Computer Science (计算机科学) ›› 2023, Vol. 50 ›› Issue (4): 317-322. doi: 10.11896/jsjkx.220300063
刘泽润, 郑红, 邱俊杰
LIU Zerun, ZHENG Hong, QIU Junjie
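Abstract: With the development of blockchain technology, smart contracts have been widely applied in many fields, and Ethereum has become the largest smart contract platform. At the same time, frequent smart contract vulnerabilities have caused huge economic losses, and smart contract vulnerability detection has become a research focus. However, previous smart contract vulnerability detection tools cannot make good use of the syntactic information in contract source code. Targeting the reentrancy vulnerability of smart contracts, this work first proposes SCDefender, a deep-learning-based vulnerability detection tool that takes the abstract syntax tree (AST) form of a smart contract's Solidity source code as its object of study and uses a tree-based convolutional neural network for vulnerability detection. Second, it proposes an AST pruning algorithm that removes nodes irrelevant to the vulnerability detection task while retaining the key information in the AST. The precision, recall and F1 score of SCDefender's vulnerability detection are 81.43%, 92.12% and 86.45% respectively, indicating good detection performance. Ablation experiments show that the AST pruning algorithm contributes significantly to SCDefender's vulnerability detection task.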