CN110489973A - Fuzz-based smart contract vulnerability detection method, device and storage medium - Google Patents

Fuzz-based smart contract vulnerability detection method, device and storage medium

Info

Publication number: CN110489973A
Authority: CN (China)
Application number: CN201910723918.1A
Other languages: Chinese (zh)
Inventors: 崔翔, 刘井强, 谭庆丰, 孙彦斌, 苏申
Current Assignee: Guangzhou University
Original Assignee: Guangzhou University
Legal status: Pending
Prior art keywords: smart contract, vulnerability, code, fuzz, test data

Classifications

    • G06F11/3628 Software debugging of optimised code
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange

Abstract

The invention discloses a Fuzz-based smart contract vulnerability detection method, device and storage medium. The method comprises: constructing an abstract syntax tree from the smart contract code, and extracting function variables and their variable types from the abstract syntax tree; generating a Fuzz test data set according to the function variables and their variable types, wherein the Fuzz test data set is a data set covering all of the variable types; using the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the smart contract code to drive the smart contract code to run, monitoring the output variable of the smart contract code, and determining that a vulnerability exists if the output variable is abnormal; wherein the adapted Fuzz test data are all Fuzz test data in the Fuzz test data set whose variable type is the same as that of the input variable. The invention not only provides effective test data for smart contract code, but can also detect unknown vulnerabilities in smart contracts by monitoring output variables, further improving the efficiency of vulnerability detection.

Description

Fuzz-based smart contract vulnerability detection method, device and storage medium
Technical field
The present invention relates to the field of blockchain security, and in particular to a Fuzz-based smart contract vulnerability detection method, device and storage medium.
Background
In recent years, with the development of blockchain, smart contracts (also called blockchain contracts, digital contracts or self-executing contracts) have been applied more and more widely. In this form, a contract is converted into computer code that is stored and replicated, and it is supervised by the large network of computers that runs the blockchain. However, because of vulnerabilities in smart contracts themselves, their trustworthiness is hard to guarantee, and security has become the key issue constraining their development.
"A highly automated smart contract formal verification system and method" builds a library of formal verification rule models from the smart contract's functional requirement specification documents, and uses an automated modeling tool to model the contract source code so that formal proof can be carried out. "An automated smart contract code defect detection system and method" combines static code analysis with dynamic path traversal, together with an independent, extensible security model library and rule matching library, to check for defective code. "Smart contract vulnerability detection method, device and electronic equipment" uses DAG loop detection, loop timeout detection and logic detection to verify the logical soundness of the contract itself and to detect smart contract composition problems.
The above methods detect formal-rule violations, specific defect-code vulnerabilities or composition problems in smart contracts. That is, they are work done to improve the efficiency and accuracy of detecting known vulnerabilities, and are suited to monitoring vulnerability features according to known vulnerability rules. For the detection of unknown vulnerabilities, however, they propose no effective approach or solution.
Summary of the invention
The technical problem to be solved by the present invention is to provide a Fuzz-based smart contract vulnerability detection method, device and storage medium that not only provide effective test data for smart contract code, but can also detect unknown vulnerabilities in smart contracts by monitoring output variables, further improving the efficiency of vulnerability detection.
To solve the above technical problem, the invention proposes a Fuzz-based smart contract vulnerability detection method, comprising: constructing an abstract syntax tree from the smart contract code, and extracting function variables and their variable types from the abstract syntax tree; generating a Fuzz test data set according to the function variables and their variable types, wherein the Fuzz test data set is a data set covering all of the variable types; using the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the smart contract code to drive the smart contract code to run, monitoring the output variable of the smart contract code, and determining that a vulnerability exists if the output variable is abnormal; wherein the adapted Fuzz test data are all Fuzz test data in the Fuzz test data set whose variable type is the same as that of the input variable.
Further, the Fuzz-based smart contract vulnerability detection method also comprises: if a vulnerability exists, performing vulnerability matching on the smart contract code to obtain a vulnerability matching result; according to the vulnerability matching result, extracting the associated code from the smart contract code and performing vulnerability verification to obtain a vulnerability verification result; and generating a vulnerability detection report according to the vulnerability matching result and the vulnerability verification result.
Further, the vulnerability matching result includes the vulnerability type obtained by matching the input variable and the output variable against vulnerability models, wherein a vulnerability model is a model abstracted from a vulnerability type.
Further, the vulnerability type includes one or a combination of: reentrancy and race condition attacks, integer overflow, unauthorized access, denial of service, logic errors, information leakage and function misuse.
Further, the vulnerability matching result includes: locating, in the smart contract code, the associated code that matches the vulnerability model, wherein the associated code includes the input variable and the output variable.
Further, extracting the associated code according to the vulnerability matching result and performing vulnerability verification to obtain the vulnerability verification result specifically comprises: extracting the associated code from the smart contract code according to the vulnerability matching result; using the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the associated code to drive the associated code to run, and monitoring the output variable of the associated code; and performing vulnerability verification on the vulnerability matching result according to the input variable, the output variable and the vulnerability model to obtain the vulnerability verification result, wherein a vulnerability model is a model abstracted from a vulnerability type.
Further, generating the vulnerability detection report according to the vulnerability matching result and the vulnerability verification result specifically comprises: judging whether a vulnerability exists according to the vulnerability matching result and the vulnerability verification result; if a vulnerability exists, storing the path of the file containing the vulnerability, the code snippet and the vulnerability type in a database, and generating a vulnerability detection report; if no vulnerability exists, sending a safety notice, storing the vulnerability matching result and the vulnerability verification result in the database, and generating a vulnerability detection report.
The invention also proposes a Fuzz-based smart contract vulnerability detection device, comprising: a code preprocessing module, for constructing an abstract syntax tree from the smart contract code and extracting function variables and their variable types from the abstract syntax tree; a data generation module, for generating a Fuzz test data set according to the function variables and their variable types, wherein the Fuzz test data set is a data set covering all of the variable types; and a code driving module, for using the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the smart contract code to drive the smart contract code to run, monitoring the output variable of the smart contract code, and determining that a vulnerability exists if the output variable is abnormal; wherein the adapted Fuzz test data are all Fuzz test data in the Fuzz test data set whose variable type is the same as that of the input variable.
Further, the Fuzz-based smart contract vulnerability detection device also comprises: a vulnerability matching module, for performing vulnerability matching on the smart contract code if a vulnerability exists, to obtain a vulnerability matching result; a vulnerability verification module, for extracting the associated code from the smart contract code according to the vulnerability matching result and performing vulnerability verification, to obtain a vulnerability verification result; and a report generation module, for generating a vulnerability detection report according to the vulnerability matching result and the vulnerability verification result.
Implementing the embodiments of the present invention has the following beneficial effects:
The embodiments of the present invention not only provide effective test data for smart contract code, but can also detect unknown vulnerabilities in smart contracts by monitoring output variables, further improving the efficiency of vulnerability detection.
The invention also proposes a computer-readable storage medium that includes a stored computer program, wherein, when the computer program runs, it controls the equipment on which the computer-readable storage medium resides to execute the Fuzz-based smart contract vulnerability detection method described above.
Brief description of the drawings
Fig. 1 is a flow diagram of the Fuzz-based smart contract vulnerability detection method in the first embodiment of the invention;
Fig. 2 is a flow diagram of the Fuzz-based smart contract vulnerability detection method in the second embodiment of the invention;
Fig. 3 is a flow diagram of a preferred embodiment within the second embodiment of the invention;
Fig. 4 is a flow diagram of another preferred embodiment within the second embodiment of the invention;
Fig. 5 is a structural diagram of the Fuzz-based smart contract vulnerability detection device in the third embodiment of the invention;
Fig. 6 is a structural diagram of a preferred embodiment within the third embodiment of the invention.
Detailed description of the embodiments
The technical solution of the present invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
It should be noted that the step numbers in the text are only there to make the specific embodiments easier to explain, and do not limit the order in which the steps are executed. The method provided in this embodiment can be executed by a relevant server, and the description below takes a server as the executing subject.
First embodiment. Please refer to Fig. 1.
As shown in Fig. 1, the Fuzz-based smart contract vulnerability detection method provided by the first embodiment includes steps S1 to S3:
S1: construct an abstract syntax tree from the smart contract code, and extract function variables and their variable types from the abstract syntax tree.
S2: generate a Fuzz test data set according to the function variables and their variable types, wherein the Fuzz test data set is a data set covering all of the variable types.
S3: use the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the smart contract code to drive the smart contract code to run, monitor the output variable of the smart contract code, and determine that a vulnerability exists if the output variable is abnormal; wherein the adapted Fuzz test data are all Fuzz test data in the Fuzz test data set whose variable type is the same as that of the input variable.
In a specific embodiment, constructing an abstract syntax tree (AST, Abstract Syntax Tree) from the smart contract code means converting the smart contract code into the abstract syntax tree. Converting the smart contract code into an abstract syntax tree removes redundant and irrelevant code, which helps the subsequent analysis of the smart contract code extract all of the function variables and variable types that it contains, and improves the efficiency of code analysis.
In a preferred embodiment, since smart contract code is generally written in Solidity, whose syntax is similar to JavaScript, the abstract syntax tree can be constructed for Solidity using the methods used for JavaScript.
In a specific embodiment, the Fuzz test data set is generated according to the function variables and their variable types, so that the generated Fuzz test data set is a data set covering all of the variable types.
It can be understood that when adapted Fuzz test data is used as the input variable to run the smart contract code, the data type of the adapted Fuzz test data is the same as the data type of the input variable of the smart contract code. This guarantees that the smart contract code runs normally, so that every run can be used for smart contract vulnerability detection. Providing effective test data for the smart contract code therefore improves the efficiency of vulnerability detection.
Fuzz is a form of security penetration testing and a vulnerability discovery method that sits between manual testing and automated testing: it constructs a series of random "bad" data, feeds it into the application, and judges whether the program behaves abnormally, in order to find potential bugs.
In a specific embodiment, monitoring the output variable of the smart contract code is equivalent to monitoring the different output variables that correspond to all of the adapted Fuzz test data under the same execution path, so that whether the output variable is abnormal, that is, whether a vulnerability exists, can be judged from how the output variable changes.
It can be understood that running the smart contract code with adapted Fuzz test data and monitoring its output variable allows the smart contract code to be run effectively many times to detect its vulnerabilities, which improves the accuracy and efficiency of vulnerability detection. At the same time, detection is not limited to existing vulnerability detection rules: the judgment is made on abnormal output variables and on abnormal changes in output variables, which makes it possible to detect unknown vulnerabilities in smart contracts and further improves the efficiency of vulnerability detection.
In conclusion, the embodiment of the present invention not only provides effective test data for smart contract code, but can also detect unknown vulnerabilities in smart contracts by monitoring output variables, further improving the efficiency of vulnerability detection.
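Steps S1 to S3 as an added Python sketch, not code from the patent. The sample contract source, the regex standing in for AST extraction, the `BankModel` class standing in for execution on an EVM, and the per-function anomaly oracles in `ORACLES` are all assumptions constructed for illustration; the patent does not define what counts as an abnormal output.

```python
import copy
import itertools
import re

# Constructed sample contract (pre-0.8 Solidity: arithmetic wraps silently).
SOURCE = """
pragma solidity ^0.4.24;
contract Bank {
    mapping(address => uint256) balances;
    function deposit(address to, uint256 amount) public returns (uint256) {
        balances[to] += amount;
        return balances[to];
    }
    function setFlag(bool on, uint8 level) public returns (uint8) {
        return on ? level : 0;
    }
}
"""

UINT256_MAX = 2**256 - 1


def extract_signatures(source):
    """S1 stand-in: a real tool walks the compiler's AST; a regex over the
    function headers is enough for this constructed sample."""
    sigs = {}
    for name, params in re.findall(r"function\s+(\w+)\s*\(([^)]*)\)", source):
        # Each parameter becomes a (type, name) pair.
        sigs[name] = [tuple(p.split()[:2]) for p in params.split(",") if p.strip()]
    return sigs


def build_dataset(sigs):
    """S2: one pool of boundary-heavy values per variable type found in S1."""
    dataset = {}
    for params in sigs.values():
        for typ, _ in params:
            if typ in dataset:
                continue
            width = re.fullmatch(r"uint(\d+)", typ)
            if width:
                top = 2 ** int(width.group(1)) - 1
                dataset[typ] = [0, 1, top // 2, top - 1, top]
            elif typ == "bool":
                dataset[typ] = [False, True]
            elif typ == "address":
                dataset[typ] = [0, 1, 2**160 - 1]
            else:
                raise ValueError("no generator for type " + typ)
    return dataset


class BankModel:
    """Python model of the sample contract with 256-bit wrap-around
    (assumption: stands in for running the bytecode on an EVM)."""

    def __init__(self):
        self.balances = {}

    def deposit(self, to, amount):
        self.balances[to] = (self.balances.get(to, 0) + amount) & UINT256_MAX
        return self.balances[to]

    def setFlag(self, on, level):
        return level if on else 0


# Assumed oracles: each returns True when the monitored output is abnormal.
ORACLES = {
    # A deposit must never leave the account with less than it had before.
    "deposit": lambda before, args, out: out < before["balances"].get(args[0], 0),
    # A uint8 return value must stay within the uint8 range.
    "setFlag": lambda before, args, out: not 0 <= out <= 255,
}


def run_fuzz(contract, sigs, dataset, oracles):
    """S3: feed only type-matched ("adapted") data, one input at a time,
    and record every call whose output the oracle flags as abnormal."""
    findings = []
    for name, params in sigs.items():
        pools = [dataset[typ] for typ, _ in params]  # adapted data per parameter
        for args in itertools.product(*pools):
            before = copy.deepcopy(vars(contract))  # state before the call
            out = getattr(contract, name)(*args)
            check = oracles.get(name)
            if check and check(before, args, out):
                findings.append((name, args, out))
    return findings


if __name__ == "__main__":
    signatures = extract_signatures(SOURCE)
    data = build_dataset(signatures)
    for name, args, out in run_fuzz(BankModel(), signatures, data, ORACLES):
        print("abnormal output:", name, args, "->", out)
```

Because every input matches the parameter's declared type, no run is wasted on a rejected call, and the flagged `deposit` calls are exactly the ones where the accumulated balance wraps past the `uint256` maximum.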
Second embodiment, an embodiment based on the first embodiment. Please refer to Figs. 2-4.
As shown in Fig. 2, the Fuzz-based smart contract vulnerability detection method provided by the first embodiment further includes steps S4 to S6:
S4: if a vulnerability exists, perform vulnerability matching on the smart contract code to obtain a vulnerability matching result.
S5: according to the vulnerability matching result, extract the associated code from the smart contract code and perform vulnerability verification to obtain a vulnerability verification result.
S6: generate a vulnerability detection report according to the vulnerability matching result and the vulnerability verification result.
In a specific embodiment, the vulnerability matching result includes the vulnerability type obtained by matching the input variable and the output variable against vulnerability models, wherein a vulnerability model is a model abstracted from a vulnerability type.
In this embodiment, if it is determined that the smart contract code contains a vulnerability, vulnerability matching is performed on the smart contract code. The smart contract code is parsed and run, and breakpoints are set at its input variable and its output variable respectively, so that in subsequent repeated runs the adapted Fuzz test data can be supplied at the input variable breakpoint and, after the smart contract code continues running from the input variable breakpoint, the output variable can be monitored at the output variable breakpoint. Matching is then performed on the input variable and the output variable against the vulnerability models to obtain the vulnerability matching result.
It should be noted that an Ethereum Virtual Machine (EVM) can be used to parse and run the smart contract code.
In a specific embodiment, the vulnerability type includes one or a combination of: reentrancy and race condition attacks, integer overflow, unauthorized access, denial of service, logic errors, information leakage and function misuse.
It can be understood that reentrancy and race condition attacks, integer overflow, unauthorized access, denial of service, logic errors, information leakage and function misuse are common smart contract security vulnerabilities. By matching against the vulnerability models that correspond to these common security vulnerabilities, this embodiment can quickly determine the vulnerability type of a detected unknown vulnerability, that is, whether it is one or more of these security vulnerabilities, which further improves the efficiency of vulnerability detection. It also helps programmers or code auditors take the corresponding measures against the security vulnerability as early as possible.
In a specific embodiment, the vulnerability matching result includes: locating, in the smart contract code, the associated code that matches the vulnerability model, wherein the associated code includes the input variable and the output variable.
It can be understood that locating, according to the vulnerability matching result, the associated code in the smart contract code that matches the vulnerability model makes it possible to examine that associated code further, which improves the accuracy of vulnerability detection.
As shown in Fig. 3, in a preferred embodiment, step S5 specifically includes steps S51 to S53:
S51: according to the vulnerability matching result, extract the associated code from the smart contract code.
S52: use the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the associated code to drive the associated code to run, and monitor the output variable of the associated code.
S53: according to the input variable, the output variable and the vulnerability model, perform vulnerability verification on the vulnerability matching result to obtain the vulnerability verification result, wherein a vulnerability model is a model abstracted from a vulnerability type.
In a specific embodiment, according to the vulnerability matching result, that is, according to the located associated code, the associated code is extracted from the smart contract code for further examination.
In this embodiment, the associated code is parsed and run, and breakpoints are set at its input variable and its output variable respectively, so that in subsequent repeated runs the adapted Fuzz test data can be supplied at the input variable breakpoint and, after the associated code continues running from the input variable breakpoint, the output variable can be monitored at the output variable breakpoint. Vulnerability verification is then performed on the vulnerability matching result according to the input variable, the output variable and the vulnerability model to obtain the vulnerability verification result.
It should be noted that an Ethereum Virtual Machine (EVM) can be used to parse and run the smart contract code.
It can be understood that extracting the associated code and testing it independently to verify the vulnerability matching result amounts to a second detection pass over the detected unknown vulnerability, which further improves the accuracy of vulnerability detection.
As shown in Fig. 4, in another preferred embodiment, step S6 specifically includes steps S61 to S62:
S61: judge whether a vulnerability exists according to the vulnerability matching result and the vulnerability verification result.
S62: if a vulnerability exists, store the path of the file containing the vulnerability, the code snippet and the vulnerability type in a database, and generate a vulnerability detection report; or, if no vulnerability exists, send a safety notice, store the vulnerability matching result and the vulnerability verification result in the database, and generate a vulnerability detection report.
It can be understood that generating different vulnerability detection reports for different detection results gives programmers or code auditors an intuitive and useful report, and helps them take the corresponding measures against smart contract vulnerabilities as early as possible.
In conclusion, the embodiment of the present invention performs vulnerability matching on a detected unknown vulnerability to determine its vulnerability type, which further improves the efficiency of vulnerability detection, and then, through the vulnerability verification operation, tests the associated code of the vulnerability independently, which improves the accuracy of vulnerability detection and helps programmers or code auditors take the corresponding measures against smart contract vulnerabilities.
Third embodiment. Please refer to Figs. 5-6.
As shown in Fig. 5, the Fuzz-based smart contract vulnerability detection device provided by the third embodiment comprises: a code preprocessing module 31, for constructing an abstract syntax tree from the smart contract code and extracting function variables and their variable types from the abstract syntax tree; a data generation module 32, for generating a Fuzz test data set according to the function variables and their variable types, wherein the Fuzz test data set is a data set covering all of the variable types; and a code driving module 33, for using the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the smart contract code to drive the smart contract code to run, monitoring the output variable of the smart contract code, and determining that a vulnerability exists if the output variable is abnormal; wherein the adapted Fuzz test data are all Fuzz test data in the Fuzz test data set whose variable type is the same as that of the input variable.
In a specific embodiment, the code preprocessing module 31 converts the smart contract code into an abstract syntax tree, which removes redundant and irrelevant code, helps the subsequent analysis of the smart contract code extract all of the function variables and variable types that it contains, and improves the efficiency of code analysis.
In a preferred embodiment, since smart contract code is generally written in Solidity, whose syntax is similar to JavaScript, the abstract syntax tree can be constructed for Solidity using the methods used for JavaScript.
In a specific embodiment, the data generation module 32 generates the Fuzz test data set according to the function variables and their variable types, so that the generated Fuzz test data set is a data set covering all of the variable types.
It can be understood that when adapted Fuzz test data is used as the input variable to run the smart contract code, the data type of the adapted Fuzz test data is the same as the data type of the input variable of the smart contract code. This guarantees that the smart contract code runs normally, so that every run can be used for smart contract vulnerability detection. Providing effective test data for the smart contract code therefore improves the efficiency of vulnerability detection.
Fuzz is a form of security penetration testing and a vulnerability discovery method that sits between manual testing and automated testing: it constructs a series of random "bad" data, feeds it into the application, and judges whether the program behaves abnormally, in order to find potential bugs.
In a specific embodiment, the code driving module 33 monitors the output variable of the smart contract code, which is equivalent to monitoring the different output variables that correspond to all of the adapted Fuzz test data under the same execution path, so that whether the output variable is abnormal, that is, whether a vulnerability exists, can be judged from how the output variable changes.
It can be understood that running the smart contract code with adapted Fuzz test data and monitoring its output variable allows the smart contract code to be run effectively many times to detect its vulnerabilities, which improves the accuracy and efficiency of vulnerability detection. At the same time, detection is not limited to existing vulnerability detection rules: the judgment is made on abnormal output variables and on abnormal changes in output variables, which makes it possible to detect unknown vulnerabilities in smart contracts and further improves the efficiency of vulnerability detection.
As shown in fig. 6, in a preferred embodiment, the intelligent contract Hole Detection device based on Fuzz further include: Loophole matching module 34 then carries out loophole matching to the intelligent contract code for loophole if it exists, obtains loophole matching knot Fruit;Validating vulnerability module 35, for according to the loophole matching result, extracted in the intelligent contract code association code into Row validating vulnerability obtains validating vulnerability result;Report generation module 36, for according to the loophole matching result and the loophole Verification result generates Hole Detection report.
In specific embodiment, the loophole matching result, including according to the input variable and the output variable It carries out matching resulting loophole type with vulnerability model;Wherein, vulnerability model is that resulting loophole mould is abstracted according to loophole type Type.
In the present embodiment, if it is determined that the intelligence contract code there are loopholes, then the intelligent contract code is carried out Loophole matching.By the parsing operation intelligent contract code, and respectively in the input variable of the intelligent contract code and defeated Out variable be arranged breakpoint so that it is subsequent code is run multiple times when the adaptation Fuzz can be inputted at the input variable breakpoint Test data, and the intelligent contract code after continuing to run at the input variable breakpoint, in the output variable breakpoint Place is monitored the output variable.To according to the input variable and the output variable and vulnerability model progress Match, obtains loophole matching result.
It should be noted that can use Ethereum virtual machine (EVM) parsing operation intelligent contract code.
In specific embodiment, the loophole type includes reenterability and race condition attack, integer overflow, gets over Power access, refusal service, logic error, information leakage and function misuse one or more of them combination.
It is understood that reenterability and race condition attack, integer overflow, unauthorized access, refusal service, logic mistake Accidentally, information leakage and function misuse are common intelligent contract security breaches.The present embodiment passes through corresponding with Common Security Vulnerability Vulnerability model matched, can quickly determine the loophole type of unknown loophole detected, i.e., whether be it is one of or A variety of security breaches further increase the efficiency of Hole Detection.Meanwhile being conducive to help to program or code audit personnel needle as early as possible Respective handling measure is taken to security breaches.
In a specific embodiment, the vulnerability matching result includes: the association code, located in the smart contract code, that matches the vulnerability model, where the association code contains the input variable and the output variable.
It can be understood that locating, according to the vulnerability matching result, the association code in the smart contract code that matches the vulnerability model makes it possible to run further detection on that association code and so improve the accuracy of vulnerability detection.
In a specific embodiment, the vulnerability verification module 35 includes: an extraction unit, configured to extract the association code from the smart contract code according to the vulnerability matching result; a detection unit, configured to use the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the association code, drive the association code to run, and monitor the output variable of the association code; and a verification unit, configured to perform vulnerability verification on the vulnerability matching result according to the input variable, the output variable and the vulnerability model, obtaining a vulnerability verification result, where a vulnerability model is a model abstracted from a vulnerability type.
In a specific embodiment, according to the vulnerability matching result, that is, according to the located association code, the association code is extracted from the smart contract code for further detection.
In this embodiment, the association code is parsed and run, and breakpoints are set at its input variable and at its output variable, so that on each subsequent run the adapted Fuzz test data can be input at the input-variable breakpoint and, once the association code resumes from that breakpoint, the output variable can be monitored at the output-variable breakpoint. Vulnerability verification is then performed on the vulnerability matching result according to the input variable, the output variable and the vulnerability model, obtaining the vulnerability verification result.
It should be noted that the Ethereum Virtual Machine (EVM) can be used to parse and run the smart contract code.
It can be understood that extracting the association code and testing it independently to verify the vulnerability matching result amounts to a second detection of the detected unknown vulnerability, further improving the accuracy of vulnerability detection.
In a specific embodiment, the report generation module 36 includes: a judging unit, configured to judge whether a vulnerability exists according to the vulnerability matching result and the vulnerability verification result; and a report generation unit, configured to, if a vulnerability exists, store the path of the file containing the vulnerability, the code snippet and the vulnerability type in a database and generate a vulnerability detection report; or, if no vulnerability exists, send a safety notice, store the vulnerability matching result and the vulnerability verification result in the database, and generate a vulnerability detection report.
It can be understood that generating different vulnerability detection reports for different detection results gives programmers or code auditors an intuitive and useful report, helping them take corresponding measures against smart contract vulnerabilities as early as possible.
In conclusion, the embodiments of the present invention can provide effective test data for smart contract code, so that unknown vulnerabilities in a smart contract are detected by monitoring the output variable. Performing vulnerability matching on a detected unknown vulnerability to determine its vulnerability type further improves the efficiency of vulnerability detection, and the vulnerability verification operation, which tests the association code of the vulnerability independently, improves the accuracy of vulnerability detection. Together these help programmers or code auditors take corresponding measures against smart contract vulnerabilities.
The above is a preferred embodiment of the present invention. It should be noted that those skilled in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications are also considered to fall within the protection scope of the present invention.
Those of ordinary skill in the art will appreciate that all or part of the processes in the above embodiments can be implemented by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments described above. The storage medium can be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM) or the like.
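The detection, matching and verification flow of the embodiments above, sketched in Python as an added example that is not part of the patent text. The toy `batch_transfer` function, its hardened variant, the boundary values, the balance of 1000 and the single overflow model are all constructed assumptions, and Python integers reduced modulo 2**256 stand in for running the code on the EVM.

```python
from itertools import product

WORD = 2**256  # unchecked EVM arithmetic wraps modulo 2**256

# Constructed stand-in for the AST step: input variables and their types.
SIGNATURE = [("count", "uint256"), ("value", "uint256")]

# Fuzz test data set keyed by variable type (constructed boundary values).
FUZZ_DATASET = {
    "uint256": [0, 1, 2, 2**255, WORD - 1],
    "bool": [False, True],
}

def mul_unchecked(a, b):
    """Association code: the arithmetic that links input and output variables."""
    return (a * b) % WORD

def batch_transfer(count, value, balance=1000):
    """Toy contract function: debit count*value once, credit value to count recipients."""
    total = mul_unchecked(count, value)
    if total > balance:
        return {"ok": False, "debited": 0, "credited": 0}
    return {"ok": True, "debited": total, "credited": count * value}

def batch_transfer_checked(count, value, balance=1000):
    """Hardened variant: refuse the call when the product does not fit in one word."""
    if count * value >= WORD:
        return {"ok": False, "debited": 0, "credited": 0}
    return batch_transfer(count, value, balance)

def adapted_inputs(signature):
    """Every combination of fuzz data whose type equals each input variable's type."""
    return product(*(FUZZ_DATASET[var_type] for _, var_type in signature))

def is_abnormal(out):
    """Output monitor: crediting more than was debited is an abnormal output."""
    return out["ok"] and out["credited"] > out["debited"]

# Vulnerability models: predicates over the input variables and the monitored output.
MODELS = {
    "integer overflow": lambda args, out: out["debited"] != args[0] * args[1],
}

def detect(func, signature):
    """Drive func with adapted fuzz data; keep (inputs, output) of abnormal runs."""
    runs = ((args, func(*args)) for args in adapted_inputs(signature))
    return [(args, out) for args, out in runs if is_abnormal(out)]

def match(findings):
    """Match abnormal runs against the models; return the matched vulnerability types."""
    return sorted({name for args, out in findings
                   for name, model in MODELS.items() if model(args, out)})

def verify(findings, assoc=mul_unchecked):
    """Second check: run only the association code on the flagged inputs."""
    return [args for args, _ in findings if assoc(*args) != args[0] * args[1]]

def report(func, signature=SIGNATURE):
    """Build the report from the matching and verification results."""
    findings = detect(func, signature)
    if not findings:
        return {"vulnerable": False, "types": [], "verified_inputs": []}
    return {"vulnerable": True, "types": match(findings),
            "verified_inputs": verify(findings)}

if __name__ == "__main__":
    print(report(batch_transfer))
    print(report(batch_transfer_checked))
```

Only type-matched boundary values reach the function, and the hardened variant produces an empty report because every flagged input is rejected before the wrapped product is used.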

Claims (10)

1. A Fuzz-based smart contract vulnerability detection method, characterized by comprising:
constructing an abstract syntax tree from smart contract code, and extracting function variables and their variable types from the abstract syntax tree;
generating a Fuzz test data set according to the function variables and their variable types, wherein the Fuzz test data set is a data set containing all variable types;
using the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the smart contract code, driving the smart contract code to run, and monitoring the output variable of the smart contract code, and determining that a vulnerability exists if the output variable is abnormal; wherein the adapted Fuzz test data is all Fuzz test data in the Fuzz test data set whose variable type is identical to the variable type of the input variable.
2. The Fuzz-based smart contract vulnerability detection method according to claim 1, characterized by further comprising:
if a vulnerability exists, performing vulnerability matching on the smart contract code to obtain a vulnerability matching result;
extracting association code from the smart contract code according to the vulnerability matching result and performing vulnerability verification on it to obtain a vulnerability verification result;
generating a vulnerability detection report according to the vulnerability matching result and the vulnerability verification result.
3. The Fuzz-based smart contract vulnerability detection method according to claim 2, characterized in that the vulnerability matching result includes the vulnerability type obtained by matching the input variable and the output variable against the vulnerability models; wherein a vulnerability model is a model abstracted from a vulnerability type.
4. The Fuzz-based smart contract vulnerability detection method according to claim 3, characterized in that the vulnerability type includes one or a combination of: reentrancy and race condition attacks, integer overflow, unauthorized access, denial of service, logic errors, information leakage and function misuse.
5. The Fuzz-based smart contract vulnerability detection method according to claim 2, characterized in that the vulnerability matching result comprises:
the association code, located in the smart contract code, that matches the vulnerability model; wherein the association code contains the input variable and the output variable.
6. The Fuzz-based smart contract vulnerability detection method according to claim 2, characterized in that extracting association code according to the vulnerability matching result and performing vulnerability verification to obtain a vulnerability verification result is, specifically:
extracting the association code from the smart contract code according to the vulnerability matching result;
using the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the association code, driving the association code to run, and monitoring the output variable of the association code;
performing vulnerability verification on the vulnerability matching result according to the input variable, the output variable and the vulnerability model to obtain the vulnerability verification result; wherein a vulnerability model is a model abstracted from a vulnerability type.
7. The Fuzz-based smart contract vulnerability detection method according to claim 2, characterized in that generating a vulnerability detection report according to the vulnerability matching result and the vulnerability verification result is, specifically:
judging whether a vulnerability exists according to the vulnerability matching result and the vulnerability verification result;
if a vulnerability exists, storing the path of the file containing the vulnerability, the code snippet and the vulnerability type in a database, and generating a vulnerability detection report; or, if no vulnerability exists, sending a safety notice, storing the vulnerability matching result and the vulnerability verification result in the database, and generating a vulnerability detection report.
8. A Fuzz-based smart contract vulnerability detection device, characterized by comprising:
a code preprocessing module, configured to construct an abstract syntax tree from smart contract code and extract function variables and their variable types from the abstract syntax tree;
a data generation module, configured to generate a Fuzz test data set according to the function variables and their variable types; wherein the Fuzz test data set is a data set containing all variable types;
a code driving module, configured to use the adapted Fuzz test data in the Fuzz test data set one by one as the input variable of the smart contract code, drive the smart contract code to run, monitor the output variable of the smart contract code, and determine that a vulnerability exists if the output variable is abnormal; wherein the adapted Fuzz test data is all Fuzz test data in the Fuzz test data set whose variable type is identical to the variable type of the input variable.
9. The Fuzz-based smart contract vulnerability detection device according to claim 8, characterized by further comprising:
a vulnerability matching module, configured to perform vulnerability matching on the smart contract code if a vulnerability exists, obtaining a vulnerability matching result;
a vulnerability verification module, configured to extract association code from the smart contract code according to the vulnerability matching result and perform vulnerability verification on it, obtaining a vulnerability verification result;
a report generation module, configured to generate a vulnerability detection report according to the vulnerability matching result and the vulnerability verification result.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium includes a stored computer program, wherein, when the computer program runs, the device on which the computer-readable storage medium is located is controlled to execute the Fuzz-based smart contract vulnerability detection method according to any one of claims 1 to 7.
CN201910723918.1A 2019-08-06 2019-08-06 A kind of intelligent contract leak detection method, device and storage medium based on Fuzz Pending CN110489973A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910723918.1A CN110489973A (en) 2019-08-06 2019-08-06 A kind of intelligent contract leak detection method, device and storage medium based on Fuzz

Publications (1)

Publication Number Publication Date
CN110489973A true CN110489973A (en) 2019-11-22

Family

ID=68549978

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910723918.1A Pending CN110489973A (en) 2019-08-06 2019-08-06 A kind of intelligent contract leak detection method, device and storage medium based on Fuzz

Country Status (1)

Country Link
CN (1) CN110489973A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105468531A (en) * 2015-12-25 2016-04-06 北京金山安全软件有限公司 Vulnerability mining method and device and electronic equipment
CN105512562A (en) * 2015-12-01 2016-04-20 珠海市君天电子科技有限公司 Vulnerability mining method and device and electronic equipment
CN106131041A (en) * 2016-07-29 2016-11-16 北京匡恩网络科技有限责任公司 A kind of industry control network safety detection device and unknown leak detection method
CN107169358A (en) * 2017-05-24 2017-09-15 中国人民解放军信息工程大学 Code homology detection method and its device based on code fingerprint
CN107273751A (en) * 2017-06-21 2017-10-20 北京计算机技术及应用研究所 Security breaches based on multi-mode matching find method online
CN108549538A (en) * 2018-04-11 2018-09-18 深圳市腾讯网络信息技术有限公司 A kind of code detection method, device, storage medium and test terminal
CN108614707A (en) * 2018-04-27 2018-10-02 深圳市腾讯网络信息技术有限公司 Static code inspection method, device, storage medium and computer equipment
CN109255240A (en) * 2018-07-18 2019-01-22 北京明朝万达科技股份有限公司 A kind of loophole treating method and apparatus
CN109446814A (en) * 2018-09-30 2019-03-08 北京金山安全软件有限公司 Vulnerability detection method and device
CN109948345A (en) * 2019-03-20 2019-06-28 杭州拜思科技有限公司 A kind of method, the system of intelligence contract Hole Detection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
付梦琳等: "《智能合约安全漏洞挖掘技术研究》", 《计算机应用》 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111158692A (en) * 2019-12-09 2020-05-15 华南师范大学 Method, system and storage medium for ordering similarity of intelligent contract functions
CN111158692B (en) * 2019-12-09 2023-05-02 华南师范大学 Ordering method, ordering system and storage medium for intelligent contract function similarity
CN111310191A (en) * 2020-02-12 2020-06-19 广州大学 Block chain intelligent contract vulnerability detection method based on deep learning
CN111310191B (en) * 2020-02-12 2022-12-23 广州大学 Block chain intelligent contract vulnerability detection method based on deep learning
CN111753306A (en) * 2020-05-29 2020-10-09 西安深信科创信息技术有限公司 Intelligent contract vulnerability detection method and device, electronic equipment and storage medium
CN111753306B (en) * 2020-05-29 2022-08-05 西安深信科创信息技术有限公司 Intelligent contract vulnerability detection method and device, electronic equipment and storage medium
CN112560114A (en) * 2021-02-22 2021-03-26 支付宝(杭州)信息技术有限公司 Method and device for calling intelligent contract
CN112560114B (en) * 2021-02-22 2022-01-11 支付宝(杭州)信息技术有限公司 Method and device for calling intelligent contract
WO2024001929A1 (en) * 2022-06-27 2024-01-04 中国人民银行数字货币研究所 Intelligent contract vulnerability detection method and apparatus, and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191122
