通信学报 ›› 2023, Vol. 44 ›› Issue (10): 164-176.doi: 10.11959/j.issn.1000-436x.2023190
• 学术论文 • 上一篇
陈锦富1,2, 王震鑫1,2, 蔡赛华1,2, 冯乔伟1,2, 陈宇豪1,2, 许容天1,2, Patrick Kwaku Kudjo3
修回日期:
2023-09-05
出版日期:
2023-10-01
发布日期:
2023-10-01
作者简介:
陈锦富(1978− ),男,江西赣州人,博士,江苏大学教授、博士生导师,主要研究方向为软件测试、软件安全和可信软件基金资助:
Jinfu CHEN1,2, Zhenxin WANG1,2, Saihua CAI1,2, Qiaowei FENG1,2, Yuhao CHEN1,2, Rongtian XU1,2, KwakuKudjo Patrick3
Revised:
2023-09-05
Online:
2023-10-01
Published:
2023-10-01
Supported by:
摘要:
针对现有测试方法的缺陷,提出了一种基于蜕变测试的区块链智能合约漏洞检测方法,其能针对区块链智能合约中具体的功能生成针对性的测试用例,从而检测区块链智能合约中存在的漏洞。针对可能出现的安全漏洞,设计了不同的蜕变关系并进行蜕变测试。通过验证源测试用例和后续测试用例之间是否满足蜕变关系,判断智能合约是否存在相关的安全漏洞。实验结果表明,所提方法可以有效地检测出智能合约中存在的安全漏洞。
中图分类号:
陈锦富, 王震鑫, 蔡赛华, 冯乔伟, 陈宇豪, 许容天, Patrick Kwaku Kudjo. 基于蜕变测试的区块链智能合约漏洞检测方法[J]. 通信学报, 2023, 44(10): 164-176.
Jinfu CHEN, Zhenxin WANG, Saihua CAI, Qiaowei FENG, Yuhao CHEN, Rongtian XU, KwakuKudjo Patrick. Vulnerability detection method for blockchain smart contracts based on metamorphic testing[J]. Journal on Communications, 2023, 44(10): 164-176.
表9
实验验证的合约实例与存在的漏洞"
合约编号 | 合约名称 | 漏洞类型 | 合约来源 |
1 | Reentrance | 重入攻击/加法溢出 | Etherscan |
2 | Bitcoin Red | 减法溢出 | CVE-2018-11687 |
3 | EtherStore | 重入攻击 | Etherscan |
4 | PolyAi | 减法溢出 | CVE-2018-11812 |
5 | Internet Node Token | 加法溢出 | CVE-2018-11811 |
6 | Bank | 重入攻击 | Etherscan |
7 | Beauty Ecosystem Coin | 乘法溢出 | CVE-2018-10299 |
8 | Victim | 重入攻击 | Etherscan |
9 | Playkey | 加法溢出 | CVE-2018-11809 |
10 | Token Example | 加法溢出 | Etherscan |
[1] | CLACK C D , BAKSHI V A , BRAINE L . Smart contract templates:foundations,design landscape and research directions[J]. arXiv Preprint,arXiv:1608.00771, 2016. |
[2] | GRISHCHENKO I , MAFFEI M , SCHNEIDEWIND C . A semantic framework for the security analysis of ethereum smart contracts[C]// International Conference on Principles of Security and Trust. Cham:Springer, 2018: 243-269. |
[3] | ATZEI N , BARTOLETTI M , CIMOLI T . A survey of attacks on ethereum smart contracts SoK[C]// Proceedings of the 6th International Conference on Principles of Security and Trust. New York:ACM Press, 2017: 164-186. |
[4] | 邵奇峰, 金澈清, 张召 ,等. 区块链技术:架构及进展[J]. 计算机学报, 2018,41(5): 969-988. |
SHAO Q F , JIN C Q , ZHANG Z ,et al. Blockchain:architecture and research progress[J]. Chinese Journal of Computers, 2018,41(5): 969-988. | |
[5] | CECCHETTI E , YAO S Q , NI H B ,et al. Compositional security for reentrant applications[C]// Proceedings of 2021 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2021: 1249-1267. |
[6] | ALBERT E , CORREAS J , GORDILLO P ,et al. GASOL:gas analysis and optimization for Ethereum smart contracts[C]// International Conference on Tools and Algorithms for the Construction and Analysis of Systems. Cham:Springer, 2020: 118-125. |
