计算机科学 ›› 2022, Vol. 49 ›› Issue (11A): 211200182-8.doi: 10.11896/jsjkx.211200182
陈乔松1, 何小阳1, 许文杰1, 邓欣1, 王进1, 朴昌浩2
CHEN Qiao-song1, HE Xiao-yang1, XU Wen-jie1, DENG Xin1, WANG Jin1, PIAO Chang-hao2
摘要: 随着区块链中智能合约的安全问题日益突出,智能合约的漏洞检测任务逐渐成为研究的热点。然而,目前的智能合约重入漏洞检测技术主要是符号执行、静态分析、形式化验证和模糊测试等传统的检测方法,这些检测方法不仅存在较高的误报率和漏报率,而且检测精度较低。同时,基于深度学习的方法也有其独特的局限性。针对这些问题,文中提出了一种将预训练技术与传统的专家知识相融合的检测方法,同时将智能合约进行切片处理,以此减小无关数据对模型的影响。文中聚焦于重入漏洞的检测,在203716份合约数据集上进行实验。实验结果表明,基于预训练技术和专家知识的智能合约重入漏洞检测方法具有96.2%的精确率、97.7%的召回率以及96.9%的F1分数,检测效果均优于现有的检测方法。
中图分类号:
[1]MEHAR M I,SHIER C L,GIAMBATTISTA A,et al.Under-standing a revolutionary and flawed grand experiment in blockchain:the DAO attack[J].Journal of Cases on Information Technology(JCIT),2019,21(1):19-32. [2]SLOWMIST HACKED[OL].https://hacked.slowmi-st.io/en/ [3]LUU L,CHU D H,OLICKEL H,et al.Making smart contracts smarter[C]//Proceedings of the 2016 ACM SIGSAC conference on computer and communications security.New York:Association for Computing Machinery,2016:254-269. [4]TORRES C F,SCHÜTTE J,STATE R.Osiris:Hunting for integer bugs in ethereum smart contracts[C]//Proceedings of the 34th Annual Computer Security Applications Conference.New York:Association for Computing Machinery,2018:664-676. [5]MUELLER B,HONIG J,PARASARAM N,et al.ConsenSys/mythril [OL].https://github.com/ConsenSys/mythril. [6]NIKOLIĆ I,KOLLURI A,SERGEY I,et al.Finding the greedy,prodigal,and suicidal contracts at scale[C]//Proceedings of the 34th Annual Computer Security Applications Conference.New York:Association for Computing Machinery,2018:653-663. [7]MOSSBERG M,MANZANO F,HENNENFENT E,et al.Manticore:A user-friendly symbolic execution framework for binaries and smart contracts[C]//2019 34th IEEE/ACM International Conference on Automated Software Engineering(ASE).New York:IEEE Press,2019:1186-1189. [8]TSANKOV P,DAN A,DRACHSLER-COHEN D,et al.Securify:Practical security analysis of smart contracts[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security.New York:Association for Computing Machinery,2018:67-82. [9]KALRA S,GOEL S,DHAWAN M,et al.Zeus:Analyzing safety of smart contracts[C]//Ndss.2018:1-12. [10]FEIST J,GRIECO G,GROCE A.Slither:a static analysisframework for smart contracts[C]//2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain(WETSEB).New York:IEEE Press,2019:8-15. [11]TIKHOMIROV S,VOSKRESENSKAYA E,IVANITSKIY I,et al.Smartcheck:Staticanalysis of ethereum smart contracts[C]//Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain.New York:Association for Computing Machinery,2018:9-16. [12]JIANG B,LIU Y,CHAN W K.Contractfuzzer:Fuzzing smart contracts for vulnerability detection[C]//2018 33rd IEEE/ACM International Conference on Automated Software Engineering(ASE).New York:IEEE Press,2018:259-269. [13]FERREIRA J F,CRUZ P,DURIEUX T,et al.SmartBugs:aframework to analyze solidity smart contracts[C]//Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering.New York:Association for Computing Machinery,2020:1349-1352. [14]DANNEN C.Solidity programming[M]//Introducing Ethereum and Solidity.Apress,Berkeley,CA,2017:69-88. [15]DEVLIN J,CHANG M W,LEE K,et al.Bert:Pre-training of deep bidirectional transformers for language understanding[J].arXiv:1810.04805,2018. [16]RADFORD A,NARASIMHAN K,SALIMANS T,et al.Improving language understanding by generative pre-training [OL].https://s3-us-west-2.amazonaws.com/openai-assets/research-covers/language-unsuper-vised/language_understanding_paper.pdf. [17]VASWANI A,SHAZEER N,PARMAR N,et al.Attention isall you need[J].Advances in Neural Information Processing Systems,2017,30. [18]FENG Z,GUO D,TANG D,et al.Codebert:A pre-trained mo-del for programming and natural languages[J].arXiv:2002.08155,2020. [19]GUO D,REN S,LU S,et al.Graphcodebert:Pre-training code representations with data flow[J].arXiv:2009.08366,2020. [20]LI Z,ZOU D,XU S,et al.SySeVR:A framework for using deep learning to detect software vulnerabilities[J].arXiv:1807.06756,2021. [21]WU H,ZHANG Z,WANG S,et al.Peculiar:Smart Contract Vulnerability Detection Based on Crucial Data Flow Graph and Pre-training Techniques[C]//2021 IEEE 32nd International Symposium on Software Reliability Engineering(ISSRE).New York:IEEE Press,378-389. [22]NGUYEN T D,PHAM L H,SUN J.sGUARD:Towards Fixing Vulnerable Smart Contracts Automatically[J].arXiv:2101.01917,2021. [23]LIU Z,QIAN P,WANG X,et al.Combining graph neural networks with expert knowledge for smart contract vulnerability detection[J].arXiv:2107.11598,2021. [24]TORRES C F,STEICHEN M.The art of the scam:Demystifying honeypots in ethereum smart contracts[C]//28th {USENIX} security symposium({USENIX} security 19).Santa Clara:USENIX Association,2019:1591-1607. [25]ZHUANG Y,LIU Z,QIAN P,et al.Smart Contract Vulnerabi-lity Detection using Graph Neural Network[C]//IJCAI.2020:3283-3290. [26]XING C,CHEN Z,CHEN L,et al.A new scheme of vulnerability analysis in smart contract with machine learning[J].Wireless Networks,2020:1-10. [27]TANN W J W,HAN X J,GUPTA S S,et al.Towards safersmart contracts:A sequence learning approach to detecting security threats[J].arXiv:1811.06632,2018. [28]NARAYANA K L,SATHIYAMURTHY K.Automation andsmart materials in detecting smart contracts vulnerabilities in Blockchain using deep learning[OL].https://www.sciencedirect.com/science/article/pii/S2214785321030273. [29]JEON S,LEE G,KIM H,et al.SmartConDetect:Highly Accurate Smart Contract Code Vulnerability Detection Mechanism using BERT[OL].https://seclab.skku.edu/wp-content/uploads/2021/08/PLP_7_SmartConDetect_-Highly-Accurate-Smart-Contract-Code-Vulnerability-Detection-Mechanism-using-BERT-Sowon-Jeon.pdf. |
[1] | 王子凯, 朱健, 张伯钧, 胡凯. 区块链与智能合约并行方法研究与实现 Research and Implementation of Parallel Method in Blockchain and Smart Contract 计算机科学, 2022, 49(9): 312-317. https://doi.org/10.11896/jsjkx.210800102 |
[2] | 黄松, 杜金虎, 王兴亚, 孙金磊. 以太坊智能合约模糊测试技术研究综述 Survey of Ethereum Smart Contract Fuzzing Technology Research 计算机科学, 2022, 49(8): 294-305. https://doi.org/10.11896/jsjkx.220500069 |
[3] | 傅丽玉, 陆歌皓, 吴义明, 罗娅玲. 区块链技术的研究及其发展综述 Overview of Research and Development of Blockchain Technology 计算机科学, 2022, 49(6A): 447-461. https://doi.org/10.11896/jsjkx.210600214 |
[4] | 高健博, 张家硕, 李青山, 陈钟. RegLang:一种面向监管的智能合约编程语言 RegLang:A Smart Contract Programming Language for Regulation 计算机科学, 2022, 49(6A): 462-468. https://doi.org/10.11896/jsjkx.210700016 |
[5] | 卫宏儒, 李思月, 郭涌浩. 基于智能合约的秘密重建协议 Secret Reconstruction Protocol Based on Smart Contract 计算机科学, 2022, 49(6A): 469-473. https://doi.org/10.11896/jsjkx.210700033 |
[6] | 毛典辉, 黄晖煜, 赵爽. 符合监管合规性的自动合成新闻检测方法研究 Study on Automatic Synthetic News Detection Method Complying with Regulatory Compliance 计算机科学, 2022, 49(6A): 523-530. https://doi.org/10.11896/jsjkx.210300083 |
[7] | 李博, 向海昀, 张宇翔, 廖浩德. 面向食品溯源场景的PBFT优化算法应用研究 Application Research of PBFT Optimization Algorithm for Food Traceability Scenarios 计算机科学, 2022, 49(6A): 723-728. https://doi.org/10.11896/jsjkx.210800018 |
[8] | 周航, 姜河, 赵琰, 解相朋. 适用于各单元共识交易的电力区块链系统优化调度研究 Study on Optimal Scheduling of Power Blockchain System for Consensus Transaction ofEach Unit 计算机科学, 2022, 49(6A): 771-776. https://doi.org/10.11896/jsjkx.210600241 |
[9] | 王思明, 谭北海, 余荣. 面向6G可信可靠智能的区块链分片与激励机制 Blockchain Sharding and Incentive Mechanism for 6G Dependable Intelligence 计算机科学, 2022, 49(6): 32-38. https://doi.org/10.11896/jsjkx.220400004 |
[10] | 孙浩, 毛瀚宇, 张岩峰, 于戈, 徐石成, 何光宇. 区块链跨链技术发展及应用 Development and Application of Blockchain Cross-chain Technology 计算机科学, 2022, 49(5): 287-295. https://doi.org/10.11896/jsjkx.210800132 |
[11] | 阳真, 黄松, 郑长友. 基于区块链与改进CP-ABE的众测知识产权保护技术研究 Study on Crowdsourced Testing Intellectual Property Protection Technology Based on Blockchain and Improved CP-ABE 计算机科学, 2022, 49(5): 325-332. https://doi.org/10.11896/jsjkx.210900075 |
[12] | 任畅, 赵洪, 蒋华. 一种量子安全拜占庭容错共识机制 Quantum Secured-Byzantine Fault Tolerance Blockchain Consensus Mechanism 计算机科学, 2022, 49(5): 333-340. https://doi.org/10.11896/jsjkx.210400154 |
[13] | 冯了了, 丁滟, 刘坤林, 马科林, 常俊胜. 区块链BFT共识算法研究进展 Research Advance on BFT Consensus Algorithms 计算机科学, 2022, 49(4): 329-339. https://doi.org/10.11896/jsjkx.210700011 |
[14] | 王鑫, 周泽宝, 余芸, 陈禹旭, 任昊文, 蒋一波, 孙凌云. 一种面向电能量数据的联邦学习可靠性激励机制 Reliable Incentive Mechanism for Federated Learning of Electric Metering Data 计算机科学, 2022, 49(3): 31-38. https://doi.org/10.11896/jsjkx.210700195 |
[15] | 张潆藜, 马佳利, 刘子昂, 刘新, 周睿. 以太坊Solidity智能合约漏洞检测方法综述 Overview of Vulnerability Detection Methods for Ethereum Solidity Smart Contracts 计算机科学, 2022, 49(3): 52-61. https://doi.org/10.11896/jsjkx.210700004 |
|