Disclosure of Invention
Purpose of the invention: because data on a blockchain cannot be modified, problems in smart contracts are far more serious than in other fields. The invention provides a method and device for detecting and preventing problems in Ethereum smart contracts, based on regular expressions and program instrumentation. It targets Ethereum smart contracts developed in the Solidity language, and detects problems and prevents them from arising by using defined regular expressions and detection rules that describe the characteristics of different problems, together with a method for constructing prevention code.
Technical scheme: to achieve this purpose, the invention adopts the following technical scheme:
A method for detecting and preventing problems in Ethereum smart contracts comprises the following steps:
step 1: acquiring the Ethereum smart contract to be detected, and formatting its source code;
step 2: determining the corresponding regular expressions and detection rules according to the characteristics of the different problems, and determining the method for constructing the code statements that prevent reentrancy vulnerabilities and integer overflow vulnerabilities;
step 3: sending the formatted code to the different problem detection programs, which detect the different kinds of smart contract problems according to the regular expressions and detection rules defined in step 2;
step 4: for reentrancy vulnerabilities, sending the formatted code to the reentrancy vulnerability prevention program, which locates the code statements that may introduce a reentrancy vulnerability according to the regular expression defined in step 2, constructs the prevention code to be inserted according to the contract contents, and finally inserts the prevention code into the smart contract;
step 5: for integer overflow vulnerabilities, sending the formatted code to the integer overflow vulnerability prevention program, which locates the code statements that may introduce an integer overflow vulnerability according to the regular expression defined in step 2, constructs the prevention code to be inserted according to the contract contents, and finally inserts the prevention code into the smart contract;
step 6: outputting to the user the detection or prevention result of at least one of steps 3 to 5, according to the function selected by the user.
Preferably, the Ethereum smart contract source code used as input in step 1 is written in Solidity, the Ethereum smart contract programming language.
Preferably, the types of smart contract problems in step 2 include at least one of: strictly comparing contract deposits, unprocessed exceptions, denial of service by external addresses, identity verification using tx.origin, missing constructors, locked money, unsafe type inference, use of byte[], costly loops, timestamp dependencies, non-standard token interfaces, use of floating point numbers, private visibility, redundant denial of payment, compiler version problems, non-standard programming styles, integer division, and non-explicit visibility; each problem is characterized by at least one regular expression.
Preferably, step 3 comprises the following steps:
step 31: reading the smart contract file that stores the formatted code;
step 32: sending the formatted code to the different kinds of problem detection programs;
step 33: each problem detection program saves the formatted code as a string array, traverses it line by line, and matches each line of code using the regular expression and detection rule defined for its problem; if the match succeeds, the line is determined to contain the problem; if the match fails, the line is determined not to contain the problem;
step 34: counting the problem types and their numbers from the detection results of all the problem detection programs in step 33, and determining the line number of each problem.
Preferably, inserting code in step 4 to prevent a reentrancy vulnerability from arising specifically includes:
step 41: reading the file that stores the formatted smart contract source code;
step 42: sending the formatted code to the reentrancy vulnerability prevention program;
step 43: the reentrancy vulnerability prevention program saves the formatted code into a string array;
step 44: the reentrancy vulnerability prevention program traverses the array line by line and locates the code statements that may introduce a reentrancy vulnerability according to the regular expression and detection rule defined in step 2; if such statements exist in the code, go to step 45, otherwise go to step 5;
step 45: for each line of code that may introduce a reentrancy vulnerability, first traversing the formatted code line by line from the beginning to find the first ledger variable, which records the relation between account addresses and the number of tokens each address holds, and obtaining the name of the ledger variable; then obtaining the address that receives Ether from the code statement that may introduce the reentrancy vulnerability; finally, constructing the prevention code to be inserted into the contract from the address that receives Ether and the name of the ledger variable;
step 46: first constructing a function call chain from the function call relationships in the contract; then inserting the prevention code constructed in step 45 at different locations in the call chain.
Preferably, step 5 comprises the following steps:
step 51: reading the file that stores the formatted smart contract source code;
step 52: storing the formatted code as a string array;
step 53: traversing the string array line by line and locating integer arithmetic statements using the regular expression and detection rule defined in step 2; if a line matches, constructing prevention code from the matched integer arithmetic statement and inserting it before and after that statement; if not, continuing the scan with the next line.
Preferably, in step 6, the detection report generated in step 3, or the smart contract protected against reentrancy vulnerabilities generated in step 4, or the smart contract protected against integer overflow vulnerabilities generated in step 5, is output to the user according to the function selected by the user.
The invention also relates to a device for detecting and preventing problems in Ethereum smart contracts, comprising a memory, a processor and a computer program that is stored in the memory and can run on the processor, wherein the computer program, when loaded into the processor, implements the above method for detecting and preventing problems in Ethereum smart contracts.
Advantageous effects: the method for detecting and preventing problems in Ethereum smart contracts provided by the invention is applicable to smart contracts written in Solidity, the high-level Ethereum smart contract programming language. In the problem detection part, smart contract problems are detected through defined regular expressions and detection rules that describe the characteristics of the code statements of different problems. In the problem prevention part, code statements that may introduce problems are located through the same kind of regular expressions and detection rules, and prevention code is then constructed and inserted into the contract to prevent the problems from arising. Compared with the prior art, the method has higher problem coverage, better detection efficiency and better detection accuracy when detecting or preventing problems in Ethereum smart contracts. The invention can be used to detect problems in Ethereum smart contracts quickly; when Ethereum smart contracts are audited manually, the invention can first scan the contracts and then provide guidance for the manual audit.
Detailed Description
The present invention is further illustrated by the following examples, which are intended to be purely exemplary and are not intended to limit the scope of the invention, as various equivalent modifications of the invention will occur to those skilled in the art upon reading the present disclosure and fall within the scope of the appended claims.
As shown in Fig. 1, the method for detecting and preventing problems in Ethereum smart contracts based on regular expressions and program instrumentation, disclosed in the embodiment of the present invention, mainly includes 6 steps:
step 1: acquiring the Ethereum smart contract to be detected, and formatting its source code;
step 2: determining the corresponding regular expressions and detection rules according to the characteristics of the different problems, and determining the method for constructing the code statements that prevent reentrancy vulnerabilities and integer overflow vulnerabilities;
step 3: sending the formatted code to the different problem detection programs, which detect the different kinds of smart contract problems according to the regular expressions and detection rules defined in step 2;
step 4: for reentrancy vulnerabilities, the method aims to prevent them from arising. The formatted code is sent to the reentrancy vulnerability prevention program, which locates the code statements that may introduce a reentrancy vulnerability according to the regular expression defined in step 2, constructs the prevention code to be inserted according to the contract contents, and finally inserts the prevention code into the smart contract;
step 5: for integer overflow vulnerabilities, the method aims to prevent them from arising. The formatted code is sent to the integer overflow vulnerability prevention program, which locates the code statements that may introduce an integer overflow vulnerability according to the regular expressions defined in step 2, constructs the prevention code to be inserted according to the contract contents, and finally inserts the prevention code into the smart contract;
step 6: outputting to the user the detection or prevention result of at least one of steps 3 to 5, according to the function selected by the user.
The detailed steps of the method disclosed by the embodiment of the invention are described below, taking as an example any Ethereum smart contract written in the Solidity language and published on the Ethereum block explorer. They are as follows:
step 1: acquiring an Ethereum smart contract written in the Solidity language and formatting its source code. The specific process is as follows:
step 11: any Ethereum smart contract written in the Solidity language is selected from the official website of the Ethereum block explorer (https://etherscan.io/verifiedContacts/); the source code of the contract is copied and saved locally as a file in .sol format.
step 12: the smart contract source code is read in line by line and stored in a string array. The array is traversed line by line, and lines that contain only a line feed are discarded. The string array without empty lines is traversed line by line, and if a line contains comment content, that content is replaced with a space character. The string array with comments and empty lines filtered out is traversed line by line, and the redundant spaces of each line are deleted. The string array with empty lines, comments and redundant spaces filtered out is traversed line by line, the contents of the lines are spliced into one string, and the string array is then discarded. The string is traversed character by character, and all line feed characters are replaced with spaces;
step 13: the string with line feeds replaced is traversed character by character, and whenever a semicolon (;), left curly brace ({) or right curly brace (}) is encountered, a line feed is inserted after it.
step 14: the string processed in step 23 is output to a .sol format file (Ethereum smart contract file) named according to the rule 'original file name _ format.sol'; code formatting is finished after this step.
step 2: according to the characteristics of the different problems, determining the corresponding regular expressions and detection rules, and determining the method for constructing the code statements that prevent reentrancy vulnerabilities and integer overflow vulnerabilities. The specific process is as follows:
step 21: according to the types and characteristics of the existing Ethereum smart contract problems, regular expressions describing the characteristics of the different problem statements are written, and a detection rule for detecting each problem is formulated.
For example, in Ethereum, Ether can be forcibly sent to any address, so the functionality of a contract should not depend on the Ether balance of the contract being some fixed value. Because an attacker can forcibly send Ether to the contract, this problem is named "strictly comparing contract deposits". A code statement that compares the deposit in an if statement or a require statement (which terminates execution when its condition is false) is described using the regular expression "Λ (\ s) ((if) | (white) | (velocity) | (d)) + (ether)) | (\\ d) + (\ s) (\\ s) (} s) (\ s) (-) - (which is strictly comparing deposits", and such a statement results in a "strictly comparing deposit" problem.
As another example, in an Ethereum smart contract the constructor runs when the contract is deployed, and the key information of the contract is usually assigned in the constructor. In Ethereum, a function with the same name as the contract can serve as the constructor, and the constructor keyword can also be used to declare the constructor. A missing constructor or a misspelled constructor name can allow the key information of the contract to be tampered with. The detection rule formulated from this problem characteristic is therefore: after obtaining the contract name, check whether the contract contains a function declared with constructor or a function with the same name as the contract. If it does, the problem is absent; if it does not, the problem exists.
The problem types detected by the embodiment of the invention and their descriptions are shown in Table 1, and the problem types, problem detection rules and corresponding regular expressions are shown in Table 2 (including reentrancy vulnerabilities and integer overflow vulnerabilities).
TABLE 1 problem categories and descriptions
TABLE 2 problem detection rules and regular expressions
step 22: determining the method for constructing the inserted code that prevents reentrancy vulnerabilities and integer overflow vulnerabilities, according to the characteristics of these two problems in Ethereum smart contracts. For example, integer overflow vulnerabilities exist in Ethereum, and to prevent them from arising, the result of every integer arithmetic statement should be checked. The invention therefore captures each integer arithmetic statement with a regular expression, constructs the check code by extracting the variable names from the statement, and inserts the check code at the proper position in the contract to prevent the integer overflow vulnerability. The methods for constructing the inserted code that prevents reentrancy vulnerabilities and integer overflow vulnerabilities are given in step 4 and step 5 respectively.
step 3: if the function selected by the user is to detect problems in the smart contract, problem statements are matched using the regular expressions written in step 2 to describe the different problem characteristics and the detection rules formulated there. The specific steps are as follows:
step 31: reading the smart contract file that stores the formatted code;
step 32: sending the formatted code to the different kinds of problem detection programs;
step 33: each problem detection program saves the formatted code as a string array, traverses it line by line, and matches each line of code using the regular expression (see Table 2) and detection rule defined for its problem. If the match succeeds, the line is determined to contain the problem; if the match fails, the line is determined not to contain the problem;
step 34: counting the problem types and their numbers from the detection results of all the problem detection programs in step 33, and determining the line number of each problem.
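An added example, not code from the patent: a minimal Python version of the formatting in steps 12-13 and the line-by-line detection in steps 31-34, using the two rules described in step 21. The sample contract, the function names and both regular expressions are assumptions made here; the regular expressions of Table 2 are not reproduced on this page.

```python
import re

# Constructed sample contract, not taken from the patent. "Wallte" is a
# misspelled old-style constructor, so the contract has no real constructor.
SAMPLE = """
pragma solidity ^0.4.24;
// simple wallet
contract Wallet {
    address owner;   /* set once */

    function Wallte() public { owner = msg.sender; }
    function claim() public {
        require(this.balance == 10 ether);
        msg.sender.transfer(this.balance);
    }
}
"""

def format_source(src):
    """Steps 12-13: drop comments and blank lines, squeeze spaces, join all
    lines into one string, then break after every ';', '{' and '}'.
    Simplification: comment markers inside string literals are not handled."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)  # block comment -> space
    src = re.sub(r"//[^\n]*", " ", src)               # line comment -> space
    one_line = " ".join(src.split())                  # newlines -> single spaces
    broken = re.sub(r"([;{}])", r"\1\n", one_line)
    return [ln.strip() for ln in broken.split("\n") if ln.strip()]

# Assumed pattern for "strictly comparing contract deposits": a condition in
# if/while/require/assert that tests a balance with == or != on either side.
STRICT_BALANCE = re.compile(
    r"^(if|while|require|assert)\s*\(.*"
    r"(\bbalance\s*[!=]=|[!=]=\s*[\w.()]*\bbalance\b)")
CONTRACT_DECL = re.compile(r"^contract\s+(\w+)")

def detect(lines):
    """Steps 33-34: scan the formatted lines once and return
    {problem name: [1-based line numbers]}."""
    findings = {}
    current = None  # [contract name, declaration line, constructor seen]

    def close(contract):
        if contract and not contract[2]:
            findings.setdefault("missing constructor", []).append(contract[1])

    for no, line in enumerate(lines, 1):
        if STRICT_BALANCE.search(line):
            findings.setdefault(
                "strictly comparing contract deposits", []).append(no)
        decl = CONTRACT_DECL.match(line)
        if decl:                    # a new contract starts: settle the last one
            close(current)
            current = [decl.group(1), no, False]
        elif current and re.match(
                r"constructor\s*\(|function\s+%s\s*\(" % re.escape(current[0]),
                line):
            current[2] = True
    close(current)
    return findings

def report(findings):
    """Step 34: number of hits per problem type."""
    return {name: len(hits) for name, hits in findings.items()}

if __name__ == "__main__":
    formatted = format_source(SAMPLE)
    for name, hits in detect(formatted).items():
        print(name, "at formatted lines", hits)
```

The line numbers refer to the formatted file, which is why the formatter has to run before detection.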
step 4: if the function selected by the user is to prevent reentrancy vulnerabilities in the smart contract, the statements that may introduce a reentrancy vulnerability are located using the regular expression that describes their characteristics and the formulated detection rule, and the vulnerability is then prevented by inserting prevention code. The specific steps are as follows:
step 41: reading the file that stores the formatted smart contract source code;
step 42: sending the formatted code to the reentrancy vulnerability prevention program;
step 43: the reentrancy vulnerability prevention program saves the formatted code into a string array;
step 44: the reentrancy vulnerability prevention program traverses the array line by line and locates the code statements that may introduce a reentrancy vulnerability according to the regular expression written in step 2 and the formulated detection rule; such statements are called dangerous statements. If the code contains a statement with the characteristic described by the regular expression, go to step 45, otherwise go to step 5;
step 45: for each line of code that may introduce a reentrancy vulnerability, first, the formatted code is traversed line by line from the beginning to find the first variable that records the relation between account addresses and the number of tokens held by each address; this variable is called the ledger variable, and its name is obtained. Then the address that receives Ether is obtained from the code statement that may introduce the reentrancy vulnerability. Finally, the prevention code to be inserted into the contract is constructed from the address that receives Ether and the name of the ledger variable. Four types of code are constructed in total, see Table 3:
TABLE 3 constructing code to prevent reentry vulnerabilities
step 46: first, a function call chain is constructed from the function call relationships in the contract. The construction of the call chain is illustrated as follows, supposing a contract contains the following code:
That is, function B is called in function A, function C is called in function B, and function C contains a dangerous statement. This produces a chain-like function call relationship. For convenience of description, the following definitions are used: the function at the head of the function call chain (function A in this example) is the chain head function, and the function at the tail of the function call chain (function C in this example) is the chain tail function; within the function call chain, a function whose body does not contain a dangerous statement is an indirect calling function, and a function whose body contains the dangerous statement is a direct calling function. The prevention code constructed in step 45 is then inserted at different locations in the call chain according to these definitions. The insertion locations of the various types of prevention code are described in Table 4.
TABLE 4 Insertion positions of the reentrancy vulnerability prevention code

| Code type | Insertion position |
|---|---|
| A | First line of the function body of the direct calling function or the chain head function |
| B | The line before the dangerous statement in the direct calling function |
| C | The line after the dangerous statement in the direct calling function |
| D | First line of the contract body |
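The call chain described in step 46, as an added Python example that is not part of the patent. The contract lines, the function names and the `.call.value(` pattern used for the dangerous statement are assumptions; the code builds each chain from its tail back to its head and labels the functions with the roles defined above.

```python
import re

# Constructed, already formatted contract (one statement per line):
# funA calls funB, funB calls funC, funC holds the dangerous statement.
LINES = [
    "contract Bank {",
    "function funA() public {",
    "funB();",
    "}",
    "function funB() internal {",
    "funC();",
    "}",
    "function funC() internal {",
    "msg.sender.call.value(balances[msg.sender])();",
    "balances[msg.sender] = 0;",
    "}",
    "function total() public view returns (uint) {",
    "return address(this).balance;",
    "}",
    "}",
]

# Assumed stand-in for the dangerous-statement regex of Table 2.
DANGEROUS = re.compile(r"\.call\.value\(")
FUNC = re.compile(r"^function\s+(\w+)\s*\(")

def function_bodies(lines):
    """Return {function name: body lines}, tracking brace depth. Relies on
    the formatter's guarantee that '{' and '}' only occur at line ends."""
    bodies, depth, cur = {}, 0, None   # cur = (name, first body index, depth)
    for i, ln in enumerate(lines):
        m = FUNC.match(ln)
        if m and ln.endswith("{") and cur is None:
            cur = (m.group(1), i + 1, depth)
        if ln.endswith("{"):
            depth += 1
        elif ln.endswith("}"):
            depth -= 1
            if cur and depth == cur[2]:
                bodies[cur[0]] = lines[cur[1]:i]
                cur = None
    return bodies

def is_direct(body):
    return any(DANGEROUS.search(ln) for ln in body)

def call_chains(lines):
    """Return every chain [head, ..., tail] whose tail has a dangerous statement."""
    bodies, chains = function_bodies(lines), []

    def walk(chain):
        pat = re.compile(r"\b%s\s*\(" % re.escape(chain[0]))
        callers = [f for f, body in bodies.items()
                   if f not in chain and any(pat.search(ln) for ln in body)]
        if not callers:
            chains.append(chain)       # nothing calls chain[0]: head reached
        for f in callers:
            walk([f] + chain)

    for f, body in bodies.items():
        if is_direct(body):
            walk([f])
    return chains

def roles(lines):
    """For each chain, label its functions with the roles defined in the text."""
    bodies, out = function_bodies(lines), []
    for chain in call_chains(lines):
        labels = {f: ["direct calling function" if is_direct(bodies[f])
                      else "indirect calling function"] for f in chain}
        labels[chain[0]].append("chain head function")
        labels[chain[-1]].append("chain tail function")
        out.append(labels)
    return out
```

Matching calls by name is a textual approximation: overloaded functions and calls through other contracts are not distinguished.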
step 5: if the function selected by the user is to prevent integer overflow vulnerabilities in the smart contract, the statements that may introduce an integer overflow vulnerability are located using the regular expression and detection rule written in step 2 to describe their characteristics, and the vulnerability is then prevented by inserting prevention code. The specific steps are as follows:
step 51: reading the file that stores the formatted smart contract source code;
step 52: storing the formatted code as a string array;
step 53: traversing the string array line by line and locating integer arithmetic statements using the regular expression and detection rule written in step 2. If a line matches, prevention code is constructed from the matched integer arithmetic statement; the prevention code differs according to the captured integer arithmetic code and is inserted before and after the integer arithmetic code. The captured integer arithmetic code, the constructed prevention code and the insertion position of the prevention code are shown in Table 5. If not, the scan continues with the next line.
TABLE 5 Correspondence between captured integer arithmetic code, constructed prevention code and insertion position of the prevention code
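An added Python example of step 53, not the patent's own code: it captures simple integer arithmetic statements in formatted lines and inserts `require` checks before or after them. The regular expression, the checks and the choice of position are assumptions made here in the style of common safe-arithmetic checks, since Table 5 is not reproduced on this page.

```python
import re

# Matches `[uintN] lhs = a op b;` where lhs, a and b are plain names, member
# accesses, index expressions or literals; anything more complex is skipped.
# Assumption: the operands are unsigned integers (a line scanner cannot
# check types).
ARITH = re.compile(
    r"^(?:uint\d*\s+)?(?P<lhs>[\w.\[\]]+)\s*=\s*"
    r"(?P<a>[\w.\[\]]+)\s*(?P<op>[-+*])\s*(?P<b>[\w.\[\]]+);$")

def checks_for(lhs, a, op, b):
    """Return (before, after): statements to insert around `lhs = a op b;`.
    The checks assume wrapping arithmetic (Solidity before 0.8)."""
    aliased = lhs in (a, b)       # the result overwrites one of the operands
    if op == "-":
        return [f"require({a} >= {b});"], []
    if op == "+":
        if aliased:               # old operand is lost afterwards: test first
            return [f"require({a} + {b} >= {a});"], []
        return [], [f"require({lhs} >= {a});"]
    if aliased:
        return [f"require({a} == 0 || ({a} * {b}) / {a} == {b});"], []
    return [], [f"require({a} == 0 || {lhs} / {a} == {b});"]

def instrument(lines):
    """Step 53: copy the lines, adding checks around each captured statement."""
    out = []
    for ln in lines:
        m = ARITH.match(ln)
        before, after = checks_for(**m.groupdict()) if m else ([], [])
        out += before + [ln] + after
    return out

# Constructed, already formatted sample lines (not from the patent).
FORMATTED = [
    "function transfer(address to, uint value) public {",
    "balances[msg.sender] = balances[msg.sender] - value;",
    "balances[to] = balances[to] + value;",
    "uint fee = value * rate;",
    "emit Transfer(msg.sender, to, value);",
    "}",
]

if __name__ == "__main__":
    print("\n".join(instrument(FORMATTED)))
```

When the assignment overwrites one of its own operands, a check placed after the statement would compare the result with itself, so the example moves the check in front of the statement in that case.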
step 6: according to the function selected by the user, the detection results are summarized into a detection report, or the smart contract protected against reentrancy vulnerabilities after insertion of the prevention code, or the smart contract protected against integer overflow vulnerabilities after insertion of the prevention code, is returned to the user.
Based on the same inventive concept, the device for detecting and preventing problems in Ethereum smart contracts disclosed by the embodiment of the invention comprises a memory, a processor and a computer program that is stored in the memory and can run on the processor, wherein the computer program, when loaded into the processor, implements the above method for detecting and preventing problems in Ethereum smart contracts.