Abstract
Smart contract vulnerabilities caused by insecure programming are frequently discovered on Ethereum, the mainstream blockchain platform. To improve the code coverage that fuzzing achieves on contracts, and so detect security vulnerabilities more comprehensively, this paper proposes a smart contract fuzzing method. First, a data set of Ethereum smart contract transaction sequences is constructed, and a deep-learning-based smart contract transaction generation model is built on it to generate the initial seeds for fuzzing. Then, information-feedback-guided fuzzing is performed on the smart contracts using coverage and branch distance information; a specific chromosome encoding for test cases is proposed, and the corresponding crossover and mutation operators are designed and implemented. The method can effectively cover deep states of smart contracts and branch code guarded by strict conditions. Experiments on 500 smart contracts show that the code coverage of the proposed method is 93.73% and its vulnerability detection rate is 93.93%. Compared with the ILF, sFuzz and Echidna methods, the code coverage of the proposed method is higher by 3.80%~25.49% and its vulnerability detection rate is higher by 4.64%~24.02%. The method helps improve the effectiveness of security testing for Ethereum smart contracts and is of reference value.
Authors
ZHAO Mingmin (赵明敏)
YANG Qiuhui (杨秋辉)
HONG Mei (洪玫)
CAI Chuang (蔡创)
School of Computer Science, Sichuan University, Chengdu 610065, China
Source
Computer Science (《计算机科学》)
CSCD
Peking University Core Journals (北大核心)
2023, Issue 9, pp. 117-122 (6 pages)
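Funding
Natural Science Foundation of Sichuan Province (23NSFSC3752)
Sichuan University Full-time Postdoctoral Research and Development Fund (2022SCU12077).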
Keywords
Ethereum smart contracts
Security testing
Deep learning
Fuzzing
Information feedback guidance