基于以太坊状态数据库的攻击与防御方案

doi:10.11959/j.issn.2096-109x.2022013

网络与信息安全学报 ›› 2022, Vol. 8 ›› Issue (2): 64-72.doi: 10.11959/j.issn.2096-109x.2022013

• 专栏：网络攻击与防御技术 • 上一篇下一篇

基于以太坊状态数据库的攻击与防御方案

高镇¹, 张东彬¹, 田潇²

¹ 天津大学电气自动化与信息工程学院，天津 300072
² 南京慧链和信数字信息科技研究院，江苏南京 210012

修回日期:2022-02-15 出版日期:2022-04-15 发布日期:2022-04-01
作者简介:高镇（1982− ），男，河北张家口人，天津大学副教授，主要研究方向为容错信号处理与区块链技术与应用
张东彬（1998− ），男，河南平顶山人，天津大学硕士生，主要研究方向为区块链平台的安全分析
田潇（1992− ），男，江苏南京人，南京慧链和信数字信息科技研究院工程师，主要研究方向为区块链平台的共识算法与隐私计算
基金资助:
天津市自然科学基金(19JCYBJC15700)

Defense scheme for the world state based attack in Ethereum

Zhen GAO¹, Dongbin ZHANG¹, Xiao TIAN²

¹ School of Electrical and Information Engineering, Tianjin University, Tianjin 300072, China
² Nanjing Research Institute for Huilian Digital Information Technology, Nanjing 210012, China

Revised:2022-02-15 Online:2022-04-15 Published:2022-04-01
Supported by:
The Natural Science Foundation of Tianjin(19JCYBJC15700)

摘要/Abstract

摘要：

以太坊是第二代区块链平台的典型代表，其最大特点是能够通过智能合约来支持功能丰富的分布式应用。另外，为了提高交易验证效率，以太坊使用了本地数据库来存储账户状态，并基于区块头内的状态树根保证状态数据的完整性。但是研究工作表明，本地数据库存在被篡改的安全隐患，且攻击者可以基于被篡改的账户状态发出非法交易，从而牟取不正当利益。简要描述了这类针对本地状态数据库的安全漏洞，并分析了攻击成功的前提条件；在此基础上，与工作量证明共识机制下两种常见的安全威胁进行了对比，发现在攻击者控制相同挖矿算力的条件下，基于状态数据库的攻击带来的安全风险更高，攻击成功概率趋近于 100%。为应对存在的安全威胁，提出了一套切实可行的攻击检测与防御方案，并在以太坊源码的基础上加入了二次验证与数据恢复过程。通过单机多线程的实验测试评估了所提方案的可行性与复杂度。实验结果表明：改进后的以太坊系统具备了针对状态数据库篡改的容错能力，且该方案同样适用于超级账本等其他基于本地数据库进行交易验证的区块链平台。此外，通过统计二次验证的时间和哈希计算次数，证明了所提方案带来的时间与计算开销并不显著，对现有系统的性能影响不大，具有良好的适用性。

关键词: 以太坊, 状态数据库, 状态篡改, 非法交易, 攻击检测, 攻击防御, 篡改容错

Abstract:

Ethereum is taken as the representative platform of the second generation of blockchain system.Ethereum can support development of different distributed applications by running smart contracts.Local database is used to store the account state (named world state) for efficient validation of transactions, and the state root is stored in the block header to guarantee the integrity of the state.However, some researches revealed that the local database could be easily tempered with, and attackers can issue illegal transactions based on the modified account state to obtain illegitimate benefits.This world-state based security problem was introduced, and the preconditions for attack were analyzed.Compared with the two common security threats under the PoW (proof of work) consensus, it was found that when the attacker controls the same mining computing power, the world-state based attack brought higher risk, and the success rate approached 100%.In order to deal with this threat, a practical scheme for attack detection and defense was proposed accordingly.The secondary verification and data recovery process were added to the Ethereum source code.The feasibility and complexity of the proposed scheme was evaluated with single-machine multi-threading experiments.The proposed scheme improves Ethereum’s tolerance to malicious tampering of account state, and is applicable to other blockchain platforms applying local database for transaction validation, such as Hyperledger Fabric.In addition, the time and computational overhead brought by the proposed scheme are not prominent, so it has good applicability and induces acceptable impact on the performance of original system.

Key words: Ethereum, world state, state modification, invalid transactions, attack detection, attack defense, fault tolerance to state modification

中图分类号:

TP311.1

高镇, 张东彬, 田潇. 基于以太坊状态数据库的攻击与防御方案[J]. 网络与信息安全学报, 2022, 8(2): 64-72.

Zhen GAO, Dongbin ZHANG, Xiao TIAN. Defense scheme for the world state based attack in Ethereum[J]. Chinese Journal of Network and Information Security, 2022, 8(2): 64-72.

图/表 9

图1

图2

图3

图4

图5

表1

图6

图7

图8

参考文献 23

[1]	BUTERIN V . Ethereum white paper[J]. GitHub repository, 2013,1: 22-23.
[2]	KEHRLI J . Blockchain 2.0-from bitcoin transactions to smart contract applications[R]. 2016.
[3]	NAKAMOTO S . Bitcoin:a peer-to-peer electronic cash system[R]. Manubot, 2019.
[4]	CHEN T , LI Z H , ZHU Y X ,et al. Understanding Ethereum via graph analysis[J]. ACM Transactions on Internet Technology, 2020,20(2): 1-32.
[5]	WOOD G . Ethereum:a secure decentralized generalized transaction ledger[J]. Ethereum Project Yellow Paper, 2014,151(2014): 1-32.
[6]	BASHIR I . Mastering blockchain[M]. Packt Publishing Ltd, 2017.
[7]	WANG S , OUYANG L W , YUAN Y ,et al. Blockchain-enabled smart contracts:architecture,applications,and future trends[J]. IEEE Transactions on Systems,Man,and Cybernetics:Systems, 2019,49(11): 2266-2277.
[8]	K.O.R.O’reilly,gems protocol[EB].
[9]	NIZAMUDDIN N , SALAH K , AZAD M A ,et al. Decentralized document version control using Ethereum blockchain and IPFS[J]. Computers ＆ Electrical Engineering, 2019,76: 183-197.
[10]	NAWAZ A , PE?A QUERALTA J , GUAN J X ,et al. Edge computing to secure IoT data ownership and trade with the Ethereum blockchain[J]. Sensors, 2020,20(14): 3965.
[11]	EYAL I , SIRER E G . Majority is not enough:bitcoin mining is vulnerable[M]// Financial Cryptography and Data Security. Berlin,Heidelberg: Springer Berlin Heidelberg, 2014: 436-454.
[12]	ROSENFELD M . Analysis of hashrate-based double spending[J]. arXiv preprint arXiv:1402.2009, 2014.
[13]	GAO Z , ZHANG D B , ZHANG J Z . A security problem in small scale private Ethereum network[C]// Proceedings of International Conference on Blockchain and Trustworthy Systems. 2020: 231-242.
[14]	ACH L M , MIHALJEVIC B , ZAGAR M . Comparative analysis of blockchain consensus algorithms[C]// Proceedings of 2018 41st International Convention on Information and Communication Technology,Electronics and Microelectronics (MIPRO). 2018: 1545-1550.
[15]	BISSIAS G , THIBODEAU D , LEVINE B N . Bonded mining:Difficulty adjustment by miner commitment[M]// Data Privacy Management,Cryptocurrencies and Blockchain Technology. Springer,Cham, 2019: 372-390.
[16]	BONNEAU J , MILLER A , CLARK J ,et al. SoK:research perspectives and challenges for bitcoin and cryptocurrencies[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2015: 104-121.
[17]	WEBER I , GRAMOLI V , PONOMAREV A ,et al. On availability for blockchain-based systems[C]// Proceedings of 2017 IEEE 36th Symposium on Reliable Distributed Systems. 2017: 64-73.
[18]	EZ M , FORNARI G , VARDANEGA T . The scalability challenge of Ethereum:an initial quantitative analysis[C]// Proceedings of 2019 IEEE International Conference on Service-Oriented System Engineering. 2019: 167-176.
[19]	RADBURY D . The problem with bitcoin[J]. Computer Fraud ＆Security, 2013,2013(11): 5-8.
[20]	ENG C , NIU J Y . Selfish mining in ethereum[C]// Proceedings of 2019 IEEE 39th International Conference on Distributed Computing Systems. 2019: 1306-1316.
[21]	ANG J , LEE H N . Profitable double-spending attacks[J]. Applied Sciences, 2020,10(23): 8477.
[22]	AYEED S , MARCO-GISBERT H , . Assessing blockchain consensus and security mechanisms against the 51% attack[J]. Applied Sciences, 2019,9(9): 1788.
[23]	GAO Z , ZHANG D B , ZHANG J Z . A security problem caused by the state database in Hyperledger Fabric[C]// Proceedings of International Conference on Frontiers in Cyber Security. 2020: 361-372.

类型	参数
CPU	Intel(R) Core(TM) i5-11400 CPU
RAM	16.00 GB
运行系统	Microsoft Windows 10 Home Edition 64-bit
节点个数	3

基于以太坊状态数据库的攻击与防御方案

Defense scheme for the world state based attack in Ethereum

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 23

相关文章 6

Metrics

推荐阅读 0

[1]	蔡召, 荆涛, 任爽. 以太坊钓鱼诈骗检测技术综述[J]. 网络与信息安全学报, 2023, 9(2): 21-32.
[2]	张文博, 陈思敏, 魏立斐, 宋巍, 黄冬梅. 基于形式化方法的智能合约验证研究综述[J]. 网络与信息安全学报, 2022, 8(4): 12-28.
[3]	高凡, 王健, 刘吉强. 基于动态浏览器指纹的链接检测技术研究[J]. 网络与信息安全学报, 2022, 8(4): 144-156.
[4]	李丽娟, 李曼, 毕红军, 周华春. 基于混合深度学习的多类型低速率DDoS攻击检测方法[J]. 网络与信息安全学报, 2022, 8(1): 73-85.
[5]	赵淦森,谢智健,王欣明,何嘉浩,张成志,林成创,ZihengZhou,陈冰川,ChunmingRong. ContractGuard：面向以太坊区块链智能合约的入侵检测系统[J]. 网络与信息安全学报, 2020, 6(2): 35-55.
[6]	陈飞,毕小红,王晶晶,刘渊. DDoS攻击防御技术发展综述[J]. 网络与信息安全学报, 2017, 3(10): 16-24.