CN113886836A - Intelligent contract vulnerability detection method and related equipment - Google Patents
Intelligent contract vulnerability detection method and related equipment Download PDFInfo
- Publication number
- CN113886836A CN113886836A CN202111216136.2A CN202111216136A CN113886836A CN 113886836 A CN113886836 A CN 113886836A CN 202111216136 A CN202111216136 A CN 202111216136A CN 113886836 A CN113886836 A CN 113886836A
- Authority
- CN
- China
- Prior art keywords
- intelligent contract
- vulnerability
- path
- path selection
- selection model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/25—Integrating or interfacing systems involving database management systems
- G06F16/252—Integrating or interfacing systems involving database management systems between a Database Management System and a front-end application
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/088—Non-supervised learning, e.g. competitive learning
Abstract
The application discloses a detection method and related equipment for intelligent contract vulnerabilities, comprising the following steps: constructing an interactive interface of a path selection model and a symbol execution platform according to the state of an intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbol execution; connecting the trained path selection model to a symbol execution platform through an interactive interface, and making a decision on path selection in the symbol execution process by the path selection model; the path selection model is obtained by adopting a reinforcement learning algorithm through unsupervised learning training; traversing the executable path of the target intelligent contract through a symbol execution platform to obtain a symbol execution result; and determining the vulnerability of the target intelligent contract according to the symbolic execution result. The method and the device can effectively select the path with the larger probability of the vulnerability, and can effectively shorten the time for discovering the vulnerability and improve the vulnerability detection efficiency compared with the random selection of the path in the traditional symbolic execution.
Description
Technical Field
The application relates to the technical field of intelligent contracts, in particular to a method and a device for detecting intelligent contract vulnerabilities.
Background
With the development and landing of Block Chain (Block Chain) technology, a large number of intelligent contracts (Smart contracts) are applied to different fields, such as financial services, public services, the internet of things, and the like.
The block chain is a data storage mode, the hash value of the last block is stored in each block, and a distributed storage mode is adopted, so that the data on the block chain can not be tampered, and the data on the block chain has the characteristics of incapability of destroying, anonymity and traceability.
Smart contracts are a big feature of the 2.0 era of blockchains, which are compiled locally by developers into source code, compiled into a piece of bytecode using a compiler, where each byte corresponds to an operation code, and then the bytecode is deployed onto the blockchain, i.e., saved on the blockchain. For the intelligent contract which is successfully deployed, a user can call the contract by initiating a specific transaction to the intelligent contract, the transaction comprises the number of the transmitted tokens and can also specify a function and a parameter of the function in the contract, the intelligent contract runs according to the deployed byte codes after receiving the transaction, and the running result is recorded on the block chain.
The credibility of the smart contract is derived from the fact that the smart contract cannot be tampered, and once the smart contract is deployed on line, anyone can attack the security vulnerability of the contract. In addition, many projects will disclose intelligent contract source code. Although the public transparency of the source code can improve the trust degree of the user on the contract, the hacking cost is greatly reduced, and each intelligent contract exposed on the open network can possibly become a gold mine and an attack target of a professional hacking team.
Currently, Ethereum (Ethereum) is the largest block chain platform supporting turing completion, and with the increase of the number of intelligent contracts and the popularization of Decentralized Application (DApp), digital assets related to the intelligent contracts increase in an exponential level. Compare traditional software, the safety problem of intelligent contract is more troublesome, and the reality condition is also more severe. In the event of a DAO attack, for example, a hacker steals $ 5000 million with a vulnerability. Without corresponding defensive measures, the deterioration of security problems cannot be prevented, thereby seriously compromising the economic value of the contract itself and the public's trust in the project. Therefore, detecting smart contracts before deployment and discovering possible exploits is an urgent problem to be solved.
Disclosure of Invention
In view of this, the present application provides a method for detecting a vulnerability of an intelligent contract and related devices, so as to detect a vulnerability of an intelligent contract.
In order to achieve the above object, a first aspect of the present application provides a method for detecting an intelligent contract vulnerability, including:
constructing an interactive interface of a path selection model and a symbol execution platform according to the state of an intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbol execution;
connecting the trained path selection model to a symbol execution platform through the interactive interface, and making a decision on path selection in the symbol execution process by using the path selection model;
the path selection model is obtained by adopting a reinforcement learning algorithm through unsupervised learning training;
traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result;
and determining the vulnerability of the target intelligent contract according to the symbolic execution result.
