计算机科学

计算机科学 ›› 2021, Vol. 48 ›› Issue (11): 79-88.doi: 10.11896/jsjkx.210600117

• 区块链技术* 上一篇    下一篇

智能合约漏洞检测工具研究综述

涂良琼, 孙小兵, 张佳乐, 蔡杰, 李斌, 薄莉莉   

  1. 扬州大学信息工程学院 江苏 扬州225127
  • 收稿日期:2021-06-16 修回日期:2021-08-12 出版日期:2021-11-15 发布日期:2021-11-10
  • 通讯作者: 孙小兵(xbsun@yzu.edu.cn)
  • 作者简介:tulq1336@163.com
  • 基金资助:
    国家自然科学基金(61872312,61972335,62002309);南京大学计算机软件新技术国家重点实验室资助项目(KFKT2020B15,KFKT2020B16);扬州大学高端人才支持计划(2019);江苏省“六大人才高峰”高层次人才项目(RJFW-053);江苏省“333”工程中青年科学技术带头人项目;扬州大学畜牧学学科特区学科交叉课题支持项目(yzuxk202015);江苏省高等学校自然科学研究面上项目(20KJB520024)

Survey of Vulnerability Detection Tools for Smart Contracts

TU Liang-qiong, SUN Xiao-bing, ZHANG Jia-le, CAI Jie, LI Bin, BO Li-li   

  1. School of Information Engineering,Yangzhou University,Yangzhou,Jiangsu 225127,China
  • Received:2021-06-16 Revised:2021-08-12 Online:2021-11-15 Published:2021-11-10
  • About author:TU Liang-qiong,born in 1996,postgra-duate.Her main research interests include smart contract security and so on.
    SUN Xiao-bing,born in 1985,Ph.D,professor,is a senior member of China Computer Federation.His main research interests include software analysis,maintenance and evolution.
  • Supported by:
    National Natural Science Foundation of China(61872312,61972335,62002309),Open Funds of State Key Laboratory for Novel Software Technology of Nanjing University(KFKT2020B15,KFKT2020B16),Yangzhou University Top-level Talents Support Program (2019),Six Talent Peaks Project in Jiangsu Province (RJFW-053),Jiangsu “333” Project,Cross-Disciplinary Project of the Animal Science Special Discipline of Yangzhou University (yzuxk202015) and Natural Science Foundation of the Jiangsu Higher Education Institutions of China (20KJB520024).

PDF (PC)

1975

摘要: 智能合约是区块链平台实现交易的重要组件,为多方交易间信任问题提供了一种有效的解决方案。智能合约不仅管理高价值代币还具有不可更改等特性,导致近年来智能合约多次遭受安全威胁。目前出现了大量关于智能合约安全性的研究,其中智能合约漏洞检测成为主要关注点。文中系统分析了智能合约安全问题,从是否执行合约的角度将漏洞检测工具分为静态检测工具和动态检测工具,并对检测工具进行对比分析,重点分析现有检测工具的漏洞检测能力,介绍了16种检测技术的原理及优缺点;最后,对如何提高智能合约安全性进行展望,提出了3个可能提高智能合约安全性的研究方向。

关键词: 漏洞检测, 区块链, 智能合约

Abstract: Smart contract is an important component of blockchain platform to realize transactions,which provides an effective solution to the trust problem between multi-party transactions.Smart contracts not only manage high value tokens but also have the characteristics of immutable,which lead to the security threats of smart contracts many times in recent years.At present,a lot of researches have devoted to the security of smart contracts,among which the vulnerability detection of smart contracts has become the main concern.This paper analyzes the security of smart contract systematically.From the perspective of whether to execute the smart contract,vulnerability detection tools are divided into static detection tools and dynamic detection tools.In particular,the vulnerability detection ability of existing detection tools is analyzed,and the principles,advantages and disadvantages of 16 detection technologies are discussed.Finally,the paper gives a prospect of how to improve the security of intelligent contract,and puts forward three research directions which may improve the security of smart contract.

