计算机科学 ›› 2021, Vol. 48 ›› Issue (11): 79-88.doi: 10.11896/jsjkx.210600117
涂良琼, 孙小兵, 张佳乐, 蔡杰, 李斌, 薄莉莉
TU Liang-qiong, SUN Xiao-bing, ZHANG Jia-le, CAI Jie, LI Bin, BO Li-li
摘要: 智能合约是区块链平台实现交易的重要组件,为多方交易间信任问题提供了一种有效的解决方案。智能合约不仅管理高价值代币还具有不可更改等特性,导致近年来智能合约多次遭受安全威胁。目前出现了大量关于智能合约安全性的研究,其中智能合约漏洞检测成为主要关注点。文中系统分析了智能合约安全问题,从是否执行合约的角度将漏洞检测工具分为静态检测工具和动态检测工具,并对检测工具进行对比分析,重点分析现有检测工具的漏洞检测能力,介绍了16种检测技术的原理及优缺点;最后,对如何提高智能合约安全性进行展望,提出了3个可能提高智能合约安全性的研究方向。
中图分类号:
[1]SCHÄR F.Decentralized finance:On blockchain-and smart contract-based financial markets[J].FRB of St.Louis Review,2021,103(2):153-174. [2]MOOSAVI J,NAENI L M,FATHOLLAHI-FARD A M,et al.Blockchain in supply chain management:a review,bibliometric,and network analysis[C]// Environmental Science and Pollution Research.2021:1-15. [3]JIANG Y,ZHONG Y,GE X.Smart contract-based data commodity transactions for industrial Internet of Things[J].IEEE Access,2019,7:180856-180866. [4]LI Q,WANG L.Research on the information sharing in thelinkage between manufacturing and logistics industry based on blockchain[J].Journal of Physics,2021,1774(1):012055. [5]AL-JOBOURY I M,AL-HEMIARY E H.Automated Decentra-lized IoT Based Blockchain Using Ethereum Smart Contract for Healthcare[C]// Enhanced Telemedicine and e-Health:Advanced IoT Enabled Soft Computing Framework.2021:179-198. [6]GRIGGS K N,OSSIPOVA O,KOHLIOS C P,et al.Healthcare blockchain system using smart contracts for secure automated remote patient monitoring[J].Journal of Medical Systems,2018,42(7):1-7. [7]BUTERIN V.Critical update re:Dao vulnerability[OL].(2016-06-17).https://blog.ethereum.org/2016/06/17/critical-update-re-daovulnerability/. [8]The Multi-sig Hack:A Postmortem.Blockchain Infrastructurefor the Decentralised Web[OL].https://www.parity.io/the-multi-sig-hack-apostmortem/,Jul.2017. [9]KASHISYN D.A Postmortem on the Parity Multi-Sig Library Self-Destruct[OL].(2017-09-15).https://www.parity.io/a-postmortem-on-the-parity-multi-sig-library-self-destruct. [10]LAUMEISTER M.BitListen,2019[OL].https://www.bitlisten.com/. [11]WOOD G.Ethereum:A secure decentralised generalized tran-saction ledger [OL].https://gavwood.com/paper.pdf. [12]CHEN W L,ZHENG Z B.Blockchain Data Analysis:A Review of Status,Trends and Challenges[J].Journal of Computer Research and Development,2018,55(9):1853-1870. [13]FENG X,WANG Q,ZHU X,et al.Bug searching in smart contract[J].arXiv:1905.00799,2019. [14]LIU J,LIU Z.A survey on security verification of blockchainsmart contracts[J].IEEE Access,2019,7:77894-77904. [15]NI Y D,ZHANG C,YIN T T.A Survey of Smart Contract Vul-nerability Research[J].Journal of Cyber Security,2020,5(3):78-99. [16] LÓPEZ V A,CASTEDO A T,SANDOVAL O A L,et al.Smart Contracts:A Review of Security Threats Alongside an Analysis of Existing Solutions[J].Entropy,2020,22(2):203. [17]DEMIR M,ALALFI M,TURETKEN O,et al.Security smells in smart contracts[C]//2019 IEEE 19th International Confe-rence on Software Quality, Reliability and Security Companion(QRS-C).IEEE,2019:442-449. [18]SZABO N.Formalizing and Securng Relationships on PublicNetworks[J].First Monday,1997,2(9):1-21. [19]DANNENC.Solidity Programming[M]//Introducing Ethereum and Solidity.Berkeley,CA:Apress,2017:69-88. [20]Vyper-Vyper documentation[OL].https://vyper.readthe-docs.io/en/latest/. [21]Idris | A Language with Dependent Types[OL].https://www.idris-lang.org/. [22]Rust | A Language with Dependent Types[OL]. https://www.rust-lang.org/. [23]ATZEI N,BARTOLETTI M,CIMOLI T.A survey of attacks on ethereum smart contracts (sok)[C]//International Confe-rence on Principles of Security and Trust.Berlin:Springer,2017:164-186. [24]DIKA A.Ethereum smart contracts:Security vulnerabilities and security tools[D].Trondheim :Norwegian