Authors: CUI Zhan-Qi (崔展齐), YANG Hui-Wen (杨慧文), CHEN Xiang (陈翔) [2], WANG Lin-Zhang (王林章) [3]
Affiliations: [1] School of Computer Science, Beijing Information Science and Technology University, Beijing 100101, China; [2] School of Information Science and Technology, Nantong University, Nantong, Jiangsu 226019, China; [3] State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing, Jiangsu 210023, China
Source: Journal of Software (《软件学报》), 2024, Issue 5, pp. 2235-2267 (33 pages)
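Funding: Jiangsu Province Frontier Leading Technology Basic Research Special Project (BK202002001); National Natural Science Foundation of China (61702041); Beijing Information Science and Technology University "Qin Xin Talents" Cultivation Program (QXTCP C201906).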
Abstract: Smart contracts are computer programs running in the contract layer of the blockchain. They can manage cryptocurrencies and data on the blockchain, realize diverse business logic, and expand the application of the blockchain. Because smart contracts usually hold a large amount of assets, they attract many attackers who try to exploit security vulnerabilities in them for economic benefit. In recent years, with the occurrence of multiple smart contract security incidents (such as the TheDAO and Parity security incidents), security vulnerability detection techniques for smart contracts have become a hot research topic. This study proposes a research framework for detecting security vulnerabilities of smart contracts and analyzes the research progress of existing vulnerability detection techniques from three aspects: vulnerability discovery and identification, vulnerability analysis and detection, and datasets and evaluation indicators. Firstly, the basic process of collecting security vulnerability information is sorted out, known vulnerabilities are classified into 13 types according to their basic characteristics, and a classification framework for security vulnerabilities of smart contracts is proposed. Secondly, existing research is analyzed under five categories of detection techniques, namely symbolic execution, fuzz testing, machine learning, formal verification, and static analysis, and the advantages and limitations of each technique are discussed. Thirdly, the commonly used datasets and evaluation indicators are summarized. Finally, potential future research directions for security vulnerability detection of smart contracts are discussed.
Classification number: TP311 [Automation and Computer Technology - Computer Software and Theory]