malice of app behaviors and complement existing analysis schemes. Meanwhile, AppAngio incurs negligible performance overhead on the Android device.

Yan Xiong, Cheng Su, Wenchao Huang et al.

Current formal approaches have been successfully used to find design flaws in many security protocols. However, it is still challenging to automatically analyze protocols due to their large or infinite state spaces. In this paper, we propose a novel framework that can automatically verifying security protocols without any human intervention. Experimental results show that SmartVerif automatically verifies security protocols that cannot be automatically verified by existing approaches. The case study also validates the effectiveness of our dynamic strategy.

Qiwei Lu, Wenchao Huang, Xudong Gong et al.

With the rapid development of MANET, secure and practical authentication is becoming increasingly important. The existing works perform the research from two aspects, i.e., (a)secure key division and distributed storage, (b)secure distributed authentication. But there still exist several unsolved problems. Specifically, it may suffer from cheating problems and fault authentication attack, which can result in authentication failure and DoS attack towards authentication service. Besides, most existing schemes are not with satisfactory efficiency due to exponential arithmetic based on Shamir's scheme. In this paper, we explore the property of verifiable secret sharing(VSS) schemes with Chinese Remainder Theorem (CRT), then propose a secret key distributed storage scheme based on CRT-VSS and trusted computing for MANET. Specifically, we utilize trusted computing technology to solve two existing cheating problems in secret sharing area before. After that, we do the analysis of homomorphism property with CRT-VSS and design the corresponding shares-product sharing scheme with better concision. On such basis, a secure distributed Elliptic Curve-Digital Signature Standard signature (ECC-DSS) authentication scheme based on CRT-VSS scheme and trusted computing is proposed. Furthermore, as an important property of authentication scheme, we discuss the refreshing property of CRT-VSS and do thorough comparisons with Shamir's scheme. Finally, we provide formal guarantees towards our schemes proposed in this paper.