多头注意力机制的图同构网络智能合约源码漏洞检测

doi:10.3778/j.issn.1002-8331.2307-0402

摘要/Abstract

摘要： 针对智能合约源码转化为字节码后部分语法、语义丢失，且现有漏洞检测方法精度低、误报率高，特别是对重入漏洞和时间戳漏洞的检测能力有限等问题，提出一种多头注意力机制的图同构网络智能合约源码漏洞检测方法。使用智能合约源码，结合重入漏洞和时间戳漏洞特点构建图结构并将其规范化；将规范化后的图结构数据投入图同构网络进行迭代训练，利用该网络强大的节点表示和图表示能力进行漏洞检测；在图同构网络的基础上增加多头注意力机制，进一步增强图同构网络的节点表示能力。实验结果显示该方法对重入漏洞和时间戳漏洞检测准确率达到93.08%和92.30%，相较于普通图同构网络方法分别提升1.44和2.00个百分点。证明该方法对相关漏洞的检测能力要优于其他检测工具。

关键词: 智能合约, 漏洞检测, 重入漏洞, 时间戳漏洞, 图同构网络, 多头注意力机制

Abstract: Addressing the challenge of losing syntax and semantics during the conversion of smart contract source code into bytecode, and the existing vulnerability detection methods have low accuracy and high false alarm rate, especially the detection ability of reentrancy vulnerability and timestamp vulnerability is limited, a graph isomorphism network smart contract source code vulnerability detection method with multi-head attention mechanism is proposed. Firstly, the graph structure is constructed and normalized using the smart contract source code while incorporating the distinctive characteristics of reentrancy and timestamp vulnerabilities. Subsequently, the normalized graph structure data is input into the graph isomorphism network for iterative training, harnessing the network’s robust node representation and graph representation capabilities for vulnerability detection. Lastly, this method introduces the multi-head attention mechanism as an enhancement layer to further augment the node representation ability of the graph isomorphism network. Experimental results demonstrate that the proposed method achieves a detection accuracy of 93.08% for reentrancy vulnerabilities and 92.30% for timestamp vulnerabilities. These figures represent improvements of 1.44 and 2.00 percentage points, respectively, when compared to the common graph isomorphism network method. These results firmly establish the superiority of proposed method in terms of detection capability over other existing detection tools.

Key words: smart contract, vulnerability detection, reentrancy vulnerability, timestamp vulnerability, graph isomorphism network, multi-head attention mechanism

师自通, 师智斌, 刘冬明, 雷海卫, 龚晓元. 多头注意力机制的图同构网络智能合约源码漏洞检测[J]. 计算机工程与应用, 2024, 60(7): 258-265.

SHI Zitong, SHI Zhibin, LIU Dongming, LEI Haiwei, GONG Xiaoyuan. Smart Contract Source Code Vulnerability Detection of Graph Isomorphism Network with Multi-Head Attention Mechanism[J]. Computer Engineering and Applications, 2024, 60(7): 258-265.

参考文献

[1] SZABO N. Formalizing and securing relationships on public networks[J]. First Monday, 1997, 2(9): 1-21.
[2] LI J X, WU J G, CHEN L. Block-secure: blockchain based scheme for secure P2P cloud storage[J]. Information Sciences, 2018, 465: 219-231.
[3] TOLMACH P, LI Y, LIN S W, et al. A survey of smart contract formal specification and verification[J]. ACM Computing Surveys (CSUR), 2021, 54(7): 1-38.
[4] 付梦琳, 吴礼发, 洪征, 等. 智能合约安全漏洞挖掘技术研究[J]. 计算机应用, 2019, 39(7): 1959-1966.
FU M L, WU L F, HONG Z, et al. Research on vulnerability mining technique for smart contracts[J]. Journal of Computer Applications, 2019, 39(7): 1959-1966.
[5] TIKHOMIROV S, VOSKRESENSKAYA E, IVANITSKIY I, et al. SmartCheck: static analysis of Ethereum smart contracts[C]//Proceedings of the 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), Gpthenburg, 2018: 9-16.
[6] Mythril: security analysis tool for EVM bytecode[EB/OL]. [2023-05-01]. https://github.com/ConsenSys/mythril.
[7] LUU L, CHU D H, OLICKEL H, et al. Making smart contracts smarter[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2016: 254-269.
[8] MOSSBERG M, MANZANO F, HENNENFENT E, et al. Manticore: a user-friendly symbolic execution framework for binaries and smart contracts[C]//Proceedings of the 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE Press, 2019: 1186-1189.
[9] TSANKOV P, DAN A, DRACHSLER C D, et al. Securify: practical security analysis of smart contracts[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS). New York: ACM Press, 2018: 67-82.
[10] SCARSELLI F, GORI M, TSOI A C, et al. The graph neural network model[J]. IEEE Transactions on Neural Networks, 2009, 20(1): 61-80.
[11] LI Y J, TARLOW D, BROCKSCHMIDT M, et al. Gated graph sequence neural networks[C]//International Conference on Learning Representations (ICLR), 2016.
[12] THOMAS N K, MAX W. Semi-supervised classifification with graph convolutional networks[C]//International Conference on Learning Representations (ICLR), 2017.
[13] VELI?KOVI? P, CUCURULL G, CASANOVA A, et al. Graph attention networks[C]//International Conference on Learning Representations (ICLR), 2018.
[14] XU K, HU W, LESKOVEC J, et al. How powerful are graph neural networks?[C]//International Conference on Learning Representations (ICLR), 2019.
[15] QIAN P, LIU Z G, ZHUANG Y, et al. Smart contract vulnerability detection using graph neural network[C]//Proceedings of IJCAI, 2020: 3283-3290.
[16] FAN Y Q, SHANG S Y, XU D. Smart contract vulnerability detection based on dual attention graph convolutional network[C]//International Conference on Collaborative Computing: Networking, Applications and Worksharing, 2021.
[17] 赵波, 上官晨晗, 彭小燕, 等. 基于语义感知图神经网络的智能合约字节码漏洞检测方法[J]. 工程科学与技术, 2022, 54(2): 49-55.
ZHAO B, SHANGGUAN C H, PENG X Y, et al. Semantic-aware graph neural network for smart contract bytecode vulnerability detection[J]. Advanced Engineering Sciences, 2022, 54(2): 49-55.
[18] ALLAMANIS M, BROCKSCHMIDT M, KHADEMI M. Learning to represent programs with graphs[C]//International Conference on Learning Representations(ICLR), 2018.
[19] HAMILTON W L, YING R, LESKOVEC J. Inductive representation learning on large graphs[C]//Advances in Neural Information Processing Systems (NIPS), 2017: 1025-1035.
[20] XU K, LI C T, TIAN Y L, et al. Representation learning on graphs with jumping knowledge networks[C]//International Conference on Machine Learning (ICML), 2018: 5453-5462.
[21] DURIEUX T, FERREIRA J F, ABREU R, et al. Empirical review of automated analysis tools on 47, 587 Ethereum smart contracts[C]//Proceedings of the 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE), Seoul, 2020: 530-541.
[22] LIU T J. Smart contract dataset[DB/OL]. [2023-05-01]. https://tianchi.aliyun.com/dataset/127443.
[23] FEIST J, GRIECO G, GROCE A. Slither: a static analysis framework for smart contracts[C]//Proceedings of the 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), Montreal, 2019: 8-15.
[24] ETHEREUM. Remix-Ethereum browser-based compiler and IDE[EB/OL]. [2023-05-01]. https://remix.ethereum.org.