Welcome to Yuhong Nan's Homepage
I am currently an Associate Professor in the School of Software Engineering at Sun Yat-sen University (Zhongshan University). Prior to this, I was a Postdoctoral Research Associate in the Department of Computer Science at Purdue University, where I worked with Prof. Dongyan Xu. I received my Ph.D. from Fudan University in 2018, under the supervision of Prof. Min Yang. I am recognized as one of the active top authors in publishing at leading security venues [1][2].
My research interests broadly span software security and user privacy, with a primary focus on analyzing and enhancing the security and privacy of emerging platforms, including LLM Agents, Blockchain, and Mobile ecosystems. My research involves designing and developing practical systems and tools to systematically detect, mitigate, and remediate a wide spectrum of security and privacy threats.
I am always looking for self-motivated students to join my group at Sun Yat-sen University. Please refer to my publications below for more information about my ongoing research projects. If you are interested, feel free to reach out via email with your CV.
Publications
- [Preprint] AgentRaft: Automated Detection of Data Over-Exposure in LLM Agents. Yixi Lin*, Jiangrong Wu*, Yuhong Nan, Xueqiang Wang, Xinyuan Zhang, Zibin Zheng. arXiv preprint arXiv:2603.07557, 2026.
- [Preprint] Control at Stake: Evaluating the Security Landscape of LLM-Driven Email Agents. Jiangrong Wu, Yuhong Nan, Jianliang Wu, Zitong Yao, Zibin Zheng. arXiv preprint arXiv:2507.02699, 2025.
- [ICSE’26] Is My RPC Response Reliable? Detecting RPC Bugs in Ethereum Blockchain Client under Context. Zhijie Zhong, Yuhong Nan, Mingxi Ye, Qing Xue, Jiashui Wang, Xinlei Ying, Long Liu, Zibin Zheng. In Proceedings of the 48th ACM/IEEE International Conference on Software Engineering.
- [Security’26] Cracking Federated Privacy: Initialization-Resilient Gradient Inversion with Fine-Grained Reconstruction. Kaiming Zhu, Jinsheng Yang, Siyang Guo, Huaqian Qin, Taiyu Wang, Junbo Wang, Yuhong Nan, Zibin Zheng. In USENIX Security Symposium 2026.
- [ICSE’25] SmartReco: Detecting Read-Only Reentrancy via Fine-Grained Cross-DApp Analysis. Jingwen Zhang, Zibin Zheng, Yuhong Nan, Mingxi Ye, Kaiwen Ning, Yu Zhang, Weizhe Zhang. In Proceedings of the 47th ACM/IEEE International Conference on Software Engineering. ICSE 2025: 2138-2150.
- [TOSEM’25] Detecting and Analyzing Fine-grained Third-party Library Dependencies in Solidity Smart Contracts. Sicheng Hao, Yuhong Nan, Zeqin Liao, Juan Zhai, and Zibin Zheng. ACM Transactions on Software Engineering and Methodology (2025).
- [TSE’25] ASTRO: Detecting Access Control Vulnerabilities in Smart Contracts via Graph Similarity Comparison. Wei Li, Yuhong Nan, Mingxi Ye, Jingwen Zhang, Peilin Zheng, Zibin Zheng. IEEE Trans. Software Eng. 51(12): 3267-3283 (2025).
- [TSE’25] Satellite: Detecting and Analyzing Smart Contract Vulnerabilities Caused by Subcontract Misuse. Zeqin Liao, Yuhong Nan, Zixu Gao, Henglong Liang, Sicheng Hao, Jiajing Wu, Zibin Zheng. IEEE Trans. Software Eng. 51(12): 3360-3375 (2025).
- [TSE’25] Augmenting Smart Contract Decompiler Output Through Fine-Grained Dependency Analysis and LLM-Facilitated Semantic Recovery. Zeqin Liao, Yuhong Nan, Zixu Gao, Henglong Liang, Sicheng Hao, Peifan Reng, Zibin Zheng. IEEE Trans. Software Eng. 51(12): 3574-3590 (2025).
- [ASE’25] Finding Insecure State Dependency in DApps via Multi-Source Tracing and Semantic Enrichment. Jingwen Zhang, Yuhong Nan, Wei Li, Kaiwen Ning, Zewei Lin, Zitong Yao, Yuming Feng, Weizhe Zhang, Zibin Zheng. In Proceedings of the 40th IEEE/ACM International Conference on Automated Software Engineering. ASE 2025: 1529-1540.
- [Security 25] Demystifying the (In)Security of QR Code-based Login in Real-world Deployments. Xin Zhang, Xiaohan Zhang, Bo Zhao, Yuhong Nan, Zhichen Liu, Jianzhou Chen, Huijun Zhou, Min Yang. In Proceedings of the 34th USENIX Security Symposium (USENIX Security'25), pp. 3161-3180 [Top] [CCF-A].
