Computer Science (计算机科学), 2022, Vol. 49, Issue (8): 294-305. doi: 10.11896/jsjkx.220500069

• Information Security •

  • Corresponding author: DU Jin-hu (dujinhu@aeu.edu.cn)
  • About author: HUANG Song (huangsong@aeu.edu.cn)

Survey of Ethereum Smart Contract Fuzzing Technology Research

HUANG Song (黄松)1, DU Jin-hu (杜金虎)1, WANG Xing-ya (王兴亚)1,2, SUN Jin-lei (孙金磊)1

  1 Institute of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210007, China
  2 College of Computer Science and Technology, Nanjing Tech University, Nanjing 211816, China
  • Received: 2022-05-07  Revised: 2022-06-10  Published: 2022-08-02
  • About author: HUANG Song, born in 1970, Ph.D., professor, Ph.D. supervisor, is a senior member of China Computer Federation. His main research interests include software testing and software reliability.
    DU Jin-hu, born in 1998, postgraduate. His main research interests include smart contract security and fuzzing.
  • Supported by:
    National Key R&D Program of China (2018YFB1403400), Comprehensive Research on Equipment Items (LJ20212C011118), General Project of Basic Natural Science in Colleges and Universities of Jiangsu Province (21KJB520027), Key Project of University Education Information Research (2021JSETKT023) and Project of University-Industry Collaborative Education (202002180001).


Abstract: Smart contracts running on blockchain platforms establish and automatically execute agreements between different participants, and also manage a large number of digital assets. The frequent exposure of smart contract vulnerabilities has caused incalculable economic losses. Fuzzing is an effective dynamic vulnerability detection technique that has been applied to smart contract security research. This paper analyzes the insufficient coverage of smart contract fuzzing in existing survey work and proposes a basic framework for smart contract fuzzing. Taking Ethereum smart contracts, currently the most widely studied platform in smart contract security, as an example, it introduces the account mechanism and transaction structure closely related to smart contracts and summarizes the characteristics that distinguish smart contracts from traditional programs. It expounds the vulnerabilities of smart contracts and compares the vulnerabilities covered by existing smart contract fuzzing techniques. Furthermore, the input generation of existing smart contract fuzzing techniques is analyzed from the aspects of single transactions and transaction sequences; input mutation is summarized at the function level, transaction level and transaction sequence level; and the use of test oracles in existing smart contract fuzzing techniques is briefly described. In addition, the corresponding technical evaluation indicators are summarized. Finally, the problems faced by smart contract fuzzing research are identified, and future research directions are discussed.

Key words: Ethereum smart contract, Fuzzing, Input generation, Input mutation, Test oracle
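The framework the abstract outlines (single-transaction input generation, mutation at function, transaction and sequence level, and a test oracle) as an added illustration that is not part of the paper or of any fuzzer it surveys: a constructed Python stand-in for an EVM contract (a vault with pre-0.8 wrapping uint256 arithmetic) is fuzzed with transaction sequences until a balance-conservation invariant fires. `Vault`, `gen_tx`, `mutate`, `run` and `fuzz` are this example's own names, and the bug only surfaces after a deposit by a different sender, which is why sequence-level generation matters.

```python
import random
UINT256 = 1 << 256
BOUNDARY = [0, 1, 2, 10, UINT256 - 1]  # function-level seed values (type boundaries)
class Vault:  # constructed stand-in for a pre-0.8 Solidity vault (wrapping uint256)
    def __init__(self):
        self.balances, self.total = {}, 0  # total = ether the contract really holds
    def deposit(self, sender, value):
        self.balances[sender] = (self.balances.get(sender, 0) + value) % UINT256
        self.total += value
    def withdraw(self, sender, amount):
        if amount > self.total:  # the outgoing ether transfer would revert
            raise RuntimeError("revert")
        # Missing require(amount <= balance): the subtraction silently underflows.
        self.balances[sender] = (self.balances.get(sender, 0) - amount) % UINT256
        self.total -= amount
def invariant_holds(v):  # test oracle: the ledger must match what the contract holds
    return sum(v.balances.values()) == v.total
def gen_tx(rng):  # single-transaction generation: ABI function, msg.sender, argument
    return (rng.choice(["deposit", "withdraw"]), rng.choice("ABC"), rng.choice(BOUNDARY))
def mutate(seq, rng):  # one mutation at function, transaction or sequence level
    seq, i = list(seq), rng.randrange(len(seq))
    fn, sender, arg = seq[i]
    op = rng.choice(["arg", "sender", "insert", "swap"])
    if op == "arg":        # function level: perturb an argument
        seq[i] = (fn, sender, rng.choice(BOUNDARY))
    elif op == "sender":   # transaction level: change msg.sender
        seq[i] = (fn, rng.choice("ABC"), arg)
    elif op == "insert":   # sequence level: insert or reorder transactions
        seq.insert(i, gen_tx(rng))
    else:
        j = rng.randrange(len(seq)); seq[i], seq[j] = seq[j], seq[i]
    return seq
def run(seq):  # replay on a fresh contract; index of the first oracle violation, else -1
    v = Vault()
    for i, (fn, sender, arg) in enumerate(seq):
        try:
            getattr(v, fn)(sender, arg)
        except RuntimeError:
            continue  # a reverted transaction changes no state
        if not invariant_holds(v):
            return i
    return -1
def fuzz(seed=0, iterations=2000):  # seed a corpus, mutate until the oracle fires
    rng = random.Random(seed)
    corpus = [[gen_tx(rng) for _ in range(rng.randint(1, 3))] for _ in range(8)]
    for _ in range(iterations):
        seq = mutate(rng.choice(corpus), rng)
        if run(seq) >= 0:
            return seq       # a violating sequence; None if the budget runs out
        corpus.append(seq)
```

A real fuzzer would replace `Vault` with an EVM (geth, pyevmasm/py-evm) and derive `gen_tx` from the contract ABI, but the three mutation levels and the oracle check sit in the same places.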

CLC number: TP311