CN115292172A - Method for improving intelligent contract detection coverage rate, electronic equipment and storage medium - Google Patents


Info

Publication number: CN115292172A
Application number: CN202210917294.9A
Other versions: CN115292172B (granted publication)
Authority: CN (China)
Language: Chinese (zh)
Inventors: 董剑, 计松言, 任潇
Assignee (original and current): Harbin Institute of Technology
Legal status: granted, active (Google Patents notes that the legal status, the assignee list and the priority date are assumptions rather than legal conclusions, and that it has performed no legal analysis)
Prior art keywords: taint, intelligent contract, input parameters, instruction, information

Classifications

    • G06F11/3676 Test management for coverage analysis (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F11/00 Error detection; error correction; monitoring > G06F11/36 Preventing errors by testing or debugging software > G06F11/3668 Software testing > G06F11/3672 Test management)
    • G06F11/3684 Test management for test design, e.g. generating new test cases (same parent path as above)
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites (same parent path as above)
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; distributed database system architectures therefor (G06F16/00 Information retrieval; database structures therefor; file system structures therefor > G06F16/20 Information retrieval of structured data, e.g. relational data)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
    • G06F9/45558 Hypervisor-specific management and integration aspects (G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control using stored programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; virtual machine monitors)
    • G06Q40/04 Trading; exchange, e.g. stocks, commodities, derivatives or currency exchange (G06Q Information and communication technology specially adapted for administrative, commercial, financial, managerial or supervisory purposes > G06Q40/00 Finance; insurance; tax strategies; processing of corporate or income taxes)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Quality & Reliability (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Finance (AREA)
  • Accounting & Taxation (AREA)
  • Economics (AREA)
  • General Business, Economics & Management (AREA)
  • Technology Law (AREA)
  • Strategic Management (AREA)
  • Marketing (AREA)
  • Data Mining & Analysis (AREA)
  • Development Economics (AREA)
  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A method for improving smart contract detection coverage, an electronic device and a storage medium belong to the technical field of Ethereum smart contract security and address the low branch coverage of existing smart contract detection tools. The method takes the bytecode and ABI of a smart contract as input and derives the input parameters of its functions; it generates test cases and then fuzzes the smart contract, using a specific instruction of the contract as the taint source, identifying the input parameters of each function, marking them as tainted and storing the taint information; it defines a taint propagation strategy, marks the branch statements left uncovered during fuzzing as taint sinks and records the taint information those statements contain; it then selects the input parameters to mutate, keeps the other input parameters fixed, mutates the test cases, executes the smart contract with the resulting mutated test case set and continues fuzzing until a preset time is reached or all branches are satisfied. The invention achieves high branch coverage.

Description

Method for improving intelligent contract detection coverage rate, electronic equipment and storage medium
Technical Field
The invention belongs to the technical field of Ethereum smart contract security and in particular relates to a method for improving smart contract detection coverage, an electronic device and a storage medium.
Background
In recent years Ethereum has developed rapidly thanks to its novel deployment of smart contracts on a blockchain, and by total market value it has become the second-largest cryptocurrency after Bitcoin. A smart contract is a carefully crafted program that executes on the blockchain. It allows trusted transactions and agreements to be carried out between mutually anonymous parties without a third party, and those transactions and agreements are traceable, irreversible and transparent. Smart contracts are therefore widely used to manage valuable digital assets.
However, because Solidity is Turing-complete, has existed for only a short time and is more error-prone than traditional programming languages, smart contracts have become one of the weakest links in blockchain security. Moreover, the purpose of putting smart contracts on a blockchain is to use the blockchain's properties to guarantee their trustworthiness; vulnerabilities in a contract violate those properties and render the contract meaningless. To undo the consequences of one such vulnerability Ethereum resorted to a hard fork, which not only caused economic loss but also triggered a heated debate about the immutability of the blockchain. Security checks before a smart contract is deployed on chain are therefore indispensable.
A number of tools for finding smart contract vulnerabilities have been proposed, and one important technique they use is fuzz testing. Compared with symbolic execution, fuzzing is scalable and efficient. Fuzzing relies on runtime information, and current state-of-the-art tools such as ContractFuzzer and sFuzz all use it; it has become the mainstream technique for smart contract testing and vulnerability detection. Although existing smart contract fuzzers have made great progress in vulnerability detection, they do not consider the data flow inside the program: input parameters are mutated at random, so hard-to-cover conditional statements such as deeply nested constraints cannot be satisfied effectively, detection efficiency and branch coverage are low, and deep conditional branches are hard to reach. More seriously, if a fuzzer cannot examine these hard-to-cover conditional statements, they may give an adversary the opportunity to plant a bug and launch an attack after the smart contract is deployed.
Disclosure of Invention
The invention aims to solve the low branch coverage of existing smart contract detection tools and provides a method for improving smart contract detection coverage, an electronic device and a storage medium.
To this end, the invention is realised by the following technical scheme:
A method for improving smart contract detection coverage comprises the following steps:
S1. Take the bytecode and ABI of a smart contract as input;
S2. Generate test cases: generate a number of transactions according to the ABI from step S1, each transaction calling one function of the smart contract with randomly generated input parameters; combine the transactions into a function call sequence, which constitutes one test case;
S3. Fuzz the smart contract: run the smart contract bytecode with the test cases generated in step S2, starting from an empty seed set; whenever a test case reaches a new branch, add it to the seed set, and for every branch that is still uncovered add the test case that comes closest to it, closeness being measured by absolute distance; then perform the dynamic taint analysis of step S4;
S4. Dynamic taint analysis: use the CALLDATALOAD instruction of the smart contract as the taint source; identify the input parameters of the functions from step S2, mark the input parameters of each function as tainted and store the taint information; define a taint propagation strategy, track taint propagation while the smart contract is fuzzed, and record the taint information contained in every branch statement encountered on the execution path; mark the branch statements that remain uncovered during fuzzing as taint sinks and record the taint information they contain;
S5. Select the input parameters to mutate: define a selection strategy for the input parameters to be mutated during smart contract fuzzing and derive the set of input parameters to mutate from the result of the dynamic taint analysis of step S4; if that set is non-empty, mutate it; if it is empty, take the union of the input parameters contained in the taints of the branches involved, using the recorded taint information of the branch statements on the execution path and of the uncovered branch, as the set of input parameters to mutate;
S6. Using the set of input parameters obtained in step S5, mutate the test cases in the seed set that correspond to the branch while keeping the other input parameters fixed, which reduces invalid mutations; the mutation operators follow AFL;
S7. Execute the smart contract with the mutated test case set from step S6 and continue fuzzing;
S8. Repeat steps S4 to S7 until the fuzzing process reaches the preset time or all branches are satisfied.
Further, if the source code of the smart contract is provided in step S1, it is compiled into bytecode and ABI.
Further, in step S4 the CALLDATALOAD instruction reads a function parameter from the data field of the transaction and pushes it onto the top of the stack; its operand is the offset of the parameter within the call data. This instruction is used as the taint source: when execution reaches it, a taint is introduced into the program. Taint information is stored as key-value pairs whose key is the position of the stack top and whose value is the offset of the input parameter; the value distinguishes the different input parameters.
Further, the taint propagation strategy of step S4 is defined by the following steps:
S4.1. According to the three kinds of data storage in the Ethereum virtual machine, namely stack, memory and storage, name the taint information taint information 1, taint information 2 and taint information 3; because describing the propagation process requires following taint across the different storage types, the taint information is maintained in three separate key-value structures;
S4.2. Adopt an over-tainting propagation strategy: whenever an operand of an instruction carries taint data, mark the result of the operation as tainted with the taint labels owned by the operand;
S4.3. When a POP instruction is executed, the taint data is removed from the stack and the corresponding taint information is deleted.
Further, the dynamic taint analysis of step S4 is implemented by the following steps:
S4.4. Define the JUMPI instruction as the taint sink;
S4.5. Detect the taint information flowing into the condition and store the taint information of the input parameters involved in a key-value structure named JUMPI taint information, whose key is the program counter of the JUMPI instruction and whose value is the set of taints flowing into the condition;
S4.6. Store the dependency relationship between the branch statements of the same function, which is used to screen the input parameters that need mutation, in a structure named dominating taint information, whose key is the program counter of the JUMPI instruction and whose value is the set of program counters of the branches on the execution path leading to it.
Further, the selection strategy for the input parameters to mutate during smart contract fuzzing in step S5 is defined by the following steps:
S5.1. From the result of the dynamic taint analysis of step S4, find the set of input parameters contained in the uncovered branch statement and call it Q; Q is the value in the JUMPI taint information whose key is the program counter of the current instruction;
S5.2. From the result of the dynamic taint analysis of step S4, find all conditional statements on the execution path and call them P; P is the value in the dominating taint information whose key is the program counter of the current instruction. Take the union of the input parameters contained in the statements of P and call it N; N is the union of the values in the JUMPI taint information whose keys are the program counters contained in P;
S5.3. Define the input parameter selection strategy as choosing Q \ N as the set to mutate: change the input parameters that are not in N and keep the input parameters in N fixed, which reduces invalid mutations.
Further, when Q \ N is empty, the set of input parameters mutated in step S5 is Q ∪ N.
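The taint source, propagation and sink of steps S4.1 to S4.6 and the Q \ N rule of steps S5.1 to S5.3 (which the first embodiment below repeats) can be followed on a toy interpreter. The script below is an added illustration written for this page; it is not code from the patent and not an implementation of the claimed invention. Its assumptions: instructions are indexed by position rather than by byte offset, taint labels travel with each stack, memory or storage slot instead of being keyed by stack-top position as in Table 1, only the handful of opcodes the sample needs are implemented, and the sample program, its calldata layout (four zeroed selector bytes, then 32-byte words at offsets 4, 36 and 68) and all helper names are invented here.

```python
"""Reduced EVM interpreter with dynamic taint tracking (added example, not the patent's code).
Source: CALLDATALOAD (label = calldata offset); propagation: over-tainting through stack,
memory and storage; sink: JUMPI, which records its condition's labels and its dominators."""
from typing import Dict, FrozenSet, List, Set, Tuple

Label = int                                    # calldata offset: 4 + 32*i for ABI parameter i
Slot = Tuple[int, FrozenSet[Label]]            # (value, taint labels)
NONE: FrozenSet[Label] = frozenset()
MASK = (1 << 256) - 1
BINOPS = {"ADD": lambda a, b: (a + b) & MASK, "SUB": lambda a, b: (a - b) & MASK,
          "MUL": lambda a, b: (a * b) & MASK, "EQ": lambda a, b: int(a == b)}

def assemble(src: List[Tuple]) -> List[Tuple]:
    """Instructions are indexed by position (a simplification of EVM byte offsets);
    ("LABEL", name) becomes a JUMPDEST and ("PUSH", name) pushes its index."""
    labels, prog = {}, []
    for ins in src:
        if ins[0] == "LABEL":
            labels[ins[1]] = len(prog)
            prog.append(("JUMPDEST",))
        else:
            prog.append(ins)
    return [("PUSH", labels[i[1]]) if i[0] == "PUSH" and isinstance(i[1], str) else i
            for i in prog]

class TaintEVM:
    def __init__(self, prog: List[Tuple]):
        self.prog = prog
        self.storage: Dict[int, Slot] = {}              # persists across transactions
        self.jumpi_taint: Dict[int, Set[Label]] = {}    # JUMPI pc -> labels in its condition
        self.dominating: Dict[int, Set[int]] = {}       # JUMPI pc -> JUMPI pcs executed before it
        self.covered: Set[Tuple[int, bool]] = set()     # (JUMPI pc, taken)

    def run(self, calldata: bytes) -> None:
        stack, memory, path, pc = [], {}, [], 0         # path: JUMPI pcs executed in this call
        while pc < len(self.prog):
            ins, pc = self.prog[pc], pc + 1
            op = ins[0]
            if op == "PUSH":
                stack.append((ins[1], NONE))
            elif op == "CALLDATALOAD":                  # taint source: label = offset operand
                off = stack.pop()[0]
                word = int.from_bytes(calldata[off:off + 32].ljust(32, b"\0"), "big")
                stack.append((word, frozenset({off})))
            elif op in BINOPS:                          # over-tainting: union of operand labels
                (a, ta), (b, tb) = stack.pop(), stack.pop()
                stack.append((BINOPS[op](a, b), ta | tb))
            elif op == "POP":                           # the slot's taint entry goes with it
                stack.pop()
            elif op in ("MSTORE", "SSTORE"):            # taint follows data into memory/storage
                (key, tk), (val, tv) = stack.pop(), stack.pop()
                (memory if op == "MSTORE" else self.storage)[key] = (val, tv | tk)
            elif op in ("MLOAD", "SLOAD"):
                key, tk = stack.pop()
                val, tv = (memory if op == "MLOAD" else self.storage).get(key, (0, NONE))
                stack.append((val, tv | tk))
            elif op == "JUMPI":                         # taint sink
                (dest, _), (cond, tc) = stack.pop(), stack.pop()
                jpc = pc - 1
                self.jumpi_taint.setdefault(jpc, set()).update(tc)
                self.dominating.setdefault(jpc, set()).update(path)
                path.append(jpc)
                self.covered.add((jpc, cond != 0))
                if cond:
                    pc = dest
            elif op == "STOP":
                break                                   # JUMPDEST simply falls through

def select_params(target: int, evm: TaintEVM) -> Set[Label]:
    """Step S5: Q = parameters reaching the uncovered JUMPI, N = parameters of the JUMPIs
    dominating it. Mutate Q \\ N and keep N fixed; if that is empty fall back to Q | N."""
    q = set(evm.jumpi_taint.get(target, ()))
    n = set().union(*(evm.jumpi_taint.get(p, set()) for p in evm.dominating.get(target, ())))
    return (q - n) or (q | n)

def encode(*params: int) -> bytes:
    """ABI-style calldata: 4 selector bytes (zeroed here), then 32-byte words."""
    return b"\0" * 4 + b"".join(p.to_bytes(32, "big") for p in params)

# Constructed sample: f(uint a, uint b, uint c) with the nested conditions
# a == 7, then b + c == 100 (routed through memory), then a * b == 70.
SAMPLE = assemble([
    ("PUSH", 4), ("CALLDATALOAD",), ("PUSH", 7), ("EQ",), ("PUSH", "L1"), ("JUMPI",), ("STOP",),
    ("LABEL", "L1"), ("PUSH", 36), ("CALLDATALOAD",), ("PUSH", 68), ("CALLDATALOAD",), ("ADD",),
    ("PUSH", 0x40), ("MSTORE",), ("PUSH", 0x40), ("MLOAD",), ("PUSH", 100), ("EQ",),
    ("PUSH", "L2"), ("JUMPI",), ("STOP",),
    ("LABEL", "L2"), ("PUSH", 4), ("CALLDATALOAD",), ("PUSH", 36), ("CALLDATALOAD",), ("MUL",),
    ("PUSH", 70), ("EQ",), ("PUSH", "L3"), ("JUMPI",), ("STOP",),
    ("LABEL", "L3"), ("PUSH", 1), ("PUSH", 0), ("SSTORE",), ("STOP",),
])
JUMPIS = [pc for pc, ins in enumerate(SAMPLE) if ins[0] == "JUMPI"]

def analyse(params: Tuple[int, ...]) -> Tuple[TaintEVM, List[Tuple[int, bool]]]:
    """Run one transaction; return the analysis state and the branches still uncovered."""
    evm = TaintEVM(SAMPLE)
    evm.run(encode(*params))
    return evm, [(pc, t) for pc in JUMPIS for t in (True, False) if (pc, t) not in evm.covered]
```

Calling `analyse((7, 1, 2))` takes the first JUMPI (a == 7) and falls through the second (b + c == 100): the uncovered taken edge of the second JUMPI has Q = {36, 68} and N = {4}, so only b and c are mutated and a stays 7, which is exactly the invalid mutation the method avoids. Calling `analyse((7, 50, 50))` reaches the third JUMPI, whose condition a * b == 70 has Q = {4, 36} while N = {4, 36, 68}; Q \ N is empty and the rule falls back to Q ∪ N. Two caveats a practitioner should keep in mind: over-tainting also carries the labels of address operands, so the sets are an over-approximation, and the dominating set is collected from the executed path, not from a static dominator analysis, so it only contains branches the current test case actually passed.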
The electronic device comprises a memory and a processor; the memory stores a computer program, and when the processor executes it the steps of the method for improving smart contract detection coverage are carried out.
A computer-readable storage medium stores a computer program which, when executed by a processor, carries out the method for improving smart contract detection coverage.
The beneficial effects of the invention are:
The invention provides a method for improving smart contract detection coverage together with a dynamic taint analysis tailored to the characteristics of the Ethereum virtual machine. The input parameters of a smart contract function are selected according to the proposed selection strategy, so that more hard-to-satisfy branch constraints are covered and more contract code is executed, which lowers the false alarm rate of existing fuzzers. Detection works at the bytecode level, so contracts for which only bytecode is available can be examined as well as those whose source code is provided. The invention can be applied to smart contract security auditing: it gives developers and testers guidance in a situation where smart contract development is not standardised and vulnerabilities are easily introduced, detects whether a written contract carries security risks, and plays an important role in improving the security of smart contracts and the blockchain.
Drawings
Fig. 1 is a schematic flow chart of the method for improving smart contract detection coverage according to the invention.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments. The embodiments described here are illustrative only and not limiting: they are only some, not all, of the embodiments of the invention. The components of the embodiments generally described and illustrated in the figures may be arranged and designed in a wide variety of configurations, and the invention may have other embodiments.
The following detailed description of the specific embodiments shown in the drawings is therefore not intended to limit the scope of the invention as claimed, but merely represents selected embodiments of it. All other embodiments that a person skilled in the art can derive from this description without inventive effort fall within the scope of protection of the invention.
To further explain the contents, features and effects of the invention, the following embodiments are described in detail with reference to Fig. 1:
First embodiment:
A method for improving smart contract detection coverage comprises the following steps:
S1. Take the bytecode and ABI of a smart contract as input;
further, if the source code of the smart contract is provided in step S1, compile it into bytecode and ABI;
S2. Generate test cases: generate a number of transactions according to the ABI from step S1, each transaction calling one function of the smart contract with randomly generated input parameters; combine the transactions into a function call sequence, which constitutes one test case;
S3. Fuzz the smart contract: run the smart contract bytecode with the test cases generated in step S2, starting from an empty seed set; whenever a test case reaches a new branch, add it to the seed set, and for every branch that is still uncovered add the test case that comes closest to it, closeness being measured by absolute distance; then perform the dynamic taint analysis of step S4;
S4. Dynamic taint analysis: use the CALLDATALOAD instruction of the smart contract as the taint source; identify the input parameters of the functions from step S2, mark the input parameters of each function as tainted and store the taint information; define a taint propagation strategy, track taint propagation while the smart contract is fuzzed, and record the taint information contained in every branch statement encountered on the execution path; mark the branch statements that remain uncovered during fuzzing as taint sinks and record the taint information they contain;
further, in step S4 the CALLDATALOAD instruction reads a function parameter from the data field of the transaction and pushes it onto the top of the stack; its operand is the offset of the parameter within the call data. This instruction is used as the taint source: when execution reaches it, a taint is introduced into the program. Taint information is stored as key-value pairs whose key is the position of the stack top and whose value is the offset of the input parameter; the value distinguishes the different input parameters;
further, the taint propagation strategy of step S4 is defined by the following steps:
S4.1. According to the three kinds of data storage in the Ethereum virtual machine, namely stack, memory and storage, name the taint information taint information 1, taint information 2 and taint information 3; because describing the propagation process requires following taint across the different storage types, the taint information is maintained in three separate key-value structures;
S4.2. Adopt an over-tainting propagation strategy: whenever an operand of an instruction carries taint data, mark the result of the operation as tainted with the taint labels owned by the operand;
S4.3. When a POP instruction is executed and the taint data is removed from the stack, the corresponding taint information is deleted;
The data structure of the taint information is shown in Table 1:
Table 1. Data structure of taint information (the table is an image in the original and is not reproduced on this page)
Further, the Ethereum Virtual Machine (EVM) provides three kinds of storage for smart contract programs: stack, memory and storage. The stack holds the local variables of a function; memory is mainly a temporary area for larger data during execution; storage is the only persistent store and holds the state variables of the smart contract. Because of this layout, dynamic taint analysis must follow taint across stack, memory and storage. To describe the propagation precisely, propagation between the different storage types has to be considered, which is why three separate key-value structures are maintained for the taint information. The EVM defines about 142 opcodes, each with its own operation; during propagation an over-tainting strategy is used, that is, whenever an operand of an instruction carries taint data the result of the operation is marked tainted with the labels owned by the operand. Note that an instruction may have more than one operand, each tainted operand may carry different taint labels, and the labels of the result then accumulate (the result holds several taint labels);
further, the dynamic taint analysis of step S4 is implemented by the following steps:
S4.4. Define the JUMPI instruction as the taint sink;
S4.5. Detect the taint information flowing into the condition and store the taint information of the input parameters involved in a key-value structure named JUMPI taint information, whose key is the program counter of the JUMPI instruction and whose value is the set of taints flowing into the condition;
S4.6. Store the dependency relationship between the branch statements of the same function, which is used to screen the input parameters that need mutation, in a structure named dominating taint information, whose key is the program counter of the JUMPI instruction and whose value is the set of program counters of the branches on the execution path leading to it;
Table 2. Data structure for the taint information needed when selecting parameters (the table is an image in the original and is not reproduced on this page)
Further, in EVM bytecode the JUMPI instruction performs the conditional jump that decides which branch executes, so whenever a JUMPI instruction is executed the program is evaluating a conditional statement; this instruction is therefore defined as the taint sink;
S5. Select the input parameters to mutate: define a selection strategy for the input parameters to be mutated during smart contract fuzzing and derive the set of input parameters to mutate from the result of the dynamic taint analysis of step S4; if that set is non-empty, mutate it; if it is empty, take the union of the input parameters contained in the taints of the branches involved, using the recorded taint information of the branch statements on the execution path and of the uncovered branch, as the set of input parameters to mutate;
further, the selection strategy for the input parameters to mutate during smart contract fuzzing in step S5 is defined by the following steps:
S5.1. From the result of the dynamic taint analysis of step S4, find the set of input parameters contained in the uncovered branch statement and call it Q; Q is the value in the JUMPI taint information whose key is the program counter of the current instruction;
S5.2. From the result of the dynamic taint analysis of step S4, find all conditional statements on the execution path and call them P; P is the value in the dominating taint information whose key is the program counter of the current instruction. Take the union of the input parameters contained in the statements of P and call it N; N is the union of the values in the JUMPI taint information whose keys are the program counters contained in P;
S5.3. Define the input parameter selection strategy as choosing Q \ N as the set to mutate: change the input parameters that are not in N and keep the input parameters in N fixed, which reduces invalid mutations;
further, when Q \ N is empty, the set of input parameters mutated in step S5 is Q ∪ N;
S6. Using the set of input parameters obtained in step S5, mutate the test cases in the seed set that correspond to the branch while keeping the other input parameters fixed, which reduces invalid mutations; the mutation operators follow AFL;
S7. Execute the smart contract with the mutated test case set from step S6 and continue fuzzing;
S8. Repeat steps S4 to S7 until the fuzzing process reaches the preset time or all branches are satisfied.
The invention provides a dynamic taint analysis tailored to the characteristics of the Ethereum virtual machine, selects the input parameters of a smart contract function according to the proposed selection strategy, and lowers the false alarm rate of existing fuzzers by covering more hard-to-satisfy branch constraints and executing more contract code. Detection works at the bytecode level, so contracts for which only bytecode is available can be examined as well as those whose source code is provided. The invention can be applied to smart contract security auditing: it gives developers and testers guidance in a situation where smart contract development is not standardised and vulnerabilities are easily introduced, detects whether a written contract carries security risks, and plays an important role in improving the security of smart contracts and the blockchain.
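The outer loop of steps S2, S3 and S5 to S8 (seed set, absolute branch distance, parameter-restricted mutation, stop on the preset budget or full coverage) is shown below as an added example written for this page; it is not code from the patent. To keep it self-contained the contract is replaced by a small instrumented Python function that reports the distance of both outcomes of every branch it executes, the JUMPI and dominating taint information that step S4 would produce is written down by hand as a constructed table, parameters are assumed to be uint16, the mutation operators are a small AFL-inspired subset (single bit flip, small arithmetic step, interesting value, random replacement), and an execution budget stands in for the preset time. All names are invented here.

```python
"""Coverage-guided fuzz loop of steps S2, S3 and S5 to S8 (added example, not the patent's code).
The contract is an instrumented Python stand-in and the step S4 taint result is a constructed
table; the loop shows closest-seed bookkeeping and parameter-restricted mutation."""
import random
from typing import Dict, List, Optional, Set, Tuple

Case = Tuple[int, ...]                         # one transaction: the function's parameters
Edge = Tuple[str, bool]                        # (branch id, taken?)
MASK = 0xFFFF                                  # assumed ABI type: uint16 parameters

# Constructed stand-in for f(uint16 a, uint16 b, uint16 c). Every executed branch reports
# the absolute distance of both outcomes so that the closest seed can be kept (step S3).
def target(a: int, b: int, c: int) -> List[Tuple[str, bool, Dict[bool, int]]]:
    out = [("B1", a == 7, {True: abs(a - 7), False: int(a == 7)})]
    if a != 7:
        return out
    s = b + c
    out.append(("B2", s >= 100, {True: max(0, 100 - s), False: max(0, s - 99)}))
    if s < 100:
        return out
    t = (3 * b) & MASK
    out.append(("B3", c == t, {True: abs(c - t), False: int(c == t)}))
    return out

# Constructed step S4 result: branch id -> (Q, the parameter indices that taint its
# condition; the branch ids that dominate it on the execution path)
TAINT: Dict[str, Tuple[Set[int], Set[str]]] = {
    "B1": ({0}, set()),
    "B2": ({1, 2}, {"B1"}),
    "B3": ({1, 2}, {"B1", "B2"}),
}
ALL_EDGES: Set[Edge] = {(bid, t) for bid in TAINT for t in (True, False)}

def select_params(bid: str) -> Set[int]:
    """Step S5: mutate Q \\ N, keeping the parameters of the dominating branches (N) fixed;
    if Q \\ N is empty fall back to Q | N."""
    q, doms = TAINT[bid]
    n = set().union(*(TAINT[d][0] for d in doms))
    return (q - n) or (q | n)

INTERESTING = (0, 1, 0x7F, 0x80, 0xFF, 0x7FFF, 0x8000, 0xFFFF)   # AFL-style boundary values

def mutate(parent: Case, params: Set[int], rng: Optional[random.Random] = None) -> Case:
    """Step S6: one AFL-style operator on one selected parameter; the others are copied as-is."""
    rng = rng or random.Random()
    child = list(parent)
    i = rng.choice(sorted(params))
    op = rng.randrange(4)
    if op == 0:                                             # single bit flip
        child[i] ^= 1 << rng.randrange(16)
    elif op == 1:                                           # small arithmetic step
        child[i] = (child[i] + rng.choice((-1, 1)) * rng.randint(1, 35)) & MASK
    elif op == 2:                                           # interesting value
        child[i] = rng.choice(INTERESTING)
    else:                                                   # random replacement
        child[i] = rng.randrange(MASK + 1)
    return tuple(child)

def fuzz(budget: int, seed: int = 1) -> Tuple[Set[Edge], int]:
    """Steps S2, S3 and S5 to S8; an execution budget stands in for the preset time.
    Returns the covered edges and the number of executions used."""
    rng = random.Random(seed)
    covered: Set[Edge] = set()
    closest: Dict[Edge, Tuple[int, Case]] = {}             # uncovered edge -> (distance, seed)
    used = 0
    for used in range(1, budget + 1):
        if closest:                                        # S5-S7: mutate the closest seed
            edge = rng.choice(sorted(closest))
            case = mutate(closest[edge][1], select_params(edge[0]), rng)
        else:                                              # S2: a fresh random transaction
            case = tuple(rng.randrange(MASK + 1) for _ in range(3))
        for bid, taken, dist in target(*case):             # S3: coverage and closest seeds
            covered.add((bid, taken))
            other = (bid, not taken)
            if other not in covered and (other not in closest or dist[not taken] < closest[other][0]):
                closest[other] = (dist[not taken], case)
        for edge in [e for e in closest if e in covered]:
            del closest[edge]
        if covered == ALL_EDGES:                            # S8: every branch satisfied
            break
    return covered, used

if __name__ == "__main__":
    cov, n = fuzz(300_000)
    print(f"covered {len(cov)}/{len(ALL_EDGES)} branch edges after {n} executions")
```

While the taken edge of B2 is the goal, only b and c are mutated and a stays at 7, so every child still passes B1; that is the saving the method claims. B3 illustrates the limit: all of its parameters also feed B1 or B2, Q \ N is empty, the fallback mutates everything, and children that disturb a no longer reach B3 at all. Greedy acceptance of a child only when it reduces the recorded distance is an assumption of this example (the patent only states that the closest test case is kept per uncovered branch).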
The second embodiment is as follows:
the electronic device is characterized by comprising a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps of the method for improving the coverage rate of intelligent contract detection according to the embodiment.
The computer device of the present invention may be a device including a processor, a memory, and the like, for example, a single chip microcomputer including a central processing unit and the like. And the processor is used for implementing the steps of the recommendation method capable of modifying the relationship-driven recommendation data based on the CREO software when executing the computer program stored in the memory.
The processor may be a Central Processing Unit (CPU), another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and the application programs required by at least one function (such as a sound playing function or an image playing function), and the data storage area may store data created according to the use of the cellular phone (such as audio data or a phonebook). In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, an internal memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card, at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage device.
The third embodiment is as follows:
A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the method for improving the coverage rate of intelligent contract detection according to the first embodiment.
The computer readable storage medium of the present invention may be any form of storage medium that can be read by the processor of a computer device, including but not limited to non-volatile memory, ferroelectric memory, etc. A computer program is stored on the computer readable storage medium, and when the computer program stored in the memory is read and executed by the processor of the computer device, the above-mentioned steps of the CREO-based software modeling method capable of modifying the relationship-driven modeling data can be implemented.
The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic diskette, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and the like. It should be noted that the content contained in the computer readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer readable media do not include electrical carrier signals and telecommunications signals.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in the process, method, article, or apparatus that comprises the element.
While the application has been described above with reference to specific embodiments, various modifications may be made and equivalents may be substituted for elements thereof without departing from the scope of the application. In particular, the various features of the embodiments disclosed herein may be used in any combination that is not inconsistent with the structure, and the failure to exhaustively describe such combinations in this specification is merely for brevity and resource conservation. Therefore, it is intended that the application not be limited to the particular embodiments disclosed, but that the application will include all embodiments falling within the scope of the appended claims.

Claims (9)

1. A method for improving intelligent contract detection coverage rate is characterized in that: the method comprises the following steps:
S1, taking the byte code and ABI of an intelligent contract as input;
S2, generating test cases: generating a plurality of transactions according to the ABI of step S1, each transaction calling a function in the intelligent contract, the input parameters of the called functions being randomly generated; combining the transactions to generate a calling sequence of the functions, namely a test case;
S3, executing fuzz testing of the intelligent contract: executing the byte code of the intelligent contract with the test cases generated in step S2, with the initial seed set empty; when a test case reaches a new branch, adding it to the seed set; for each uncovered branch, adding the test case closest to that branch to the seed set, where distance is defined as absolute distance; and executing the dynamic taint analysis of step S4;
S4, dynamic taint analysis: taking the CALLDATALOAD instruction in the intelligent contract as the taint source, identifying the input parameters of the functions of step S2, marking the input parameters of each function as taints and storing the taint information; defining a taint propagation strategy, tracking taint propagation while the intelligent contract is fuzz tested, and recording the taint information contained in the branch statements encountered on the execution path; taking the branch statements left uncovered during fuzz testing as taint sinks, and identifying and recording the taint information contained in those statements;
S5, selecting the input parameters to be mutated: defining a selection strategy for the input parameters to be mutated during fuzz testing of the intelligent contract, and searching for the set of input parameters to be mutated according to the result of the dynamic taint analysis of step S4; if such a set exists, mutating it; if no such set exists, merging the input parameters contained in the taints of the branch statements encountered on the recorded execution path with those contained in the uncovered branch, and taking the merged set as the set of input parameters to be mutated;
S6, according to the set of input parameters to be mutated obtained in step S5, mutating the test cases in the seed set that correspond to the branch while fixing the other input parameters, thereby reducing invalid mutations; the mutation strategy for the test cases in the seed set follows AFL;
S7, executing the intelligent contract with the mutated test case set obtained in step S6 and performing fuzz testing;
and S8, repeating steps S4 to S7 until the fuzz testing process reaches a preset time or all branches are satisfied.
2. The method of claim 1, wherein the method further comprises the step of: if the source code of the intelligent contract is provided in step S1, compiling the source code of the intelligent contract into byte code and ABI.
3. A method for improving intelligent contract detection coverage as claimed in claim 1 or 2, wherein: in step S4, the CALLDATALOAD instruction reads a parameter of the function from the data part of the transaction and pushes it onto the top of the stack; the operand of the CALLDATALOAD instruction is the offset of the parameter within the data; the instruction is used as the taint source, and when execution reaches the instruction a taint is introduced into the program; the taint information is stored as a key-value pair whose key is the position of the top of the stack and whose value is the offset of the input parameter, the value being used to distinguish different input parameters.
4. A method for improving intelligent contract detection coverage as claimed in claim 3, wherein: the taint propagation strategy of step S4 is defined by the following steps:
S4.1, according to the three data storage types of the Ethereum virtual machine, namely stack, memory and storage, naming the corresponding taint information as taint information 1, taint information 2 and taint information 3; in order to describe the propagation process of taints, the propagation of taints across the different data storage types is considered, and the taint information stored in each structure is maintained as three separate key-value maps;
S4.2, adopting a contaminating taint propagation strategy: when any operand of an instruction carries taint data, the result of the operation is marked as taint data and carries the taint marks owned by that operand;
S4.3, when a POP instruction is executed and taint data is removed from the stack, the taint information corresponding to that taint data is deleted.
5. The method for improving coverage of intelligent contract detection according to claim 4, wherein: the dynamic taint analysis of step S4 is implemented by the following steps:
S4.4, defining the JUMPI instruction as the taint sink;
S4.5, detecting the taint information flowing into the jump condition, and storing the taint information of the related input parameters in a key-value data structure named Jumpi taint information, whose key is the program counter of the JUMPI instruction and whose value is the set of taints related to the condition;
and S4.6, storing the dependency relationship between branch statements of the same function, used to screen the input parameters that need mutation, in a data structure named domination taint information, whose key is the program counter of the JUMPI instruction and whose value is the set of program counters related to the execution path.
6. The method of claim 5, wherein the method further comprises the step of: the selection strategy of step S5 for the input parameters to be mutated during fuzz testing of the intelligent contract is defined by the following steps:
S5.1, according to the result of the dynamic taint analysis of step S4, finding the set of input parameters contained in the uncovered branch statement and recording it as Q, where Q is the value in the Jumpi taint information keyed by the program counter of the current instruction;
S5.2, according to the result of the dynamic taint analysis of step S4, finding all conditional statements related to the execution path and recording them as P, where P is the value in the domination taint information keyed by the program counter of the current instruction; taking the union of the input parameters contained in the statements of P and recording it as N, where N is the union of the values in the Jumpi taint information keyed by the program counters contained in P;
S5.3, defining the mutation strategy for selecting input parameters as choosing the mutated input parameter set Q \ N, that is, changing the input parameters not in N while fixing the input parameters in N, thereby reducing invalid mutations.
7. The method of claim 6, wherein the method further comprises the step of: the input parameter set mutated in step S5 is Q ∪ N.
8. Electronic device, characterized in that it comprises a memory and a processor, the memory storing a computer program, the processor implementing the steps of a method for improving coverage of smart contract detections according to any one of claims 1 to 7 when executing the computer program.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of improving coverage of smart contract detections according to any one of claims 1 to 7.
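The taint tracking of claims 3 to 5 and the Q \ N selection of claims 6 and 7, replayed on a constructed bytecode program. This is an added example, not code from the patent: a toy EVM stack interpreter that tracks only the stack (the patent also tracks memory and storage), with the program, the calldata layout and the `run`/`select_mutation_set` names all assumed here.

```python
"""Added example, not the patent's code: a toy EVM stack interpreter that
replays the dynamic taint analysis of claims 3-5 and the Q\\N / Q∪N parameter
selection of claims 6-7. Only the stack is tracked; each slot carries a set of
calldata offsets (the taint marks) identifying the input parameter it came from."""

BINOPS = {"GT": lambda a, b: int(a > b), "EQ": lambda a, b: int(a == b)}

def calldataload(calldata, offset):
    """Read a 32-byte word at `offset`, zero-padded like the EVM does."""
    return int.from_bytes(calldata[offset:offset + 32].ljust(32, b"\0"), "big")

def run(program, calldata):
    """Execute `program` (list of (opcode, immediate) tuples, pc = index) and
    return jumpi_taint (JUMPI pc -> offsets flowing into its condition),
    domination (JUMPI pc -> earlier JUMPI pcs on the path) and covered edges."""
    stack, taint = [], []                       # taint[i] marks stack[i]
    jumpi_taint, domination, covered, path = {}, {}, set(), []
    pc = 0
    while True:
        op, *imm = program[pc]
        if op == "STOP":
            return jumpi_taint, domination, covered
        if op == "PUSH":
            stack.append(imm[0]); taint.append(set())
        elif op == "CALLDATALOAD":              # taint source (claim 3)
            off = stack.pop(); taint.pop()
            stack.append(calldataload(calldata, off)); taint.append({off})
        elif op in BINOPS:                      # propagation (claim 4, S4.2)
            a, b = stack.pop(), stack.pop()
            ta, tb = taint.pop(), taint.pop()
            stack.append(BINOPS[op](a, b)); taint.append(ta | tb)
        elif op == "POP":                       # taint leaves with the value (S4.3)
            stack.pop(); taint.pop()
        elif op == "JUMPI":                     # taint sink (claim 5)
            dest, cond = stack.pop(), stack.pop()
            taint.pop(); tcond = taint.pop()
            jumpi_taint[pc] = set(tcond)        # "Jumpi taint information"
            domination[pc] = set(path)          # "domination taint information"
            path.append(pc)
            covered.add((pc, bool(cond)))
            if cond:
                pc = dest
                continue
        elif op != "JUMPDEST":
            raise ValueError(f"unsupported opcode {op}")
        pc += 1

def select_mutation_set(pc, jumpi_taint, domination):
    """Q = taints of the uncovered JUMPI at `pc`, N = union of taints of the
    JUMPIs dominating it; mutate Q\\N, falling back to Q∪N when that is empty."""
    q = jumpi_taint[pc]
    n = set().union(*(jumpi_taint[p] for p in domination[pc]))
    return (q - n) or (q | n)

# Constructed program for `if (a > 10) { if (a == b) { ... } }`: a sits at
# calldata offset 4 and b at offset 36 (after the 4-byte function selector).
PROGRAM = [("PUSH", 10), ("PUSH", 4), ("CALLDATALOAD",), ("GT",), ("PUSH", 7),
           ("JUMPI",), ("STOP",), ("JUMPDEST",), ("PUSH", 36), ("CALLDATALOAD",),
           ("PUSH", 4), ("CALLDATALOAD",), ("EQ",), ("PUSH", 16), ("JUMPI",),
           ("STOP",), ("JUMPDEST",), ("PUSH", 1), ("POP",), ("STOP",)]

def encode(a, b):
    """ABI-style calldata: constructed 4-byte selector plus two 32-byte words."""
    return b"\xaa\xbb\xcc\xdd" + a.to_bytes(32, "big") + b.to_bytes(32, "big")

if __name__ == "__main__":
    jt, dom, _ = run(PROGRAM, encode(20, 5))    # a > 10 taken, a == b missed
    print("mutate offsets", select_mutation_set(14, jt, dom))  # {36}: vary b only
```

With a = 20 and b = 5 the inner branch at pc 14 stays uncovered; its taint set is {4, 36}, the dominating branch at pc 5 already constrains offset 4, so only b (offset 36) is mutated and the satisfied outer constraint is kept intact.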
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210917294.9A CN115292172B (en) 2022-08-01 2022-08-01 Method for improving intelligent contract detection coverage rate, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115292172A true CN115292172A (en) 2022-11-04
CN115292172B CN115292172B (en) 2023-03-10

Family

ID=83826232

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210917294.9A Active CN115292172B (en) 2022-08-01 2022-08-01 Method for improving intelligent contract detection coverage rate, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115292172B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110399730A (en) * 2019-07-24 2019-11-01 上海交通大学 Inspection method, system and the medium of intelligent contract loophole
CN111259395A (en) * 2020-01-16 2020-06-09 图灵人工智能研究院(南京)有限公司 Method and device for acquiring utilization program of intelligent contract and storage medium
CN113448870A (en) * 2021-07-19 2021-09-28 东南大学 Intelligent contract reentry defect detection method based on dynamic execution information analysis
CN113609489A (en) * 2021-07-21 2021-11-05 三峡大学 Distributed detection method for intelligent contract conflict in industrial block chain
CN113836009A (en) * 2021-09-14 2021-12-24 广东新安怀科技发展有限公司 Intelligent contract fuzzy test method and system based on reinforcement learning
CN113971135A (en) * 2021-11-08 2022-01-25 西安邮电大学 Coverage-guided intelligent contract test case generation method
CN114153746A (en) * 2021-12-20 2022-03-08 北京航空航天大学 Intelligent contract testing method based on symbolic execution and fuzziness
CN114707152A (en) * 2022-02-23 2022-07-05 北京邮电大学 Security vulnerability detection method and device for alliance chain intelligent contract

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
涂良琼 et al.: "A Survey of Smart Contract Vulnerability Detection Tools", Computer Science (计算机科学) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117009980A (en) * 2023-08-10 2023-11-07 哈尔滨工业大学 Guided fuzzy test method for intelligent contract vulnerability detection
CN117009979A (en) * 2023-08-10 2023-11-07 哈尔滨工业大学 Intelligent contract vulnerability detection method capable of processing contract information
CN117009980B (en) * 2023-08-10 2024-03-15 哈尔滨工业大学 Guided fuzzy test method for intelligent contract vulnerability detection
CN117009979B (en) * 2023-08-10 2024-03-22 哈尔滨工业大学 Intelligent contract vulnerability detection method capable of processing contract information

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant