CN113190850A - Method for realizing intelligent contract short address attack detection tool - Google Patents

Method for realizing intelligent contract short address attack detection tool Download PDF

Info

Publication number
CN113190850A
CN113190850A CN202110568452.XA CN202110568452A CN113190850A CN 113190850 A CN113190850 A CN 113190850A CN 202110568452 A CN202110568452 A CN 202110568452A CN 113190850 A CN113190850 A CN 113190850A
Authority
CN
China
Prior art keywords
item
short address
type
parameter
function
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110568452.XA
Other languages
Chinese (zh)
Other versions
CN113190850B (en
Inventor
陈厅
李子豪
罗夏朴
王晓峰
王挺
贺哲远
房可昭
张愉菲
朱航
李洪伟
程岩
张小松
倪孝泽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China filed Critical University of Electronic Science and Technology of China
Priority to CN202110568452.XA priority Critical patent/CN113190850B/en
Publication of CN113190850A publication Critical patent/CN113190850A/en
Application granted granted Critical
Publication of CN113190850B publication Critical patent/CN113190850B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/40Transformation of program code
    • G06F8/53Decompilation; Disassembly

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of information, and provides a method for realizing an intelligent short address attack detection tool. The aim is to detect and find out the occurrence of the short address attack, so that the issuer of the token rejects the transaction request when the short address attack occurs, thereby greatly ensuring the security of the token contract. The main scheme includes that a decompiling module is used for processing an intelligent contract by byte codes to obtain function ids, the output of the decompiling module enters a TASE module, the TASE module acquires a parameter list corresponding to each function id and combines the function ids and the corresponding parameter lists to output a function signature; the obtained function signature is used as input, when a user calls an intelligent contract, a function signature id is obtained from calling data, and then a parameter list in the corresponding function signature is found out; and for each parameter in the function signature, positioning an actual parameter in the calling data by means of TASE, and checking whether the filling is correct or not, wherein if the filling is wrong, the attack is judged.