Preferably, the interactive interface comprises a status interface, an action selection interface and a reward feedback interface;
the process of constructing the interactive interface of the path selection model and the symbolic execution platform according to the state of the intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbolic execution comprises the following steps:
according to the state of the intelligent contract, constructing state input from a symbol execution platform to a path selection model;
according to the path space and the current state of the intelligent contract, constructing an action input from a path selection model to a symbol execution platform;
and constructing reward input from the symbol execution platform to the path selection model according to whether the intelligent contract vulnerability is triggered in the symbol execution.
Preferably, the process of constructing a state input of the symbolic execution platform to the path selection model according to the state of the smart contract includes:
acquiring the state of an intelligent contract, wherein the state comprises code coverage rate, execution frequency of a preset operation code, path depth and/or path constraint;
and converting the state into a feature vector, and performing state input from the platform to the path selection model by using the feature vector as a symbol.
Preferably, the process of constructing an action input from the path selection model to the symbolic execution platform according to the path space and the current state of the intelligent contract includes:
determining a branch path through an E-greedy algorithm according to the path space and the current state of the intelligent contract, and taking the determined branch path as the action input from a path selection model to a symbol execution platform;
the current state is determined by the state input from the symbol execution platform at the current moment to the path selection model; e is a randomly determined probability.
Preferably, the process of constructing the reward input from the symbolic execution platform to the path selection model according to whether the intelligent contract vulnerability is triggered in symbolic execution includes:
and if the intelligent contract vulnerability is triggered in the symbol execution, generating a preset reward value, and taking the reward value as the reward input from the symbol execution platform to the path selection model.
Preferably, the symbolic execution result includes an operation code, variable and/or data stream involved in each action execution;
the process of determining the vulnerability of the target intelligent contract according to the symbolic execution result comprises the following steps:
determining a vulnerability of a target intelligent contract according to the operation code and a preset detection specification;
wherein the detection rule comprises:
if the variable on which the operation code depends comprises COINBASE, TIMETAMETAMP, NUMBER, DIFFICITY and/or GASLIMIT, determining that the target intelligent contract has a vulnerability of transferring depending on the block state;
judging whether the operation of transferring accounts first and then modifying the account book exists or not according to the operation codes and the data flow, and if so, determining that a reentry vulnerability exists in the target intelligent contract;
and for the incoming variable, if the variable itself or the variable after data flow is used as a parameter of the DelegateCall, determining that the target intelligent contract has a dangerous vulnerability of the entrustment call.
Preferably, the path selection model is a deep Q learning network DQN model; the training process of the DQN model comprises the following steps:
acquiring an intelligent contract code;
performing modeling on the symbol of the intelligent contract code into a Markov decision process to obtain a state space S, an action space A and a reward value R corresponding to an action of the DQN model;
initializing a network parameter Q (S, a) of the DQN model, wherein S belongs to S, and a belongs to A;
making a decision on path selection in the symbol execution process through the DQN model, and taking an action a according to the decisiontEnter state st+1And calculating a reward r(s) earned by said actiont,at) Updating the network parameter Q until the network parameter Q converges:
Q(st,at)←Q(st,at)+α(Rt+1+λmaxaQ(st+1,at)-Q(st,at))
where α refers to a learning rate for controlling the degree of difference to be taken into account between the previous Q value and the newly proposed Q value.
This application second aspect provides a detection device of intelligence contract vulnerability, includes:
the interface construction unit is used for constructing an interactive interface of the path selection model and the symbolic execution platform according to the state of the intelligent contract, the path space of the intelligent contract and whether the vulnerability of the intelligent contract is triggered in symbolic execution;
the platform building unit is used for connecting the trained path selection model to a symbol execution platform through the interactive interface, and the path selection model makes a decision on path selection in the symbol execution process;
the path selection model is obtained by adopting a reinforcement learning algorithm through unsupervised learning training;
the symbol execution unit is used for traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result;
and the vulnerability mining unit is used for determining the vulnerability of the target intelligent contract according to the symbolic execution result.
The third aspect of the present application provides a device for detecting an intelligent contract vulnerability, including: a memory and a processor;
the memory is used for storing programs;
the processor is used for executing the program and realizing the steps of the detection method of the intelligent contract vulnerability.
A second aspect of the present application provides a storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the steps of the method for detecting a vulnerability of an intelligent contract as described above.
