Computer Science ›› 2023, Vol. 50 ›› Issue (10): 336-342. doi: 10.11896/jsjkx.220900183

• Information Security •

Smart Contract Vulnerability Detection System Based on Ontology Reasoning

CHEN Ruixiang1, JIAO Jian1, WANG Ruohua2

  1 College of Computer Science, Beijing Information Science and Technology University, Beijing 100101, China
  2 Liupanshui Company of China Telecom Co. Ltd., Liupanshui, Guizhou 553001, China
  • Received: 2022-09-18 Revised: 2023-03-06 Online: 2023-10-10 Published: 2023-10-10
  • Corresponding author: JIAO Jian (jiaojian@bistu.edu.cn)
  • About author: (2021020637@bistu.edu.cn) CHEN Ruixiang, born in 1997, postgraduate, is a member of China Computer Federation. His main research interests include network security and blockchain. JIAO Jian, born in 1978, Ph.D, professor, is a member of China Computer Federation. His main research interests include network security and blockchain.
  • Supported by:
    National Natural Science Foundation of China (61872044).

Abstract: With the continued development of blockchain, smart contracts based on Ethereum have attracted more and more attention from all walks of life, but they also face more security threats. For the security problems of Ethereum smart contracts, various vulnerability detection methods have emerged, such as symbolic execution, formal verification and deep learning. However, most existing methods detect an incomplete set of vulnerability types and lack interpretability. To solve these problems, a smart contract vulnerability detection system based on ontology reasoning, working at the level of the Solidity high-level language, is designed and implemented. The system first parses the smart contract source code into an abstract syntax tree and extracts contract information from it; the extracted information is used to construct a smart contract vulnerability detection ontology, over which a reasoning engine performs ontology reasoning. In the experiment, other detection tools are selected for comparison with this system, and these tools are used to detect 100 smart contract source samples. The results show that the system has a good detection effect: it can detect various types of smart contract vulnerabilities and can give information about the cause of each vulnerability.

Key words: Smart contract, Vulnerability detection, Ethereum, Blockchain, Ontology reasoning
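The pipeline the abstract describes (AST parsing, information extraction, ontology construction, reasoning that returns an explainable result) in miniature, as an added Python example that is not the paper's system: the fact vocabulary (isA, hasStatement, position, writesState, callsExternal), the single reentrancy rule and the pre-parsed Solidity-like AST are all constructed assumptions.

```python
# Added example, not the paper's system; fact vocabulary, rule and AST are assumed.
# withdraw() writes state after an external call (reentrancy pattern);
# safeWithdraw() updates state first, so the same rule must not flag it.
AST = {
    "contract": "Vault",
    "functions": [
        {"name": "withdraw", "body": [
            {"type": "ExternalCall", "target": "msg.sender"},
            {"type": "Assignment", "lhs": "balances[msg.sender]", "rhs": "0"},
        ]},
        {"name": "safeWithdraw", "body": [
            {"type": "Assignment", "lhs": "balances[msg.sender]", "rhs": "0"},
            {"type": "ExternalCall", "target": "msg.sender"},
        ]},
    ],
}

def extract_facts(ast):
    """Information extraction: map AST nodes to (subject, predicate, object)
    triples, the shape an ontology individual or relation takes."""
    facts = []
    for fn in ast["functions"]:
        fid = f'{ast["contract"]}.{fn["name"]}'
        facts.append((fid, "isA", "Function"))
        for i, stmt in enumerate(fn["body"]):
            sid = f"{fid}#{i}"
            facts += [(fid, "hasStatement", sid), (sid, "isA", stmt["type"]),
                      (sid, "position", i)]
            if stmt["type"] == "Assignment":
                facts.append((sid, "writesState", stmt["lhs"]))
            elif stmt["type"] == "ExternalCall":
                facts.append((sid, "callsExternal", stmt["target"]))
    return facts

def reason(facts):
    """Assumed rule: a state write after an external call in the same function
    is a reentrancy finding; 'evidence' lists the facts that fired the rule."""
    obj = lambda s, p: [o for (x, q, o) in facts if x == s and q == p]
    findings = []
    for fn in [s for (s, p, o) in facts if p == "isA" and o == "Function"]:
        stmts = obj(fn, "hasStatement")
        calls = [s for s in stmts if obj(s, "callsExternal")]
        writes = [s for s in stmts if obj(s, "writesState")]
        for c in calls:
            for w in writes:
                if obj(w, "position")[0] > obj(c, "position")[0]:
                    findings.append({"type": "Reentrancy", "function": fn,
                                     "variable": obj(w, "writesState")[0],
                                     "evidence": [c, w]})
    return findings
```

Running `reason(extract_facts(AST))` reports only `Vault.withdraw`, with the call and write statement ids as evidence, which is the kind of cause information the abstract says the system returns.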

CLC number: TP309