Slice-GCN: Smart Contract Vulnerability Detection Based on Program Slicing and Graph Neural Networks


Authors: ZHANG Renlou; WU Sheng[1]; ZHANG Hao[1]; LIU Fangyu (College of Computer Science and Technology, Jiangsu Normal University, Xuzhou 211116, China)

Affiliation: [1] College of Computer Science and Technology, Jiangsu Normal University, Xuzhou 211116

Source: Journal of Cyber Security, 2025, No. 1, pp. 105-118 (14 pages)

Funding: Supported by the Jiangsu Normal University Research and Practice Innovation Project (No. 2022XKT1548).

Abstract: A smart contract is a program made up of computer code. As the number of smart contracts surges, using vulnerability detection methods to improve their security becomes increasingly important. Existing vulnerability detection methods such as symbolic execution, fuzz testing, and formal verification have a low degree of automation, while deep learning methods based on sequence models achieve low detection precision because they mine too few features from smart contract source code. This paper therefore proposes Slice-GCN, a vulnerability detection method for Ethereum smart contracts (smart contracts for short) based on program slicing and graph neural networks. The method first preprocesses the code to simplify the program, then slices the preprocessed program with a program slicing method based on graph reachability and data flow equations, and feeds the slicing results into a long short-term memory network (LSTM) to extract the program semantic features of the smart contract. Next, the program dependency graph is simplified and fed into a graph convolutional neural network to extract the program structure features of the smart contract. The semantic features and structural features are then concatenated and fed into a multi-layer perceptron (MLP), which performs vulnerability detection on the smart contract. Having proposed Slice-GCN, the paper compares it with three smart contract vulnerability detection tools, Oyente, Osiris, and Soliditycheck, on three types of vulnerabilities: reentrancy attacks, timestamp dependency, and integer overflow. Ablation experiments analyze the effects of program slicing, the graph neural network, and the graph shrinkage ratio on the experimental results. The experimental results show that the proposed method improves considerably on all metrics: it effectively raises detection accuracy and precision, lowers the false positive rate, and is also clearly faster at detection than traditional smart contract vulnerability detection tools.

Keywords: smart contract; vulnerability detection; graph neural network; program slicing

Classification number: TP311 [Automation and Computer Technology - Computer Software and Theory]