According to the technical scheme, the reinforcement learning algorithm is adopted in advance to train the path selection model through unsupervised learning, and the trained path selection model is obtained. In the detection of the intelligent contract vulnerability, firstly, an interactive interface of a path selection model and a symbolic execution platform is constructed according to the state of an intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbolic execution. And then connecting the trained path selection model to a symbol execution platform through the interactive interface, and making a decision on path selection in the symbol execution process by using the path selection model. And traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result. And finally, determining the vulnerability of the target intelligent contract according to the symbolic execution result. Because the path selection model is a trained model, paths with high probability of having the loopholes can be effectively selected, and compared with the random selection of the paths in the traditional symbolic execution, the time for finding the loopholes can be effectively shortened, so that the loophole detection efficiency is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic diagram of a method for detecting an intelligent contract vulnerability disclosed in an embodiment of the present application;
FIG. 2 is a schematic diagram illustrating a system for detecting a smart contract vulnerability disclosed in an embodiment of the present application;
FIG. 3 illustrates a schematic diagram of reinforcement learning disclosed in an embodiment of the present application;
fig. 4 is a schematic diagram of an intelligent contract vulnerability detection apparatus disclosed in an embodiment of the present application;
fig. 5 is a schematic diagram of a detection device for an intelligent contract vulnerability disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
For the vulnerability security problem of intelligent contracts, Symbolic Execution (symbololic Execution) is the most common method that can use symbols as variables to perform static analysis on code. The symbolic execution technology is a classical program analysis technology, and the basic idea is to represent specific numerical values of an input program in the form of symbolic values, and to simulate and execute each program instruction in a symbolic mode, and to interpret the program instruction as a specific operation of the symbolic values of semantic equivalence.
However, the vulnerability code only occupies a very small portion of the whole intelligent contract, and if a depth-first traversal method is adopted and a branch path is randomly selected to continue execution in the symbol execution process according to the conventional method, a large amount of time in the symbol execution process is spent on processing the code portion without the vulnerability, so that resource waste and low detection efficiency are caused.
Based on the above, the application provides a method for detecting the vulnerability of the intelligent contract, which is based on reinforcement learning and symbolic execution technology to detect the vulnerability of the intelligent contract. Among them, Reinforcement Learning (Reinforcement Learning) is unsupervised machine Learning, and can obtain rewards in a set environment exploration process, and can learn optimum actions in different states according to the rewards, thereby obtaining better benefits.
Specifically, symbol execution is to use symbols to replace determined values to statically analyze program codes, and in the process of static analysis, paths are branched, and at this time, branch paths with higher vulnerability possibility are processed preferentially through reinforcement learning, so that the time for symbol execution can be greatly saved.
The method for detecting the intelligent contract vulnerability provided by the embodiment of the application is introduced below. Referring to fig. 1 and fig. 2, the method for detecting an intelligent contract vulnerability provided in the embodiment of the present application may include the following steps:
and S100, constructing an interactive interface of the path selection model and the symbol execution platform.
Specifically, an interactive interface of a path selection model and a symbol execution platform is constructed according to the state of an intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbol execution. The path selection model belongs to a Deep learning neural Network model, which may be a value-based algorithm model, such as Q-learning, DQN (Deep Q-learning Network) and other models; policy-based algorithm models such as the Trust Region Policy Optimization (TRPO), Advantage Actor Critic (A2C) algorithm model, etc. are also possible.
This step is actually a process that models the process performed on the smart contracts as Markov Decisions (MDPs). Specifically, different paths and corresponding path constraint conditions are generated in the process of executing symbols, and when a path is branched when a conditional jump instruction is encountered during execution, one of the feasible branch paths needs to be selected for further execution, where there is a priority problem of branch selection. Thus, symbolic execution can be modeled as a Markov decision process, translating into a problem of reinforcement learning.
Reinforcement learning is an area of machine learning that emphasizes how to act based on the environment to achieve maximum expected benefit. Referring to fig. 3, in the world of reinforcement learning, a subject (Agent) interacts with an Environment (Environment), and the Agent acquires a State (State) from the Environment and determines an Action (Action) to be taken by itself, and the Environment rewards the Agent according to its logic (Reward). Wherein the prize is divided into forward and reverse direction.
Specifically, corresponding to the application scenario of the present application, State corresponds to an execution State of the intelligent contract, such as a partial attribute of the intelligent contract, a path space in a symbol execution process, and a corresponding path constraint condition; the Action corresponds to the selection of the path, for example, the Action space can be determined by the path space of the intelligent contract; reward depends on whether a smart contract vulnerability is triggered in symbol execution, e.g., when a vulnerability is triggered or detected, a corresponding forward Reward may be given.
And step S200, connecting the trained path selection model to a symbol execution platform through an interactive interface.
Specifically, the trained path selection model is connected to the symbol execution platform through the interactive interface constructed in step S100, and the path selection model makes a decision on path selection in the symbol execution process.
The path selection model is obtained by adopting a reinforcement learning algorithm through unsupervised learning training.
Specifically, the training process includes: in the interaction process of the path selection model and the symbolic execution platform, whether a vulnerability is triggered can be detected according to the symbolic execution result, so that the path selection model is rewarded, and the path selection model updates the network according to the rewarded change and the State change.
