Chinese Journal of Network and Information Security (网络与信息安全学报), 2023, Vol. 9, Issue 1: 1-17. doi: 10.11959/j.issn.2096-109x.2023001
Article type: Review
Authors: 余北缘 (Beiyuan YU), 任珊瑶 (Shanyao REN), 刘建伟 (Jianwei LIU)
Revised: 2022-12-24
Online: 2023-02-25
Published: 2023-02-01
About the first author: 余北缘 (born 1996), male, from Beijing, is a PhD student at Beihang University (北京航空航天大学); his main research interest is network application security.
Abstract:
Since Satoshi Nakamoto proposed Bitcoin, blockchain technology has advanced by leaps and bounds, especially in digital asset transfer and electronic currency payment. Ethereum introduced smart contract code, giving the chain the ability to synchronize and persist the execution state of smart contract programs, to execute transaction conditions automatically, and to remove the need for intermediaries; Web3.0 developers can build more powerful decentralized applications on the general-purpose programmable blockchain platform that Ethereum provides. The characteristics of public-chain systems, such as no need for control by a central node, openness and transparency of interaction data guaranteed by smart contracts, and user data controlled by the users themselves, have drawn growing user attention as blockchain technology has developed. However, as blockchain technology spreads and is applied, more and more users store their digital assets on chain. Lacking supervision and governance by an authoritative body, public-chain systems such as Ethereum are gradually becoming a medium through which hackers steal digital assets: they use the blockchain to carry out scams and phishing attacks and profit by stealing the digital assets that users hold. This survey aims to help readers form a concept of blockchain asset security and to guard against blockchain-based asset theft attacks at their source. By collating and summarizing the asset theft attack schemes that hackers carry out in the blockchain environment, and by abstracting and generalizing a threat-model research method, the characteristics and execution scenarios of each class of attack are studied. Through in-depth analysis of typical attack methods and a comparison of the strengths and weaknesses of different attacks, the root causes that allow the attacks to succeed are identified. On the defensive side, defense schemes including phishing detection, token authorization detection, token locking, decentralized arbitration of token ownership, smart contract vulnerability detection, asset isolation, supply chain attack detection, and signed-data legitimacy checking are introduced in connection with specific attack cases and execution scenarios. For each class of defense, the basic implementation workflow and scheme are given, and the attack scenarios in which each protection scheme can safeguard users' asset security are identified.
Cite this article: 余北缘, 任珊瑶, 刘建伟 (Beiyuan YU, Shanyao REN, Jianwei LIU). Overview of blockchain assets theft attacks and defense technology[J]. Chinese Journal of Network and Information Security (网络与信息安全学报), 2023, 9(1): 1-17.