- [ICSE 25] SmartReco: Detecting Read-Only Reentrancy via Fine-Grained Cross-DApp Analysis. Jingwen Zhang, Zibin Zheng, Yuhong Nan, Mingxi Ye, Kaiwen Ning, Yu Zhang, Weizhe Zhang. In Proceedings of the 47th IEEE/ACM International Conference on Software Engineering (ICSE 2025), pp. 2138-2150 [Top] [CCF-A].
- [ICICS 25] Identifying Unusual Personal Data in Mobile Apps for Better Privacy Compliance Check. Jiatao Cheng, Yuhong Nan, Xueqiang Wang, Zhefan Chen, Yuliang Zhang. In Proceedings of the 18th International Conference on Information and Communications Security (ICICS 2025), pp. 545-563.
- [Security 24] Navigating the Privacy Compliance Maze: Understanding Risks with Privacy-Configurable Mobile SDKs. Yifan Zhang, Zhaojie Hu, Xueqiang Wang, Yuhui Hong, Yuhong Nan, XiaoFeng Wang, Jiatao Cheng, Luyi Xing. In Proceedings of the 33rd USENIX Security Symposium (USENIX Security’24) [Top] [CCF-A].
- [CCS 24] Are We Getting Well-informed? An In-depth Study of Runtime Privacy Notice Practice in Mobile Apps. Shuai Li, Zhemin Yang, Yuhong Nan, Shutian Yu, Qirui Zhu, Min Yang. In Proceedings of the 31st ACM Conference on Computer and Communications Security, CCS’24. [Top] [CCF-A].
- [CCS 24] Understanding Cross-Platform Referral Traffic for Illicit Drug Promotion. Mingming Zha, Zilong Lin, Siyuan Tang, Xiaojing Liao, Yuhong Nan, XiaoFeng Wang. In Proceedings of the 31st ACM Conference on Computer and Communications Security, CCS’24. [Top] [CCF-A].
- [NDSS 24] Leaking the Privacy of Groups and More: Understanding Privacy Risks of Cross-App Content Sharing in Mobile Ecosystem. Jiangrong Wu, Yuhong Nan, Luyi Xing, Jiatao Cheng, Zimin Lin, Zibin Zheng, Min Yang. In proceedings of the 31st Network and Distributed System Security Symposium [Top] [CCF-A].
- [Security 24] MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning. Zian Jia, Yun Xiong, Yuhong Nan, Yao Zhang, Jinjing Zhao, Mi Wen. In Proceedings of the 33rd USENIX Security Symposium (USENIX Security’24) [Top] [CCF-A].
- [FSE 24] SmartAxe: Detecting Cross-Chain Vulnerabilities in Bridge Smart Contracts via Fine-Grained Static Analysis. Zeqin Liao, Yuhong Nan, Henglong Liang, Sicheng Hao, Juan Zhai, Jiajing Wu, Zibin Zheng. Proc. ACM Softw. Eng. 1(FSE): 249-270 (2024). [Top] [CCF-A].
- [ASE 23] SmartCoco: Checking Comment-code Inconsistency in Smart Contracts via Constraint Propagation and Binding. Sicheng Hao, Yuhong Nan, Zibin Zheng, Xiaohui Liu. In Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering [Top] [CCF-A].
- [Security 23] AIRTAG: Towards Automated Attack Investigation by Unsupervised Learning with Log Texts. Hailun Ding, Juan Zhai, Yuhong Nan and Shiqing Ma. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security’23) [Top] [CCF-A].
- [Security 23] Are You Spying on Me? Large-Scale Analysis on IoT Data Exposure through Companion Apps. Yuhong Nan, Xueqiang Wang, Luyi Xing, Xiaojing Liao, Ruoyu Wu, Jianliang Wu, Yifan Zhang, and XiaoFeng Wang. In Proceedings of the 32nd USENIX Security Symposium [Top] [CCF-A].
- [Security 22] ProFactory: Improving IoT Security via Formalized Protocol Customization. Fei Wang, Jianliang Wu, Yuhong Nan, Yousra Aafer, Xiangyu Zhang, Dongyan Xu, and Mathias Payer. In Proceedings of the 31st USENIX Security Symposium (USENIX Security’22) [Top] [CCF A].
- [NDSS 22] Hazard Integrated: Understanding Security Risks in App Extensions to Team Chat Systems. Mingming Zha, Jice Wang, Yuhong Nan, XiaoFeng Wang, Yuqing Zhang, and Weidong Jing. In Proceedings of the 29th Network and Distributed System Security Symposium (NDSS’22) [Top] [CCF A].
- [NDSS 21] On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices. Zeyu Lei, Yuhong Nan, Yanick Fratantonio and Antonio Bianchi. In Proceedings of the 28th Network and Distributed System Security Symposium (Acceptance ratio 15.2%), [Top] [CCF A].
- [Security 21] Understanding Malicious Cross-library Data Harvesting on Android. Jice Wang, Yue Xiao, Xueqiang Wang, Yuhong Nan, Luyi Xing, Xiaojing Liao, Jinwei Dong, Nicolas Serrano, Haoran Lu, Xiaofeng Wang, and Yuqing Zhang. In Proceedings of the 30th USENIX Security Symposium [Top] [CCF-A].
