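Authors: 张潆藜 (ZHANG Ying-li); 马佳利 (MA Jia-li); 刘子昂 (LIU Zi-ang); 刘新 (LIU Xin)[1]; 周睿 (ZHOU Rui)[1] (School of Information Science & Engineering, Lanzhou University, Lanzhou 730000, China)
Affiliation: [1] School of Information Science and Engineering, Lanzhou University, Lanzhou 730000
Source: 《计算机科学》 (Computer Science), 2022, Issue 3, pp. 52-61 (10 pages)
Funding: National Key R&D Program of China (2020YFC0832500); Gansu Province Science and Technology Major Project, Innovation Consortium Project (Project No. 1); National Natural Science Foundation of China (61402210); Qinghai Province Science and Technology Program (2020-GX-164); Ministry of Education - China Mobile Research Fund (MCM20170206); Fundamental Research Funds for the Central Universities, Lanzhou University (lzujbky-2021-sp47, lzujbky-2020-sp02, lzujbky-2019-kb51, lzujbky-2018-k12).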
Abstract: Based on blockchain technology, the Ethereum Solidity smart contract, as a computer protocol, is designed to spread, verify, or execute contracts in an informative way, and it provides a foundation for various distributed application services. Although implemented for less than six years, its security problems have frequently broken out and caused substantial financial losses, which has attracted more attention to security inspection research. This paper first introduces some specific mechanisms and operating principles of smart contracts based on Ethereum-related techniques, and analyzes some frequently occurring smart contract vulnerabilities that derive from the characteristics of smart contracts. Then, this paper explains the traditional mainstream smart contract vulnerability detection tools in terms of symbolic execution, fuzzing, formal verification, and taint analysis. In addition, in order to cope with the endless new vulnerabilities and the need to improve the efficiency of detection, vulnerability detection based on machine learning in recent years is classified and summarized according to the various ways of problem transformation, from three perspectives: text processing, non-Euclidean graphs and standard images. Finally, to address the insufficiency of the detection methods in the two directions, this paper proposes establishing standardized, normalized information databases and measurement indicators.
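Keywords: smart contract; blockchain; security vulnerability; vulnerability detection tools; machine learning
Classification No.: TP311 [Automation and Computer Technology - Computer Software and Theory]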