Description

Method for realizing intelligent contract short address attack detection tool
Technical Field
The invention relates to the technical field of information, and provides a method for realizing an intelligent short address attack detection tool.
Background
With the rapid development of decentralized applications, blockchain technology is now being widely focused on. An etherhouse is an open-source, common blockchain platform with intelligent contract functionality, the existence of which allows people to quickly develop decent applications. Meanwhile, disputes among entities are well solved by the Ethengfang, and privacy of users is guaranteed. Currently, over 3000 million intelligent contracts are deployed on the largest intelligent contract hosting chain of the etherhouses. Among them, the most interesting is the token contract, which provides people with a new way to manage assets using digital money, and thus its security is particularly important.
Unfortunately, short address attacks can result if certain detection mechanisms are absent. Short address attacks can result in theft of funds on contracts, which can make security issues for intelligent contracts, particularly token contracts, severely challenging, and also make people lose trust in digital currency, and thus detection of such attacks is particularly important.
When a user interacts with an intelligent contract on an ethernet via the Web3 API, the data in the request is encoded according to the contract ABI specification, and different encoding rules are applied according to different data types. If not, we consider the arguments sent to the function call invalid. Although the Web3 API can generate valid arguments, in practice many invalid arguments are found for a variety of reasons, such as malicious intent, parameter filling confusion, compiler bugs, Web3 compatibility issues, changes to new versions of the compiler, etc. Invalid actual parameters may result in runtime exceptions, unexpected execution results, and even theft of property. Short address attacks are one means of exploiting construction of invalid arguments for property theft. At present, a short address attack detection means for an intelligent Ethernet house contract is mainly started from three aspects, and whether the number of input address bits is in compliance is detected on a trading exchange level; on the aspect of an ether house, before the node sends a transaction, whether the function parameter digit is in compliance is checked; at the token contract level, we check len (msg. data) 68 for the transfer function, and the same applies to the other functions. These detection means all require the positioning of the input address.
Disclosure of Invention
The invention aims to detect and find out the occurrence of the short address attack, so that an issuer of the token rejects the transaction request when the short address attack occurs, thereby greatly ensuring the security of the contract of the token.
An implementation method of an intelligent contract short address attack detection tool comprises the following steps
Step 1, obtaining a function id by using a decompiling module:
the intelligent contract uploaded to the Ethenhouse by a user exists in a byte code form, the byte code of the intelligent contract is decompiled, code block and function identification is carried out on the byte code in the decompiled process, and the identification result comprises a function id;
step 2, TASE obtains a function signature:
the output of the decompiling module enters a TASE module, and the TASE module acquires a parameter list corresponding to each function id and combines the function id and the corresponding parameter list to output a function signature;
step 3, the function signature obtained in the step 2 is used as input, when a user calls an intelligent contract, a function signature id is obtained from calling data, and then a parameter list in the corresponding function signature is found out;
and 4, positioning the actual parameters in the calling data for each parameter in the function signature by means of TASE, and checking whether the filling is correct or not, wherein if the filling is wrong, the attack is judged.
Step 4.1, if the parameter is a basic type, checking the correctness of filling according to the following rules in the table 1, if the parameter is correct;
step 4.2, if the parameter is a static array (a structure composed of basic types), checking the correctness of each item in the array according to the rules in table 1, specifically see method two;
and 4.3, if the parameter is dynamic struct, nested array, dynamic array, bytes or string (a structure consisting of basic types), checking the structure and the content of the parameter, specifically referring to a method three. Table 1:
Figure BDA0003081519500000021
wherein uint8, uint16, …, uint256, int8, int16, …, int256, bytes8, bytes16, …, bytes256 are basic types in the Solidity programming language, representing unsigned and signed integers and bytes of the corresponding digit, respectively; address, pool, address type and Boolean type, which are also basic types in the Solidiy programming language.
One byte string, e.g., 11001011, in the etherhouse virtual machine, the high order is the leftmost of the byte string and the low order is the rightmost of the byte string. As in this byte string, the upper 3 bits are three bits from the leftmost, resulting in 110, and the lower 3 bits are three bits from the rightmost, resulting in 011.
In the above technical solution, step 4.1 includes the following steps:
step 4.1.1, according to the type and value of the parameter, judging whether the value meets the corresponding standard according to the rule in table 1, for example, the type of one real parameter is cool, and the value is
Figure BDA0003081519500000031
It does not meet the criteria for the pool type in rule 1 because its high 255 bits are not zero, whereas in rule 1 it is required that its high 255 bits are all zero.
