Authors: LV Penghui; ZHANG Jinluan; WANG Yu [1]; YANG Liuqing; WANG Han; WANG Yazhe [1]; ZHOU Qihui [1,2] (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; NARI Group Corporation / State Grid Electric Power Research Institute, Nanjing 210061, China; NARI Technology Co., Ltd., Beijing Energy Technology Branch, Beijing 100085, China)
Affiliations: [1] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093 [2] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049 [3] NARI Group Corporation (State Grid Electric Power Research Institute Co., Ltd.), Nanjing 210061 [4] NARI Technology Co., Ltd., Beijing Energy Technology Branch, Beijing 100085
Source: Network New Media Technology (网络新媒体技术), 2022, No. 1, pp. 57-66 (10 pages)
Funding: National Key R&D Program of China (No. 2018YFB1702700).
Abstract: Fabric is a popular permissioned (consortium) blockchain framework whose smart contracts (chaincode) are mostly developed in Golang, a general-purpose high-level language. Because mature development specifications for smart contracts are lacking and developer skill levels vary, security is easily neglected during development, and vulnerabilities introduced then become latent risks once the contract is deployed. Although general-purpose static audit tools exist for Golang code, they cannot effectively identify the security risks that arise from the characteristics of smart contracts and the blockchain system architecture. To address this, the paper studies and summarizes three major categories of security vulnerabilities in Fabric smart contracts: non-determinism, logical security, and data privacy security. It proposes a static analysis method for the security detection of Fabric smart contracts and, based on that method, designs a security detection tool for smart contracts written in Golang. Compared with Chaincode scanner and Fujitsu's smart contract security detection tool, which fall short in detecting data privacy risk items, this tool covers the three risk types of non-determinism, logical security, and data privacy security and their 13 corresponding security risk items, locates the position of each risk item accurately, and provides corresponding visualized development guidance for smart contract developers.
Keywords: Fabric blockchain; smart contract; Go language; static analysis
Classification: TP311.13 [Automation and Computer Technology - Computer Software and Theory]; TP393.08 [Automation and Computer Technology - Computer Science and Technology]