摘要
智能合约是一种基于区块链平台运行,为缔约的多方提供安全可信赖能力的去中心化应用程序。智能合约在去中心化应用场景中扮演着重要的角色,被广泛地应用于股权众筹、游戏、保险、物联网等多个领域,但同时也面临着严重的安全风险。相比于普通程序而言,智能合约的安全性不仅影响合约参与多方的公平性,还影响合约所管理的庞大数字资产的安全性。因此,对智能合约的安全性及相关安全漏洞开展研究显得尤为重要。本文系统分析了智能合约的特性及其带来的全新安全风险;提出了智能合约安全的三层威胁模型,即来自于高级语言、虚拟机、区块链三个层面的安全威胁;并以世界上最大的智能合约平台——以太坊为例,详细介绍了15类主要漏洞;并总结了智能合约安全研究在漏洞方面的进展和挑战,包括自动漏洞挖掘、自动漏洞利用和安全防御三个方面的研究内容;最后,本文对智能合约未来安全研究进行了展望,提出了两个潜在的发展方向。
Smart contract is a decentralized application that operates on a blockchain platform,providing secure and reliable capabilities to contract participants.Smart contracts play an important role in decentralized application scenarios.They are widely used in many fields,such as equity crowdfunding,games,insurance,and the Internet of Things,making them attractive to attackers.Compared to traditional programs,the security of smart contracts affects not only the fairness of contracts but also the safety of high volume digital assets on the blockchain managed by contracts.Therefore,analyzing the security of smart contracts and associated vulnerabilities is crucial.In this paper,we analyzed the characteristics of smart contracts and new security risks they bring.We propose a three-layer threat model,i.e.,threats from high-level languages,virtual machines,and the blockchain,for characterizing smart contract security.We use the world’s largest smart contract platform Ethereum as an example to illustrate 15 types of common vulnerabilities in smart contracts.We then summarize the main challenges and progress of smart contract security research on vulnerability,including automated vulnerability detection,automated exploit generation and mitigations for smart contracts.At the end of this paper,we highlight the future of smart contract security research,and proposed two potential research directions.
作者
倪远东
张超
殷婷婷
NI Yuandong;ZHANG Chao;YIN Tingting(Institute for Network Science and Cyberspace,Tsinghua University,Beijing 100084,China)
出处
《信息安全学报》
CSCD
2020年第3期78-99,共22页
Journal of Cyber Security
基金
自然科学基金(No.61772308,No.61972224,No.U1736209)项目资助。
关键词
智能合约
区块链
安全
漏洞
blockchain
smart contract
security
vulnerability