CN112836217A - SGX-based block chain virtual machine method and system for dynamically reducing TCB - Google Patents
- Publication number
- CN112836217A
- Authority
- CN
- China
- Prior art keywords
- sensitive
- virtual machine
- sgx
- function
- intelligent contract
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
Abstract
The invention discloses an SGX-based blockchain virtual machine method and system for dynamically reducing the TCB. It incorporates taint analysis to reduce the TCB dynamically and lower code risk: from the smart contract source code, taint analysis automatically locates the sensitive code statements that involve sensitive data and obtains the virtual machine opcodes corresponding to those statements. Once the sensitive and non-sensitive virtual machine opcodes have been obtained, the selection module selects, for each sensitive or non-sensitive opcode, the corresponding C++ function to run in the virtual machine. The virtual machine module executes the user request according to the bytecode compiled from the smart contract: opcodes related to sensitive data are executed inside the trusted execution environment Enclave provided by SGX, and opcodes not related to sensitive data are executed outside the Enclave, so that the TCB is reduced.
Description
Technical Field
The invention relates to the technical field, in particular to an SGX-based blockchain virtual machine method and system for dynamically reducing the TCB.
Background
Blockchain originated with Bitcoin, and as early as 2008, 11.1.s.. This is an open, peer-to-peer distributed network that has not developed in the past decade. A blockchain is an application system built on computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. Individual data blocks are linked together by cryptographic methods and form information that can be used for forgery protection (validation). Each data block, called a block, contains the transactions validated over a period of time, and the chain of blocks is called a blockchain.
In the five years from 2008 to 2013, the Bitcoin network fully proved its feasibility and security. However, the Bitcoin network still has limitations: users can only use its transaction function and cannot define other content. Vitalik Buterin therefore published the Ethereum white paper "A Next-Generation Smart Contract and Decentralized Application Platform", which proposed the Ethereum network to apply blockchains to fields other than currency. Ethereum not only has its own virtual currency, Ether, but also allows users to write programs that implement diverse functions. A user-written program is called a smart contract: a contract implemented as a computer program, which executes correctly according to the written program logic. A smart contract therefore lets two parties reach an agreement and have it executed correctly without a third party. In recent years Ethereum has become one of the most commonly used blockchain systems, since it is a well-defined system that can run smart contracts. An Ethereum node executes smart contracts on a simple stack-based architecture, the Ethereum Virtual Machine (EVM). However, all nodes in Ethereum hold a full copy of the blockchain data, meaning that the data is public, but does not contain some sensitive data (e.g., financial transactions, personal data, health records). This therefore leads to a leakage of user privacy. The execution of smart contracts also lacks privacy, because the smart contracts running on Ethereum involve the data of the blockchain.
A Trusted Execution Environment (TEE) is a suitable solution, for example the Enclave runtime environment created by Intel Software Guard Extensions (SGX). SGX is a set of instructions provided by Intel to enhance the security of application code and data. The Enclave in SGX is a specific TEE that gives developers CPU-based protection against tampering with or leakage of data. SGX can prevent external applications or the operating system from interfering with programs running in the Enclave. Running a smart contract in the Enclave protects both its execution and the data generated during execution. However, running the entire smart contract program in the Enclave results in a large Trusted Computing Base (TCB), and potential security vulnerabilities increase as the amount of code increases. Therefore, only code that is related to sensitive data should run in the Enclave.
In the prior art, patent CN111010398A provides a blockchain data transmission system based on SGX encryption. The scheme encrypts blockchain data through SGX and guarantees the confidentiality of the encryption process. A data receiving unit receives the user's blockchain data, a data encryption unit encrypts the data in the trusted execution environment provided by SGX, a redundancy coding unit applies redundancy coding to the data, and a main control unit transmits the data to the background terminal. Because the data is encrypted in the trusted execution environment provided by SGX, the encryption process is protected and so is the security of the data. However, smart contracts still execute outside the trusted execution environment provided by SGX, so this scheme does not guarantee the confidentiality of smart contract execution. Patent CN109660358A proposes a data circulation method based on blockchain and a secure execution environment. Aimed at the field of data processing, the method uses the trusted computing environment provided by SGX to keep the data processing private. The data demander provides a smart contract that uses the data, written according to a smart contract template; the data provider extracts its own data according to the demand file to generate a standard data file; the data executor checks the feasibility of the contract and deploys it; the parties sign the contract. The data provider supplies data to the computing nodes protected by SGX, and the data demander executes the deployed smart contract to obtain the execution result. The method protects the privacy of smart contract execution through the SGX trusted execution environment.
However, since this method applies only to the data processing domain, other smart contracts written by users cannot be run in SGX, which limits the approach. Patent CN111932249A proposes a data transaction ecosystem based on blockchain. The method builds a secure data transaction platform and protects the execution of smart contracts through SGX. The buyer deploys a data analysis smart contract on the platform, the seller sends data through the platform, and a trusted node protected by SGX analyzes the seller's data using the smart contract deployed by the buyer and returns the result to the buyer. The scheme also provides a reward module that rewards third-party trusted nodes for executing the smart contract. The scheme not only protects the execution of the smart contract with SGX but also protects the seller's data privacy, so that the buyer obtains only the analysis result and not the data. However, since the smart contracts running on the SGX-protected trusted nodes can only be used to analyze data, other smart contracts written by users cannot be run, which limits this solution. Patent CN111160905A discloses a method and device for processing and protecting blockchain node user requests. The method uses an internal private key to verify an access key in the security area provided by SGX and processes the data requested by the user. The device includes a requester contract, a docking contract, a relay zone and a security zone.
The requester contract constructs a request data packet according to the user request; the docking contract generates a data packet ID from the packet content; the relay zone verifies the data packet and sends the access key and the data packet to the security zone; the security zone uses the internal private key to verify the access key and invokes the data and methods to process the user's request. The scheme ensures that the smart contract is executed in SGX, guarantees the confidentiality of execution, and can run any legal smart contract written by a user. However, running the entire program in SGX creates a large Trusted Computing Base (TCB), and potential security vulnerabilities increase as the amount of code increases, so this approach increases code risk. Patent CN111709745A proposes an SGX-based blockchain transaction security protection system and method. The method protects the confidentiality of the lightweight client's user requests through the SGX execution environment of the full node. A trusted encrypted channel is established between the lightweight client and the full-node server; the lightweight client constructs a request according to the user's requirement; the lightweight client sends the encrypted user request to the full-node server; the full-node server decrypts and processes the user request in the trusted execution environment provided by SGX. The scheme ensures the confidentiality of smart contracts executed for the lightweight client and supports any legal smart contract written by a user. However, running the entire smart contract in the trusted execution environment provided by SGX results in a larger TCB, and the potential code risk increases as the TCB grows.
In a blockchain network, executing smart contracts requires disclosing user data, which exposes user privacy. In some existing schemes, only smart contracts with specific functions can run in the trusted execution environment protected by SGX, so generality is poor. In other prior-art schemes, the entire smart contract is placed in the trusted execution environment provided by SGX, which creates a larger TCB and increases code risk.
Disclosure of Invention
The invention aims to remedy the defects of the prior art and provides an SGX-based blockchain virtual machine method and system for dynamically reducing the TCB, addressing two problems: smart contract execution on a blockchain lacks confidentiality, and placing the whole smart contract in SGX creates code risk. The invention makes full use of SGX technology, combines it with taint analysis, analyzes the smart contract dynamically, and places only the code related to sensitive data in the Enclave to run.
The invention is realized by the following technical scheme:
An SGX-based blockchain virtual machine method for dynamically reducing the TCB specifically comprises the following steps:
S1, inputting the smart contract source code;
S2, compiling the smart contract source code to obtain a bytecode sequence;
S3, constructing the function sets corresponding to all the virtual machine opcodes;
S4, performing taint analysis on the smart contract source code to obtain a sensitive opcode set and a non-sensitive opcode set;
S5, selecting, according to the sensitive opcode set and the non-sensitive opcode set, the corresponding execution functions from the constructed function sets corresponding to all the virtual machine opcodes, and sending the execution functions to the virtual machine module;
S6, the virtual machine module executes the execution functions corresponding to the sensitive opcode set inside the trusted execution environment Enclave provided by SGX, and executes the execution functions corresponding to the non-sensitive opcode set outside the Enclave.
In step S2, the smart contract source code is compiled into a bytecode sequence by the Solidity compiler.
The function sets corresponding to all the virtual machine opcodes in step S3 comprise two versions of C++ function sets: the C++ function set running inside the Enclave and the C++ function set running outside the Enclave, each covering all the virtual machine opcodes.
In step S4, taint analysis is performed on the smart contract source code to obtain the sensitive opcode set and the non-sensitive opcode set, as follows:
The parameters of each function of the smart contract are marked as sensitive, and the open-source tool Slither tracks how the sensitive variables propagate; variables that depend on sensitive variables are also marked as sensitive, and an expression that uses sensitive data is marked as a sensitive expression. Slither gives the opcodes of each Solidity expression, so the sensitive opcode set of the sensitive expressions can be extracted; since the number of opcodes is fixed, removing the sensitive opcode set leaves the non-sensitive opcode set.
The specific process of step S5 is as follows:
According to the sensitive opcode set, the corresponding C++ functions are selected from the set of functions running inside the Enclave, giving the selected inside-Enclave C++ function set; according to the non-sensitive opcode set, the corresponding C++ functions are selected from the set of functions running outside the Enclave, giving the selected outside-Enclave C++ function set. Both selected sets are transmitted to the virtual machine module.
The specific process of step S6 is as follows:
For sensitive opcodes, the virtual machine module runs the functions of the selected C++ function set inside the Enclave trusted execution environment provided by SGX; for non-sensitive opcodes, it runs the functions of the selected C++ function set outside the Enclave.
An SGX-based blockchain virtual machine system for dynamically reducing the TCB comprises a Solidity compiler, a taint analysis module, and, in the execution environment, a selection module and a virtual machine module;
the Solidity compiler compiles the smart contract source code to obtain a bytecode sequence;
the taint analysis module performs taint analysis on the smart contract source code to obtain a sensitive opcode set and a non-sensitive opcode set;
the selection module selects, according to the sensitive opcode set and the non-sensitive opcode set, the corresponding execution functions from the constructed function sets corresponding to all the virtual machine opcodes and sends them to the virtual machine module;
the virtual machine module runs the execution functions corresponding to the sensitive opcode set inside the trusted execution environment Enclave provided by SGX, and executes the execution functions corresponding to the non-sensitive opcode set outside the Enclave.
The execution environment is also provided with a load and store module.
The load and store module loads the smart contract state and stores the new smart contract state.
The advantages of the invention are as follows. The invention provides a novel SGX-based blockchain virtual machine technology that incorporates taint analysis to reduce the TCB dynamically and lower code risk: from the smart contract source code, taint analysis automatically locates the sensitive code statements that involve sensitive data and obtains the virtual machine opcodes corresponding to those statements.
Once the sensitive and non-sensitive virtual machine opcodes have been obtained, the selection module selects, for each sensitive or non-sensitive opcode, the corresponding C++ function to run in the virtual machine. The virtual machine module executes the user request according to the bytecode sequence compiled from the smart contract: opcodes related to sensitive data are executed inside the trusted execution environment Enclave provided by SGX, and opcodes not related to sensitive data are executed outside the Enclave, so that the TCB is reduced.
Drawings
Fig. 1 is a working principle diagram of the present invention.
Fig. 2 is a general flow diagram of the present invention.
Detailed Description
The invention has three main aspects. First, it integrates taint analysis, which analyzes the smart contract code and finds the code related to sensitive data, so that the opcodes related to sensitive data are obtained dynamically for each smart contract. Second, the selection module selects the function the virtual machine executes for each opcode: for a sensitive opcode it selects the sensitive function that runs in the security zone, and for a non-sensitive opcode it selects the non-sensitive function that does not run in the security zone. Third, the invention constructs the execution environment of the smart contract, namely the virtual machine, which runs the code related to sensitive data inside the trusted execution environment Enclave provided by SGX and executes the code not related to sensitive data outside the Enclave. The invention can therefore place only the code related to sensitive data in the SGX trusted execution environment, following the logic of the smart contract code, which ensures the confidentiality of execution and dynamically reduces the TCB.
As shown in Figs. 1 and 2, the figures distinguish four C++ function sets: the set running inside the Enclave and the set running outside the Enclave that correspond to all the virtual machine opcodes, and the two sets chosen by the selection module, which likewise run inside the Enclave and outside the Enclave respectively.
Taint analysis is the first part of the scheme. We developed the taint analysis program with the Python API provided by the third-party open-source tool Slither. Slither is a smart contract static analysis framework proposed in 2019 that can be used for vulnerability detection, code optimization suggestions, code understanding and code review.
The method takes the source code of the smart contract as input. Each parameter of each contract function depends on a variable controlled by the user and represents the user's privacy, so the parameters of every contract function are marked as sensitive, and Slither tracks how the sensitive variables propagate. Variables that depend on sensitive variables are also marked as sensitive, and expressions that use sensitive data are also marked as sensitive. This step therefore yields all sensitive expressions. Since Slither can give the opcodes of a Solidity expression, the sensitive opcodes of the sensitive expressions can be extracted. Since the number of opcodes is fixed, this step also yields the non-sensitive opcodes. The sensitive and non-sensitive opcodes are used in the next part of the invention.
Selection module: because the SDKs for SGX are all based on C++, the virtual machine is also designed in C++. Running bytecode in the virtual machine therefore amounts to the program executing the C++ function that corresponds to each bytecode. Because of the design of SGX, some common C++ standard libraries (STLs) cannot be used inside the Enclave, so the C++ function running inside the Enclave and the C++ function running outside the Enclave for the same bytecode have the same logic but different code. Two versions of the C++ function therefore need to be implemented for each bytecode: one that runs inside the Enclave and one that runs outside the Enclave.
The invention implements two versions of the C++ function library for all the virtual machine opcodes: the C++ function set running inside the Enclave and the C++ function set running outside the Enclave. According to the sensitive and non-sensitive opcodes produced by taint analysis, the selection module in the execution environment extracts from these two sets the C++ functions corresponding to the virtual machine opcodes and generates the two selected function sets, which are used in the next part of the invention.
The load and store module in the execution environment is mainly responsible for loading the smart contract state and storing the new state. The virtual machine executes the user's request according to the bytecode compiled from the smart contract. For sensitive opcodes, it runs the functions of the selected function set inside the Enclave execution environment provided by SGX; for non-sensitive opcodes, it runs the functions of the selected function set outside the Enclave.
The specific implementation comprises the following steps:
(1) a user inputs the smart contract source code;
(2) the Solidity compiler compiles the source code to obtain a bytecode sequence and transmits it to the execution environment;
(3) the taint analysis module performs taint analysis on the smart contract source code to obtain a sensitive opcode set and a non-sensitive opcode set;
(4) the selection module selects, according to the sensitive and non-sensitive opcode sets, the corresponding C++ functions from the two function sets and transmits the selected functions to the virtual machine module;
(5) the load and store module reads the state of the smart contract;
(6) the virtual machine module executes the smart contract bytecode, and the load and store module stores the new state of the smart contract.
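The taint analysis, selection and dispatch steps above, modelled end to end in Python as an added example (not code from the patent or its authors). The contract, the statement-to-opcode mapping, the handler names and the propagation of taint across functions through state variables are assumptions of this model; the patent obtains the dependencies and per-expression opcodes from Slither.

```python
"""Model of steps S4-S6: taint analysis, opcode partition, handler selection, dispatch.
Added illustration: the contract, opcode mapping and handler names are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed subset of EVM opcodes standing in for "all virtual machine opcodes".
ALL_OPCODES: FrozenSet[str] = frozenset(
    {"ADD", "SUB", "MUL", "LT", "SLOAD", "SSTORE", "JUMPI", "TIMESTAMP", "CALLER"})


@dataclass(frozen=True)
class Stmt:
    target: Optional[str]     # variable the expression writes, if any
    reads: Tuple[str, ...]    # variables the expression reads
    opcodes: Tuple[str, ...]  # opcodes the expression compiles to (constructed)


@dataclass(frozen=True)
class Function:
    params: Tuple[str, ...]
    body: Tuple[Stmt, ...]


# Constructed contract, roughly:
#   uint balance; uint rate; uint counter; uint lastSeen;
#   function isLow() returns (bool) { return balance < 100; }
#   function deposit(uint amount) {
#       uint fee = amount * rate;  balance = balance - fee;
#       counter = counter + 1;     lastSeen = block.timestamp; }
STATE_VARS = frozenset({"balance", "rate", "counter", "lastSeen"})
CONTRACT: Dict[str, Function] = {
    "isLow": Function((), (Stmt(None, ("balance",), ("SLOAD", "LT")),)),
    "deposit": Function(("amount",), (
        Stmt("fee", ("amount", "rate"), ("SLOAD", "MUL")),
        Stmt("balance", ("balance", "fee"), ("SLOAD", "SUB", "SSTORE")),
        Stmt("counter", ("counter",), ("SLOAD", "ADD", "SSTORE")),
        Stmt("lastSeen", (), ("TIMESTAMP", "SSTORE")),
    )),
}


def _key(fn: str, name: str) -> str:
    """State variables are contract-wide; parameters and locals are per function."""
    return name if name in STATE_VARS else f"{fn}.{name}"


def taint_analysis(contract: Dict[str, Function]):
    """Step S4: mark every parameter sensitive, propagate to a fixpoint, and return
    (tainted variables, sensitive opcode set, non-sensitive opcode set)."""
    tainted: Set[str] = {_key(fn, p) for fn, f in contract.items() for p in f.params}
    sensitive_ops: Set[str] = set()
    changed = True
    while changed:  # repeat until no new variable or opcode becomes sensitive
        changed = False
        for fn, f in contract.items():
            for s in f.body:
                if not any(_key(fn, r) in tainted for r in s.reads):
                    continue  # expression uses no sensitive data
                if not set(s.opcodes) <= sensitive_ops:
                    sensitive_ops.update(s.opcodes)
                    changed = True
                if s.target is not None and _key(fn, s.target) not in tainted:
                    tainted.add(_key(fn, s.target))
                    changed = True
    return tainted, frozenset(sensitive_ops), ALL_OPCODES - sensitive_ops


def select_handlers(sensitive: FrozenSet[str], non_sensitive: FrozenSet[str]):
    """Step S5: per opcode, pick the inside-Enclave or outside-Enclave build of its
    handler. Handler names are hypothetical stand-ins for the two C++ function sets."""
    table = {op: ("enclave", f"enclave_op_{op.lower()}") for op in sensitive}
    table.update({op: ("host", f"host_op_{op.lower()}") for op in non_sensitive})
    return table


def dispatch(bytecode: List[str], table) -> List[Tuple[str, str]]:
    """Step S6: for each opcode in the sequence, report where its handler runs."""
    for op in bytecode:
        if op not in table:
            raise ValueError(f"opcode {op} has no selected handler")
    return [(op, table[op][0]) for op in bytecode]


def tcb_share(sensitive: FrozenSet[str]) -> float:
    """Fraction of opcode handlers that end up inside the Enclave."""
    return len(sensitive) / len(ALL_OPCODES)


if __name__ == "__main__":
    tainted, sens, non = taint_analysis(CONTRACT)
    table = select_handlers(sens, non)
    print("tainted variables:", sorted(tainted))
    print("sensitive opcodes:", sorted(sens))
    print("non-sensitive opcodes:", sorted(non))
    # Constructed opcode sequence for `counter = counter + 1`.
    for op, where in dispatch(["SLOAD", "ADD", "SSTORE"], table):
        print(f"{op:7s} -> {where}")
    print(f"handlers inside the Enclave: {tcb_share(sens):.0%}")
```

In this model `counter` is never tainted, yet its SLOAD and SSTORE are dispatched to the Enclave, because the partition is over opcodes rather than over individual statements.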
1. Taint analysis to find the sensitive virtual machine opcodes of a smart contract
Taint analysis is commonly used to determine whether data introduced by taint sources in a program propagates directly to taint sinks, which would create a private-data disclosure problem. Traditional taint analysis tracks the propagation of sensitive variables (taint variables). The taint analysis in this invention goes further: after finding the sensitive variables, it finds the sensitive statements that involve them and the sensitive virtual machine opcodes that correspond to those statements. No prior research has considered finding the sensitive virtual machine opcodes of a smart contract through taint analysis, or integrating taint analysis with SGX-based secure execution of smart contracts.
2. Secure execution environment for dynamic TCB reduction based on SGX
Some existing research combines the trusted execution environment provided by SGX with the virtual machine to protect the execution of the smart contract, but running the entire contract in the trusted environment produces a larger TCB, and code risk and security vulnerabilities increase as the TCB grows. In the invention, on the basis of combining SGX with the smart contract virtual machine, of the sensitive and non-sensitive virtual machine opcodes found by taint analysis, the sensitive opcodes are run dynamically inside the trusted execution environment Enclave provided by SGX and the non-sensitive opcodes are run outside the Enclave, which achieves the aim of dynamically reducing the TCB according to the smart contract.
Claims (9)
1. An SGX-based blockchain virtual machine method for dynamically reducing the TCB, characterized in that the method specifically comprises the following steps:
S1, inputting the smart contract source code;
S2, compiling the smart contract source code to obtain a bytecode sequence;
S3, constructing the function sets corresponding to all the virtual machine opcodes;
S4, performing taint analysis on the smart contract source code to obtain a sensitive opcode set and a non-sensitive opcode set;
S5, selecting, according to the sensitive opcode set and the non-sensitive opcode set, the corresponding execution functions from the constructed function sets corresponding to all the virtual machine opcodes, and sending the execution functions to the virtual machine module;
S6, the virtual machine module executes the execution functions corresponding to the sensitive opcode set inside the trusted execution environment Enclave provided by SGX, and executes the execution functions corresponding to the non-sensitive opcode set outside the Enclave.
2. The SGX-based block chain virtual machine method for dynamically reducing TCBs according to claim 1, wherein: step S2 is to compile the smart contract source code into a byte code sequence by a solid compiler.
3. An SGX based dynamic reduction TCB zone as claimed in claim 2The block chain virtual machine method is characterized in that: the function set corresponding to all the virtual machine operation codes comprises two versions of C + + function sets, namely, the C + + function set running in the inside of the envelope corresponding to all the virtual machine operation codesAnd a set of C + + functions running outside the Enclave
4. The SGX-based block chain virtual machine method for dynamically reducing TCBs according to claim 3, wherein: step S4, performing taint analysis on the intelligent contract source code by using a taint analysis method to obtain a sensitive operation code set and a non-sensitive operation code set, which are as follows:
marking parameters of each function of the intelligent contract as sensitive, and tracking the transfer process of the sensitive variables by adopting an open source tool Slither; variables dependent on the sensitive variables are also marked as sensitive, an expression using sensitive data is also marked as a sensitive expression, and an operation code of a Solidity compiler expression is given by using an open source tool Slither, so that a sensitive operation code set of the sensitive expression is extracted; since the number of opcodes is fixed, removing the sensitive opcode set results in a non-sensitive opcode set.
5. The SGX-based block chain virtual machine method for dynamically reducing TCBs according to claim 4, wherein: the specific process of step S5 is as follows:
according to the sensitive opcode set, the corresponding C++ functions are selected from the set to obtain the selected C++ function set; according to the non-sensitive opcode set, the corresponding C++ functions are selected from the set to obtain the selected C++ function set; the two selected sets are respectively transmitted to the virtual machine module.
6. The SGX-based block chain virtual machine method for dynamically reducing TCBs according to claim 5, wherein: the specific process of step S6 is as follows:
for sensitive operation codes, the virtual machine module runs the functions of the selected C++ function set inside the Enclave trusted execution environment provided by SGX; for non-sensitive operation codes, it runs the functions of the selected C++ function set outside the Enclave trusted execution environment provided by SGX.
7. An SGX-based block chain virtual machine system for dynamically reducing TCB, comprising: a Solidity compiler, a taint analysis module, a selection module and a virtual machine module;
the Solidity compiler compiles the smart contract source code to obtain a byte code sequence;
the taint analysis module carries out taint analysis on the smart contract source code to obtain a sensitive operation code set and a non-sensitive operation code set;
the selection module selects corresponding execution functions from the constructed function sets corresponding to all the virtual machine operation codes according to the sensitive operation code set and the non-sensitive operation code set and sends the execution functions to the virtual machine module;
the virtual machine module runs an execution function corresponding to the sensitive opcode set inside a trusted execution environment Enclave provided by the SGX, and executes an execution function corresponding to the non-sensitive opcode set outside the trusted execution environment Enclave.
8. The SGX-based block chain virtual machine system for dynamically reducing TCB of claim 7, wherein: the execution environment is further provided with a loading and storing module.
9. The SGX-based block chain virtual machine system for dynamically reducing TCB of claim 8, wherein: the loading and storing module is used for loading the smart contract state and storing the new smart contract state.
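The partition, selection and placement steps of claims 4 to 6, as an added Python sketch (not the patent's implementation and not Slither output). The `Stmt` mini-IR, the opcode subset, the handler tables and the sample `transfer` body are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed subset of EVM opcodes; the claim relies on this universe being fixed.
ALL_OPCODES = frozenset({"ADD", "SUB", "MUL", "LT", "SLOAD", "SSTORE", "MSTORE", "JUMPI"})

@dataclass(frozen=True)
class Stmt:                      # hypothetical mini-IR, one record per source expression
    target: str | None           # variable written (None for a branch)
    uses: tuple[str, ...]        # variables the expression reads
    opcodes: frozenset[str]      # opcodes the compiler emits for it

def taint_partition(params, stmts):
    """Claim 4: parameters are taint sources; propagate until nothing changes."""
    tainted, sensitive = set(params), set()
    changed = True
    while changed:               # fixed point: covers loops and out-of-order uses
        changed = False
        for s in stmts:
            if not tainted.intersection(s.uses):
                continue
            if not s.opcodes <= sensitive:
                sensitive |= s.opcodes
                changed = True
            if s.target is not None and s.target not in tainted:
                tainted.add(s.target)
                changed = True
    return frozenset(sensitive), ALL_OPCODES - sensitive

def select_handlers(sensitive, non_sensitive, inside, outside):
    """Claim 5: in-Enclave functions for sensitive opcodes, outside ones for the rest."""
    return {op: inside[op] for op in sensitive}, {op: outside[op] for op in non_sensitive}

def placement(bytecode, sel_in, sel_out):
    """Claim 6: where each opcode of a sequence runs; unknown opcodes fail closed."""
    plan = []
    for op in bytecode:
        if op in sel_in:
            plan.append((op, "enclave"))
        elif op in sel_out:
            plan.append((op, "host"))
        else:
            raise ValueError(f"no handler selected for {op}")
    return plan

# Constructed transfer(to, amount) body; "log" reads "ok" before "ok" is assigned (loop body).
TRANSFER = [
    Stmt("bal", ("owner",), frozenset({"SLOAD"})),
    Stmt("log", ("ok",), frozenset({"MSTORE"})),
    Stmt("new_bal", ("bal", "amount"), frozenset({"SUB"})),
    Stmt("ok", ("new_bal", "limit"), frozenset({"LT"})),
    Stmt(None, ("ok",), frozenset({"JUMPI"})),
    Stmt("fee", ("base", "rate"), frozenset({"MUL", "SLOAD"})),
]
SENSITIVE, NON_SENSITIVE = taint_partition(["to", "amount"], TRANSFER)
```

Because the partition is per opcode rather than per instruction, an opcode that appears in any sensitive expression runs inside the Enclave at every occurrence, so the size of the reduced TCB depends on how many distinct opcodes the tainted expressions touch.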
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110036603.7A CN112836217B (en) | 2021-01-12 | 2021-01-12 | SGX-based block chain virtual machine method and system for dynamically reducing TCB |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112836217A true CN112836217A (en) | 2021-05-25 |
CN112836217B CN112836217B (en) | 2023-02-10 |
Family
ID=75927811
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110036603.7A Active CN112836217B (en) | 2021-01-12 | 2021-01-12 | SGX-based block chain virtual machine method and system for dynamically reducing TCB |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112836217B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105389513A (en) * | 2015-11-26 | 2016-03-09 | 华为技术有限公司 | Trusted execution method and apparatus for virtual trusted platform module (vTPM) |
US20170352027A1 (en) * | 2016-06-07 | 2017-12-07 | Cornell University | Authenticated data feed for blockchains |
CN109063471A (en) * | 2018-07-17 | 2018-12-21 | 广州大学 | A kind of guard method of SGX operation |
CN110032884A (en) * | 2019-01-31 | 2019-07-19 | 阿里巴巴集团控股有限公司 | The method and node, storage medium of secret protection are realized in block chain |
US20200322129A1 (en) * | 2019-04-03 | 2020-10-08 | Alibaba Group Holding Limited | Processing blockchain data based on smart contract operations executed in a trusted execution environment |
CN111770206A (en) * | 2020-08-31 | 2020-10-13 | 支付宝(杭州)信息技术有限公司 | Method for deploying intelligent contract, block chain node and storage medium |
Non-Patent Citations (2)
Title |
---|
MARCUS BRANDENBURGER,ET AL: "Blockchain and Trusted Computing: Problems, Pitfalls, and a Solution for Hyperledger Fabric", 《ARXIV:1805.08541V1》 * |
王进文等: "SGX技术应用研究综述", 《网络新媒体技术》 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113609481A (en) * | 2021-06-02 | 2021-11-05 | 西安四叶草信息技术有限公司 | Byte code-based PHP taint analysis method and device |
CN113609481B (en) * | 2021-06-02 | 2024-01-30 | 西安四叶草信息技术有限公司 | PHP (phase-shift register) taint analysis method and device based on byte codes |
CN114301928A (en) * | 2021-11-29 | 2022-04-08 | 之江实验室 | SGX-based chain uplink and downlink mixed consensus method and system |
WO2024001038A1 (en) * | 2022-06-29 | 2024-01-04 | 蚂蚁区块链科技 (上海) 有限公司 | Method for detecting private data leak |
Also Published As
Publication number | Publication date |
---|---|
CN112836217B (en) | 2023-02-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||