Computer Science, 2021, Vol. 48, Issue (11): 79-88. doi: 10.11896/jsjkx.210600117
涂良琼, 孙小兵, 张佳乐, 蔡杰, 李斌, 薄莉莉
TU Liang-qiong, SUN Xiao-bing, ZHANG Jia-le, CAI Jie, LI Bin, BO Li-li
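Abstract: Smart contracts are a key component through which blockchain platforms carry out transactions, and they provide an effective solution to the problem of trust among the parties to a multi-party transaction. Smart contracts not only manage high-value tokens but also have characteristics such as immutability, which has led to smart contracts repeatedly facing security threats in recent years. A large body of research on smart contract security has now appeared, with smart contract vulnerability detection as the main focus. This paper systematically analyzes smart contract security issues, divides vulnerability detection tools into static detection tools and dynamic detection tools according to whether the contract is executed, and compares the detection tools, focusing on the vulnerability detection capabilities of existing tools and introducing the principles, advantages and disadvantages of 16 detection techniques. Finally, it looks ahead to how smart contract security can be improved and proposes 3 research directions that may improve smart contract security.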