CN110737901A - Logic vulnerability analysis method for network transaction service interaction process in design stage - Google Patents

Logic vulnerability analysis method for network transaction service interaction process in design stage Download PDF

Info

Publication number
CN110737901A
CN110737901A CN201910957063.9A CN201910957063A CN110737901A CN 110737901 A CN110737901 A CN 110737901A CN 201910957063 A CN201910957063 A CN 201910957063A CN 110737901 A CN110737901 A CN 110737901A
Authority
CN
China
Prior art keywords
network
transaction
logic
interaction process
service interaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910957063.9A
Other languages
Chinese (zh)
Other versions
CN110737901B (en
Inventor
于汪洋
贾萌韩
王小明
张立臣
卢俊岭
庞光垚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shaanxi Normal University
Original Assignee
Shaanxi Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shaanxi Normal University filed Critical Shaanxi Normal University
Priority to CN201910957063.9A priority Critical patent/CN110737901B/en
Publication of CN110737901A publication Critical patent/CN110737901A/en
Application granted granted Critical
Publication of CN110737901B publication Critical patent/CN110737901B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Development Economics (AREA)
  • General Business, Economics & Management (AREA)
  • Technology Law (AREA)
  • Strategic Management (AREA)
  • Computing Systems (AREA)
  • Marketing (AREA)
  • Economics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

logic vulnerability analysis method for a network transaction service interaction process in a design phase comprises the following steps of S100, modeling the network transaction service interaction process by using a color petri network to construct an interaction service process fusion network IBPF, S200, providing two basic security attributes of a transaction logic consistency and a transaction processing completion state in the network transaction service interaction process, S300, analyzing and verifying vulnerability of the network transaction service interaction process in the design phase by combining the interaction service process fusion network IBPF and the two basic security attributes based on an algorithm for finding logic vulnerability in the network transaction service interaction process, and the method can detect the logic vulnerability in the system design phase to avoid high cost caused by later maintenance and repair.