Key words: Blockchain, Smart contract, Vulnerability detection

中图分类号: 

  • TP311
[1]SCHÄR F.Decentralized finance:On blockchain-and smart contract-based financial markets[J].FRB of St.Louis Review,2021,103(2):153-174.
[2]MOOSAVI J,NAENI L M,FATHOLLAHI-FARD A M,et al.Blockchain in supply chain management:a review,bibliometric,and network analysis[C]// Environmental Science and Pollution Research.2021:1-15.
[3]JIANG Y,ZHONG Y,GE X.Smart contract-based data commodity transactions for industrial Internet of Things[J].IEEE Access,2019,7:180856-180866.
[4]LI Q,WANG L.Research on the information sharing in thelinkage between manufacturing and logistics industry based on blockchain[J].Journal of Physics,2021,1774(1):012055.
[5]AL-JOBOURY I M,AL-HEMIARY E H.Automated Decentra-lized IoT Based Blockchain Using Ethereum Smart Contract for Healthcare[C]// Enhanced Telemedicine and e-Health:Advanced IoT Enabled Soft Computing Framework.2021:179-198.
[6]GRIGGS K N,OSSIPOVA O,KOHLIOS C P,et al.Healthcare blockchain system using smart contracts for secure automated remote patient monitoring[J].Journal of Medical Systems,2018,42(7):1-7.
[7]BUTERIN V.Critical update re:Dao vulnerability[OL].(2016-06-17).https://blog.ethereum.org/2016/06/17/critical-update-re-daovulnerability/.
[8]The Multi-sig Hack:A Postmortem.Blockchain Infrastructurefor the Decentralised Web[OL].https://www.parity.io/the-multi-sig-hack-apostmortem/,Jul.2017.
[9]KASHISYN D.A Postmortem on the Parity Multi-Sig Library Self-Destruct[OL].(2017-09-15).https://www.parity.io/a-postmortem-on-the-parity-multi-sig-library-self-destruct.
[10]LAUMEISTER M.BitListen,2019[OL].https://www.bitlisten.com/.
[11]WOOD G.Ethereum:A secure decentralised generalized tran-saction ledger [OL].https://gavwood.com/paper.pdf.
[12]CHEN W L,ZHENG Z B.Blockchain Data Analysis:A Review of Status,Trends and Challenges[J].Journal of Computer Research and Development,2018,55(9):1853-1870.
[13]FENG X,WANG Q,ZHU X,et al.Bug searching in smart contract[J].arXiv:1905.00799,2019.
[14]LIU J,LIU Z.A survey on security verification of blockchainsmart contracts[J].IEEE Access,2019,7:77894-77904.
[15]NI Y D,ZHANG C,YIN T T.A Survey of Smart Contract Vul-nerability Research[J].Journal of Cyber Security,2020,5(3):78-99.
[16] LÓPEZ V A,CASTEDO A T,SANDOVAL O A L,et al.Smart Contracts:A Review of Security Threats Alongside an Analysis of Existing Solutions[J].Entropy,2020,22(2):203.
[17]DEMIR M,ALALFI M,TURETKEN O,et al.Security smells in smart contracts[C]//2019 IEEE 19th International Confe-rence on Software Quality, Reliability and Security Companion(QRS-C).IEEE,2019:442-449.
[18]SZABO N.Formalizing and Securng Relationships on PublicNetworks[J].First Monday,1997,2(9):1-21.
[19]DANNENC.Solidity Programming[M]//Introducing Ethereum and Solidity.Berkeley,CA:Apress,2017:69-88.
[20]Vyper-Vyper documentation[OL].https://vyper.readthe-docs.io/en/latest/.
[21]Idris | A Language with Dependent Types[OL].https://www.idris-lang.org/.
[22]Rust | A Language with Dependent Types[OL]. https://www.rust-lang.org/.
[23]ATZEI N,BARTOLETTI M,CIMOLI T.A survey of attacks on ethereum smart contracts (sok)[C]//International Confe-rence on Principles of Security and Trust.Berlin:Springer,2017:164-186.
[24]DIKA A.Ethereum smart contracts:Security vulnerabilities and security tools[D].Trondheim :Norwegian University of Science and Technology,2017.
[25]CAI J,ZHOU P,HE J,et al.A software vulnerability detection method based on static analysis and dynamic symbolic execution[J].Computer Engineering & Science,2016,38(12):2536-2541.
