Contract vulnerability repair scheme supporting inline data processing (cited by: 1)
Abstract: Smart contracts are programs deployed on the blockchain that make distributed transactions possible. However, because smart contracts carry financial attributes and cannot be changed after deployment, they have become targets of hacker attacks. To ensure contract security, vulnerable contracts therefore need to be repaired. Existing contract vulnerability repair schemes suffer from problems such as a low repair success rate and an inability to handle complex contracts. To address this, a contract vulnerability repair scheme supporting inline data processing is proposed. The scheme first studies and formalizes the dynamic loading mechanism of the Ethereum virtual machine, and constructs an inline data location algorithm based on memory copy instructions to parse and decompile the smart contract bytecode structure. It then rewrites the smart contract bytecode based on the trampoline mechanism and corrects the inline data address offsets caused by the rewriting, finally achieving repair of the smart contract vulnerability. A prototype tool, SCRepair, is implemented based on the proposed scheme, deployed on the local test network Ganache for performance testing, and compared with the existing vulnerability repair tools EVMPatch and Smartshield. Experimental results show that, compared with EVMPatch, SCRepair improves the contract bytecode rewrite success rate by about 26.9%, has better rewrite execution stability, and is less affected by the compiler version; compared with Smartshield, SCRepair handles complex contracts better.
Authors: PENG Yongxiang; LIU Zhiquan; WANG Libo; WU Yongdong; MA Jianfeng; CHEN Ning (College of Information Science and Technology, Jinan University, Guangzhou 510632, China; Guangdong Provincial Key Laboratory of Cyber and Information Security Vulnerability Research, Guangzhou 510643, China; School of Cyber Engineering, Xidian University, Xi'an 710071, China)
Source: Journal of Xidian University (indexed in EI, CAS, CSCD, Peking University Core), 2024, Issue 1, pp. 178-186, 9 pages in total
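Funding: National Natural Science Foundation of China (62032025, 61932011, 62272195); Project of the Guangdong Provincial Key Laboratory of Cyber and Information Security Vulnerability Research (2020B1212060081); Guangdong Provincial Key Research and Development Program (2020B0101090002); Guangdong Basic and Applied Basic Research Foundation (2022A1515010299, 2020A1515110364); Guangzhou Science and Technology Program (202201010421); Fundamental Research Funds for the Central Universities (21622402).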
Keywords: blockchain; smart contract; bytecode rewriting; decompilation; trampoline