Description

Logic vulnerability analysis method for network transaction service interaction process in design stage
Technical Field
The disclosure belongs to the technical field of network transaction security, and particularly relates to a logic vulnerability analysis method for an design-stage network transaction service interaction process.
Background
Participating agents often use an Application Programming Interface (API) to merge business service functions, and such complex business interactions create a new security challenge — a logic vulnerability.
In such a hybrid distributed system, it is very challenging to coordinate the state of the relevant principals in secure ways, when a user abuses the legitimate application specific behavior against the expectations of the developer, there are often logical vulnerabilities, and the developer often has no idea of how to implement sufficient server-side authorization checks on the received request parameters.
In order to solve this problem, methods must be provided, and modeling and analyzing the network transaction business interaction process in the design stage is important technical directions of the current secure network transaction.
Disclosure of Invention
In view of this, the present disclosure provides logic vulnerability analysis methods for a network transaction service interaction process in a design phase, including the following steps:
s100: modeling a network transaction service interaction process by using a color petri network, and constructing an interactive service flow fusion network IBPF;
s200, providing two basic security attributes of transaction logic consistency and transaction processing completion state in the network transaction service interaction process;
s300: and based on an algorithm for finding the logic loophole in the network transaction service interaction process, combining the interactive service flow with the integrated network IBPF and the two basic security attributes, and performing loophole analysis and verification on the network transaction service interaction process in the design stage.
By the technical scheme, the method can detect the logic loophole in the system design stage, avoid high cost caused by later maintenance and repair, and can be used in various multi-agent network transaction service interaction flows by properly defining the service flow and the data set.
Drawings
Fig. 1 is a schematic flow chart of a method for analyzing logic vulnerabilities of a network transaction service interaction process in design phases provided in embodiments of the present disclosure;
FIG. 2 is a business interaction process between a user, a merchant and a third party payment platform in embodiments of the present disclosure;
FIG. 3 is a complete IBPF-based network transaction service interaction process in embodiments of the present disclosure;
FIG. 4 is a state of transaction completion after an initial configuration change is made by the present disclosure.
Detailed Description
In embodiments, referring to fig. 1 to 4, a logic vulnerability analysis method of design phase network transaction business interaction processes is disclosed, which comprises the following steps:
s100: modeling a network transaction service interaction process by using a color petri network, and constructing an interactive service flow fusion network IBPF;
s200, providing two basic security attributes of transaction logic consistency and transaction processing completion state in the network transaction service interaction process;
s300: and based on an algorithm for finding the logic loophole in the network transaction service interaction process, combining the interactive service flow with the integrated network IBPF and the two basic security attributes, and performing loophole analysis and verification on the network transaction service interaction process in the design stage.
For the embodiment, the method can detect the logic loophole in the system design stage, and avoids high cost caused by later maintenance and repair.
In another embodiments, fig. 2 shows the transaction interaction process between the shopper, merchant and third party payment platform, the dashed rectangle representing the pseudo code of ValidatePara, finishOrder and UpdateStatus, during the checkout process, two communications are made between the merchant and the third party payment platform, communications inform the third party payment platform that payment with the authentication data (identification) is about to be made (step 2), then the third party payment platform sends information with a payment token for identifying the payment transaction, the merchant passes the payment transaction to the shopper (step 4), the shopper passes the token and the total price to the third party payment platform again, requests payment, the third party payment platform accepts and confirms the payment information (step 5), after which the third party