And selecting the optimal branch path to continue executing when the path is branched by using the path selection model, and preferentially analyzing branches possibly containing the vulnerability, thereby improving the vulnerability mining efficiency in the symbolic execution.
And step S300, traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result.
Specifically, instructions on an executable path of a target intelligent contract program can be analyzed through a symbolic execution platform according to a path space of an intelligent contract, a program execution state is updated according to specific semantics, path constraints are collected, and fork execution is performed at a branch node, so that exploration of all executable paths in the program is completed, and a security problem is found.
The symbol execution platform may be an existing symbol execution tool (such as KLEE, ANGR, etc.) or a self-writing tool, so as to implement the function of symbol execution.
The constraint solving technology can solve the path constraint collected in the symbolic execution, judge whether the path is accessible, and detect whether the value of the variable is in accordance with the program safety regulation or possibly in accordance with the condition of vulnerability existence at a specific program point.
And S400, determining the vulnerability of the target intelligent contract according to the symbolic execution result.
The possible vulnerabilities of the intelligent contract can include integer overflow, dependent block state, reentry vulnerability, dangerous entrusting invocation, dependent external contract and the like.
The method and the device adopt a reinforcement learning algorithm in advance to train the path selection model through unsupervised learning to obtain the trained path selection model. In the detection of the intelligent contract vulnerability, firstly, an interactive interface of a path selection model and a symbolic execution platform is constructed according to the state of an intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbolic execution. And then connecting the trained path selection model to a symbol execution platform through the interactive interface, and making a decision on path selection in the symbol execution process by using the path selection model. And traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result. And finally, determining the vulnerability of the target intelligent contract according to the symbolic execution result. Because the path selection model is a trained model, paths with high probability of having the loopholes can be effectively selected, and compared with the random selection of the paths in the traditional symbolic execution, the time for finding the loopholes can be effectively shortened, so that the loophole detection efficiency is improved.
In some embodiments of the present application, the interactive interface mentioned in the above step S100 includes a status interface, an action selection interface and a reward feedback interface.
Based on this, the process of constructing the interaction interface between the path selection model and the symbolic execution platform according to the state of the intelligent contract, the path space of the intelligent contract, and whether the intelligent contract vulnerability is triggered in symbolic execution in step S100 may include:
and S1, constructing the state input from the symbolic execution platform to the path selection model according to the state of the intelligent contract.
And S2, constructing the action input from the path selection model to the symbol execution platform according to the path space and the current state of the intelligent contract.
And S3, constructing reward input from the symbolic execution platform to the path selection model according to whether the intelligent contract vulnerability is triggered in symbolic execution.
Through the construction of the interactive interface, the branch selection problem in the symbolic execution of the intelligent contract is converted into the problem of the reinforced learning, the state, the action and the reward function are defined for the symbolic execution of the intelligent contract, and the definition of the reinforced learning elements plays a key role in the effect of the technology, so that the path selection model can perform the reinforced learning on the path decision of the intelligent contract.
In some embodiments of the present application, the process of constructing the state input of the symbolic execution platform to the path selection model according to the state of the smart contract at S1 may include:
and S11, acquiring the state of the intelligent contract, wherein the state comprises at least one of Abstract Syntax Tree (AST), control flow graph, code coverage, execution frequency of preset operation code, path depth and path constraint of the intelligent contract.
Wherein, the code coverage rate may include:
JCSAJ coverage: whether each JCSAJ (linear code sequence and jump) was executed;
JJ Path coverage (JJ-Path coverage): whether each JJ path (path from jump to jump, i.e., JCSAJ) was executed;
path coverage (Path coverage): whether all possible paths in the program are executed;
entry point/end point coverage (Entry/exit coverage): whether to execute all possible entry points and end points in the bypass;
loop coverage (Loop coverage): whether all the cycles have the test of zero times, one time or more than one time;
parameter Value Coverage (Parameter Value Coverage): for all parameters of a method, whether the most common values have been performed.
In addition, the execution frequency of the preset operation code can be the execution frequency of some key operation codes; the path depth can be the total times of path jumping and reflects the path length from the entrance of the intelligent contract code to the current branch; the path constraint may be a jump condition of the path.
And S12, converting the state into a feature vector, and executing the state input of the platform to the path selection model by taking the feature vector as a symbol.
Wherein the process of converting the state into the feature vector includes a manner of converting the state into embedding (embedding), so that an input format of the neural network model can be adapted.
In some embodiments of the present application, the process of building the action input from the path selection model to the symbolic execution platform according to the path space and the current state of the smart contract at S2 may include:
and determining a branch path through an e-greedy algorithm according to the path space and the current state of the intelligent contract, and taking the determined branch path as the action input from the path selection model to the symbolic execution platform.
The current state is determined by the state input from the symbol execution platform at the current moment to the path selection model; e is a randomly determined probability.
Greedy algorithms (also known as greedy algorithms) always make the choice that seems best at the present time when solving a problem, resulting in a locally optimal solution in some sense.
In some embodiments of the present application, the process of constructing the reward input from the symbolic execution platform to the path selection model according to whether the intelligent contract vulnerability is triggered in symbolic execution at S3 may include:
and if the intelligent contract vulnerability is triggered in the symbol execution, generating a preset reward value, and taking the reward value as the reward input from the symbol execution platform to the path selection model.
Through the setting of the reward, a path selection model can be stimulated to learn to acquire a path which is more likely to trigger the vulnerability.
In some embodiments of the present application, the symbol execution result mentioned in the above step S400 may include one or more of an operation code, a variable and a data stream involved in each action execution.
Based on this, the step S400 of determining the vulnerability of the target intelligent contract according to the symbolic execution result may include:
and determining the vulnerability of the target intelligent contract according to the operation code and the preset detection specification.
Wherein the detection rule comprises:
1) and if the variable on which the operation code depends comprises COINBASE, TIMETAMETAMP, NUMBER, DIFFICITY and/or GASLIMIT, determining that the target intelligent contract has a vulnerability of transferring depending on the block state.
2) And judging whether the operation of transferring accounts first and then modifying the account book exists or not according to the operation codes and the data flow, and if so, determining that a reentry vulnerability exists in the target intelligent contract.
3) And for the incoming variable, if the variable itself or the variable after data flow is used as a parameter of the DelegateCall, determining that the target intelligent contract has a dangerous vulnerability of the entrustment call.
In order to enable the symbol execution to preferentially select the code part with higher vulnerability possibility, the selection problem of the branches is modeled as a Markov decision process, and the branches which are more likely to contain the vulnerability are selected by using the DQN algorithm of reinforcement learning to carry out preferential treatment, so that the purposes of accelerating the symbol execution efficiency and saving resources are achieved.
In some embodiments of the present application, the path selection model mentioned in the intelligent contract vulnerability method is a deep Q learning network DQN model. The training process of the DQN model may include:
and S1, acquiring the intelligent contract code.
For example, the open source code of the smart Contract can be collected from Contract Library (https:// extract-Library. com /) and Smartbug (https:// github. com/smartbytes) for the smart Contract of Ethereum, and the data set can be constructed accordingly.
And S2, performing and modeling symbolic execution of the intelligent contract codes into a Markov decision process to obtain a state space S, an action space A and a reward value R corresponding to the action of the DQN model.
S3, initializing the network parameters Q (S, a) of the DQN model, wherein S belongs to S and a belongs to A.
S4, making a decision on path selection in the symbol execution process through the DQN model, and taking an action a according to the decisiontEnter state st+1And calculating a reward r earned by said action(st,at) Updating the network parameter Q until the network parameter Q converges:
Q(st,at)←Q(st,at)+α(Rt+1+λmaxaQ(st+1,at)-Q(st,at))
where α refers to a learning rate for controlling the degree of difference to be taken into account between the previous Q value and the newly proposed Q value.
By training the path selection model, the characteristics of the intelligent contract can be fully extracted, when the path selection is performed by the symbolic execution, the path with higher vulnerability possibility can be selected for priority processing, the symbolic execution efficiency is improved, the time for analyzing the code without the vulnerability by the symbolic execution is reduced, and the rule does not need to be manually specified in advance in the process.
The following describes the detection apparatus for an intelligent contract vulnerability provided in the embodiment of the present application, and the detection apparatus for an intelligent contract vulnerability described below and the detection method for an intelligent contract vulnerability described above may be referred to in correspondence with each other.
Referring to fig. 4, the apparatus for detecting an intelligent contract vulnerability provided in the embodiment of the present application may include:
the interface construction unit 21 is configured to construct an interactive interface between a path selection model and a symbolic execution platform according to a state of an intelligent contract, a path space of the intelligent contract, and whether a vulnerability of the intelligent contract is triggered during symbolic execution;
the platform building unit 22 is used for connecting the trained path selection model to the symbol execution platform through the interactive interface, and the path selection model makes a decision on path selection in the symbol execution process;
the path selection model is obtained by adopting a reinforcement learning algorithm through unsupervised learning training;
the symbol execution unit 23 is configured to traverse a path executable by the target intelligent contract through the symbol execution platform to obtain a symbol execution result;
and the vulnerability mining unit 24 is configured to determine a vulnerability existing in the target intelligent contract according to the symbolic execution result of the symbolic execution unit 23.
In some embodiments of the present application, the interaction interface of the interface construction unit 21 includes a status interface, an action selection interface, and a reward feedback interface;
the process of constructing the interaction interface between the path selection model and the symbolic execution platform by the interface construction unit 21 according to whether the state of the intelligent contract, the path space of the intelligent contract, and the symbolic execution trigger the vulnerability of the intelligent contract, may include:
according to the state of the intelligent contract, constructing state input from a symbol execution platform to a path selection model;
according to the path space and the current state of the intelligent contract, constructing an action input from a path selection model to a symbol execution platform;
and constructing reward input from the symbol execution platform to the path selection model according to whether the intelligent contract vulnerability is triggered in the symbol execution.
In some embodiments of the present application, the process of constructing the state input from the symbolic execution platform to the routing model according to the state of the smart contract by the interface construction unit 21 may include:
acquiring the state of an intelligent contract, wherein the state comprises code coverage rate, execution frequency of a preset operation code, path depth and/or path constraint;
and converting the state into a feature vector, and performing state input from the platform to the path selection model by using the feature vector as a symbol.
In some embodiments of the present application, the process of constructing the action input from the path selection model to the symbolic execution platform by the interface construction unit 21 according to the path space and the current state of the intelligent contract may include:
determining a branch path through an E-greedy algorithm according to the path space and the current state of the intelligent contract, and taking the determined branch path as the action input from a path selection model to a symbol execution platform;
the current state is determined by the state input from the symbol execution platform at the current moment to the path selection model; e is a randomly determined probability.
In some embodiments of the present application, the process of constructing the reward input from the symbolic execution platform to the path selection model according to whether the intelligent contract vulnerability is triggered in the symbolic execution by the interface construction unit 21 may include:
and if the intelligent contract vulnerability is triggered in the symbol execution, generating a preset reward value, and taking the reward value as the reward input from the symbol execution platform to the path selection model.
In some embodiments of the present application, the result of the execution of the symbols in the symbol execution unit 23 includes the operation code, variables and/or data stream involved in each execution of the action.
In some embodiments of the present application, the process of determining, by the vulnerability mining unit 24, the vulnerability existing in the target intelligent contract according to the symbolic execution result may include:
and determining the vulnerability of the target intelligent contract according to the operation code and a preset detection specification.
Wherein the detection rule comprises:
if the variable on which the operation code depends comprises COINBASE, TIMETAMETAMP, NUMBER, DIFFICITY and/or GASLIMIT, determining that the target intelligent contract has a vulnerability of transferring depending on the block state;
judging whether the operation of transferring accounts first and then modifying the account book exists or not according to the operation codes and the data flow, and if so, determining that a reentry vulnerability exists in the target intelligent contract;
and for the incoming variable, if the variable itself or the variable after data flow is used as a parameter of the DelegateCall, determining that the target intelligent contract has a dangerous vulnerability of the entrustment call.
The detection device for the intelligent contract vulnerabilities provided by the embodiment of the application can be applied to detection equipment for the intelligent contract vulnerabilities, such as a computer with data storage and processing functions. Optionally, fig. 5 is a block diagram illustrating a hardware structure of a detection device for an intelligent contract vulnerability, and referring to fig. 5, the hardware structure of the detection device for the intelligent contract vulnerability may include: at least one processor 31, at least one communication interface 32, at least one memory 33 and at least one communication bus 34.
In the embodiment of the present application, the number of the processor 31, the communication interface 32, the memory 33 and the communication bus 34 is at least one, and the processor 31, the communication interface 32 and the memory 33 complete the communication with each other through the communication bus 34;
the processor 31 may be a central processing unit CPU, or an application Specific Integrated circuit asic, or one or more Integrated circuits configured to implement embodiments of the present application, etc.;
the memory 32 may comprise a high-speed RAM memory, and may further comprise a non-volatile memory (non-volatile memory) or the like, such as at least one disk memory;
wherein the memory 33 stores a program and the processor 31 may invoke the program stored in the memory 33, the program being for:
constructing an interactive interface of a path selection model and a symbol execution platform according to the state of an intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbol execution;
connecting the trained path selection model to a symbol execution platform through the interactive interface, and making a decision on path selection in the symbol execution process by using the path selection model;
the path selection model is obtained by adopting a reinforcement learning algorithm through unsupervised learning training;
traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result;
and determining the vulnerability of the target intelligent contract according to the symbolic execution result.
Alternatively, the detailed function and the extended function of the program may be as described above.