[26]TIKHOMIROV S,VOSKRESENSKAYA E,IVANITSKIY I,et al.Smartcheck:Static analysis of ethereum smart contracts[C]//Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain.2018:9-16.
[27]FEIST J,GRIECO G,GROCE A.Slither:a static analysisframework for smart contracts[C]//2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).IEEE,2019:8-15.
[28]BRENT L,JURISEVIC A,KONG M,et al.Vandal:A scalable security analysis framework for smart contracts[J].arXiv:1809.03981,2018.
[29]KALRA S,GOEL S,DHAWAN M,et al.ZEUS:AnalyzingSafety of Smart Contracts[C]//Ndss.2018:1-12.
[30]GURFINKEL A,KAHSAI T,KOMURAVELLI A,et al.The SeaHorn verification framework[C]//International Conference on Computer Aided Verification.Cham:Springer,2015:343-361.
[31]TORRES C F,SCHÜTTE J,STATE R.Osiris:Hunting for integer bugs in ethereum smart contracts[C]//Proceedings of the 34th Annual Computer Security Applications Conference.2018:664-676.
[32]CHANG J,GAO B,XIAO H,et al.sCompile:Critical path identification and analysis for smart contracts[C]//International Conference on Formal Engineering Methods.Cham:Springer,2019:286-304.
[33]TSANKOV P,DAN A,DRACHSLER-COHEN D,et al.Securify:Practical security analysis of smart contracts[C]//Procee-dings of the 2018 ACM SIGSAC Conference on Computer and Communications Security.2018:67-82.
[34]PARK D,ZHANG Y,SAXENA M,et al.A formal verification tool for Ethereum VM bytecode[C]//Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering.2018:912-915.
[35]BHARGAVAN K,DELIGNAT-LAVAUD A,FOURNET C,et al.Formal verification of smart contracts:Short paper[C]//Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security.2016:91-96.
[36]GRISHCHENKO I,MAFFEI M,SCHNEIDEWIND C.Asemantic framework for the security analysis of ethereum smart contracts[C]//International Conference on Principles of Security and Trust.Cham:Springer,2018:243-269.
[37]SIDNEY A,MYRIAM B,MAKSYM B,et al.Towards Verifying Ethereum Smart Contract Bytecode in Isabelle/HOL[C]//Proceedings of the 7th ACM International Conference on Certified Programs and Proofs (CPP 2018).2018.
[38]LI Z J,ZHANG J X,LIAO X K,et al.Survey of Software Vulnerability Detection Techniques[J].Chinese Journal of Compu-ters,2015,38(4):717-732.
[39]LUU L,CHU D H,OLICKEL H,et al.Making smart contracts smarter[C]//Proceedings of the 2016 ACM SIGSAC Confe-rence on Computer and Communications Security.2016:254-269.
[40]MOSSBERG M,MANZANO F,HENNENFENT E,et al.Manticore:A user-friendly symbolic execution framework for binaries and smart contracts[C]//2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE).IEEE,2019:1186-1189.
[41]JIANG B,LIU Y,CHAN W K.Contractfuzzer:Fuzzing smart contracts for vulnerability detection[C]//2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).IEEE,2018:259-269.
[42]LIU C,LIU H,CAO Z,et al.Reguard:finding reentrancy bugs in smart contracts[C]//2018 IEEE/ACM 40th International Conference on Software Engineering:Companion (ICSE-Companion).IEEE,2018:65-68.
[43]GAO J,LIU H,LIU C,et al.Easyflow:Keep ethereum away from overflow[C]//2019 IEEE/ACM 41st International Conference on Software Engineering:Companion Proceedings (ICSE-Companion).IEEE,2019:23-26.
[44]CHEN J,XIA X,LO D,et al.Defining smart contract defects on ethereum[J].arXiv:1905.01467,2020.
[45]FROWIS M,BOHME R.In code we trust?Measuring the control flow immutability of all smart contracts deployed on Ethe-reum[J].LNCS,2017,10436:357-372.
[46]SAYEED S,MARCO-GISBERT H,CAIRA T.Smart Contract:Attacks and Protections[J].IEEE Access,2020,8:24416-24427.