University of Science and Technology,2017. [25]CAI J,ZHOU P,HE J,et al.A software vulnerability detection method based on static analysis and dynamic symbolic execution[J].Computer Engineering & Science,2016,38(12):2536-2541. [26]TIKHOMIROV S,VOSKRESENSKAYA E,IVANITSKIY I,et al.Smartcheck:Static analysis of ethereum smart contracts[C]//Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain.2018:9-16. [27]FEIST J,GRIECO G,GROCE A.Slither:a static analysisframework for smart contracts[C]//2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).IEEE,2019:8-15. [28]BRENT L,JURISEVIC A,KONG M,et al.Vandal:A scalable security analysis framework for smart contracts[J].arXiv:1809.03981,2018. [29]KALRA S,GOEL S,DHAWAN M,et al.ZEUS:AnalyzingSafety of Smart Contracts[C]//Ndss.2018:1-12. [30]GURFINKEL A,KAHSAI T,KOMURAVELLI A,et al.The SeaHorn verification framework[C]//International Conference on Computer Aided Verification.Cham:Springer,2015:343-361. [31]TORRES C F,SCHÜTTE J,STATE R.Osiris:Hunting for integer bugs in ethereum smart contracts[C]//Proceedings of the 34th Annual Computer Security Applications Conference.2018:664-676. [32]CHANG J,GAO B,XIAO H,et al.sCompile:Critical path identification and analysis for smart contracts[C]//International Conference on Formal Engineering Methods.Cham:Springer,2019:286-304. [33]TSANKOV P,DAN A,DRACHSLER-COHEN D,et al.Securify:Practical security analysis of smart contracts[C]//Procee-dings of the 2018 ACM SIGSAC Conference on Computer and Communications Security.2018:67-82. [34]PARK D,ZHANG Y,SAXENA M,et al.A formal verification tool for Ethereum VM bytecode[C]//Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering.2018:912-915. [35]BHARGAVAN K,DELIGNAT-LAVAUD A,FOURNET C,et al.Formal verification of smart contracts:Short paper[C]//Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security.2016:91-96. [36]GRISHCHENKO I,MAFFEI M,SCHNEIDEWIND C.Asemantic framework for the security analysis of ethereum smart contracts[C]//International Conference on Principles of Security and Trust.Cham:Springer,2018:243-269. [37]SIDNEY A,MYRIAM B,MAKSYM B,et al.Towards Verifying Ethereum Smart Contract Bytecode in Isabelle/HOL[C]//Proceedings of the 7th ACM International Conference on Certified Programs and Proofs (CPP 2018).2018. [38]LI Z J,ZHANG J X,LIAO X K,et al.Survey of Software Vulnerability Detection Techniques[J].Chinese Journal of Compu-ters,2015,38(4):717-732. [39]LUU L,CHU D H,OLICKEL H,et al.Making smart contracts smarter[C]//Proceedings of the 2016 ACM SIGSAC Confe-rence on Computer and Communications Security.2016:254-269. [40]MOSSBERG M,MANZANO F,HENNENFENT E,et al.Manticore:A user-friendly symbolic execution framework for binaries and smart contracts[C]//2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE).IEEE,2019:1186-1189. [41]JIANG B,LIU Y,CHAN W K.Contractfuzzer:Fuzzing smart contracts for vulnerability detection[C]//2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).IEEE,2018:259-269. [42]LIU C,LIU H,CAO Z,et al.Reguard:finding reentrancy bugs in smart contracts[C]//2018 IEEE/ACM 40th International Conference on Software Engineering:Companion (ICSE-Companion).IEEE,2018:65-68. [43]GAO J,LIU H,LIU C,et al.Easyflow:Keep ethereum away from overflow[C]//2019 IEEE/ACM 41st International Conference on Software Engineering:Companion Proceedings (ICSE-Companion).IEEE,2019:23-26. [44]CHEN J,XIA X,LO D,et al.Defining smart contract defects on ethereum[J].arXiv:1905.01467,2020. [45]FROWIS M,BOHME R.In code we trust?Measuring the control flow immutability of all smart contracts deployed on Ethe-reum[J].LNCS,2017,10436:357-372. [46]SAYEED S,MARCO-GISBERT H,CAIRA T.Smart Contract:Attacks and Protections[J].IEEE Access,2020,8:24416-24427. [47]CHEN X,LIAO P,ZHANG Y,et al.Understanding Code Reuse in Smart Contracts[C]//2021 IEEE International Conference on Software Analysis,Evolution and Reengineering (SANER).IEEE,2021:470-479. [48]PIERRO G A,TONELLI R.Analysis of Source Code Duplication in Ethreum Smart Contracts[C]//2021 IEEE International Conference on Software Analysis,Evolution and Reengineering (SANER).IEEE,2021:701-707. [49]PEREZ D,LIVSHITS B.Smart contract vulnerabilities:Doesanyone care?[J].arXiv:1902.06710,2019. [50]WANG Z,DAI W,CHOO K K R,et al.FSFC:An input filter-based secure framework for smart contract[J].Journal of Network and Computer Applications,2020,154:102530. [51]TANN W J W,HAN X J,GUPTA S S,et al.Towards safersmart contracts:A sequence learning approach to detecting security threats[J].arXiv:1811.06632,2018. |
[1] | 王子凯, 朱健, 张伯钧, 胡凯. 区块链与智能合约并行方法研究与实现 Research and Implementation of Parallel Method in Blockchain and Smart Contract 计算机科学, 2022, 49(9): 312-317. https://doi.org/10.11896/jsjkx.210800102 |
[2] | 黄松, 杜金虎, 王兴亚, 孙金磊. 以太坊智能合约模糊测试技术研究综述 Survey of Ethereum Smart Contract Fuzzing Technology Research 计算机科学, 2022, 49(8): 294-305. https://doi.org/10.11896/jsjkx.220500069 |
[3] | 李博, 向海昀, 张宇翔, 廖浩德. 面向食品溯源场景的PBFT优化算法应用研究 Application Research of PBFT Optimization Algorithm for Food Traceability Scenarios 计算机科学, 2022, 49(6A): 723-728. https://doi.org/10.11896/jsjkx.210800018 |
[4] | 周航, 姜河, 赵琰, 解相朋. 适用于各单元共识交易的电力区块链系统优化调度研究 Study on Optimal Scheduling of Power Blockchain System for Consensus Transaction ofEach Unit 计算机科学, 2022, 49(6A): 771-776. https://doi.org/10.11896/jsjkx.210600241 |
[5] | 傅丽玉, 陆歌皓, 吴义明, 罗娅玲. 区块链技术的研究及其发展综述 Overview of Research and Development of Blockchain Technology 计算机科学, 2022, 49(6A): 447-461. https://doi.org/10.11896/jsjkx.210600214 |
[6] | 高健博, 张家硕, 李青山, 陈钟. RegLang:一种面向监管的智能合约编程语言 RegLang:A Smart Contract Programming Language for Regulation 计算机科学, 2022, 49(6A): 462-468. https://doi.org/10.11896/jsjkx.210700016 |
[7] | 卫宏儒, 李思月, 郭涌浩. 基于智能合约的秘密重建协议 Secret Reconstruction Protocol Based on Smart Contract 计算机科学, 2022, 49(6A): 469-473. https://doi.org/10.11896/jsjkx.210700033 |
[8] | 毛典辉, 黄晖煜, 赵爽. 符合监管合规性的自动合成新闻检测方法研究 Study on Automatic Synthetic News Detection Method Complying with Regulatory Compliance 计算机科学, 2022, 49(6A): 523-530. https://doi.org/10.11896/jsjkx.210300083 |
[9] | 王思明, 谭北海, 余荣. 面向6G可信可靠智能的区块链分片与激励机制 Blockchain Sharding and Incentive Mechanism for 6G Dependable Intelligence 计算机科学, 2022, 49(6): 32-38. https://doi.org/10.11896/jsjkx.220400004 |
[10] | 孙浩, 毛瀚宇, 张岩峰, 于戈, 徐石成, 何光宇. 区块链跨链技术发展及应用 Development and Application of Blockchain Cross-chain Technology 计算机科学, 2022, 49(5): 287-295. https://doi.org/10.11896/jsjkx.210800132 |
[11] | 阳真, 黄松, 郑长友. 基于区块链与改进CP-ABE的众测知识产权保护技术研究 Study on Crowdsourced Testing Intellectual Property Protection Technology Based on Blockchain and Improved CP-ABE 计算机科学, 2022, 49(5): 325-332. https://doi.org/10.11896/jsjkx.210900075 |
[12] | 任畅, 赵洪, 蒋华. 一种量子安全拜占庭容错共识机制 Quantum Secured-Byzantine Fault Tolerance Blockchain Consensus Mechanism 计算机科学, 2022, 49(5): 333-340. https://doi.org/10.11896/jsjkx.210400154 |
[13] | 冯了了, 丁滟, 刘坤林, 马科林, 常俊胜. 区块链BFT共识算法研究进展 Research Advance on BFT Consensus Algorithms 计算机科学, 2022, 49(4): 329-339. https://doi.org/10.11896/jsjkx.210700011 |
[14] | 王鑫, 周泽宝, 余芸, 陈禹旭, 任昊文, 蒋一波, 孙凌云. 一种面向电能量数据的联邦学习可靠性激励机制 Reliable Incentive Mechanism for Federated Learning of Electric Metering Data 计算机科学, 2022, 49(3): 31-38. https://doi.org/10.11896/jsjkx.210700195 |
[15] | 张潆藜, 马佳利, 刘子昂, 刘新, 周睿. 以太坊Solidity智能合约漏洞检测方法综述 Overview of Vulnerability Detection Methods for Ethereum Solidity Smart Contracts 计算机科学, 2022, 49(3): 52-61. https://doi.org/10.11896/jsjkx.210700004 |
|