Step 4.1.2, if the standard is met, outputting true, which represents that short address attack does not exist; otherwise, false is output, which represents that the short address attack is detected.
In the above technical solution, step 4.2 specifically includes the following steps:
step 4.2.1, for each item in the array, judging the type of each item to be a static array or a basic type, if the type of each item is the static array, performing step 4.2.3, and if the type of each item is the basic type, performing step 4.2.2;
step 4.2.2, if the item is of the basic type, detecting the item by using the step 4.1, if the detection result outputs false, outputting false finally to represent that the short address attack is detected, and performing the step 4.2.4, if the detection result outputs true, representing that the short address attack is not detected, continuously detecting the next item until each item is detected, and then performing the step 4.2.4;
step 4.2.3, if the item is a static array, continuing to execute the step 4.2.1 to detect the item; (ii) a
And 4.2.4, if false is not output after each item is detected, outputting true, which represents that short address attack does not exist.
In the above technical solution, step 4.3 specifically includes the following steps:
step 4.3.1, according to the types of the items, the structure and the content of the item can be determined, the content of the item can contain a plurality of items, each item can be a basic type, an array or a dynamic struct, the type of each item is judged, if the type of each item is the basic type, the step 4.3.2 is carried out, if the type of each item is the static array, the step 4.3.3 is carried out, and if the type of each item is the dynamic struct, the step 4.3.4 is carried out;
and 4.3.2, if the item is of the basic type, detecting the item by using the step 4.1, and if the detection result outputs false, finally outputting false, which represents that the short address attack is detected.
And 4.3.3, if the item is a static array, detecting the item by using the step 4.2, and if the detection result outputs false, finally outputting false, wherein the false represents that the short address attack is detected.
And 4.3.4, if the item is dynamic struct, recursively calling the step 4.3 to detect the item, and if the detection result outputs false, finally outputting false, which represents that short address attack is detected. As for a struct, it is defined as struct example { int x [10 ]; int y, then for the variable declared by struct example, it consists of two terms, for each term of this struct, the correctness of the first term x can be determined by method two, the correctness of the second term y can be determined by step 4.3.2, and finally the correctness of struct is determined by them jointly. Further, if another struct, it is defined as struct test { struct example; int z }, then for the variable stated in test, firstly determining the correctness of the first item e, when determining the correctness of one item, determining the correctness of the step 4.3 by means of the step 4.3, and then calling the step 4.3.3 and the step 4.3.2 by means of the step 4.3, then directly determining the correctness of the second item by means of the step 4.3.2, and finally determining the correctness of the struct, if incorrect, outputting false, otherwise, outputting true. As shown in fig. 3
And 4.3.5, if false is not output after each item is detected, outputting true, which represents that no short address attack exists.
Because the invention adopts the technical means, the invention has the following beneficial effects:
in the present invention, the recovered function signature is used to automatically detect the tool of invalid arguments sent to the identity smart contract, through which short address attacks can be easily detected and discovered.
The invention provides a method and a device for rapidly detecting short address attacks by utilizing a function signature technology, and the method and the device can ensure that an issuer of the token rejects the transaction request when the short address attacks, thereby greatly ensuring the security of a token contract.
Drawings
FIG. 1 is a work flow diagram;
FIG. 2 is a diagram of an embodiment of a short address attack;
FIG. 3 is an exemplary diagram of struct.
Detailed Description
Examples of the invention
We use the transaction detected by ParChecker (as shown in fig. 2) to explain how a short address attack steals the token and then give the detection result.
The transaction calls the transfer () function of the token intelligence contract with function id 0xa9059cbb to pass token. the transfer () function has two parameters: a _ to indicating the address type of the recipient, and a _ value indicating the number of tokens of the uint256 type. The attacker removes the end zeros of to and then the EVM pads the high order zeros of to 32 bytes. After this, evm (ethereum virtualmachine) adds 0 to 32 bytes in length after the lowest byte of _ value, so _ value changes from 0x2710 to 0x 271000. The attacker can launch an attack that fools the victim into exchanging wallets, transferring more tokens to the addresses they control (i.e., to).
By first locating the call of transfer (), we can find such an attack from the results of ParChecker. Then we check if the length of the actual parameter len is less than 64 bytes, i.e. the length of a valid address plus a valid uint 256. If so, we check if its highest 64-len byte is zero for the last 32 bytes of the parameter. If this is the case, a short address attack is detected, since the highest 64-len bytes will be used to complement the short address. Finally, we found 73 attack transactions that invoked 25 smart contracts. The detailed results are shown in table 2.
TABLE 1 short Address attacks detected by ParChecker
Figure BDA0003081519500000051
Figure BDA0003081519500000061

Claims (5)

1. An implementation method of an intelligent contract short address attack detection tool is characterized by comprising the following steps
Step 1, obtaining a function id by using a decompiling module:
the intelligent contract uploaded to the Ethenhouse by a user exists in a byte code form, the byte code of the intelligent contract is decompiled, code block and function identification is carried out on the byte code in the decompiled process, and the identification result comprises a function id;
step 2, TASE obtains a function signature:
the output of the decompiling module enters a TASE module, and the TASE module acquires a parameter list corresponding to each function id and combines the function id and the corresponding parameter list to output a function signature;
step 3, the function signature obtained in the step 2 is used as input, when a user calls an intelligent contract, a function signature id is obtained from calling data, and then a parameter list in the corresponding function signature is found out;
and 4, positioning the actual parameters in the calling data for each parameter in the function signature by means of TASE, and checking whether the filling is correct or not, wherein if the filling is wrong, the attack is judged.
2. The method of claim 1, wherein the tool for detecting the short address attack comprises a first tool for detecting the short address attack,
step 4.1, if the parameter is a basic type, the positioning rule is from the Contract ABI standard[1]Each parameter class described inThe filling scheme is a type of filling scheme, input parameters are converted into a string of byte codes according to the filling scheme, the correctness of the filled byte codes is checked according to the rules in the table 1, and if the correctness is correct, true is output to represent that short address attack does not exist; otherwise, outputting false, which represents that short address attack is detected;
step 4.2, if the parameter is a static array, checking the correctness of each item in the static array according to the rule in the table 1, which is described in detail below;
step 4.3, if the parameter is dynamic struct, checking the structure and the content of the parameter, wherein the specific description is as follows;
table 1:
Figure FDA0003081519490000011
Figure FDA0003081519490000021
wherein uint8, uint16, …, uint256, int8, int16, …, int256, bytes8, bytes16, …, bytes256 are basic types in the Solidity programming language, representing unsigned and signed integers and bytes of the corresponding digit, respectively; address, pool, address type and Boolean type, which are also basic types in the Solidiy programming language.
3. The method for implementing the intelligent short address attack detection tool according to claim 2, wherein the step 4.1 comprises the following steps:
step 4.1.1, judging whether the value meets the corresponding standard according to the type of the parameter and the value of the parameter and the rule in the table 1;
step 4.1.2, if the standard is met, outputting true, which represents that short address attack does not exist; otherwise, false is output, which represents that the short address attack is detected.
4. The method for implementing the intelligent short-address attack detection tool according to claim 2, wherein the step 4.2 specifically comprises the following steps:
step 4.2.1, for each item in the array, judging the type of each item to be a static array or a basic type, if the type of each item is the static array, performing step 4.2.3, and if the type of each item is the basic type, performing step 4.2.1;
step 4.2.2, if the item is of the basic type, detecting the item by using the step 4.1, if the detection result outputs false, outputting false finally to represent that the short address attack is detected, and performing the step 4.2.4, if the detection result outputs true, representing that the short address attack is not detected, continuously detecting the next item until each item is detected, and then performing the step 4.2.4;
step 4.2.3, if the item is a static array, continuing to execute the step 4.2.1 to detect the item;
and 4.2.4, if false is not output after each item is detected, outputting true, which represents that short address attack does not exist.
5. The method for implementing an intelligent short-address attack detection tool according to claim 4, wherein step 4.3 specifically comprises the following steps:
step 4.3.1, according to the types of the items, the structure and the content of the item can be determined, the content of the item can contain a plurality of items, each item can be a basic type, a static array or a dynamic struct, the type of each item is judged, if the type of each item is the basic type, the step 4.3.2 is carried out, if the type of each item is the static array, the step 4.3.3 is carried out, and if the type of each item is the dynamic struct, the step 4.3.4 is carried out;
step 4.3.2, if the item is of the basic type, detecting the item by using the step 4.1, and if the detection result outputs false, finally outputting false, which represents that the short address attack is detected;
4.3.3, if the item is a static array, detecting the item by using the step 4.2, and if the detection result outputs false, finally outputting false, which represents that the short address attack is detected;
4.3.4, if the item is dynamic struct, recursively calling the step 4.3.1 to detect the item, and if the detection result outputs false, finally outputting false, which represents that short address attack is detected;
and 4.3.5, if false is not output after each item is detected, outputting true, which represents that no short address attack exists.
CN202110568452.XA 2021-05-24 2021-05-24 Method for realizing intelligent contract short address attack detection tool Active CN113190850B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110568452.XA CN113190850B (en) 2021-05-24 2021-05-24 Method for realizing intelligent contract short address attack detection tool

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110568452.XA CN113190850B (en) 2021-05-24 2021-05-24 Method for realizing intelligent contract short address attack detection tool

Publications (2)

Publication Number Publication Date
CN113190850A true CN113190850A (en) 2021-07-30
CN113190850B CN113190850B (en) 2022-10-11

Family

ID=76985187

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110568452.XA Active CN113190850B (en) 2021-05-24 2021-05-24 Method for realizing intelligent contract short address attack detection tool

Country Status (1)