[47]CHEN X,LIAO P,ZHANG Y,et al.Understanding Code Reuse in Smart Contracts[C]//2021 IEEE International Conference on Software Analysis,Evolution and Reengineering (SANER).IEEE,2021:470-479.
[48]PIERRO G A,TONELLI R.Analysis of Source Code Duplication in Ethreum Smart Contracts[C]//2021 IEEE International Conference on Software Analysis,Evolution and Reengineering (SANER).IEEE,2021:701-707.
[49]PEREZ D,LIVSHITS B.Smart contract vulnerabilities:Doesanyone care?[J].arXiv:1902.06710,2019.
[50]WANG Z,DAI W,CHOO K K R,et al.FSFC:An input filter-based secure framework for smart contract[J].Journal of Network and Computer Applications,2020,154:102530.
[51]TANN W J W,HAN X J,GUPTA S S,et al.Towards safersmart contracts:A sequence learning approach to detecting security threats[J].arXiv:1811.06632,2018.
[1] 王子凯, 朱健, 张伯钧, 胡凯.
区块链与智能合约并行方法研究与实现
Research and Implementation of Parallel Method in Blockchain and Smart Contract
计算机科学, 2022, 49(9): 312-317. https://doi.org/10.11896/jsjkx.210800102
[2] 黄松, 杜金虎, 王兴亚, 孙金磊.
以太坊智能合约模糊测试技术研究综述
Survey of Ethereum Smart Contract Fuzzing Technology Research
计算机科学, 2022, 49(8): 294-305. https://doi.org/10.11896/jsjkx.220500069
[3] 李博, 向海昀, 张宇翔, 廖浩德.
面向食品溯源场景的PBFT优化算法应用研究
Application Research of PBFT Optimization Algorithm for Food Traceability Scenarios
计算机科学, 2022, 49(6A): 723-728. https://doi.org/10.11896/jsjkx.210800018
[4] 周航, 姜河, 赵琰, 解相朋.
适用于各单元共识交易的电力区块链系统优化调度研究
Study on Optimal Scheduling of Power Blockchain System for Consensus Transaction ofEach Unit
计算机科学, 2022, 49(6A): 771-776. https://doi.org/10.11896/jsjkx.210600241
[5] 傅丽玉, 陆歌皓, 吴义明, 罗娅玲.
区块链技术的研究及其发展综述
Overview of Research and Development of Blockchain Technology
计算机科学, 2022, 49(6A): 447-461. https://doi.org/10.11896/jsjkx.210600214
[6] 高健博, 张家硕, 李青山, 陈钟.
RegLang:一种面向监管的智能合约编程语言
RegLang:A Smart Contract Programming Language for Regulation
计算机科学, 2022, 49(6A): 462-468. https://doi.org/10.11896/jsjkx.210700016
[7] 卫宏儒, 李思月, 郭涌浩.
基于智能合约的秘密重建协议
Secret Reconstruction Protocol Based on Smart Contract
计算机科学, 2022, 49(6A): 469-473. https://doi.org/10.11896/jsjkx.210700033
[8] 毛典辉, 黄晖煜, 赵爽.
符合监管合规性的自动合成新闻检测方法研究
Study on Automatic Synthetic News Detection Method Complying with Regulatory Compliance
计算机科学, 2022, 49(6A): 523-530. https://doi.org/10.11896/jsjkx.210300083
[9] 王思明, 谭北海, 余荣.
面向6G可信可靠智能的区块链分片与激励机制
Blockchain Sharding and Incentive Mechanism for 6G Dependable Intelligence
计算机科学, 2022, 49(6): 32-38. https://doi.org/10.11896/jsjkx.220400004
[10] 孙浩, 毛瀚宇, 张岩峰, 于戈, 徐石成, 何光宇.
区块链跨链技术发展及应用
Development and Application of Blockchain Cross-chain Technology
计算机科学, 2022, 49(5): 287-295. https://doi.org/10.11896/jsjkx.210800132
[11] 阳真, 黄松, 郑长友.
基于区块链与改进CP-ABE的众测知识产权保护技术研究
Study on Crowdsourced Testing Intellectual Property Protection Technology Based on Blockchain and Improved CP-ABE
计算机科学, 2022, 49(5): 325-332. https://doi.org/10.11896/jsjkx.210900075
[12] 任畅, 赵洪, 蒋华.
一种量子安全拜占庭容错共识机制
Quantum Secured-Byzantine Fault Tolerance Blockchain Consensus Mechanism
计算机科学, 2022, 49(5): 333-340. https://doi.org/10.11896/jsjkx.210400154
[13] 冯了了, 丁滟, 刘坤林, 马科林, 常俊胜.
区块链BFT共识算法研究进展
Research Advance on BFT Consensus Algorithms
计算机科学, 2022, 49(4): 329-339. https://doi.org/10.11896/jsjkx.210700011
[14] 王鑫, 周泽宝, 余芸, 陈禹旭, 任昊文, 蒋一波, 孙凌云.
一种面向电能量数据的联邦学习可靠性激励机制
Reliable Incentive Mechanism for Federated Learning of Electric Metering Data
计算机科学, 2022, 49(3): 31-38. https://doi.org/10.11896/jsjkx.210700195
[15] 张潆藜, 马佳利, 刘子昂, 刘新, 周睿.
以太坊Solidity智能合约漏洞检测方法综述
Overview of Vulnerability Detection Methods for Ethereum Solidity Smart Contracts
计算机科学, 2022, 49(3): 52-61. https://doi.org/10.11896/jsjkx.210700004
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发