payment platform redirects the shopper browser to the merchant's API interface finishOrder and the token, total price and payment ID as parameters (step 6), the merchant directly contacts the third party payment platform to check and complete the transaction, the authentication function of validatePara, the merchant's authentication function verifies the transfer function, and the merchant's payment status is set as a valid transaction status record if the merchant's contact status is "valid" and the merchant's contact status "returns the transaction status to the merchant's contact status" and the merchant's status "if the merchant's contact status is" valid "and the merchant's contact status is" and the merchant's status is returned to the transaction status "step 35, the merchant's contact status is updated". the merchant's status "and the merchant's status is updated". the merchant's payment platform returns the transaction to the merchant's payment platform, the merchant's payment status "step 35, the merchant's payment status" step 9, the merchant's payment status "step 3 transaction is then the merchant's payment platform returns the merchant's status" and the transaction is updated "and the merchant's payment platform returns.
For this embodiment, as long as there are valid orderIDs that can enter the session in the transaction success state (i.e., step 10 in FIG. 2), the updateStatus marks the order corresponding to the orderID as paid, regardless of whether it is actually paid or not, when the shopper has obtained valid unpaid more expensive order IDs, the orderID can be replaced in step 11, which allows the shopper to complete the transaction process by paying a relatively lower price.
In another embodiments, the color petri net is nine-tuple CPN ═ s (P, T, a, Σ, V, C, G, E, I), where:
1) p is finite set of libraries (which in our structure can represent both conditions and subjects, and can store data, etc.);
2) t is sets of finite transitions T, such that
Figure BDA0002229679980000051
(indicating a network transaction event, or the occurrence of a transaction);
3)
Figure BDA0002229679980000052
directional arc sets are used for transmitting data along the direction pointed by the arcs;
4) Σ is sets of finite, non-empty colors, representing different data types;
5) v is sets of finite Type variables, such that Type [ V ] ∈ Σ applies to all variables V ∈ V.
6) P → Σ is a function of color sets specified for each bin.
7)G:T→EXPRVIs decision functions that specify Boolean expressions for each transition t, resulting in a Type [ G (t)]Bool, to constrain and judge the occurrence of transitions.
8)E:A→EXPRVIs a function of arc expressions which assigns an arc expression to each arc a, such that Type [ E (a)]=C(p)MSWhere p is the library connected to arc a (mainly constraining the occurrence of arcs, data can be transmitted only if the criteria are met).
9)I:
Figure BDA0002229679980000053
Is ID initialization functions, let Type [ I (p)]=C(p)MS(the initial data set is mainly defined).
For the purposes of this embodiment, the formalized representation of the CPN is the basis for defining various behavioral attributes and analytical methods.
In another embodiments, an IBPF is defined as follows:
definition 1: logic Business Process LBP ═ P, T, a, Σ, V, C, G, E, I, where:
LBP has three special libraries α and γ, wherein α ∈ P is called initial library and β ∈ P is called terminal library, γ ∈ P is called repository library,
Figure BDA0002229679980000061
the point represents the pre-transition set in the front, the post-transition set in the back, and the same applies to the back.
Define 2: logical Business processes with Channels (Logic Business process Channels) as LBPC ═ P ∪ PIN∪PO,T,A∪AIN∪AOΣ, V, C ', G, E ', I '), wherein:
1)PINis input channel libraries, POIs the pool of sets of output channels,
Figure BDA0002229679980000062
Figure BDA0002229679980000063
2)
Figure BDA0002229679980000064
3)
Figure BDA0002229679980000065
4)C′:(PIN∪PO) → Σ, if P ∈ P, then C' (P) ═ C (P);
5)E′:(AIN∪AO)→EXPRVif a ∈ a, then E' (a) ═ E (a);
6)
Figure BDA0002229679980000066
if P ∈ P, then I' (P) ═ I (P).
LBPC is an extension of LBP that integrates interaction libraries (channels) to describe the communication channels for trading parameters between different principals.
Definitions 3 LBPCn=(Pn∪PINn∪POn,Tn,An,∑n,Vn,Cn,Gn,En,In) (where N ∈ N)2Indicating that n belongs to a natural number set), are two LBPCs, such that
Figure BDA0002229679980000067
Figure BDA0002229679980000068
C1(p)=C2(p),I1(p)=I2(p),p∈(PIN1∩PO2)∪(PO1∩PIN2)。
The fusion operation phi of the two nets is LBPC1ΦLBPC2=LBPC=(P∪PIN∪POT, a, Σ, V, C, G, E, I), wherein P ═ P1∪P2,T=T1∪T2,A=A1∪A2,∑=∑1∪∑2,V=V1∪V2,(p∈Pn)→(C(p)=Cn(p))∧(I(p)=In(p)),(a∈An)→(A(a)=An(a)),(t∈Tn)→(G(t)=Gn(t))。
Definition 4 IBPF ═ (P ∪ P)IN∪PO,T,A,∑,V,C,G,E,I)=LBPC1ΦLBPC2Φ...ΦLBPCmCalled interactive business process convergence network IBPFs are the convergence of m (m ≧ 2) LBPCs.
The CPL ML (Community Party of New pal Marxist-Leninist) language is built based on the functional programming language Standard ML (SML) and is extended by defining the construction of color sets and declaration variables.
colset User=witha1|a2;
var u,u1:User;
colsetMerch=with b1|b2;
var m,m1:Merch;
colset Tpp=with c1|c2;
var t,t1:Tpp;
colset UserPara=product User*BOOL;
colsetUserMerPara=product User*Merch*BOOL;
colset TPPara=product Tpp*BOOL;
colset MerPara=product Merch*BOOL;
var orderIDBOOL,grossBOOL,orderFinishedBOOL,Shop-perOrderBOOL,tokenBOOL,identityBOOL,payerIDBOOL,resultBOOL:BOOL;
colset Parameter=union orderID:UserMerPara+gross:UserMerPara+orderFinished:MerPara+ShopperOrder:
UserPara+token:TPPara+payerID:TPPara+result:TPPara+identity:MerPara;
Where colset User, Merch, and Tpp denote multiple principal sets, such as users (shoppers), merchants, and third party payment platforms. UserPara, UserMerPara, TPPara, and MerPara are types that describe transaction parameters used in the transaction process, which are passed and exchanged between different principals, and are composed of product and uneon types. The prefixes User, Mer, and TPP represent data generated by the User (shopper), merchant, and third party payment platform, respectively.
In another embodiments, FIG. 3 is a CPN model corresponding to the network trading system of FIG. 2, i.e., an LBPN network, during network trading, order ID, order total, merchant ID, and currency are compromised, so we describe this scenario using BOOL types, each trading parameter specifying BOOL values, characterized by "parameter name" + "BOOL", corresponding to orderIDBOOL, grossBOOL, payerIDBOOL, tokenBOOL for the channel depository, we named using "prefix" + "chank", k e N. UChan1 in FIG. 3 refers to the channel depository from which the user sends data, MerChan2 refers to the channel depository from which the merchant sends data, and TppChan3 refers to the channel depository from which the third party payment platform sends data.
In another embodiments, the step S300 specifically includes:
constructing initial configuration according to the logic vulnerabilities, obtaining termination states by using a state traversal algorithm, analyzing the corresponding logic vulnerabilities, and finally verifying other logic vulnerabilities by constructing new initial configuration.
For the embodiment, firstly, the logic loopholes are caused by tampered transaction parameters in the network service interaction process, and can be divided into four types according to destruction rules, namely, destruction of order ID, total order number, merchant ID and currency, then construction of initial configuration is performed based on the logic loopholes needing to be verified, termination states are obtained by using an algorithm, namely, the states of all main bodies after the transaction is completed, only parts of a state space are searched, then corresponding logic loopholes are analyzed by comparing the output termination states with ideal states, and finally, other logic loopholes are verified by constructing new initial configuration.
In another embodiments, the IBPF-based service interaction process proposes a method for analyzing a logical vulnerability of a network transaction interaction process, and based on existing attributes, the main security objective of the network transaction service interaction process is to ensure the following transaction conditions:
1. transaction processing completion status: at the initial identification M0In the following, m ∈ N, σ is the executable transition sequence of IBPF, and the following two conditions need to be satisfied:
3)
Figure BDA0002229679980000091
4)
Figure BDA0002229679980000092
wherein, E (t, β)m) Is from transition t to repository βmM (β)m) Depot βmThe U + + notation in (1) indicates accumulation, all belonging to the library βmThe cumulative sum of the leading transitions.
Condition indicates that the participant completed the transaction, and if the shopper was paid and the third party payment platform was in a paid state, the merchant must reach a state to complete the transaction Another aspect, if the shopper did not pay and the third party payment platform did not pay, the merchant cannot be in a run state for the pending transactionmThe number of tokens is equal to the number of tokens of the input variable on the input arc, which ensures the completion of a single transaction. Condition two represents any repository γmThe necessary transaction parameters should have been obtained, likewise, gammamThe number of tokens in (1) is equal to the number of tokens of the input variable on the input arc.
2. Transaction logic consistency in initial identification M0Then, M ∈ N, and each transaction end state M needs to satisfy the following condition:
1) for each of the parameters v, it is,
Figure BDA0002229679980000101
vBOOL=true。
2) for each variable p representing a participant or a transaction,
