基于预训练技术和专家知识的重入漏洞检测

doi:10.11896/jsjkx.211200182

摘要/Abstract

摘要： 随着区块链中智能合约的安全问题日益突出,智能合约的漏洞检测任务逐渐成为研究的热点。然而,目前的智能合约重入漏洞检测技术主要是符号执行、静态分析、形式化验证和模糊测试等传统的检测方法,这些检测方法不仅存在较高的误报率和漏报率,而且检测精度较低。同时,基于深度学习的方法也有其独特的局限性。针对这些问题,文中提出了一种将预训练技术与传统的专家知识相融合的检测方法,同时将智能合约进行切片处理,以此减小无关数据对模型的影响。文中聚焦于重入漏洞的检测,在203716份合约数据集上进行实验。实验结果表明,基于预训练技术和专家知识的智能合约重入漏洞检测方法具有96.2%的精确率、97.7%的召回率以及96.9%的F1分数,检测效果均优于现有的检测方法。

关键词: 区块链, 智能合约, 漏洞检测, 预训练技术, 专家知识

Abstract: As the security issues of smart contracts in blockchain become increasingly prominent,the vulnerability detection tasks of smart contracts have gradually become a research hotspot.However,the current smart contract reentrancy vulnerability detection technologies are mainly traditional detection methods such as symbolic execution,static analysis,formal verification and fuzzing.These detection methods not only have high false positive rate and false negative rate,but also have low detection accuracy.At the same time,methods based on deep learning also have their unique limitations.In response to these problems,this paper proposes a detection method that combines pre-training technology and traditional expert knowledge,and at the same time slices smart contracts to reduce the impact of irrelevant data on the model.This paper focuses on the detection of reentrancy vulnerability and conducts experiments on 203716 contract data sets.Experimental results show that the smart contract reentrancy vulnerability detection method based on pre-training technology and expert knowledge has an accuracy rate of 96.2%,a recall rate of 97.7% and a F1 score of 96.9%,which are better than existing detection methods.

Key words: Blockchain, Smart contract, Vulnerability detection, Pre-training technology, Expert knowledge

中图分类号:

TP311

陈乔松, 何小阳, 许文杰, 邓欣, 王进, 朴昌浩. 基于预训练技术和专家知识的重入漏洞检测[J]. 计算机科学, 2022, 49(11A): 211200182-8. https://doi.org/10.11896/jsjkx.211200182

CHEN Qiao-song, HE Xiao-yang, XU Wen-jie, DENG Xin, WANG Jin, PIAO Chang-hao. Reentrancy Vulnerability Detection Based on Pre-training Technology and Expert Knowledge[J]. Computer Science, 2022, 49(11A): 211200182-8. https://doi.org/10.11896/jsjkx.211200182

参考文献

[1]MEHAR M I,SHIER C L,GIAMBATTISTA A,et al.Under-standing a revolutionary and flawed grand experiment in blockchain:the DAO attack[J].Journal of Cases on Information Technology(JCIT),2019,21(1):19-32.
[2]SLOWMIST HACKED[OL].https://hacked.slowmi-st.io/en/
[3]LUU L,CHU D H,OLICKEL H,et al.Making smart contracts smarter[C]//Proceedings of the 2016 ACM SIGSAC conference on computer and communications security.New York:Association for Computing Machinery,2016:254-269.
[4]TORRES C F,SCHÜTTE J,STATE R.Osiris:Hunting for integer bugs in ethereum smart contracts[C]//Proceedings of the 34th Annual Computer Security Applications Conference.New York:Association for Computing Machinery,2018:664-676.
[5]MUELLER B,HONIG J,PARASARAM N,et al.ConsenSys/mythril [OL].https://github.com/ConsenSys/mythril.
[6]NIKOLIĆ I,KOLLURI A,SERGEY I,et al.Finding the greedy,prodigal,and suicidal contracts at scale[C]//Proceedings of the 34th Annual Computer Security Applications Conference.New York:Association for Computing Machinery,2018:653-663.
[7]MOSSBERG M,MANZANO F,HENNENFENT E,et al.Manticore:A user-friendly symbolic execution framework for binaries and smart contracts[C]//2019 34th IEEE/ACM International Conference on Automated Software Engineering(ASE).New York:IEEE Press,2019:1186-1189.
[8]TSANKOV P,DAN A,DRACHSLER-COHEN D,et al.Securify:Practical security analysis of smart contracts[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security.New York:Association for Computing Machinery,2018:67-82.
[9]KALRA S,GOEL S,DHAWAN M,et al.Zeus:Analyzing safety of smart contracts[C]//Ndss.2018:1-12.
[10]FEIST J,GRIECO G,GROCE A.Slither:a static analysisframework for smart contracts[C]//2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain(WETSEB).New York:IEEE Press,2019:8-15.
[11]TIKHOMIROV S,VOSKRESENSKAYA E,IVANITSKIY I,et al.Smartcheck:Staticanalysis of ethereum smart contracts[C]//Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain.New York:Association for Computing Machinery,2018:9-16.
[12]JIANG B,LIU Y,CHAN W K.Contractfuzzer:Fuzzing smart contracts for vulnerability detection[C]//2018 33rd IEEE/ACM International Conference on Automated Software Engineering(ASE).New York:IEEE Press,2018:259-269.
[13]FERREIRA J F,CRUZ P,DURIEUX T,et al.SmartBugs:aframework to analyze solidity smart contracts[C]//Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering.New York:Association for Computing Machinery,2020:1349-1352.
[14]DANNEN C.Solidity programming[M]//Introducing Ethereum and Solidity.Apress,Berkeley,CA,2017:69-88.
[15]DEVLIN J,CHANG M W,LEE K,et al.Bert:Pre-training of deep bidirectional transformers for language understanding[J].arXiv:1810.04805,2018.
[16]RADFORD A,NARASIMHAN K,SALIMANS T,et al.Improving language understanding by generative pre-training [OL].https://s3-us-west-2.amazonaws.com/openai-assets/research-covers/language-unsuper-vised/language_understanding_paper.pdf.
[17]VASWANI A,SHAZEER N,PARMAR N,et al.Attention isall you need[J].Advances in Neural Information Processing Systems,2017,30.
[18]FENG Z,GUO D,TANG D,et al.Codebert:A pre-trained mo-del for programming and natural languages[J].arXiv:2002.08155,2020.
[19]GUO D,REN S,LU S,et al.Graphcodebert:Pre-training code representations with data flow[J].arXiv:2009.08366,2020.
[20]LI Z,ZOU D,XU S,et al.SySeVR:A framework for using deep learning to detect software vulnerabilities[J].arXiv:1807.06756,2021.
[21]WU H,ZHANG Z,WANG S,et al.Peculiar:Smart Contract Vulnerability Detection Based on Crucial Data Flow Graph and Pre-training Techniques[C]//2021 IEEE 32nd International Symposium on Software Reliability Engineering(ISSRE).New York:IEEE Press,378-389.
[22]NGUYEN T D,PHAM L H,SUN J.sGUARD:Towards Fixing Vulnerable Smart Contracts Automatically[J].arXiv:2101.01917,2021.
[23]LIU Z,QIAN P,WANG X,et al.Combining graph neural networks with expert knowledge for smart contract vulnerability detection[J].arXiv:2107.11598,2021.
[24]TORRES C F,STEICHEN M.The art of the scam:Demystifying honeypots in ethereum smart contracts[C]//28th {USENIX} security symposium({USENIX} security 19).Santa Clara:USENIX Association,2019:1591-1607.
[25]ZHUANG Y,LIU Z,QIAN P,et al.Smart Contract Vulnerabi-lity Detection using Graph Neural Network[C]//IJCAI.2020:3283-3290.
[26]XING C,CHEN Z,CHEN L,et al.A new scheme of vulnerability analysis in smart contract with machine learning[J].Wireless Networks,2020:1-10.
[27]TANN W J W,HAN X J,GUPTA S S,et al.Towards safersmart contracts:A sequence learning approach to detecting security threats[J].arXiv:1811.06632,2018.
[28]NARAYANA K L,SATHIYAMURTHY K.Automation andsmart materials in detecting smart contracts vulnerabilities in Blockchain using deep learning[OL].https://www.sciencedirect.com/science/article/pii/S2214785321030273.
[29]JEON S,LEE G,KIM H,et al.SmartConDetect:Highly Accurate Smart Contract Code Vulnerability Detection Mechanism using BERT[OL].https://seclab.skku.edu/wp-content/uploads/2021/08/PLP_7_SmartConDetect_-Highly-Accurate-Smart-Contract-Code-Vulnerability-Detection-Mechanism-using-BERT-Sowon-Jeon.pdf.

相关文章 15

[1]	王子凯, 朱健, 张伯钧, 胡凯. 区块链与智能合约并行方法研究与实现 Research and Implementation of Parallel Method in Blockchain and Smart Contract 计算机科学, 2022, 49(9): 312-317. https://doi.org/10.11896/jsjkx.210800102
[2]	黄松, 杜金虎, 王兴亚, 孙金磊. 以太坊智能合约模糊测试技术研究综述 Survey of Ethereum Smart Contract Fuzzing Technology Research 计算机科学, 2022, 49(8): 294-305. https://doi.org/10.11896/jsjkx.220500069
[3]	傅丽玉, 陆歌皓, 吴义明, 罗娅玲. 区块链技术的研究及其发展综述 Overview of Research and Development of Blockchain Technology 计算机科学, 2022, 49(6A): 447-461. https://doi.org/10.11896/jsjkx.210600214
[4]	高健博, 张家硕, 李青山, 陈钟. RegLang:一种面向监管的智能合约编程语言 RegLang:A Smart Contract Programming Language for Regulation 计算机科学, 2022, 49(6A): 462-468. https://doi.org/10.11896/jsjkx.210700016
[5]	卫宏儒, 李思月, 郭涌浩. 基于智能合约的秘密重建协议 Secret Reconstruction Protocol Based on Smart Contract 计算机科学, 2022, 49(6A): 469-473. https://doi.org/10.11896/jsjkx.210700033
[6]	毛典辉, 黄晖煜, 赵爽. 符合监管合规性的自动合成新闻检测方法研究 Study on Automatic Synthetic News Detection Method Complying with Regulatory Compliance 计算机科学, 2022, 49(6A): 523-530. https://doi.org/10.11896/jsjkx.210300083
[7]	李博, 向海昀, 张宇翔, 廖浩德. 面向食品溯源场景的PBFT优化算法应用研究 Application Research of PBFT Optimization Algorithm for Food Traceability Scenarios 计算机科学, 2022, 49(6A): 723-728. https://doi.org/10.11896/jsjkx.210800018
[8]	周航, 姜河, 赵琰, 解相朋. 适用于各单元共识交易的电力区块链系统优化调度研究 Study on Optimal Scheduling of Power Blockchain System for Consensus Transaction ofEach Unit 计算机科学, 2022, 49(6A): 771-776. https://doi.org/10.11896/jsjkx.210600241
[9]	王思明, 谭北海, 余荣. 面向6G可信可靠智能的区块链分片与激励机制 Blockchain Sharding and Incentive Mechanism for 6G Dependable Intelligence 计算机科学, 2022, 49(6): 32-38. https://doi.org/10.11896/jsjkx.220400004
[10]	孙浩, 毛瀚宇, 张岩峰, 于戈, 徐石成, 何光宇. 区块链跨链技术发展及应用 Development and Application of Blockchain Cross-chain Technology 计算机科学, 2022, 49(5): 287-295. https://doi.org/10.11896/jsjkx.210800132
[11]	阳真, 黄松, 郑长友. 基于区块链与改进CP-ABE的众测知识产权保护技术研究 Study on Crowdsourced Testing Intellectual Property Protection Technology Based on Blockchain and Improved CP-ABE 计算机科学, 2022, 49(5): 325-332. https://doi.org/10.11896/jsjkx.210900075
[12]	任畅, 赵洪, 蒋华. 一种量子安全拜占庭容错共识机制 Quantum Secured-Byzantine Fault Tolerance Blockchain Consensus Mechanism 计算机科学, 2022, 49(5): 333-340. https://doi.org/10.11896/jsjkx.210400154
[13]	冯了了, 丁滟, 刘坤林, 马科林, 常俊胜. 区块链BFT共识算法研究进展 Research Advance on BFT Consensus Algorithms 计算机科学, 2022, 49(4): 329-339. https://doi.org/10.11896/jsjkx.210700011
[14]	王鑫, 周泽宝, 余芸, 陈禹旭, 任昊文, 蒋一波, 孙凌云. 一种面向电能量数据的联邦学习可靠性激励机制 Reliable Incentive Mechanism for Federated Learning of Electric Metering Data 计算机科学, 2022, 49(3): 31-38. https://doi.org/10.11896/jsjkx.210700195
[15]	张潆藜, 马佳利, 刘子昂, 刘新, 周睿. 以太坊Solidity智能合约漏洞检测方法综述 Overview of Vulnerability Detection Methods for Ethereum Solidity Smart Contracts 计算机科学, 2022, 49(3): 52-61. https://doi.org/10.11896/jsjkx.210700004

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed