Computer Science, 2021, Vol. 48, Issue 11: 89-101. doi: 10.11896/jsjkx.210600064
XIAO Feng¹, ZHANG Peng-cheng¹, LUO Xia-pu² (肖锋, 张鹏程, 罗夏朴)
Abstract: Ethereum is currently the largest blockchain platform that supports smart contracts, and millions of smart contracts have been deployed on it. Because a deployed contract cannot be modified even after a bug has been found in it, fixing bugs before deployment is critical for developers. Researchers have proposed many smart contract analysis tools for detecting bugs in contracts. These tools either detect bugs by symbolic execution over Ethereum Virtual Machine (EVM) bytecode, or first translate the source code into an intermediate representation and then detect bugs on that representation. However, tools based on symbolic execution usually fail to cover most of the bugs in a contract, and translating source code into an intermediate representation slows detection down. Moreover, existing tools only detect bugs; none of them can repair bugs automatically from the detection results. To remove these limitations, this paper proposes a method named SolidityCheck, which uses regular expressions, program instrumentation and statement replacement to detect bugs in contracts quickly and to repair certain kinds of bugs automatically. A series of experiments evaluates SolidityCheck; the results show that, compared with existing methods, SolidityCheck performs better on several metrics.
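The abstract names three mechanisms (regular-expression detection on Solidity source, program instrumentation, and statement replacement) without showing them. The Python script below is an added illustration of that class of approach, written for this page; it is not SolidityCheck's code and makes no claim about which bug kinds or rules the paper's tool implements. The sample contract, the four pattern rules and the repair forms are constructed for the example: `tx.origin` authorization, `throw` and an unchecked `send` are fixed by statement replacement, and an unchecked addition is instrumented with a `require` guard inserted before it.

```python
import re
from dataclasses import dataclass

# Constructed sample contract (not from the paper). It targets Solidity 0.4.x,
# where integer arithmetic wraps silently, send() returns false instead of
# reverting, and the deprecated throw statement is still accepted.
SAMPLE = """\
pragma solidity ^0.4.24;
contract Wallet {
    mapping(address => uint) balances;
    address owner;
    function deposit() public payable {
        balances[msg.sender] = balances[msg.sender] + msg.value;
    }
    function withdraw(uint amount) public {
        if (tx.origin != owner) { throw; }
        balances[msg.sender] -= amount;
        msg.sender.send(amount);
    }
}
"""

# An identifier, member access (msg.value) or mapping index (balances[x]).
IDENT = r"[\w.\[\]]+"

# kind -> regex. Statement-level rules capture indent and operands so a hit can
# be rewritten or guarded without parsing the file. Subtraction underflow is
# deliberately not covered: the example shows the mechanism, not a full rule set.
PATTERNS = {
    "tx-origin-auth": re.compile(r"\btx\.origin\b"),
    "deprecated-throw": re.compile(r"\bthrow\s*;"),
    "unchecked-send": re.compile(rf"^(\s*)({IDENT})\.send\((.*)\);\s*$"),
    "unchecked-add": re.compile(rf"^(\s*)({IDENT})\s*=\s*({IDENT})\s*\+\s*({IDENT});\s*$"),
}


@dataclass
class Finding:
    line: int
    kind: str
    text: str


def guard_for(m):
    """Overflow guard to instrument before `x = a + b;` (pre-0.8 semantics)."""
    _, _, a, b = m.groups()
    return f'require({a} + {b} >= {a}, "overflow");'


def detect(source):
    """Regex scan of the source text; one Finding per (line, rule) hit."""
    findings, prev = [], ""
    for n, line in enumerate(source.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            # An addition already preceded by its guard is not re-reported,
            # so detect(repair(src)) is empty and repair() is idempotent.
            if kind == "unchecked-add" and guard_for(m) in prev:
                continue
            findings.append(Finding(n, kind, line.strip()))
        prev = line
    return findings


def repair(source):
    """Statement replacement for three rules, instrumentation for the fourth."""
    out = []
    for line in source.splitlines():
        m = PATTERNS["unchecked-add"].match(line)
        if m and not (out and guard_for(m) in out[-1]):
            out.append(m.group(1) + guard_for(m))  # instrument: insert a guard
        m = PATTERNS["unchecked-send"].match(line)
        if m:
            indent, target, args = m.groups()
            line = f"{indent}require({target}.send({args}));"  # replace statement
        line = PATTERNS["tx-origin-auth"].sub("msg.sender", line)
        line = PATTERNS["deprecated-throw"].sub("revert();", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.text}")
    print(repair(SAMPLE))
```

Scanning line by line is what makes this kind of approach fast, and also what bounds it: the rules see text, not types or control flow, so a `+` on a signed integer, a `send` whose return value is checked on the following line, or a statement split across lines would be classified wrongly. A practitioner should treat the regex hits as candidates and the rewrites as patches to review and recompile, not as proof that a contract is free of the bug class.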
Related articles in Computer Science:

[1] 王子凯, 朱健, 张伯钧, 胡凯. Research and Implementation of Parallel Method in Blockchain and Smart Contract. Computer Science, 2022, 49(9): 312-317. https://doi.org/10.11896/jsjkx.210800102
[2] 黄松, 杜金虎, 王兴亚, 孙金磊. Survey of Ethereum Smart Contract Fuzzing Technology Research. Computer Science, 2022, 49(8): 294-305. https://doi.org/10.11896/jsjkx.220500069
[3] 傅丽玉, 陆歌皓, 吴义明, 罗娅玲. Overview of Research and Development of Blockchain Technology. Computer Science, 2022, 49(6A): 447-461. https://doi.org/10.11896/jsjkx.210600214
[4] 高健博, 张家硕, 李青山, 陈钟. RegLang: A Smart Contract Programming Language for Regulation. Computer Science, 2022, 49(6A): 462-468. https://doi.org/10.11896/jsjkx.210700016
[5] 卫宏儒, 李思月, 郭涌浩. Secret Reconstruction Protocol Based on Smart Contract. Computer Science, 2022, 49(6A): 469-473. https://doi.org/10.11896/jsjkx.210700033
[6] 张潆藜, 马佳利, 刘子昂, 刘新, 周睿. Overview of Vulnerability Detection Methods for Ethereum Solidity Smart Contracts. Computer Science, 2022, 49(3): 52-61. https://doi.org/10.11896/jsjkx.210700004
[7] 刘峰, 张嘉淏, 周俊杰, 利牧, 孔德莉, 杨杰, 齐佳音, 周爱民. Novel Hash-time-lock-contract Based Cross-chain Token Swap Mechanism of Blockchain. Computer Science, 2022, 49(1): 336-344. https://doi.org/10.11896/jsjkx.210600170
[8] 郭显, 王雨悦, 冯涛, 曹来成, 蒋泳波, 张迪. Blockchain-based Role-Delegation Access Control for Industrial Control System. Computer Science, 2021, 48(9): 306-316. https://doi.org/10.11896/jsjkx.210300235
[9] 王向宇, 杨挺. Routing Directory Server Defined by Smart Contract. Computer Science, 2021, 48(6A): 504-508. https://doi.org/10.11896/jsjkx.200700210
[10] 郭上铜, 王瑞锦, 张凤荔. Summary of Principle and Application of Blockchain. Computer Science, 2021, 48(2): 271-281. https://doi.org/10.11896/jsjkx.200800021
[11] 陈自民, 卢艺文, 郭燕. High-speed Replay of Ethereum Smart Contracts Based on Block Parallel. Computer Science, 2021, 48(2): 289-294. https://doi.org/10.11896/jsjkx.200500105
[12] 代闯闯, 栾海晶, 杨雪莹, 过晓冰, 陆忠华, 牛北方. Overview of Blockchain Technology. Computer Science, 2021, 48(11A): 500-508. https://doi.org/10.11896/jsjkx.201200163
[13] 凌飞, 陈世平. Shared Digital Credits Management Mechanism of Enterprise Alliance Based on Blockchain. Computer Science, 2021, 48(11A): 533-539. https://doi.org/10.11896/jsjkx.201200170
[14] 王辉, 陈博, 刘玉祥. Research on Personnel File Management System Based on Blockchain. Computer Science, 2021, 48(11A): 713-718. https://doi.org/10.11896/jsjkx.210300051
[15] 涂良琼, 孙小兵, 张佳乐, 蔡杰, 李斌, 薄莉莉. Survey of Vulnerability Detection Tools for Smart Contracts. Computer Science, 2021, 48(11): 79-88. https://doi.org/10.11896/jsjkx.210600117