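Authors: 印桂生[1], 高乐, 庄园, 李俊 (YIN Guisheng; GAO Le; ZHUANG Yuan; LI Jun) (School of Computer Science and Technology, Harbin Engineering University, Harbin 150001, China; National Industrial Information Security Development Research Center, Beijing 100040, China)
Affiliations: [1] School of Computer Science and Technology, Harbin Engineering University, Harbin 150001, Heilongjiang, China; [2] National Industrial Information Security Development Research Center, Beijing 100040, China
Source: Journal of Harbin Engineering University (《哈尔滨工程大学学报》), 2022, No. 2, pp. 255-261 (7 pages)
Funding: Basic Scientific Research Program (KY10600200019); Industrial Internet Innovation and Development Project (KY10600210006).
Abstract: Current smart contract vulnerability detection techniques are limited in approach: most methods target only the contract's source code, and few address security detection for other forms of a smart contract. Given only the binary code of a smart contract, this paper designs and implements a critical-path-based smart contract vulnerability detection method for the most frequent vulnerabilities: reentrancy, delegate call, and timestamp dependence. An execution control flow graph of the smart contract is built from the contract bytecode; key instructions and rules are defined according to the characteristics of smart contract vulnerabilities to generate critical paths; finally, rule matching is used to detect vulnerabilities. Experimental testing on 8000 smart contracts from the Ethereum network shows that the method can effectively detect the above three types of vulnerabilities, with accuracy as high as 93.75%.
The vulnerability detection technology for a smart contract is relatively simple and ineffective. The existing works mainly focus on the source code of a smart contract; few of these explore the binary code detection of a smart contract. In this paper, we present a method to detect Ethereum smart contract vulnerabilities specific to a contract bytecode. This paper proposes a critical path-based method for smart contract vulnerability detection. The method aims at detecting the three most common smart contract vulnerabilities: reentrancy, delegate call, and timestamp dependence. We generate the control flow graph of a smart contract according to the contract bytecode execution. Then, considering the characteristic of smart contract vulnerability, we define the key instructions and detection rules to generate the critical path. Finally, we realize vulnerability detection by checking whether the path matches our defined rules. The experiment tested 8000 smart contracts from the Ethereum network. The results showed that our proposed method can effectively detect the above three types of smart contract vulnerabilities, with a vulnerability detection accuracy of up to 93.75%.
Keywords: blockchain; smart contract; security analysis; vulnerability detection; binary code; bytecode; key instruction; critical path
Classification code: TP309 [Automation and Computer Technology - Computer System Architecture]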