- [Security 21] ATLAS: A Sequence-based Learning Approach for Attack Investigation. Abdulellah Alsaheel, Yuhong Nan, Shiqing Ma, Le Yu, Gregory Walkup, Berkay Celik, Xiangyu Zhang and Dongyan Xu. In proceedings of the 30th USENIX Security Symposium [Top] [CCF-A]
- [RAID'20] Jianliang Wu, Yuhong Nan, Vireshwar Kumar, Mathias Payer, and Dongyan Xu. "BlueShield: Detecting Spoofing Attacks in Bluetooth Low Energy (BLE) Networks." In proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses. [CCF-B]
- [WOOT'20] Jianliang Wu, Yuhong Nan, Vireshwar Kumar, Dave (Jing) Tian, Antonio Bianchi, Mathias Payer, and Dongyan Xu. "BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy." In proceedings of the 14th USENIX Workshop on Offensive Technologies.
- [CCS'18] Geng Hong, Zhemin Yang, Sen Yang, Lei Zhang, Yuhong Nan, Zhibo Zhang, Min Yang, Yuan Zhang, Zhiyun Qian, Haixin Duan. "How You Get Shot in the Back: A Systematical Study about Cryptojacking in the Real World." In proceedings of the 25th ACM Conference on Computer and Communications Security (CCS'18). [Top] [CCF-A].
- [NDSS'18] Yuhong Nan, Zhemin Yang, Xiaofeng Wang, Yuan Zhang, Donglai Zhu and Min Yang. "Finding Clues For Your Secrets: Semantics Driven, Learning Based Privacy Discovery in Mobile Apps." In proceedings of the 25th Network and Distributed System Security Symposium. [Top] [CCF-A].
- [TIFS'17] Yuhong Nan, Zhemin Yang, Min Yang, Shunfan Zhou, Yuan Zhang, Guofei Gu, Xiaofeng Wang, and Limin Sun. "Identifying User-Input Privacy in Mobile Applications at a Large Scale." IEEE Transactions on Information Forensics and Security 12, no. 3 (2017): 647-661. [Top] [CCF-A].
- [Security'15] Yuhong Nan, Zhemin Yang, Min Yang, Shunfan Zhou, Yuan Zhang, Guofei Gu, Xiaofeng Wang, and Limin Sun. "UIPicker: User-Input Privacy Identification in Mobile Applications." In proceedings of the 24th USENIX Security Symposium. [Top] [CCF-A].
Students
PhDs (co-advised with Prof. Zibin Zheng)
- 2025 Yuming Xiao
- 2023 Jiangrong Wu (Intern@ByteDance), Jingwen Zhang (Pencheng Lab), Bowei Su (Intern@AntGroup)
- 2022 Mingxi Ye (Intern@AntGroup), Sicheng Hao (Intern@Tencent), Wei Li (Intern@Huawei), Zhijie Zhong (Intern@AntGroup)
- 2021 Zeqin Liao (now Postdoc@NTU)
Graduates
- 2025 Zitong Yao, Yixi Lin
- 2024 Mengyi Long (Intern@Southern Power Grid), Yiming Zhang (Intern@ByteDance)
- 2023 Xun Zhu, Zhefan Chen (Intern@Tencent), Shaojiang Wang
- 2022 Jiatao Chen (PhD Student@HKU), Jiayin Huang, Dongpeng Wu (First job: WizardQuant)
- 2021 Zhaoxin Cai (First job: Tencent), Peifu Yang (First job: Tencent)
Undergraduates
- 2022 Xinyuan Zhang, Jiequan Zheng
- 2021 Yue Xu (Graduate Student@CMU), Qihua Ou (Graduate Student@SYSU), Zijian Chen (Public Institution@Dongguan)
- 2020 Yuliang Zhang (PhD Student@CityU), Junpeng Zhang (PhD Student@SJTU)
Academic Services
- The 2nd ACM Workshop on Explainable and Reliable Software Systems (EXPRESS 2026, co-located with SPLASH/ISSTA 2026), Organizing Committee Member
- The USENIX Security Symposium 2026, PC Member
- The ACM Conference on Computer and Communications Security (CCS) 2024, 2025, 2026, PC Member
- The IEEE/ACM International Conference on Automated Software Engineering (ASE) 2024, PC Member
- ACM Asia Conference on Computer and Communications Security (ASIACCS) 2021, 2022, PC Member
- International Conference on Information and Communications Security (ICICS) 2021, 2022, PC Member
- IEEE Transactions on Dependable and Secure Computing (TDSC), Reviewer
- IEEE Transactions on Information Forensics and Security (TIFS), Reviewer
- IEEE Transactions on Software Engineering (TSE), Reviewer
- IEEE Transactions on Mobile Computing (TMC), Reviewer
- ACM Transactions on Software Engineering and Methodology (TOSEM), Reviewer
- ACM Computing Surveys (CSUR), Reviewer
- ACM Transactions on Architecture and Code Optimization (TACO), Reviewer
- ACM Transactions on Privacy and Security (TOPS), Reviewer