Figure BDA0002229679980000102
and
Figure BDA0002229679980000103
it has only values.
Where condition states that there is no invalid data or parameter tampering during the transaction, condition two indicates that all transaction parameters must belong to the same transaction.
In another embodiments, to verify the vulnerability that "the user can pay less to complete the order", we first set initial configurations, M0(Tpp)=1’c1,M0(Merch)=1’b1++1’b2,M0(shop) ═ 1 'a 1+ + 1' a2, where a1 and a2 represent two shoppers, b1 and b2 represent two merchants, and c1 represents a third party payment platform, then sets of identifications omega (sets of tokens corresponding to the pool) that do not satisfy the causality of the transaction logic are obtained by constructing an algorithm for which the corresponding logic vulnerabilities are analyzed
The input is IBPF' (P ∪ P)IN∪P0,T,A,∑,V,C,G,E’,I)
And (3) outputting: identification set omega
1:
Figure BDA0002229679980000111
∏={M0};(M0Initial identification, step is initial states at the beginning of the algorithm)
2: let M0Is a root node and is marked as an intermediate state;
when the intermediate state nodes exist, selecting any intermediate state nodes as M;
3.1 if M is the trade finish state but does not satisfy the conformance of the trade logic , then omega is omega ∪ { M }, repeat step 3, otherwise proceed to step , (step is to judge if the state satisfies two conditions set by us under the initial identification, if yes, proceed to step 3.2, if not, save the state in the identification set, repeat step 3)
3.2 if
Figure BDA0002229679980000112
If M does not occur at t, pi ═ pi ∪ { M }, repeating the step 3, otherwise, performing the next step ;
3.3 if none of the above is satisfied, then for T (T ∈ T) that all happen under M, if there is one
Figure BDA0002229679980000113
Mark M 'as "intermediate state", pi ═ ∪ { M' }, repeat step 3;
3.4 remove the mark M marked as "intermediate state" and repeat step 3;
for FIG. 3, there are three root nodes, i.e., "intermediate nodes," each M0(Tpp)=1’c1,M0(Merch)=1’b1++1’b2,M0(chopper) ═ 1 'a 1+ + 1' a2, and any of these were selected as M of the algorithm, for example, M ═ M0(Tpp) ═ 1' c1, proceed with 3.1 of the algorithm, M is not the completion status of the transaction, then proceed with step 3.2,
Figure BDA0002229679980000114
t, M may occur at T, M 'is generated (Tpcontr1), M' is marked as "intermediate state", and the operation in step 3 is repeated, where M 'is M' at the intermediate node (Tpcontr1), M is M ═ M0(Merch)=1’b1++1’b2,M0(chopper) ═ 1 'a 1+ + 1' a2, the selection of M is repeated, all the libraries which can be executed are traversed in turn until all the intermediate nodes are traversed, the algorithm is finished, and the output is transmittedGo out Ω, i.e., not satisfying the flag set for compliance with transaction logic .
FIG. 4 is a transaction ending state M after setting the initial configuration for FIG. 3, wherein
M(TpStore)=1’gross((a1,b1,true))++1’token((c1,true))++1’Identity((b1,true))
M(MStore)=1’orderID((a1,b1,true))++1’payerID((a1,true))++1’result((c1,true))
M (MData3) ═ 1' orderID ((a1, b1, true)): these three results show that the shopper a1 paid the order in merchant b1 and the payer was a1, and the third party payment platform feedback was error free, both presented in the third party payment platform and in the merchant's data sheet, which was stored in the system and not displayed to the relevant participants
M (tpend) ═ 1 ' c1, m (mend) ═ 1 ' b1, m (uend) ═ 1 ' a 1: there is no error in the information that indicates the final feedback to the third party payment platform and to the merchant and shopper that shopper a1 has completed the order in merchant b1
M (user) ═ 1' orderFinished ((b2, true)): indicating that the order in merchant b2 was paid in the shopper's data, where merchant b2 may be legally registered by shopper a1, a vulnerability arises when shopper a1 completes the order in merchant b1 by paying the order of merchant b2 and what is displayed on the merchant's side and third party payment platforms is that the order in b1 is complete.
The transaction process does not satisfy causality, i.e. the shopper can replace the original merchant by registering merchants by himself to complete the target order, which damages the interests of the merchants, and does not conform to causality of the transaction logic, which is mainly caused by the complex interaction process between the subjects.
Although the embodiments of the present invention have been described above with reference to the accompanying drawings, the present invention is not limited to the above-described embodiments and application fields, and the above-described embodiments are illustrative, instructive, and not restrictive. Those skilled in the art, having the benefit of this disclosure, may effect numerous modifications thereto without departing from the scope of the invention as defined by the appended claims.

