ASE 2025
Sun 16 - Thu 20 November 2025 Seoul, South Korea

This program is tentative and subject to change.

Wed 19 Nov 2025 14:10 - 14:20 at Grand Hall 5 - Security 4

Smart contracts have become a foundational component of blockchain systems, enabling decentralized, transparent, and autonomous execution of application logic across various domains, including decentralized finance (DeFi), gaming, and digital identity. Due to their immutable and trustless nature, smart contracts often manage and transfer substantial amounts of assets without human intervention. However, vulnerabilities in smart contracts can lead to substantial financial losses. Among these, access control vulnerabilities are particularly critical, typically originating from inadequately designed or incorrectly implemented permission mechanisms. Most existing methods for detecting access control vulnerabilities are based on static analysis, which heavily relies on manually defined rules and pattern matching. While these methods are efficient at identifying certain classes of known vulnerabilities, they are inherently limited in scope and generalization. In particular, they often fail to capture the underlying business logic of smart contracts.

In this paper, we propose an LLM-based multi-agent system, named ACTaint, for detecting access control vulnerabilities in Solidity smart contracts. ACTaint first performs static analysis to guide the sink agent in identifying potential sinks. Then, based on the identified sinks, the taint agent conducts taint analysis to determine whether a data flow exists from untrusted sources to these sinks. We evaluate our approach on a dataset comprising known CVE cases and 624 real-world smart contracts. The results demonstrate that our method outperforms existing tools in both datasets. On the first dataset, our approach outperforms state-of-the-art tools, including AChecker and GPTLens, achieving higher recall and F1-score. On the second dataset, our method surpasses the leading static analysis tool AChecker, with a 16% improvement in precision and an 8.5% improvement in F1-score.

This program is tentative and subject to change.

Wed 19 Nov

Displayed time zone: Seoul change

14:00 - 15:30
14:00
10m
Talk
Advancing Binary Code Similarity Detection via Context-Content Fusion and LLM Verification
Research Papers
Chaopeng Dong Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China;, Jingdong Guo Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China;, Shouguo Yang Zhongguancun Laboratory, Beijing, China, Yi Li Nanyang Technological University, Dongliang Fang Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, China; School of Cyber Security, University of Chinese Academy of Sciences, China, Yang Xiao Chinese Academy of Sciences, Yongle Chen Taiyuan University of Technology, China, Limin Sun Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences
14:10
10m
Talk
ACTaint: Agent-Based Taint Analysis for Access Control Vulnerabilities in Smart Contracts
Research Papers
Huarui Lin Zhejiang University, Zhipeng Gao Shanghai Institute for Advanced Study - Zhejiang University, Jiachi Chen Sun Yat-sen University, Xiang Chen Nantong University, Xiaohu Yang Zhejiang University, Lingfeng Bao Zhejiang University
14:20
10m
Talk
AMPLE: Fine-grained File Access Policies for Server Applications
Research Papers
Seyedhamed Ghavamnia Bloomberg, Julien Vanegue Imperial College London; Bloomberg
14:30
10m
Talk
Mockingbird: Efficient Excessive Data Exposures Detection via Dynamic Code Instrumentation
Research Papers
Chenxiao Xia Beijing Institute of Technology, Jiazheng Sun Fudan University, Jun Zheng Beijing Institute of Technology, Yu-an Tan Beijing Institute of Technology, Hongyi Su Beijing Institute of Technology
14:40
10m
Talk
DrainCode: Stealthy Energy Consumption Attacks on Retrieval-Augmented Code Generation via Context Poisoning
Research Papers
Jiadong Wu School of Software Engineering, Sun Yat-sen University, Yanlin Wang Sun Yat-sen University, Tianyue Jiang Sun Yat-sen University, Mingwei Liu Sun Yat-Sen University, Jiachi Chen Sun Yat-sen University, Chong Wang Nanyang Technological University, Ensheng Shi Huawei, Xilin Liu Huawei Cloud, Yuchi Ma Huawei Cloud Computing Technologies, Hongyu Zhang Chongqing University, Zibin Zheng Sun Yat-sen University
14:50
10m
Talk
Finding Insecure State Dependency in DApps via Multi-Source Tracing and Semantic Enrichment
Research Papers
Jingwen Zhang School of Software Engineering, Sun Yat sen University, Yuhong Nan Sun Yat-sen University, Wei Li School of Software Engineering, Sun Yat sen University, Kaiwen Ning Sun Yat-sen University, Zewei Lin Sun Yat-sen University, Zitong Yao School of Software Engineering, Sun Yat sen University, Yuming Feng Peng Cheng Laboratory, Weizhe Zhang Harbin Institute of Technology, Zibin Zheng Sun Yat-sen University
15:00
10m
Talk
Better Safe than Sorry: Preventing Policy Violations through Predictive Root-Cause-Analysis for IoT Systems
Research Papers
Michael Norris Penn State University, Syed Rafiul Hussain Pennsylvania State University, Gang (Gary) Tan Pennsylvania State University
15:10
10m
Talk
Backdoors in Code Summarizers: How Bad Is It?
Research Papers
Chenyu Wang Singapore Management University, Zhou Yang University of Alberta, Alberta Machine Intelligence Institute , Yaniv Harel Tel Aviv University, David Lo Singapore Management University
Pre-print
15:20
10m
Talk
ProfMal: Detecting Malicious NPM Packages by the Synergy between Static and Dynamic Analysis
Research Papers
Yiheng Huang Fudan University, Wen Zheng Fudan University, Susheng Wu Fudan University, Bihuan Chen Fudan University, You Lu Fudan University, Zhuotong Zhou Fudan University, Yiheng Cao Fudan University, Xiaoyu Li Fudan University, Xin Peng Fudan University