Embodiments of the present application further provide a storage medium, where a program suitable for execution by a processor may be stored, where the program is configured to:
constructing an interactive interface of a path selection model and a symbol execution platform according to the state of an intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbol execution;
connecting the trained path selection model to a symbol execution platform through the interactive interface, and making a decision on path selection in the symbol execution process by using the path selection model;
the path selection model is obtained by adopting a reinforcement learning algorithm through unsupervised learning training;
traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result;
and determining the vulnerability of the target intelligent contract according to the symbolic execution result.
Alternatively, the detailed function and the extended function of the program may be as described above.
In summary, the following steps:
the method comprises the steps of training a path selection model through unsupervised learning by adopting a reinforcement learning algorithm in advance to obtain the trained path selection model. In the detection of the intelligent contract vulnerability, firstly, an interactive interface of a path selection model and a symbolic execution platform is constructed according to the state of an intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbolic execution. And then connecting the trained path selection model to a symbol execution platform through the interactive interface, and making a decision on path selection in the symbol execution process by using the path selection model. And traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result. And finally, determining the vulnerability of the target intelligent contract according to the symbolic execution result. Because the path selection model is a trained model, paths with high probability of having the loopholes can be effectively selected, and compared with the random selection of the paths in the traditional symbolic execution, the time for finding the loopholes can be effectively shortened, so that the loophole detection efficiency is improved.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, the embodiments may be combined as needed, and the same and similar parts may be referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A method for detecting intelligent contract vulnerabilities is characterized by comprising the following steps:
constructing an interactive interface of a path selection model and a symbol execution platform according to the state of an intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbol execution;
connecting the trained path selection model to a symbol execution platform through the interactive interface, and making a decision on path selection in the symbol execution process by using the path selection model;
the path selection model is obtained by adopting a reinforcement learning algorithm through unsupervised learning training;
traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result;
and determining the vulnerability of the target intelligent contract according to the symbolic execution result.
2. The method of claim 1, wherein the interactive interface comprises a status interface, an action selection interface, and a reward feedback interface;
the process of constructing the interactive interface of the path selection model and the symbolic execution platform according to the state of the intelligent contract, the path space of the intelligent contract and whether the intelligent contract vulnerability is triggered in symbolic execution comprises the following steps:
according to the state of the intelligent contract, constructing state input from a symbol execution platform to a path selection model;
according to the path space and the current state of the intelligent contract, constructing an action input from a path selection model to a symbol execution platform;
and constructing reward input from the symbol execution platform to the path selection model according to whether the intelligent contract vulnerability is triggered in the symbol execution.
3. The method of claim 2, wherein the process of building a state input of the symbolic execution platform to the routing model according to the state of the smart contract comprises:
acquiring the state of an intelligent contract, wherein the state comprises code coverage rate, execution frequency of a preset operation code, path depth and/or path constraint;
and converting the state into a feature vector, and performing state input from the platform to the path selection model by using the feature vector as a symbol.
4. The method of claim 2, wherein the process of constructing the action input of the path selection model to the symbolic execution platform according to the path space and the current state of the smart contract comprises:
determining a branch path through an E-greedy algorithm according to the path space and the current state of the intelligent contract, and taking the determined branch path as the action input from a path selection model to a symbol execution platform;
the current state is determined by the state input from the symbol execution platform at the current moment to the path selection model; e is a randomly determined probability.
5. The method of claim 2, wherein the process of constructing the reward input from the symbolic execution platform to the path selection model according to whether the intelligent contract vulnerability is triggered in symbolic execution comprises:
and if the intelligent contract vulnerability is triggered in the symbol execution, generating a preset reward value, and taking the reward value as the reward input from the symbol execution platform to the path selection model.
6. The method of claim 1, wherein the symbolic execution result comprises an opcode, a variable, and/or a data stream involved in each execution of the action;
the process of determining the vulnerability of the target intelligent contract according to the symbolic execution result comprises the following steps:
determining a vulnerability of a target intelligent contract according to the operation code and a preset detection specification;
wherein the detection rule comprises:
if the variable on which the operation code depends comprises COINBASE, TIMETAMETAMP, NUMBER, DIFFICITY and/or GASLIMIT, determining that the target intelligent contract has a vulnerability of transferring depending on the block state;
judging whether the operation of transferring accounts first and then modifying the account book exists or not according to the operation codes and the data flow, and if so, determining that a reentry vulnerability exists in the target intelligent contract;
and for the incoming variable, if the variable itself or the variable after data flow is used as a parameter of the DelegateCall, determining that the target intelligent contract has a dangerous vulnerability of the entrustment call.