Country Link
CN (1) CN113190850B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109800175A (en) * 2019-02-20 2019-05-24 河海大学 A kind of ether mill intelligence contract reentry leak detection method based on code pitching pile
CN109948345A (en) * 2019-03-20 2019-06-28 杭州拜思科技有限公司 A kind of method, the system of intelligence contract Hole Detection
CN111310191A (en) * 2020-02-12 2020-06-19 广州大学 Block chain intelligent contract vulnerability detection method based on deep learning
CN111563742A (en) * 2020-05-11 2020-08-21 西安邮电大学 Fuzzy testing method for intelligent contract transaction sequence dependence vulnerability variation
CN111679962A (en) * 2020-06-02 2020-09-18 浙江大学 Behavior detection and analysis system based on Ether house
CN111680271A (en) * 2020-06-02 2020-09-18 浙江大学 Contract code obfuscation platform and method based on intelligent contract byte code characteristics
CN112380541A (en) * 2020-11-16 2021-02-19 深圳壹账通智能科技有限公司 Method and device for detecting vulnerability of intelligent contract and computer equipment

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109800175A (en) * 2019-02-20 2019-05-24 河海大学 A kind of ether mill intelligence contract reentry leak detection method based on code pitching pile
CN109948345A (en) * 2019-03-20 2019-06-28 杭州拜思科技有限公司 A kind of method, the system of intelligence contract Hole Detection
CN111310191A (en) * 2020-02-12 2020-06-19 广州大学 Block chain intelligent contract vulnerability detection method based on deep learning
CN111563742A (en) * 2020-05-11 2020-08-21 西安邮电大学 Fuzzy testing method for intelligent contract transaction sequence dependence vulnerability variation
CN111679962A (en) * 2020-06-02 2020-09-18 浙江大学 Behavior detection and analysis system based on Ether house
CN111680271A (en) * 2020-06-02 2020-09-18 浙江大学 Contract code obfuscation platform and method based on intelligent contract byte code characteristics
CN112380541A (en) * 2020-11-16 2021-02-19 深圳壹账通智能科技有限公司 Method and device for detecting vulnerability of intelligent contract and computer equipment

Also Published As

Publication number Publication date
CN113190850B (en) 2022-10-11

Similar Documents

Publication Publication Date Title
He et al. Characterizing code clones in the ethereum smart contract ecosystem
He et al. Smart contract vulnerability analysis and security audit
US20220350579A1 (en) Method for controlling the flow execution of a generated script of a blockchain transaction
TWI715999B (en) Identification method and device of identity information
Xu et al. A novel machine learning‐based analysis model for smart contract vulnerability
Dingman et al. Defects and vulnerabilities in smart contracts, a classification using the NIST bugs framework
TWI271056B (en) System security approach methods using state tables, related computer-readable medium, and related systems
CN107872452A (en) A kind of recognition methods of malicious websites, device, storage medium and program product
CN108012268A (en) A kind of mobile phone terminal SIM card and the method for safe handling App, medium
CN111476573B (en) Account data processing method, device, equipment and storage medium
CN110263580B (en) Data processing method and device based on block chain and block chain link points
US20160260089A1 (en) Secure account management using tokens
TW201732704A (en) Service implementation method, apparatus and system based on fix protocol
US11538028B1 (en) Implementing non-fungible tokens using bitcoin
RU2734027C2 (en) Method and device for preventing an attack on a server
Duan et al. Multiple‐Layer Security Threats on the Ethereum Blockchain and Their Countermeasures
Alkhalifah et al. An empirical analysis of blockchain cybersecurity incidents
Garcia Bringas et al. BlockChain platforms in financial services: current perspective
CN114201756A (en) Vulnerability detection method and related device for intelligent contract code segment
CN113469811A (en) Block chain transaction processing method and device
CN113190850B (en) Method for realizing intelligent contract short address attack detection tool
KR20220101952A (en) Apparatus and method for detecting illegal transactions of bitcoin
CN105376265B (en) A kind of application method and device of network exhaustive resource
CN110610423A (en) Processing method for supporting stateful and stateless contracts by block chain intelligent contract platform
Bu et al. Security Checking of Trigger-Action-Programming Smart Home Integrations

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant