计算机工程与应用 ›› 2024, Vol. 60 ›› Issue (5): 307-320.DOI: 10.3778/j.issn.1002-8331.2211-0142

• 工程与应用 • 上一篇    下一篇

基于模糊测试的智能合约正确性检测

王嘉诚,蒋佳佳,赵佳豪,张玉书,王良民   

  1. 1.南京航空航天大学 计算机科学与技术学院/人工智能学院/软件学院,南京 211106
    2.东南大学 网络空间安全学院,南京 211106
  • 出版日期:2024-03-01 发布日期:2024-03-01

Correctness Detection of Smart Contract Based on Fuzzing

WANG Jiacheng, JIANG Jiajia, ZHAO Jiahao, ZHANG Yushu, WANG Liangmin   

  1. 1.College of Computer Science and Technology/College of Artificial Intelligence/College of Software, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China
    2.School of Cyber Science and Engineering, Southeast University, Nanjing 211106, China
  • Online:2024-03-01 Published:2024-03-01

摘要: 智能合约的发展处于初期阶段,底层编程语言和应用平台的不同使得智能合约的设计缺少规范,极易出现漏洞,造成损失。针对以太坊区块链平台上智能合约存在的安全漏洞问题,提出了一种基于模糊测试的智能合约正确性检测方法。该方法根据智能合约内容及规范生成模糊输入,并根据模糊输入在以太坊虚拟机内执行智能合约,监控合约在执行过程中的行为,生成多个日志文件,提取日志文件中的关键信息,对测试用例进行触发测试,从而得到智能合约所包含漏洞的情况,实现正确性检测。在实验过程中,该方法针对416个智能合约中的七类常见漏洞进行了漏洞检测,标记出了19个存在漏洞的智能合约。经过人工审计分析发现,在这19个被标记的不正确智能合约中,有18个智能合约确实存在安全漏洞。实验结果表明所提方法能够以较高的准确率识别智能合约中包含的漏洞,从而检测智能合约的正确性。

关键词: 智能合约, 漏洞检测, 模糊测试, 正确性检测, 以太坊

Abstract: The development of smart contracts is in its early stages. Different underlying programming languages and application platforms make the design of smart contracts lack specifications, which is prone to loopholes and losses. For the security vulnerability of smart contracts on Ethereum, it proposes a method for correctness detection of smart contracts based on fuzzing. This method generates fuzzy inputs based on the content and specifications of the smart contract, executes the smart contract in Ethereum virtual machine according to the fuzzy inputs, monitors the behavior of the contract in the execution process, generates multiple log files, extracts key information from the log files, triggers the test cases to get the vulnerabilities contained in the smart contract, and achieves the correctness detection. During the experiment, it detects 416 smart contracts for seven common vulnerability types and identifies 19 smart contracts as vulnerabilities. According to the analysis of artificial auditing, 18 of the 19 marked incorrect contracts do have security vulnerabilities. The experimental results show that the proposes method can identify the vulnerabilities contained in the smart contract with high accuracy, to detect the correctness of the smart contract.

Key words: smart contract, vulnerability detection, fuzzing, correctness detection, Ethereum