7. The method of claim 1, wherein the path selection model is a deep Q learning network DQN model; the training process of the DQN model comprises the following steps:
acquiring an intelligent contract code;
performing modeling on the symbol of the intelligent contract code into a Markov decision process to obtain a state space S, an action space A and a reward value R corresponding to an action of the DQN model;
initializing a network parameter Q (S, a) of the DQN model, wherein S belongs to S, and a belongs to A;
making a decision on path selection in the symbol execution process through the DQN model, and taking an action a according to the decisiontEnter state st+1And calculating a reward r(s) earned by said actiont,at) Updating the network parameter Q until the network parameter Q converges:
Q(st,at)←Q(st,at)+α(Rt+1+λmaxaQ(st+1,at)-Q(st,at))
where α refers to a learning rate for controlling the degree of difference to be taken into account between the previous Q value and the newly proposed Q value.
8. A detection device of intelligence contract leak which characterized in that includes:
the interface construction unit is used for constructing an interactive interface of the path selection model and the symbolic execution platform according to the state of the intelligent contract, the path space of the intelligent contract and whether the vulnerability of the intelligent contract is triggered in symbolic execution;
the platform building unit is used for connecting the trained path selection model to a symbol execution platform through the interactive interface, and the path selection model makes a decision on path selection in the symbol execution process;
the path selection model is obtained by adopting a reinforcement learning algorithm through unsupervised learning training;
the symbol execution unit is used for traversing the executable path of the target intelligent contract through the symbol execution platform to obtain a symbol execution result;
and the vulnerability mining unit is used for determining the vulnerability of the target intelligent contract according to the symbolic execution result.
9. A detection equipment of intelligent contract vulnerability, comprising: a memory and a processor;
the memory is used for storing programs;
the processor is used for executing the program and realizing the steps of the intelligent contract vulnerability detection method according to any one of claims 1-7.
10. A storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the method of detecting a smart contract vulnerability according to any of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111216136.2A CN113886836A (en) | 2021-10-19 | 2021-10-19 | Intelligent contract vulnerability detection method and related equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111216136.2A CN113886836A (en) | 2021-10-19 | 2021-10-19 | Intelligent contract vulnerability detection method and related equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113886836A true CN113886836A (en) | 2022-01-04 |
Family
ID=79003572
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111216136.2A Pending CN113886836A (en) | 2021-10-19 | 2021-10-19 | Intelligent contract vulnerability detection method and related equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113886836A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114510723A (en) * | 2022-02-18 | 2022-05-17 | 北京大学 | Intelligent contract authority management vulnerability detection method and device |
-
2021
- 2021-10-19 CN CN202111216136.2A patent/CN113886836A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114510723A (en) * | 2022-02-18 | 2022-05-17 | 北京大学 | Intelligent contract authority management vulnerability detection method and device |
| CN114510723B (en) * | 2022-02-18 | 2024-04-16 | 北京大学 | Intelligent contract authority management vulnerability detection method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Mavridou et al. | VeriSolid: Correct-by-design smart contracts for Ethereum | |
| Kashyap et al. | JSAI: A static analysis platform for JavaScript | |
| Momeni et al. | Machine learning model for smart contracts security analysis | |
| US8935677B2 (en) | Automatic reverse engineering of input formats | |
| CN111259395B (en) | Method and device for acquiring utilization program of intelligent contract and storage medium | |
| CN110096439B (en) | Test case generation method for solidity language | |
| Grech et al. | MadMax: Analyzing the out-of-gas world of smart contracts | |
| CN114266050A (en) | Cross-platform malicious software countermeasure sample generation method and system | |
| Naeem et al. | Scalable mutation testing using predictive analysis of deep learning model | |
| Li et al. | Detecting standard violation errors in smart contracts | |
| CN113886836A (en) | Intelligent contract vulnerability detection method and related equipment | |
| Aydin et al. | Automated test generation from vulnerability signatures | |
| Sendner et al. | Smarter Contracts: Detecting Vulnerabilities in Smart Contracts with Deep Transfer Learning. | |
| CN106709350A (en) | Virus detection method and device | |
| Moyen et al. | Loop quasi-invariant chunk detection | |
| CN116702157B (en) | Intelligent contract vulnerability detection method based on neural network | |
| US10585651B2 (en) | Partial connection of iterations during loop unrolling | |
| CN116663018A (en) | Vulnerability detection method and device based on code executable path | |
| CN111079932A (en) | Intelligent honeypot system based on reward feedback | |
| CN115688108A (en) | Webshell static detection method and system | |
| Yilmaz et al. | Guide me to exploit: Assisted ROP exploit generation for ActionScript virtual machine | |
| CN115168861A (en) | Data security verification method, device, equipment and storage medium | |
| US20210271762A1 (en) | Method and device for symbolic analysis of a software program | |
| Pfeffer et al. | Efficient and safe control flow recovery using a restricted intermediate language | |
| Pontiggia et al. | Verification of programs with exceptions through operator precedence automata |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |