计算机科学

计算机科学 ›› 2021, Vol. 48 ›› Issue (11): 89-101.doi: 10.11896/jsjkx.210600064

• 区块链技术* 上一篇    下一篇

基于正则表达式、程序插桩和代码替换的以太坊智能合约bug检测和修复方法

肖锋1, 张鹏程1, 罗夏朴2   

  1. 1 河海大学计算机与信息学院 南京211100
    2 香港理工大学电子计算学系 香港999077
  • 收稿日期:2021-06-04 修回日期:2021-07-02 出版日期:2021-11-15 发布日期:2021-11-10
  • 通讯作者: 张鹏程(pchzhang@hhu.edu.cn)
  • 作者简介:harleyxiao@foxmail.com
  • 基金资助:
    中央高校基本科研业务费专项资金(B210203107);国家自然科学基金(6157217);江苏省自然科学基金(BK20191297)

Ethereum Smart Contract Bug Detection and Repair Approach Based on Regular Expressions, Program Instrumentation and Code Replacement

XIAO Feng1, ZHANG Peng-cheng1, LUO Xia-pu2   

  1. 1 College of Computer and Information,Hohai University,Nanjing 211100,China
    2 Department of Computing,The Hong Kong Polytechnic University,Hong Kong 999077,China
  • Received:2021-06-04 Revised:2021-07-02 Online:2021-11-15 Published:2021-11-10
  • About author:XIAO Feng,born in 1997,master.His main research interests include smart contract security and software engineering.
    ZHANG Peng-cheng,born in 1981,professor,is a senior memeber of China Computer Federation.His main research interests include software engineering,service computing and data mining.
  • Supported by:
    Fundamental Research Funds for the Central Universities(B210203107),National Natural Science Foundation of China(6157217) and Natural Science Foundation of the Higher Education Institutions of Jiangsu Province, China(BK20191297).

PDF (PC)

1054

摘要: 作为当前最大的支持智能合约的区块链平台,数以百万计的智能合约被部署在以太坊上。由于即使发现包含bug也无法修改已部署的智能合约,因此对于开发人员而言,在部署合约前修复合约中的bug至关重要。当前研究人员已经提出了许多智能合约分析工具,用于检测合约中的bug。这些工具要么使用基于以太坊虚拟机字节码的符号执行来检测bug,要么将源代码转换为中间表示形式后再检测bug。然而,基于符号执行的工具通常无法覆盖合约中的大部分bug;将源代码转换为中间表示形式会对检测速度产生负面影响。此外,现有的工具都只能检测bug,而无法根据检测结果自动修复bug。为了解除以上限制,提出了一种名为SolidityCheck的方法,该方法通过使用正则表达式、程序插桩和语句替换等技术,实现快速检测合约中的bug并自动修复其中某些种类bug的目的。文中进行了一系列实验来评估SolidityCheck,实验结果表明,与现有方法相比,SolidityCheck在多个指标上显示出了优异的性能。

关键词: Solidity, 程序插桩, 以太坊, 正则表达式, 智能合约

Abstract: As the largest blockchain platform supporting smart contracts,millions of smart contracts have been deployed on Ethereum.Since the deployed smart contracts cannot be modified even if the contracts contain bugs,it is critical for developers to eliminate bugs prior to the deployment.Many smart contract analysis tools have been proposed.These tools either use bytecode-based symbolic execution to detect bugs,or convert the source code to an intermediate representation and then detect bugs.The tools based on symbolic execution usually cannot cover many types of bugs in source code.Converting the source code to an intermediate representation negatively impacts the detection speed.Moreover,these tools are bug detectors,which cannot automatically fix bugs based on analysis results.To address these limitations,we propose an approach named SolidityCheck,which employs regular expressions,program instrumentation and statement replacement in source code to quickly detect bugs and fix certain types of bugs.We conduct extensive experiments to evaluate SolidityCheck.The experimental results show that,compared with existing approaches,SolidityCheck demonstrates excellent performances on multiple indicators.

Key words: Ethereum, Program instrumentation, Regular expressions, Smart contract, Solidity

中图分类号: 

  • TP311.5
[1]WOOD G.Ethereum:A secure decentralised generalised transac-tion ledger[J].Ethereum Project Yellow Paper,2014,151:1-32.
[2]LUU L, CHU D H, OLICKEL H,et al.Making smart contracts smarter[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security.ACM,2016:254-269.
[3]TIKHOMIROV S, VOSKRESENSKAYA E, IVANITSKIY I,et al. SmartCheck:static analysis of ethereum smart contracts[C]//1st International Workshop.IEEE Computer Society,2018.
[4]NIKOLIC I, KOLLURI A, SERGEY I,et al.Finding' thegreedy,prodigal,and suicidal contracts at scale[C]//Procee-dings of the 34th Annual Computer Security Applications Confe-rence.ACM,2018:653-663.
[5]ZHAO X,CHEN Z,XIN C,et al.The DAO attack paradoxes in propositional logic[C]//2017 4th International Conference on Systems and Informatics (ICSAI).IEEE,2017.
[6]DESTEFANIS G,BRACCIALI A,MARCHESI M,et al.Smart Contracts Vulnerabilities:A Call for Blockchain Software Engineering?[C]//IWBOSE.IEEE,2018.
[7]SAYEED S,MARCO-GISBERT H,CAIRA T.Smart Contract:Attacks and Protections[J].IEEE Access,2020,8,24416-24427.
[8]GRISHCHENKO I,MAFFEI M,SCHNEIDEWIND C.A se-mantic framework for the security analysis of ethereum smart contracts[C]//International Conference on Principles of Security and Trust.Cham:Springer,2018:243-269.
[9]ALBERT E,CORREAS J,GORDILLO P,et al.SAFEVM:A Safety Verifier for Ethereum Smart Contracts[C]//28th ACM SIGSOFT International Symposium.ACM,2019.
[10]ZHANG M,ZHANG P,LUO X,et al.Source Code Obfuscation for Smart Contracts[C]//2020 27th Asia-Pacific Software Engineering Conference (APSEC).2020.
[11]FERREIRA C,SCHÜTTE T.Osiris:Hunting for Integer Bugs in Ethereum Smart Contracts[C]//34th Annual Computer Security Applications Conference (ACSAĆ18).San Juan,Puerto Rico,USA,2018.
[12]TSANKOV P,DAN A,DRACHSLER-COHEN D,et al.Securify:Practical security analysis of smart contracts[C]//Procee-dings of the 2018 ACM SIGSAC Conference on Computer and Communications Security.2018:67-82.
[13]CHEN T,LI X,LUO X,et al.Under-Optimized Smart Contracts Devour Your Money[C]//SANER(IEEE International Confe-rence on Software Analysis,Evolution,and Reengineering) 2017.IEEE,2017.
[14]BRAGAGNOLO S,ROCHA H,DENKER M,et al.SmartIn-spect:Solidity Smart Contract Inspector[C]//International Workshop on Blockchain Oriented Software Engineering.IEEE Computer Society,2018:9-18.
[15]DURIEUX T,FERREIRA J F,ABREU R,et al.Empirical review of automated analysis tools on 47587 Ethereum smart contracts[C]//42nd International Conference on Software Engineering(ICSE'20).2020.
[16]LU N,WANG B,ZHANG Y,et al.NeuCheck:A more practical Ethereum smart contract security analysis tool[J].Software:Practice and Experience,2019,2,187-194.
[17]PARIZI R M,DEHGHANTANHA A,CHOO K K R,et al.Empirical vulnerability analysis of automated smart contracts security testing on blockchains[C]//the 28th Annual International Conference on Computer Science and Software Enginee-ring.IBM Corp.,2018.
[18]HUANG J C.Program Instrumentation and Software Testing[J].Computer,1978,11(4):25-32.
[19]HE P,YU G,ZHANG Y F,et al.Survey on Blockchain Technology and Its Application Prospect[J].Computer Science,2017,44(4):1-7,15.
[20]ATZEI N,BARTOLETTI M,CIMOLI T.A Survey of Attacks on Ethereum Smart Contracts (SoK)[C]//International Confe-rence on Principles of Security & Trust.Berlin:Springer,2017.
[21]ZHANG P,XIAO F, LUO X.A Framework and DataSet forBugs in Ethereum Smart Contracts[C]//the 36th 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME).2020.
[22]Ethereum,2020:Solidity official documents[EB/OL].(2020-04-27) [2020-05-03].https://solidity.readthedocs.io/en/v0.5.10/.
[23]Openzeppelin,2020:Representative,problematic smart contracts[EB/OL].(2019-10-14) [2021-05-27].https://ethernaut.openzeppelin.com.
[24]SMARX,2021:The game of ethereum smart contract security[EB/OL].(2020-05-05) [2021-06-03].https://capturetheether.com/.
[25]AKCA S,RAJAN A,PENG C.SolAnalyser:A Framework for Analysing and Testing Smart Contracts[C]//2019 26th Asia-Pacific Software Engineering Conference (APSEC).2019.
[26]GRISHCHENKO I,MAFFEI M,SCHNEIDEWIND C.A Se-mantic Framework for the Security Analysis of Ethereum Smart Contracts[C]//International Conference on Principles of Secu-rity & Trust.Cham:Springer,2018.
[27]Zeppelin,2021:Safemath[EB/OL].(2019-05-20) [2021-06-03].https://github.com/OpenZeppelin/openzeppelin-solidity/blob/master/contracts/math/SafeMath.sol.
[28]T.of Bits,2021:Vulnerable smart contracts[EB/OL].(2019-06-27) [2021-06-03].https://github.com/crytic/not-so-smart-contracts.
[29]Smart Contract Security,2021:Smart contract weakness classification and test cases[EB/OL].(2020-04-22) [2021-06-02].https://swcregistry.io/.
[30]Ethereum,2021:Remix-ethereum ide[EB/OL].(2019-06-27)[2021-06-03].https://github.com/ethereum/remix-ide.
[31]Consen Sys,2021:Security analysis tool for evm bytecode.supports smart contracts built for ethereum,quorum,vechain,roostock,tron and other evm-compatible blockchains[EB/OL].(2020-06-23) [2021-06-01].https://github.com/ConsenSys/mithril.
[32]melonproject,2021:An analysis tool for smart contracts[EB/OL].(2019-08-30) [2021-05-24].https://github.com/melonproject/oyente.
[33]protofile,2021:This is an open source project for linting solidity code[EB/OL].(2019-10-17) [2021-06-03].https://github.com/protofire/solhint.
[34]C.A.ICE center,2021:Securify:security scanner for ethereum smart contracts[EB/OL].(2019-06-27) [2021-06-03].https://securify.chainsecurity.com/.
[35]smartdec,2021:Smartcheck,a static analysis tool that detects vulnerabilities and bugs in solidity programs (ethereum-based smart contracts)[EB/OL].(2019-05-20) [2021-06-03].https://tool.smartdec.net/.
[36]christoftorres,2021:A tool to detect integer bugs in ethereum smart contracts[EB/OL].(2019-10-10) [2021-06-03].https://github.com/christoftorres/Osiris.
[37]crytic,2021:Static analyzer for solidity[EB/OL].(2019-10-10) [2021-06-03].https://github.com/crytic/slither.
[38]FEIST J,GREICO G,GROCE A.Slither:A Static AnalysisFramework For Smart Contracts[C]//2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).IEEE,2019.
[1] 王子凯, 朱健, 张伯钧, 胡凯.
区块链与智能合约并行方法研究与实现
Research and Implementation of Parallel Method in Blockchain and Smart Contract
计算机科学, 2022, 49(9): 312-317. https://doi.org/10.11896/jsjkx.210800102
[2] 黄松, 杜金虎, 王兴亚, 孙金磊.
以太坊智能合约模糊测试技术研究综述
Survey of Ethereum Smart Contract Fuzzing Technology Research
计算机科学, 2022, 49(8): 294-305. https://doi.org/10.11896/jsjkx.220500069
[3] 傅丽玉, 陆歌皓, 吴义明, 罗娅玲.
区块链技术的研究及其发展综述
Overview of Research and Development of Blockchain Technology
计算机科学, 2022, 49(6A): 447-461. https://doi.org/10.11896/jsjkx.210600214
[4] 高健博, 张家硕, 李青山, 陈钟.
RegLang:一种面向监管的智能合约编程语言
RegLang:A Smart Contract Programming Language for Regulation
计算机科学, 2022, 49(6A): 462-468. https://doi.org/10.11896/jsjkx.210700016
[5] 卫宏儒, 李思月, 郭涌浩.
基于智能合约的秘密重建协议
Secret Reconstruction Protocol Based on Smart Contract
计算机科学, 2022, 49(6A): 469-473. https://doi.org/10.11896/jsjkx.210700033
[6] 张潆藜, 马佳利, 刘子昂, 刘新, 周睿.
以太坊Solidity智能合约漏洞检测方法综述
Overview of Vulnerability Detection Methods for Ethereum Solidity Smart Contracts
计算机科学, 2022, 49(3): 52-61. https://doi.org/10.11896/jsjkx.210700004
[7] 刘峰, 张嘉淏, 周俊杰, 利牧, 孔德莉, 杨杰, 齐佳音, 周爱民.
基于改进哈希时间锁的区块链跨链资产交互协议
Novel Hash-time-lock-contract Based Cross-chain Token Swap Mechanism of Blockchain
计算机科学, 2022, 49(1): 336-344. https://doi.org/10.11896/jsjkx.210600170
[8] 郭显, 王雨悦, 冯涛, 曹来成, 蒋泳波, 张迪.
基于区块链的工业控制系统角色委派访问控制机制
Blockchain-based Role-Delegation Access Control for Industrial Control System
计算机科学, 2021, 48(9): 306-316. https://doi.org/10.11896/jsjkx.210300235
[9] 王向宇, 杨挺.
智能合约定义路由目录服务器
Routing Directory Server Defined by Smart Contract
计算机科学, 2021, 48(6A): 504-508. https://doi.org/10.11896/jsjkx.200700210
[10] 郭上铜, 王瑞锦, 张凤荔.
区块链技术原理与应用综述
Summary of Principle and Application of Blockchain
计算机科学, 2021, 48(2): 271-281. https://doi.org/10.11896/jsjkx.200800021
[11] 陈自民, 卢艺文, 郭燕.
基于区块并行的以太坊智能合约高速重放
High-speed Replay of Ethereum Smart Contracts Based on Block Parallel
计算机科学, 2021, 48(2): 289-294. https://doi.org/10.11896/jsjkx.200500105
[12] 代闯闯, 栾海晶, 杨雪莹, 过晓冰, 陆忠华, 牛北方.
区块链技术研究综述
Overview of Blockchain Technology
计算机科学, 2021, 48(11A): 500-508. https://doi.org/10.11896/jsjkx.201200163
[13] 凌飞, 陈世平.
基于区块链的企业联盟共享数字积分管理机制
Shared Digital Credits Management Mechanism of Enterprise Alliance Based on Blockchain
计算机科学, 2021, 48(11A): 533-539. https://doi.org/10.11896/jsjkx.201200170
[14] 王辉, 陈博, 刘玉祥.
基于区块链的人事档案管理系统研究
Research on Personnel File Management System Based on Blockchain
计算机科学, 2021, 48(11A): 713-718. https://doi.org/10.11896/jsjkx.210300051
[15] 涂良琼, 孙小兵, 张佳乐, 蔡杰, 李斌, 薄莉莉.
智能合约漏洞检测工具研究综述
Survey of Vulnerability Detection Tools for Smart Contracts
计算机科学, 2021, 48(11): 79-88. https://doi.org/10.11896/jsjkx.210600117
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发