[7] | ZHANG Y Y , MA S Q , LI J R ,et al. SMARTSHIELD:automatic smart contract protection made easy[C]// Proceedings of 2020 IEEE 27th International Conference on Software Analysis,Evolution and Reengineering (SANER). Piscataway:IEEE Press, 2020: 23-34. |
[8] | RODLER M , LI W T , KARAME G O ,et al. Sereum:protecting existing smart contracts against re-entrancy attacks[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Reston:Internet Society, 2019: 24-27. |
[9] | 倪远东, 张超, 殷婷婷 . 智能合约安全漏洞研究综述[J]. 信息安全学报, 2020,5(3): 78-99. |
NI Y D , ZHANG C , YIN T T . A survey of smart contract vulnerability research[J]. Journal of Cyber Security, 2020,5(3): 78-99. | |
[10] | KALRA S , GOEL S , DHAWAN M ,et al. ZEUS:analyzing safety of smart contracts[C]// Proceedings of 2018 Network and Distributed System Security Symposium. Reston:Internet Society, 2018: 1-15. |
[11] | GROCE A , FEIST J , GRIECO G ,et al. What are the actual flaws in important smart contracts (and how can we find them)?[C]// International Conference on Financial Cryptography and Data Security. Cham:Springer, 2020: 634-653. |
[12] | 杨慧文, 崔展齐, 陈翔 ,等. 基于软件度量的Solidity智能合约缺陷预测方法[J]. 软件学报, 2022,33(5): 1587-1611. |
YANG H W , CUI Z Q , CHEN X ,et al. Defect prediction for solidity smart contracts based on software measurement[J]. Journal of Software, 2022,33(5): 1587-1611. | |
[13] | 钱鹏, 刘振广, 何钦铭 ,等. 智能合约安全漏洞检测技术研究综述[J]. 软件学报, 2021,33(8): 3059-3085. |
QIAN P , LIU Z G , HE Q M ,et al. Smart contract vulnerability detection technique:a survey[J]. Journal of Software, 2021,33(8): 3059-3085. | |
[14] | TIKHOMIROV S , VOSKRESENSKAYA E , IVANITSKIY I ,et al. SmartCheck:static analysis of Ethereum smart contracts[C]// Proceedings of 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). Piscataway:IEEE Press, 2018: 9-16. |
[15] | TSANKOV P , DAN A , DRACHSLER-COHEN D ,et al. Securify:practical security analysis of smart contracts[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 67-82. |
[16] | BADRUDDOJA S , DANTU R , HE Y Y ,et al. Making smart contracts smarter[C]// Proceedings of 2021 IEEE International Conference on Blockchain and Cryptocurrency (ICBC). Piscataway:IEEE Press, 2021: 1-3. |
[17] | FEIST J , GRIECO G , GROCE A . Slither:a static analysis framework for smart contracts[C]// Proceedings of 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). Piscataway:IEEE Press, 2019: 8-15. |
[18] | ANAND S , BURKE E K , CHEN T Y ,et al. An orchestrated survey of methodologies for automated software test case generation[J]. Journal of Systems and Software, 2013,86(8): 1978-2001. |
[19] | CHEN T Y , KUO F C , LIU H ,et al. Metamorphic testing:a review of challenges and opportunities[J]. ACM Computing Surveys, 2018,51(1): 1-27. |
[20] | FENG Y , TORLAK E , BODIK R . Precise attack synthesis for smart contracts[J]. arXiv Preprint,arXiv:1902.06067, 2019. |
[21] | GRIECO G , SONG W , CYGAN A ,et al. Echidna:effective,usable,and fast fuzzing for smart contracts[C]// Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York:ACM Press, 2020: 557-560. |
[22] | XIE X Y , JOSHUA W K H , CHEN T Y . Testing and validating machine learning classifiers by metamorphic testing[J]. Journal of Systems and Software, 2011,84(4): 544-558. |
[23] | CHEN T Y , CHEUNG S C , YIU S M . Metamorphic testing:a new approach for generating next test cases[J]. arXiv Preprint,arXiv:2002.12543, 2020. |
[24] | CHINEN Y , YANAI N , CRUZ J P ,et al. RA:hunting for re-entrancy attacks in Ethereum smart contracts via static analysis[C]// Proceedings of 2020 IEEE International Conference on Blockchain (Blockchain). Piscataway:IEEE Press, 2020: 327-336. |
[25] | 惠战伟 . 蜕变测试技术研究[D]. 南京:解放军理工大学, 2015. |
HUI Z W . Metamorphic testing techniques research[D]. Nanjing:PLA University of Science and Technology, 2015. | |
[26] | CHEN T Y , YU Y T . On the relationship between partition and random testing[J]. IEEE Transactions on Software Engineering, 1994,20(12): 977-980. |
[27] | REN M , YIN Z J , MA F C ,et al. Empirical evaluation of smart contract testing:what is the best choice?[C]// Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York:ACM Press, 2021: 566-579. |
[28] | SUN C A , FU A , POON P L ,et al. METRIC+:a metamorphic relation identification technique based on input plus output domains[J]. IEEE Transactions on Software Engineering, 2021,47(9): 1764-1785. |
[1] | 李致远, 徐丙磊, 周颖仪. 基于图神经网络的账户余额模型区块链地址分类方法[J]. 通信学报, 2023, 44(9): 115-126. |
[2] | 陈越, 郝增航, 魏江宏, 胡学先, 杨冬梅. 支持陷门撤销和编辑次数限制的可编辑区块链[J]. 通信学报, 2023, 44(7): 100-113. |
[3] | 张海波, 曹钰坤, 刘开健, 王汝言. 车联网中基于区块链的分布式信任管理方案[J]. 通信学报, 2023, 44(5): 148-157. |
[4] | 冯涛, 陈李秋, 方君丽, 石建明. 基于本地化差分隐私和属性基可搜索加密的区块链数据共享方案[J]. 通信学报, 2023, 44(5): 224-233. |
[5] | 刘雪娇, 钟强, 夏莹杰. 基于双层分片区块链的车联网跨信任域高效认证方案[J]. 通信学报, 2023, 44(5): 213-223. |
[6] | 夏莹杰, 朱思雨, 刘雪娇. 区块链架构下具有条件隐私的车辆编队跨信任域高效群组认证研究[J]. 通信学报, 2023, 44(4): 111-123. |
[7] | 刘雪娇, 曹天聪, 夏莹杰. 区块链架构下高效的车联网跨域数据安全共享研究[J]. 通信学报, 2023, 44(3): 186-197. |
[8] | 经普杰, 王良民, 董学文, 张玉书, 王骞, Muhammad Sohail. 分层跨链结构:一种面向区块链系统监管的可行架构[J]. 通信学报, 2023, 44(3): 93-104. |
[9] | 戴千一, 张斌, 郭松, 徐开勇. 基于多分类器集成的区块链网络层异常流量检测方法[J]. 通信学报, 2023, 44(3): 66-80. |
[10] | 蒋丽, 谢胜利, 田辉. 面向数字孪生边缘网络的区块链分片及资源自适应优化机制[J]. 通信学报, 2023, 44(3): 12-23. |
[11] | 黄冬艳, 李琨. 多地址的时间型区块链隐蔽通信方法研究[J]. 通信学报, 2023, 44(2): 148-159. |
[12] | 王苗苗, 芮兰兰, 徐思雅. 面向文化资源可信共享的多因子身份认证方案[J]. 通信学报, 2023, 44(10): 34-45. |
[13] | 李雷孝, 杜金泽, 林浩, 高昊昱, 杨艳艳, 高静. 区块链网络隐蔽信道研究进展[J]. 通信学报, 2022, 43(9): 209-223. |
[14] | 冯霞, 崔凯平, 谢晴晴, 王良民. VANET中基于区块链的分布式匿名认证方案[J]. 通信学报, 2022, 43(9): 134-147. |
[15] | 杨亚涛, 刘德莉, 刘培鹤, 曾萍, 肖嵩. BFV-Blockchainvoting:支持BFV全同态加密的区块链电子投票系统[J]. 通信学报, 2022, 43(9): 100-111. |
阅读次数 | ||||||
全文 |
|
|||||
摘要 |
|
|||||
|