Claims (7)

  1. The logic vulnerability analysis method for the network transaction service interaction process in the design stage of 1, concretely comprises the following steps:
    s100: modeling a network transaction service interaction process by using a color petri network, and constructing an interactive service flow fusion network IBPF;
    s200, providing two basic security attributes of transaction logic consistency and transaction processing completion state in the network transaction service interaction process;
    s300: and based on an algorithm for finding the logic loophole in the network transaction service interaction process, combining the interactive service flow with the integrated network IBPF and the two basic security attributes, and performing loophole analysis and verification on the network transaction service interaction process in the design stage.
  2. 2. The method of claim 1, wherein the color Petri Net in the step S100 is specifically defined as nine-tuple CPN (P, T, A, Σ, V, C, G, E, I), wherein preferably:
    1) p is finite sets of libraries, represented by circles;
    2) t is sets of finite transitions T, such that
    Figure FDA0002229679970000011
    Represented by a rectangle;
    3)
    Figure FDA0002229679970000012
    sets of directed arcs, represented by directed arcs;
    4) Σ is sets of finite non-empty colors;
    5) v is sets of finite Type variables, such that Type [ V ] ∈ Σ applies to all variables V ∈ V;
    6) p → Σ is a function of color sets specified for each bin;
    7)G:T→EXPRVis decision functions that specify Boolean expressions for each transition t, resulting in a Type [ G (t)]=Bool;
    8)E:A→EXPRVIs a function of arc expressions which assigns an arc expression to each arc a, such that Type [ E (a)]=C(p)MSWhere p is the library connected to arc a, MS represents the multiple set;
    9)I:
    Figure FDA0002229679970000021
    is ID initialization functions, let Type [ I (p)]=C(p)MSWherein MS means a superset.
  3. 3. The method according to claim 1, wherein the interactive service flow fusion network IBPF in the S100 step describes a distributed, multi-subject and multi-session network transaction service interaction process based on a color petri net, which is specifically defined as:
    the logic business process LBP is (P, T, A, sigma, V, C, G, E, I), wherein the LBP has three special libraries α and gamma, wherein α epsilon P is called initial library place, β epsilon P is called termination library place, gamma epsilon P is called storage library place,
    logical service flows with channels LBPC ═ (P ∪ P)IN∪PO,T,A∪AIN∪AOSigma, V, C ', G, E ', I '), LBPC is extended from LBP, which integrates interaction libraries (channels) to describe communication channels for trading parameters between different subjects, where:
    1)PINis input channel libraries, POIs the pool of sets of output channels,
    Figure FDA0002229679970000024
    2)
    Figure FDA0002229679970000025
    3)
    Figure FDA0002229679970000026
    4)C′:(PIN∪PO) → Σ, if P ∈ P, then C' (P) ═ C (P);
    5)E′:(AIN∪AO)→EXPRVif a ∈ a, then E' (a) ═ E (a);
    6)I′:(PIN∪PO)→EXPRφif P ∈ P, then I' (P) ═ I (P);
    the fusion operation phi of the two nets is LBPC1ΦLBPC2=LBPC=(P∪PIN∪POT, a, Σ, V, C, G, E, I), wherein P ═ P1∪P2,T=T1∪T2,A=A1∪A2,∑=∑1∪∑2,V=V1∪V2,(p∈Pn)→(C(p)=Cn(p))∧(I(p)=In(p)),(a∈An)→(A(a)=An(a)),(t∈Tn)→(G(t)=Gn(t));
    Interactive service flow convergence network IBPF (P ∪ P)IN∪PO,T,A,∑,V,C,G,E,I)=LBPC1ΦLBPC2Φ...ΦLBPCm IBPFs are fusions of m (m.gtoreq.2) LBPCs.
  4. 4. The method of claim 1, wherein the transaction logic in step S200 is defined as:
    at the initial identification M0Then, M ∈ N, and each transaction end state M needs to satisfy the following condition:
    1) for each of the parameters v, it is,
    Figure FDA0002229679970000031
    vBOOL=true;
    2) for each variable p representing a participant or a transaction,
    Figure FDA0002229679970000032
    and
    Figure FDA0002229679970000033
    it has only values;
    wherein, βmDenotes a termination Bank, γmRepresenting a storage place, m is more than or equal to 2, and N is a natural number set.
  5. 5. The method according to claim 1, wherein the transaction processing completion status in step S200 is defined as:
    at the initial identification M0In the following, m ∈ N, σ is the executable transition sequence of IBPF, and the following two conditions need to be satisfied:
    1)
    2)
    Figure FDA0002229679970000035
    wherein, βmDenotes a termination Bank, γmRepresenting a storage place, m is more than or equal to 2, and N is a natural number set.
  6. 6. The method according to claim 1, wherein the step S300 specifically comprises:
    constructing initial configuration according to the logic loopholes, obtaining termination states by utilizing an algorithm for discovering the logic loopholes in the interaction process of the network transaction service, analyzing the corresponding logic loopholes, and finally verifying other logic loopholes by constructing new initial configuration.
  7. 7. The method according to claim 1, wherein the algorithm for discovering the logic vulnerability in the network transaction service interaction process in step S300 specifically includes:
    step 1: identification set
    Figure FDA0002229679970000041
    ∏={M0}; wherein M is0Is an initial identification;
    step 2: let M0Is a root node and is marked as an intermediate state;
    step 3, when the intermediate state nodes exist, selecting any intermediate state nodes as M;
    step 3.1, if the M is the transaction completion state but does not meet the consistency of the transaction logic , repeating the step 3 if the Ω is Ω ∪ { M }, otherwise, performing the next step ;
    step 3.2: if it is not
    Figure FDA0002229679970000042
    If M does not occur at t, pi ═ pi ∪ { M }, repeating the step 3, otherwise, performing the next step ;
    step 3.3: if none of the above is satisfied, then for T (T ∈ T) that all happen at M, if there is oneMark M 'as "intermediate state", pi ═ ∪ { M' }, repeat step 3;
    step 3.4: remove M marked as "intermediate state" and repeat step 3.
CN201910957063.9A 2019-10-11 2019-10-11 Logic vulnerability analysis method for network transaction service interaction process in design stage Active CN110737901B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910957063.9A CN110737901B (en) 2019-10-11 2019-10-11 Logic vulnerability analysis method for network transaction service interaction process in design stage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910957063.9A CN110737901B (en) 2019-10-11 2019-10-11 Logic vulnerability analysis method for network transaction service interaction process in design stage

Publications (2)

Publication Number Publication Date
CN110737901A true CN110737901A (en) 2020-01-31
CN110737901B CN110737901B (en) 2021-05-18

Family

ID=69268612

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910957063.9A Active CN110737901B (en) 2019-10-11 2019-10-11 Logic vulnerability analysis method for network transaction service interaction process in design stage

Country Status (1)

Country Link
CN (1) CN110737901B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111404748A (en) * 2020-03-18 2020-07-10 陕西师范大学 Network resource configuration method based on time coloring Petri net

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105005891A (en) * 2015-06-30 2015-10-28 湖南人文科技学院 Color Petri-net based BPEL architecture mobile payment system
CN108123956A (en) * 2017-12-27 2018-06-05 中国人民解放军战略支援部队信息工程大学 Password misuse leak detection method and system based on Petri network

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105005891A (en) * 2015-06-30 2015-10-28 湖南人文科技学院 Color Petri-net based BPEL architecture mobile payment system
CN108123956A (en) * 2017-12-27 2018-06-05 中国人民解放军战略支援部队信息工程大学 Password misuse leak detection method and system based on Petri network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李文娟: "安全移动商务协议分析与研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111404748A (en) * 2020-03-18 2020-07-10 陕西师范大学 Network resource configuration method based on time coloring Petri net

Also Published As

Publication number Publication date
CN110737901B (en) 2021-05-18

Similar Documents

Publication Publication Date Title
TWI803466B (en) Blockchain implemented method and system
KR102050129B1 (en) Block chain supporting multiple one-way functions used for verification of blocks
Cohney et al. Transactional scripts in contract stacks
CN106504094B (en) Transaction matching method and system of distributed general ledger system based on block chain technology
JP2020080158A (en) System and method for implementing deterministic finite automaton (dfa) through blockchain
KR102569751B1 (en) Computer-implemented systems and methods for determining the state of machine-executable contracts implemented using blockchains
KR20210128452A (en) Computer-implemented systems and methods for implementing transfers via blockchain networks.
WO2020106961A1 (en) Lightweight blockchain supported transaction platform with proof-of-two consensus and centralized identification management
US20200320490A1 (en) Method and system for conducting a transaction using private blockchain
JP2021520732A (en) Computer-implemented systems and methods suitable for increasing the security of immediate offline blockchain transactions
US11803823B2 (en) Systems and methods for blockchain-based payment transactions, alerts, and dispute settlement, using a blockchain interface server
CN106575400A (en) Authentication system with message conversion
CN107909440B (en) Transaction synchronous clearing method and system for distributed general ledger system
US20080215357A1 (en) Detection of unknown scenarios
CN107730223A (en) It is a kind of to polymerize the system and method paid
US20220084090A1 (en) Systems and methods for managing direct exchange
US20230291561A1 (en) Blockchain tokens
CN116194940A (en) Tax mechanism based on blockchain
CN110737901B (en) Logic vulnerability analysis method for network transaction service interaction process in design stage
Uriawan et al. A dapp architecture for personal lending on blockchain
US20230013949A1 (en) Interactive user interface systems and methods for analyzing transaction attributes and dispute information using blockchain
CN114358948A (en) NFT atom exchange method, system, computer-readable storage medium and terminal device
Deljoo et al. An agent-based framework for multi-domain service networks
Yi et al. Bitcoin, Ethereum, Smart Contracts and Blockchain Types
Yu et al. Analyzing the validation flaws of online shopping systems based on coloured Petri nets

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant