CN112836217A - SGX-based block chain virtual machine method and system for dynamically reducing TCB - Google Patents

Publication number: CN112836217A
Authority: CN (China)
Prior art keywords: sensitive, virtual machine, sgx, function, intelligent contract
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110036603.7A
Other languages: Chinese (zh)
Other versions: CN112836217B (en
Inventors: 肖喜, 张焓祺, 夏树涛, 江勇, 郑海涛, 陆孺牛
Current Assignee: Shenzhen International Graduate School of Tsinghua University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Shenzhen International Graduate School of Tsinghua University
Application filed by: Shenzhen International Graduate School of Tsinghua University
Priority to: CN202110036603.7A
Publication of CN112836217A
Application granted
Publication of CN112836217B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses an SGX-based block chain virtual machine method and system for dynamically reducing the TCB. The scheme incorporates taint analysis to dynamically reduce the TCB and reduce code risk: from the intelligent contract source code it automatically locates the sensitive code statements related to sensitive data in the intelligent contract and obtains the virtual machine operation codes corresponding to those statements. After the sensitive and non-sensitive virtual machine operation codes are obtained, the selection module selects the corresponding C++ functions to run in the virtual machine according to the sensitive/non-sensitive operation codes. The virtual machine module executes the user request according to the byte code compiled from the intelligent contract; operation codes related to sensitive data are executed inside the trusted execution environment Enclave provided by SGX, and operation codes not related to sensitive data are executed outside the Enclave, so that the TCB is reduced.

Description

SGX-based block chain virtual machine method and system for dynamically reducing TCB
Technical Field
The invention relates to the technical field, in particular to a block chain virtual machine method and a block chain virtual machine system for dynamically reducing TCB based on SGX.
Background
The blockchain originated in Bitcoin, and as early as 2008, 11.1.s.. This is an open, peer-to-peer distributed network that has not developed in the past decade. The blockchain is an application of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. The individual data blocks are linked together by cryptographic methods and form information which can be used for forgery protection (validation). Each block of data, called a block, contains transactions that have been validated over a period of time, and the chain of blocks is called a block chain.
In the 5 years from 2008 to 2013, the Bitcoin network fully proved its feasibility and safety. However, the Bitcoin network still has some limitations: the user can only use its transaction function and cannot define other contents. Thus, Vitalik Buterin published the Ethereum white paper "A Next-Generation Smart Contract and Decentralized Application Platform", which proposed the Ethereum network to apply blockchains to fields other than currency. Ethereum not only has its own virtual currency, Ether, but also allows users to write programs to realize diversified functions. A user-written program is called an intelligent contract, which is a computer contract implemented in a programmed manner, and the contract will execute correctly according to the written program logic. Therefore, the intelligent contract lets the two parties reach an agreement and correctly execute it without a third party. In recent years, Ethereum has become one of the most commonly used block chain systems, since it is a well-defined system that can run intelligent contracts. An Ethereum node executes intelligent contracts through a simple stack-based architecture, the Ethereum Virtual Machine (EVM). However, all nodes in Ethereum have a full copy of the blockchain data, meaning that the data is public, but does not contain some sensitive data (e.g., financial transactions, personal data, health records). This therefore leads to a leakage of user privacy. The execution of intelligent contracts also lacks privacy because the intelligent contracts running on Ethereum involve data of the blockchain.
A Trusted Execution Environment (TEE) is a suitable solution, such as the Enclave runtime environment created by Intel Software Guard Extensions (SGX). SGX is a set of instructions provided by Intel to enhance application code and data security. The Enclave in SGX is a specific Trusted Execution Environment (TEE) that provides CPU-based protection for developers to prevent tampering with or leakage of data. SGX can prevent external applications or the operating system from interfering with programs running in the Enclave. When the intelligent contract is run in the Enclave, the operation process and the data generated during operation can be protected. However, running the entire intelligent contract program in the Enclave would result in a large Trusted Computing Base (TCB), and the potential security vulnerabilities would increase as the amount of code increases. Therefore, only code that is related to sensitive data should run in the Enclave.
In the prior art, the scheme described in patent CN111010398A provides a block chain data transmission system based on SGX encryption. According to the scheme, the block chain data is encrypted through the SGX, and the confidentiality of the encryption process is guaranteed. The data receiving unit receives user block chain data, the data encryption unit encrypts the data in a trusted execution environment provided by the SGX, the redundancy coding unit performs redundancy coding on the data, and the main control unit transmits the data to the background terminal. Because the data is encrypted in the trusted execution environment provided by the SGX, the encryption process is protected, and the security of the data is protected. However, execution of the intelligent contracts still runs outside of the trusted execution environment provided by the SGX. This scheme does not guarantee confidentiality of the execution of the intelligent contract.
The solution of patent CN109660358A proposes a data circulation method based on block chain and secure execution environment. Aiming at the field of data processing, the method ensures the privacy of the data processing process by using a trusted computing environment provided by SGX. The data demander provides an intelligent contract using data according to the intelligent contract template; the data provider extracts its own data according to the demand file to generate a standard data file; the data executor checks contract feasibility and deploys the contract; the parties sign the contract. The data provider provides data to the computing nodes protected by the SGX, and the data demander executes the deployed intelligent contract to obtain an execution result. The method protects the privacy of intelligent contract execution through the SGX trusted execution environment. However, since this method can only be applied to the data processing domain, it is not possible to run other intelligent contracts written by users in the SGX. There are limitations to this approach.
The proposal of patent CN111932249A proposes a data transaction ecosystem based on block chains. The method constructs a secure data transaction platform, and protects the execution process of the intelligent contract through the SGX. The buyer deploys a data analysis intelligent contract on the platform, the seller sends data through the platform, and the trusted node protected by the SGX analyzes the data provided by the seller by using the intelligent contract deployed by the buyer and returns the result to the buyer. In addition, the scheme also provides a reward module which gives a certain reward to the third-party trusted node for executing the intelligent contract. The scheme not only uses the SGX to protect the execution process of the intelligent contract, but also protects the data privacy of the seller, so that the buyer only obtains the data analysis result and does not obtain the data. However, since in this scheme the intelligent contracts running on trusted nodes protected by SGX can only be used to analyze data, no other intelligent contracts written by the user can be run. This solution has limitations.
The patent CN111160905A discloses a method and device for processing and protecting block chain node user requests. The method uses an internal private key to verify an access key in a security area provided by the SGX, and processes data requested by a user. The device includes a requester contract, a docking contract, a relay zone and a security zone. The requester contract constructs a request data packet according to a user request; the docking contract generates a data packet ID according to the data packet content; the relay zone verifies the data packet and sends the access key and the data packet to the security zone; the security zone uses the internal private key to verify the access key and invokes the data and methods to process the user's request. The scheme ensures that the intelligent contract is executed in the SGX, ensures the confidentiality of execution and can run any legal intelligent contract written by a user. However, running the entire program in SGX may create a large Trusted Computing Base (TCB), and the potential security vulnerabilities may increase as the amount of code increases. This approach may result in a larger TCB, thereby increasing code risk.
The scheme of patent CN111709745A proposes a block chain transaction security protection system based on SGX and a method thereof. The method protects the confidentiality of the user request of the lightweight client through the SGX execution environment of the full node. A trusted encryption channel is established between the lightweight client and the full-node server; the lightweight client constructs a request according to the user requirement; the lightweight client sends an encrypted user request to the full-node server; the full-node server decrypts and processes the user request in a trusted execution environment provided by the SGX. The scheme ensures the confidentiality of the intelligent contract executed by the lightweight client and simultaneously supports any legal intelligent contract written by a user. However, running the entire intelligent contract in the trusted execution environment provided by SGX results in a larger TCB, and the potential code risk increases as the TCB increases. This approach can result in a larger TCB, thereby increasing code risk.
In a blockchain network, the execution of intelligent contracts requires the disclosure of user data, which results in the disclosure of user privacy. In some existing schemes, only intelligent contracts with specific functions can be run in a trusted execution environment protected by SGX, so universality is poor. In other prior art schemes, the entire intelligent contract is placed in the trusted execution environment provided by the SGX, which in turn creates a larger TCB, increasing code risk.
Disclosure of Invention
The invention aims to remedy the defects of the prior art and provides an SGX-based block chain virtual machine method and system for dynamically reducing the TCB, addressing the problems that intelligent contract execution on the block chain lacks confidentiality and that placing the whole intelligent contract in the SGX causes code risk. The invention makes full use of the SGX technology, combines it with the taint analysis technology, dynamically analyzes the intelligent contract, and places only the code related to sensitive data in the Enclave for operation.
The invention is realized by the following technical scheme:
A block chain virtual machine method for dynamically reducing TCB based on SGX specifically comprises the following steps:
S1. inputting an intelligent contract source code;
S2. compiling the intelligent contract source code to obtain a byte code sequence;
S3. constructing function sets corresponding to all the virtual machine operation codes;
S4. performing taint analysis on the intelligent contract source code by adopting a taint analysis method to obtain a sensitive operation code set and a non-sensitive operation code set;
S5. selecting corresponding execution functions from the constructed function sets corresponding to all the virtual machine operation codes according to the sensitive operation code set and the non-sensitive operation code set, and sending the execution functions to the virtual machine module;
S6. the virtual machine module executes an execution function corresponding to the sensitive opcode set inside the trusted execution environment Enclave provided by the SGX, and executes an execution function corresponding to the non-sensitive opcode set outside the trusted execution environment Enclave.
In step S2, the intelligent contract source code is compiled into a byte code sequence by the Solidity compiler.
The function sets corresponding to all the virtual machine opcodes in step S3 comprise two versions of C++ function sets: the C++ function set running inside the Enclave for all the virtual machine opcodes
Figure BDA0002894585050000041
and the C++ function set running outside the Enclave
Figure BDA0002894585050000042
Step S4, performing taint analysis on the intelligent contract source code by using a taint analysis method to obtain a sensitive operation code set and a non-sensitive operation code set, which are as follows:
marking parameters of each function of the intelligent contract as sensitive, and tracking the transfer process of the sensitive variables by adopting an open source tool Slither; variables dependent on the sensitive variables are also marked as sensitive, an expression using sensitive data is also marked as a sensitive expression, and an operation code of a Solidity compiler expression is given by using an open source tool Slither, so that a sensitive operation code set of the sensitive expression is extracted; since the number of opcodes is fixed, removing the sensitive opcode set results in a non-sensitive opcode set.
The specific process of step S5 is as follows:
According to the sensitive opcode set, the corresponding C++ functions are selected from the set
Figure BDA0002894585050000051
to obtain the selected C++ function set
Figure BDA0002894585050000052
According to the non-sensitive opcode set, the corresponding C++ functions are selected from the set
Figure BDA0002894585050000053
to obtain the selected C++ function set
Figure BDA0002894585050000054
The sets
Figure BDA0002894585050000055
and
Figure BDA0002894585050000056
are then each transmitted to the virtual machine module.
The specific process of step S6 is as follows:
For sensitive operation codes, the virtual machine module runs, inside the Enclave trusted execution environment provided by SGX, the functions in the C++ function set
Figure BDA0002894585050000057
For non-sensitive operation codes, it runs, outside the Enclave trusted execution environment provided by SGX, the functions in the C++ function set
Figure BDA0002894585050000058
A block chain virtual machine system for dynamically reducing TCB based on SGX comprises a Solidity compiler, a taint analysis module, a selection module in an execution environment, and a virtual machine module;
the Solidity compiler compiles an intelligent contract source code to obtain a byte code sequence;
the taint analysis module carries out taint analysis on the intelligent contract source code to obtain a sensitive operation code set and a non-sensitive operation code set;
the selection module selects corresponding execution functions from the constructed function sets corresponding to all the virtual machine operation codes according to the sensitive operation code set and the non-sensitive operation code set and sends the execution functions to the virtual machine module;
the virtual machine module runs an execution function corresponding to the sensitive opcode set inside a trusted execution environment Enclave provided by the SGX, and executes an execution function corresponding to the non-sensitive opcode set outside the trusted execution environment Enclave.
And the execution environment is also provided with a loading and storing module.
The loading and storing module is used for loading the intelligent contract state and storing the intelligent contract new state.
The invention has the following advantages: it provides a novel SGX-based block chain virtual machine technology that combines the taint analysis technology to dynamically reduce the TCB and reduce code risk. Taint analysis is integrated into the scheme, which automatically locates the sensitive code statements related to sensitive data in an intelligent contract according to the intelligent contract source code and obtains the virtual machine operation codes corresponding to those statements.
After the sensitive and non-sensitive virtual machine operation codes are obtained, the selection module selects the corresponding C++ functions to run in the virtual machine according to the sensitive/non-sensitive operation codes. The virtual machine module executes the user request according to the byte code sequence compiled from the intelligent contract; operation codes related to sensitive data are executed inside the trusted execution environment Enclave provided by the SGX, and operation codes not related to sensitive data are executed outside the Enclave, so that the TCB is reduced.
Drawings
Fig. 1 is a working principle diagram of the present invention.
Fig. 2 is a general flow diagram of the present invention.
Detailed Description
The invention has three main aspects. First, it integrates the taint analysis technology, analyzes the intelligent contract code and searches for the code related to sensitive data; the operation codes related to the sensitive data are obtained dynamically according to the intelligent contract. Second, the selection module in the scheme selects the corresponding function executed by the virtual machine according to the operation code: a sensitive function running in the security zone is selected for a sensitive operation code, and a non-sensitive function not running in the security zone is selected for a non-sensitive operation code. Third, the invention constructs the execution environment of the intelligent contract, namely the virtual machine, runs the code related to sensitive data in the trusted execution environment Enclave provided by the SGX, and executes the code not related to sensitive data outside the Enclave. Therefore, following the intelligent contract code logic, the invention places only the code related to sensitive data in the trusted execution environment of SGX, thereby ensuring the confidentiality of execution and dynamically reducing the TCB.
As shown in Fig. 1 and Fig. 2,
Figure BDA0002894585050000061
and
Figure BDA0002894585050000062
respectively represent the C++ function set running inside the Enclave and the C++ function set running outside the Enclave, corresponding to all the virtual machine operation codes;
Figure BDA0002894585050000063
and
Figure BDA0002894585050000064
represent the C++ function sets divided out by the selection module, corresponding respectively to the C++ function set running inside the Enclave and the C++ function set running outside the Enclave.
Taint analysis is the first part of the protocol. We developed the taint analysis program with the Python API provided by the third-party open source tool Slither. Slither is an intelligent contract static analysis framework proposed in 2019 and can be used for vulnerability detection, code optimization suggestion, code understanding and code review.
The method takes the source code of the intelligent contract as input, and each parameter of each function of the contract depends on a variable controlled by a user and represents the privacy of the user, so that the parameter of each function of the contract is marked as sensitive, and Slither tracks the transfer process of the sensitive variable. Variables that depend on sensitive variables are also marked as sensitive, and expressions that use sensitive data are also marked as sensitive. Thus, this step can obtain all sensitive expressions. Since Slither can give the opcode of the Solidity expression, the sensitive opcode of the sensitive expression can be extracted. Since the number of opcodes is fixed, this step can also result in insensitive opcodes. Sensitive opcodes and non-sensitive opcodes will be used for the next part of the invention.
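The marking and propagation rule described above, as an added example that is not the patent's Slither-based program: it runs the rule over a constructed statement list and derives the two opcode sets. The `Stmt` layout, the variable names and the six-opcode universe are assumptions made for illustration.

```cpp
// Added example (not from the patent): flow-insensitive taint propagation over
// a constructed statement list, then the sensitive / non-sensitive opcode split.
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

using OpSet = std::set<std::string>;

struct Stmt {                       // hypothetical stand-in for one analysed expression
    std::string def;                // variable written ("" if none)
    std::vector<std::string> uses;  // variables read
    OpSet ops;                      // opcodes the expression compiles to
};

struct Split { OpSet sensitive, non_sensitive; };

Split split_opcodes(const std::vector<Stmt>& body, const OpSet& params,
                    const OpSet& all_ops) {
    OpSet tainted = params;                     // every function parameter starts sensitive
    std::vector<bool> hot(body.size(), false);  // hot[i]: statement i is sensitive
    for (bool changed = true; changed;) {       // repeat until no new statement is marked
        changed = false;
        for (std::size_t i = 0; i < body.size(); ++i) {
            if (hot[i]) continue;
            bool reads_taint = false;
            for (const auto& u : body[i].uses)
                reads_taint = reads_taint || tainted.count(u) > 0;
            if (!reads_taint) continue;
            hot[i] = changed = true;            // expression uses sensitive data
            if (!body[i].def.empty()) tainted.insert(body[i].def);  // result is sensitive too
        }
    }
    Split out;
    for (std::size_t i = 0; i < body.size(); ++i)
        if (hot[i])
            for (const auto& op : body[i].ops)
                if (all_ops.count(op)) out.sensitive.insert(op);
    // The opcode universe is fixed, so the rest is the non-sensitive set.
    for (const auto& op : all_ops)
        if (!out.sensitive.count(op)) out.non_sensitive.insert(op);
    return out;
}

Split demo_split() {
    // Constructed body of f(to, amount); cap, fee, bonus and counter are state variables.
    std::vector<Stmt> body = {
        {"limit",   {"cap"},          {"SLOAD"}},
        {"total",   {"net", "bonus"}, {"ADD"}},   // sensitive only once net is marked
        {"net",     {"amount", "fee"}, {"SUB"}},  // reads the parameter amount
        {"counter", {"counter"},      {"PUSH1", "ADD", "SSTORE"}},
    };
    OpSet all_ops = {"ADD", "SUB", "MUL", "SLOAD", "SSTORE", "PUSH1"};
    return split_opcodes(body, {"to", "amount"}, all_ops);
}

int main() {
    Split s = demo_split();
    std::cout << "sensitive:";
    for (const auto& op : s.sensitive) std::cout << ' ' << op;
    std::cout << "\nnon-sensitive:";
    for (const auto& op : s.non_sensitive) std::cout << ' ' << op;
    std::cout << '\n';
}
```

Because the split is per opcode, the `ADD` in the untainted `counter` statement also lands in the sensitive set once any sensitive expression uses `ADD`.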
Selection module: because the SDKs related to the SGX are all based on the C++ language, the C++ language is also adopted for designing the virtual machine. The virtual machine running bytecode is therefore equivalent to the program executing the C++ function corresponding to each bytecode. Because of the design principle of SGX, some common C++ standard library (STL) facilities cannot be used inside the Enclave, so the C++ function running inside the Enclave and the C++ function running outside the Enclave for the same bytecode have the same logic but different code implementations. Therefore, for each bytecode, two versions of C++ functions need to be implemented, namely a function version running inside the Enclave and a function version running outside the Enclave.
The invention implements two versions of C++ function libraries for all the virtual machine operation codes:
Figure BDA0002894585050000071
and
Figure BDA0002894585050000072
which respectively represent the C++ function set running inside the Enclave and the C++ function set running outside the Enclave, corresponding to all the virtual machine operation codes. According to the sensitive and non-sensitive operation codes generated by the taint analysis, the selection module in the execution environment extracts the C++ functions corresponding to the virtual machine operation codes from
Figure BDA0002894585050000073
and
Figure BDA0002894585050000074
respectively, generating
Figure BDA0002894585050000075
and
Figure BDA0002894585050000076
These function sets are used in the next part of the invention.
The load and store module in the execution environment is primarily responsible for loading the intelligent contract state and storing the new state. The virtual machine executes the user's request according to the byte code compiled from the intelligent contract. For sensitive operation codes, it runs, inside the trusted execution environment Enclave provided by SGX, the functions in
Figure BDA0002894585050000077
For non-sensitive opcodes, it runs, outside the Enclave, the functions in
Figure BDA0002894585050000081
The specific implementation method comprises the following steps:
(1) a user inputs an intelligent contract source code;
(2) a Solidity compiler compiles a source code to obtain a byte code sequence and transmits the byte code sequence to an execution environment;
(3) the taint analysis module carries out taint analysis on the intelligent contract source code to obtain a sensitive operation code set and a non-sensitive operation code set;
(4) according to the sensitive/non-sensitive opcode sets, the selection module selects the corresponding C++ functions from
Figure BDA0002894585050000082
to obtain
Figure BDA0002894585050000083
and transmits them to the virtual machine module;
(5) the loading and storing module reads the state of the intelligent contract;
(6) the virtual machine module executes the intelligent contract byte codes, and the loading and storing module stores the new state of the intelligent contract.
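Steps (4) and (6) as an added example, not the patent's implementation: a selection step that splits two per-opcode handler tables by the sensitive set, and a small stack VM that dispatches each opcode to the matching side. The Enclave is only simulated with a flag, both sides share one stack (the page does not describe how operands cross the boundary), and the opcode names, handler tables and bytecode are constructed.

```cpp
// Added example (not from the patent): selection module plus split dispatch,
// with the Enclave boundary simulated by a flag.
#include <cstdint>
#include <functional>
#include <iostream>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

using Stack = std::vector<std::int64_t>;
using Handler = std::function<void(Stack&, std::int64_t)>;
using Table = std::map<std::string, Handler>;
struct Instr { std::string op; std::int64_t imm; };

static std::int64_t pop(Stack& s) {
    if (s.empty()) throw std::runtime_error("stack underflow");
    std::int64_t v = s.back();
    s.pop_back();
    return v;
}

// One handler per opcode. The page calls for two implementations with the same
// logic (inside and outside the Enclave); this simulation reuses one body for both.
Table make_table() {
    Table t;
    t["PUSH"] = [](Stack& s, std::int64_t imm) { s.push_back(imm); };
    t["ADD"] = [](Stack& s, std::int64_t) { auto b = pop(s), a = pop(s); s.push_back(a + b); };
    t["SUB"] = [](Stack& s, std::int64_t) { auto b = pop(s), a = pop(s); s.push_back(a - b); };
    t["MUL"] = [](Stack& s, std::int64_t) { auto b = pop(s), a = pop(s); s.push_back(a * b); };
    return t;
}

struct Selected { Table inside, outside; };

// Selection: keep the in-Enclave version of sensitive opcodes and the
// outside version of every other opcode.
Selected select_handlers(const Table& f_in, const Table& f_out,
                         const std::set<std::string>& sensitive) {
    Selected s;
    for (const auto& kv : f_in)
        if (sensitive.count(kv.first)) s.inside.insert(kv);
    for (const auto& kv : f_out)
        if (!sensitive.count(kv.first)) s.outside.insert(kv);
    return s;
}

struct Result { std::int64_t top; int inside_steps; int outside_steps; int crossings; };

Result run(const std::vector<Instr>& code, const Selected& sel) {
    Stack st;
    Result r{0, 0, 0, 0};
    bool in_enclave = false;                     // simulated execution side
    for (const auto& ins : code) {
        bool inside = sel.inside.count(ins.op) > 0;
        const Table& table = inside ? sel.inside : sel.outside;
        auto it = table.find(ins.op);
        if (it == table.end()) throw std::runtime_error("no handler for " + ins.op);
        if (inside != in_enclave) { ++r.crossings; in_enclave = inside; }
        it->second(st, ins.imm);
        ++(inside ? r.inside_steps : r.outside_steps);
    }
    r.top = st.empty() ? 0 : st.back();
    return r;
}

Result demo_run() {
    // Constructed bytecode for (100 - 30) * 2, with ADD and SUB marked sensitive.
    std::vector<Instr> code = {{"PUSH", 100}, {"PUSH", 30}, {"SUB", 0}, {"PUSH", 2}, {"MUL", 0}};
    Selected sel = select_handlers(make_table(), make_table(), {"ADD", "SUB"});
    return run(code, sel);
}

int main() {
    Result r = demo_run();
    std::cout << "top=" << r.top << " inside=" << r.inside_steps
              << " outside=" << r.outside_steps << " crossings=" << r.crossings << '\n';
}
```

Only the two selected handlers would need to be part of the Enclave image in this toy setup, and the crossing counter shows how often execution switches sides for a given bytecode sequence.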
1. Taint analysis technology for searching intelligent contract sensitive virtual machine operation code
Taint analysis techniques are commonly used to analyze whether data introduced by taint sources in a program is directly propagated to taint sinks, which can create privacy data disclosure problems. Traditional taint analysis is used for analyzing the propagation of sensitive variables (taint variables); the taint analysis technology provided by the invention, on the basis of finding the sensitive variables, further searches for the sensitive statements related to the sensitive variables and the sensitive virtual machine operation codes corresponding to those statements. No existing research has considered searching for intelligent-contract-sensitive virtual machine opcodes through taint analysis techniques, nor integrating taint analysis with SGX-based secure execution of intelligent contracts.
2. Secure execution environment for dynamic TCB reduction based on SGX
In some existing research, although the operation process of the intelligent contract is protected by combining the trusted execution environment provided by the SGX with the virtual machine, running the whole contract in the trusted environment causes a larger TCB, and code risk and security vulnerabilities increase with the increase of the TCB. In the invention, on the basis of combining the SGX and the intelligent contract virtual machine, the sensitive and non-sensitive virtual machine operation codes are obtained by searching through the taint analysis technology; the sensitive operation codes are dynamically run in the trusted execution environment Enclave provided by the SGX, and the non-sensitive operation codes are run outside the Enclave, so that the aim of dynamically reducing the TCB according to the intelligent contract is fulfilled.

Claims (9)

1. A block chain virtual machine method for dynamically reducing TCB based on SGX is characterized in that: the method specifically comprises the following steps:
S1. inputting an intelligent contract source code;
S2. compiling the intelligent contract source code to obtain a byte code sequence;
S3. constructing function sets corresponding to all the virtual machine operation codes;
S4. performing taint analysis on the intelligent contract source code by adopting a taint analysis method to obtain a sensitive operation code set and a non-sensitive operation code set;
S5. selecting corresponding execution functions from the constructed function sets corresponding to all the virtual machine operation codes according to the sensitive operation code set and the non-sensitive operation code set, and sending the execution functions to the virtual machine module;
S6. the virtual machine module executes an execution function corresponding to the sensitive opcode set inside the trusted execution environment Enclave provided by the SGX, and executes an execution function corresponding to the non-sensitive opcode set outside the trusted execution environment Enclave.
2. The SGX-based block chain virtual machine method for dynamically reducing TCBs according to claim 1, wherein: in step S2, the intelligent contract source code is compiled into a byte code sequence by the Solidity compiler.
3. The SGX-based block chain virtual machine method for dynamically reducing TCBs according to claim 2, wherein: the function sets corresponding to all the virtual machine operation codes comprise two versions of C++ function sets, namely the C++ function set running inside the Enclave corresponding to all the virtual machine operation codes
Figure FDA0002894585040000011
and the C++ function set running outside the Enclave
Figure FDA0002894585040000012
4. The SGX-based block chain virtual machine method for dynamically reducing TCB according to claim 3, wherein: in step S4, taint analysis is performed on the smart contract source code by a taint analysis method to obtain the sensitive opcode set and the non-sensitive opcode set, specifically as follows:
the parameters of each function of the smart contract are marked as sensitive, and the open-source tool Slither is used to track the propagation of the sensitive variables; variables that depend on the sensitive variables are also marked as sensitive, and an expression that uses sensitive data is also marked as a sensitive expression; the open-source tool Slither is used to give the opcodes that the Solidity compiler produces for an expression, so that the sensitive opcode set of the sensitive expressions is extracted; since the number of opcodes is fixed, removing the sensitive opcode set yields the non-sensitive opcode set.
5. The SGX-based block chain virtual machine method for dynamically reducing TCB according to claim 4, wherein: the specific process of step S5 is as follows:
according to the sensitive opcode set, the corresponding C++ functions are selected from the set
Figure FDA0002894585040000021
to obtain the selected C++ function set
Figure FDA0002894585040000022
according to the non-sensitive opcode set, the corresponding C++ functions are selected from the set
Figure FDA0002894585040000023
to obtain the selected C++ function set
Figure FDA0002894585040000024
and the set
Figure FDA0002894585040000025
and the set
Figure FDA0002894585040000026
are respectively sent to the virtual machine module.
6. The SGX-based block chain virtual machine method for dynamically reducing TCB according to claim 5, wherein: the specific process of step S6 is as follows:
for sensitive opcodes, the virtual machine module runs the functions in the C++ function set
Figure FDA0002894585040000027
inside the Enclave trusted execution environment provided by SGX; for non-sensitive opcodes, it runs the functions in the C++ function set
Figure FDA0002894585040000028
outside the Enclave trusted execution environment provided by SGX.
7. An SGX-based block chain virtual machine system for dynamically reducing TCB, comprising: a Solidity compiler, a taint analysis module, a selection module and a virtual machine module;
the Solidity compiler compiles a smart contract source code to obtain a bytecode sequence;
the taint analysis module performs taint analysis on the smart contract source code to obtain a sensitive opcode set and a non-sensitive opcode set;
the selection module selects, according to the sensitive opcode set and the non-sensitive opcode set, the corresponding execution functions from the constructed function sets corresponding to all the virtual machine opcodes, and sends the execution functions to the virtual machine module;
the virtual machine module runs the execution functions corresponding to the sensitive opcode set inside a trusted execution environment Enclave provided by SGX, and executes the execution functions corresponding to the non-sensitive opcode set outside the trusted execution environment Enclave.
8. The SGX-based block chain virtual machine system for dynamically reducing TCB according to claim 7, wherein: the execution environment is further provided with a loading and storing module.
9. The SGX-based block chain virtual machine system for dynamically reducing TCB according to claim 8, wherein: the loading and storing module is used for loading the smart contract state and storing the new smart contract state.
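The pipeline of claims 1 and 4 to 6 (taint propagation, sensitive opcode extraction, function selection, split dispatch) can be modelled in a few lines. This is an added illustration, not the patent's implementation: it calls neither Slither nor SGX, and the expression table, opcode subset, bytecode and handler tables are constructed assumptions.

```python
# Added illustration: constructed toy IR and opcode subset; no Slither, EVM or SGX calls.
ALL_OPCODES = {"PUSH", "ADD", "MUL", "SUB", "SLOAD", "SSTORE", "LT", "JUMPI", "TIMESTAMP"}
PARAMS = {"to", "amount"}  # claim 4: every function parameter starts out sensitive

# Hypothetical IR rows: (variable defined or None, variables read, opcodes emitted)
EXPRESSIONS = [
    ("total", {"bal", "fee"}, {"ADD"}),      # listed before its inputs on purpose
    ("fee", {"amount"}, {"PUSH", "MUL"}),
    ("bal", {"to"}, {"SLOAD"}),
    (None, {"total"}, {"SSTORE"}),
    ("now", set(), {"TIMESTAMP"}),
    ("late", {"now"}, {"PUSH", "LT"}),
    (None, {"late"}, {"JUMPI"}),
]
BYTECODE = ["PUSH", "MUL", "SLOAD", "ADD", "SSTORE", "TIMESTAMP", "PUSH", "LT", "JUMPI"]

def taint_analysis(params, expressions, all_opcodes):
    """Return (sensitive opcode set, non-sensitive opcode set)."""
    tainted = set(params)
    changed = True
    while changed:  # fixed point: taint flows to any variable that reads a tainted one
        changed = False
        for target, reads, _ in expressions:
            if target and target not in tainted and reads & tainted:
                tainted.add(target)
                changed = True
    sensitive = set()
    for _, reads, opcodes in expressions:
        if reads & tainted:  # an expression using sensitive data is sensitive
            sensitive |= opcodes
    return sensitive, all_opcodes - sensitive  # complement over the fixed opcode set

def build_function_set(location):
    """Stand-in for one of the two C++ function sets: one handler per opcode."""
    return {op: (lambda op=op: (op, location)) for op in ALL_OPCODES}

def select(sensitive, non_sensitive):
    """Step S5: keep only the handlers each side actually needs."""
    inside_all, outside_all = build_function_set("enclave"), build_function_set("host")
    return ({op: inside_all[op] for op in sensitive},
            {op: outside_all[op] for op in non_sensitive})

def execute(bytecode, inside, outside):
    """Step S6: dispatch each opcode to the enclave-side or host-side handler."""
    return [(inside[op] if op in inside else outside[op])() for op in bytecode]

if __name__ == "__main__":
    sens, non = taint_analysis(PARAMS, EXPRESSIONS, ALL_OPCODES)
    inside, outside = select(sens, non)
    print(sorted(sens), sorted(non))
    print(execute(BYTECODE, inside, outside))
```

Because the partition is made per opcode, `PUSH` lands in the sensitive set as soon as one sensitive expression emits it, so in this model the `PUSH` belonging to the untainted `late` comparison also runs on the enclave side.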
CN202110036603.7A 2021-01-12 2021-01-12 SGX-based block chain virtual machine method and system for dynamically reducing TCB Active CN112836217B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110036603.7A CN112836217B (en) 2021-01-12 2021-01-12 SGX-based block chain virtual machine method and system for dynamically reducing TCB

Publications (2)

Publication Number Publication Date
CN112836217A true CN112836217A (en) 2021-05-25
CN112836217B CN112836217B (en) 2023-02-10

Family

ID=75927811

Country Status (1)

Country Link
CN (1) CN112836217B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113609481A (en) * 2021-06-02 2021-11-05 西安四叶草信息技术有限公司 Byte code-based PHP taint analysis method and device
CN113609481B (en) * 2021-06-02 2024-01-30 西安四叶草信息技术有限公司 PHP taint analysis method and device based on byte codes
CN114301928A (en) * 2021-11-29 2022-04-08 之江实验室 SGX-based chain uplink and downlink mixed consensus method and system
WO2024001038A1 (en) * 2022-06-29 2024-01-04 蚂蚁区块链科技 (上海) 有限公司 Method for detecting private data leak

Also Published As

Publication number Publication date
CN112836217B (en) 2023-02-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant