Search

Your search keyword '"Qinming He"' showing total 303 results
Start Over Author "Qinming He"

Refine your results

more »

more »

more »
303 results on '"Qinming He"'

1. Towards Automated Reentrancy Detection for Smart Contracts Based on Sequential Models

Author

Peng Qian, Zhenguang Liu, Qinming He, Roger Zimmermann, and Xun Wang

Subjects
Blockchain, smart contract, deep learning, sequential models, vulnerability detection, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
Abstract

In the last decade, smart contract security issues lead to tremendous losses, which has attracted increasing public attention both in industry and in academia. Researchers have embarked on efforts with logic rules, symbolic analysis, and formal analysis to achieve encouraging results in smart contract vulnerability detection tasks. However, the existing detection tools are far from satisfactory. In this paper, we attempt to utilize the deep learning-based approach, namely bidirectional long-short term memory with attention mechanism (BLSTM-ATT), aiming to precisely detect reentrancy bugs. Furthermore, we propose contract snippet representations for smart contracts, which contributes to capturing essential semantic information and control flow dependencies. Our extensive experimental studies on over 42,000 real-world smart contracts show that our proposed model and contract snippet representations significantly outperform state-of-the-art methods. In addition, this work proves that it is practical to apply deep learning-based technology on smart contract vulnerability detection, which is able to promote future research towards this area.

Published
2020
Full Text
View/download PDF

2. Towards Understanding the Security of Modern Image Captchas and Underground Captcha-Solving Services

Author

Haiqin Weng, Binbin Zhao, Shouling Ji, Jianhai Chen, Ting Wang, Qinming He, and Raheem Beyah

Subjects
image captchas, captcha security, captcha-solving service, underground market, Electronic computers. Computer science, QA75.5-76.95
Abstract

Image captchas have recently become very popular and are widely deployed across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision have gradually diminished the security of image captchas and made them vulnerable to attack. In this paper, we first classify the currently popular image captchas into three categories: selection-based captchas, slide-based captchas, and click-based captchas. Second, we propose simple yet powerful attack frameworks against each of these categories of image captchas. Third, we systematically evaluate our attack frameworks against 10 popular real-world image captchas, including captchas from tencent.com, google.com, and 12306.cn. Fourth, we compare our attacks against nine online image recognition services and against human labors from eight underground captcha-solving services. Our evaluation results show that (1) each of the popular image captchas that we study is vulnerable to our attacks; (2) our attacks yield the highest captcha-breaking success rate compared with state-of-the-art methods in almost all scenarios; and (3) our attacks achieve almost as high a success rate as human labor while being much faster. Based on our evaluation, we identify some design flaws in these popular schemes, along with some best practices and design principles for more secure captchas. We also examine the underground market for captcha-solving services, identifying 152 such services. We then seek to measure this underground market with data from these services. Our findings shed light on understanding the scale, impact, and commercial landscape of the underground market for captcha solving.

Published
2019
Full Text
View/download PDF

26. Rethinking Smart Contract Fuzzing: Fuzzing With Invocation Ordering and Important Branch Revisiting

Author

Zhenguang Liu, Peng Qian, Jiaxu Yang, Lingfeng Liu, Xiaojun Xu, Qinming He, and Xiaosong Zhang

Subjects
Software Engineering (cs.SE), FOS: Computer and information sciences, Computer Science - Software Engineering, Computer Science - Cryptography and Security, Computer Science - Programming Languages, Computer Networks and Communications, Safety, Risk, Reliability and Quality, Cryptography and Security (cs.CR), Programming Languages (cs.PL)
Abstract

Blockchain smart contracts have given rise to a variety of interesting and compelling applications and emerged as a revolutionary force for the Internet. Quite a few practitioners have devoted themselves to developing tools for detecting bugs in smart contracts. One line of efforts revolve around static analysis techniques, which heavily suffer from high false-positive rates. Another line of works concentrate on fuzzing techniques. Unfortunately, current fuzzing approaches for smart contracts tend to conduct fuzzing starting from the initial state of the contract, which expends too much energy revolving around the initial state and thus is usually unable to unearth bugs triggered by other states. Moreover, most existing methods treat each branch equally, failing to take care of the branches that are rare or more likely to possess bugs. This might lead to resources wasted on normal branches. In this paper, we try to tackle these challenges from three aspects: (1) In generating function invocation sequences, we explicitly consider data dependencies between functions to facilitate exploring richer states. We further prolong a function invocation sequence S1 by appending a new sequence S2, so that S2 can start fuzzing from states that are different from the initial state. (2) We incorporate a branch distance-based measure to evolve test cases iteratively towards a target branch. (3) We engage a branch search algorithm to discover rare and vulnerable branches, and design an energy allocation mechanism to take care of exercising these crucial branches. We implement IR-Fuzz and extensively evaluate it over 12K real-world contracts. Empirical results show that: (i) IR-Fuzz achieves 28% higher branch coverage than state-of-the-art fuzzing approaches, and (ii) IR-Fuzz detects more vulnerabilities and increases the average accuracy of vulnerability detection by 7% over current methods., Comment: This paper has been accepted by IEEE Transactions On Information Forensics And Security (TIFS 2022)

Published
2023

33. Demystifying Random Number in Ethereum Smart Contract: Taxonomy, Vulnerability Identification, and Attack Detection

Author

Peng Qian, Jianting He, Lingling Lu, Siwei Wu, Zhipeng Lu, Lei Wu, Yajin Zhou, and Qinming He

Subjects
Software Engineering (cs.SE), FOS: Computer and information sciences, Computer Science - Software Engineering, Computer Science - Cryptography and Security, Cryptography and Security (cs.CR), Software
Abstract

Recent years have witnessed explosive growth in blockchain smart contract applications. As smart contracts become increasingly popular and carry trillion dollars worth of digital assets, they become more of an appealing target for attackers, who have exploited vulnerabilities in smart contracts to cause catastrophic economic losses. Notwithstanding a proliferation of work that has been developed to detect an impressive list of vulnerabilities, the bad randomness vulnerability is overlooked by many existing tools. In this paper, we make the first attempt to provide a systematic analysis of random numbers in Ethereum smart contracts, by investigating the principles behind pseudo-random number generation and organizing them into a taxonomy. We also lucubrate various attacks against bad random numbers and group them into four categories. Furthermore, we present RNVulDet - a tool that incorporates taint analysis techniques to automatically identify bad randomness vulnerabilities and detect corresponding attack transactions. To extensively verify the effectiveness of RNVulDet, we construct three new datasets: i) 34 well-known contracts that are reported to possess bad randomness vulnerabilities, ii) 214 popular contracts that have been rigorously audited before launch and are regarded as free of bad randomness vulnerabilities, and iii) a dataset consisting of 47,668 smart contracts and 49,951 suspicious transactions. We compare RNVulDet with three state-of-the-art smart contract vulnerability detectors, and our tool significantly outperforms them. Meanwhile, RNVulDet spends 2.98s per contract on average, in most cases orders-of-magnitude faster than other tools. RNVulDet successfully reveals 44,264 attack transactions. Our implementation and datasets are released, hoping to inspire others., This is the preprint of the paper that has been accepted by IEEE Transactions on Software Engineering (TSE)

Published
2023

45. A Truthful and Near-Optimal Mechanism for Colocation Emergency Demand Response

Author

Zhenguang Liu, Jianhai Chen, Qinming He, Deshi Ye, Yang Xiang, and Shouling Ji

Subjects
Demand response, Mathematical optimization, Load management, Mechanism design, Smart grid, Computer Networks and Communications, Computer science, Optimal mechanism, Electricity market, Approximation algorithm, Electrical and Electronic Engineering, Grid, Software
Abstract

Demand response (DR) has been widely adopted as a strategic plan of the electricity market in maintaining power grid reliability, sustainability, and stability. In a typical emergency DR (EDR) that arises in colocation data centers, participating tenants can reduce their power consumption when the supply of electricity is a shortage and be rewarded with financial compensation. In this paper, we study a mechanism design problem of motivating tenants for colocation EDR (MEDR). To solve the MEDR problem, we present a truthful Fully Polynomial-Time Approximation Scheme (FPTAS) which is theoretically proved deterministic, truthful and near-optimal, and can be approximated within $1 + \epsilon$ 1 + e for any given $\epsilon > 0$ e > 0 , while the running time is in the polynomial of the number of tenants $n$ n and $1/\epsilon$ 1 / e . To speed up the calculation of the payments, we further study the Vickrey-Clarke-Groves (VCG) based mechanism. Moreover, we build a MEDR auction system (MEDRAS) and implement all mechanism algorithms for a colocation data center. Comprehensive and detailed experiments have been implemented to validate the efficiency of our proposed mechanisms.

Published
2021

Catalog

Books, media, physical & digital resources
See catalog results