CN114996126A - Vulnerability detection method and system for EOSIO intelligent contract - Google Patents

Abstract

The invention discloses a vulnerability detection method and system for an EOSIO intelligent contract, and belongs to the technical field of block chain intelligent contracts. And carrying out gray box test on the EOSIO intelligent contract, and finding and reporting the security vulnerability existing in the EOSIO intelligent contract so as to improve the security of the intelligent contract in the block chain and reduce the economic loss caused by the security vulnerability of the intelligent contract. The method can fully test the EOSIO intelligent contract, and has the advantages of high code coverage rate and high detection accuracy compared with the conventional EOSIO intelligent contract vulnerability detection method, so that the accuracy, efficiency and automation degree of vulnerability excavation of the EOSIO intelligent contract can be improved, the potential security vulnerability of the intelligent contract is fully analyzed, the security of the intelligent contract is improved, and unnecessary loss is avoided.

Description

Vulnerability detection method and system for EOSIO intelligent contract

Technical Field

The invention belongs to the technical field of intelligent contracts of block chains, and particularly relates to a fuzzy test method and a fuzzy test system for an EOSIO intelligent contract gray box.

Background

Research aiming at intelligent contract vulnerability detection can be divided into the following three categories according to a detection method of the intelligent contract vulnerability detection:

the formal verification method scans the intelligent contract source code or byte code through syntax analysis, control flow analysis and data flow analysis, establishes an abstract syntax tree, a control flow graph and a data flow graph, and further adopts a formal tool to model, analyze and verify the execution process of the intelligent contract. Representative tools of this type are vulhunter, Slither, and the like, which parses the WebAssembly bytecode file of the EOSIO intelligent contract to generate a control flow graph, and matches the code blocks in the control flow graph that are relevant to the intelligent contract vulnerability using a predefined pattern. The EVul Hunter only supports two EOSIO intelligent contract security vulnerabilities, the predefined mode used by the EVul Hunter depends on the known attack means, the EVul Hunter must regenerate the predefined mode once the attack means is changed, and the generation of the predefined mode must be manually extracted and summarized from the intelligent contract, so that the extension of vulnerability support types is limited. Slither is a vulnerability detection tool for an intelligent Ethenhouse contract, and takes a Solidiy abstract syntax tree compiled from the intelligent Ethenhouse contract as input, obtains a type inheritance graph and a control flow graph of the intelligent contract through data integration, analyzes information of variables and functions in the intelligent Ethenhouse contract, reads and writes the variables, controls function permissions and the like, and searches for a mode matched with a security vulnerability from the information. Tikhomirov et al have proposed SmartCheck, a classification-based ethernet intelligent contract security vulnerability detection tool, SmartCheck can process ethernet intelligent contract bytecode written by Solidity, and convert the bytecode into an XML form, and then analyze the XPath path in the converted XML file to detect security vulnerabilities in ethernet intelligent contracts. Wang et al propose ContractWard, which, unlike other similar tools, combines the advantages of formal verification methods and machine learning techniques, and reduces the time overhead of static detection by training a machine learning model for vulnerability patterns. However, the vulnerability model used by the three parties is unique to the Ethengfang intelligent contract and cannot be applied to the EOSIO intelligent contract. Secondly, the Ethernet intelligent contracts are compiled into the solid byte codes and executed in an EVM virtual machine of the Ethernet, the EOSIO intelligent contracts are compiled into the WebAssembly byte codes and executed in the WebAssembly virtual machine by using the C/C + + language, and the architecture, the type system and the execution environment of the Ethernet intelligent contracts and the EOSIO intelligent contracts are fundamentally different, so that a vulnerability detection tool specially used for the Ethernet or based on the EVM virtual machine cannot be transplanted for detecting the security vulnerability of the EOSIO intelligent contracts. In addition, the formal verification method has a great limitation for intelligent contract vulnerability mining, and since the blockchain can be regarded as a huge state machine, the execution path of the intelligent contract is not only related to the input received by the contract and the program context of the contract, but also depends on the state of the blockchain when the contract is executed, so that the formal verification method lacking the state information of the blockchain may misjudge that the code which cannot be executed in the real environment has a security vulnerability, and the false alarm rate is increased. Similarly, the static analysis method cannot solve the problem of intelligent contract security vulnerability detection related to identity verification, storage and transmission of confidential data.

The fuzzy testing method judges whether the execution behavior of the intelligent contract accords with the testing prediction of the security vulnerability by sending the testing transaction to the intelligent contract and recording and analyzing the execution behavior of the intelligent contract. Representative works for such tools are Con-traceFuzzer, EOSFuzzer, and Echidna, among others. Con-tracefuzzy is a black box fuzzy test tool for an Ethernet intelligent contract, 7 kinds of test predictions of security vulnerabilities of the Ethernet intelligent contract are defined, the Contractfuzzy is used for firstly obtaining a function signature of the intelligent contract from an application binary interface of the Ethernet intelligent contract, generating a fuzzy test input meeting the specification of the application binary interface, then executing the test input by using the intelligent contract in a local EVM virtual machine, recording an execution log of the intelligent contract, and finally detecting whether the execution log is in accordance with the test predictions. However, the interaction mode of the EOSIO intelligent contract is greatly different from that of the ethernet intelligent contract, for example, the EOSIO contract transfer must be performed by calling the system contract EOSIO. token, and the EOSIO uses the role-based authority management, and the signature and authentication mode of the transaction are significantly different from that of the ethernet, so that the vulnerability detection tool based on the EVM virtual machine cannot be used for detecting the EOSIO intelligent contract. The EOSFuzzer is used as a black box fuzzy test tool for the EOSIO intelligent contract and is similar to the vulnerability detection principle of the ContractFuzzer, but the EOSFuzzer defines 3 testing predictions of the security vulnerability of the EOSIO intelligent contract and uses one local EOSIO node as a fuzzy test execution environment of the intelligent contract. The fuzzy test method of the intelligent contract is essentially to deploy the tested contract on a local private chain and use a fuzzy test case based on the intelligent contract interface rule to interact with the tested contract. Because the tested contracts are already deployed on the block chain when the test is carried out, the fuzzy test method can trigger the loopholes by using the state of the block chain and the interaction mode among the contracts, and solves the problems that the formal verification method has high false alarm rate and cannot solve the security loopholes related to identity verification, encrypted data storage and transmission. However, the existing tools are based on the fuzzy test of a pure black box, the generation and the variation of the fuzzy test input can only use the prior experience of the existing vulnerability attack method, certain blindness exists, and the internal execution condition of a program is not considered, so that the coverage rate of codes of the fuzzy test tool aiming at the WebAssembly intelligent contract is low, and a large amount of report missing is caused.

Symbol execution method symbol execution technology was proposed in 1970 and has been a research hotspot in recent years. The method adopts abstract symbols to replace determined variable values as program input, and obtains an output result of each path abstraction. Compared with the black box fuzzing test method, the symbolic execution method can efficiently explore the execution path of the intelligent contract and achieve code coverage close to 100%. Because the symbolic execution method is mostly based on an x86/x64 structure, and byte code files of the intelligent contract have differences in the architecture, program organization and storage form, the application of the symbolic execution method in the field of the intelligent contract needs to firstly solve the problems of function interface identification, variable type inference and the like. Cabilllero et al propose methods to extract key code from x86/x64 architecture binary programs, identify program interfaces and function signatures therein, and use this information for symbolic execution of x86/x64 programs to improve security tool performance. The method for converting the Ethernet workshop virtual machine byte codes into the rule-based expression form is provided by Albert et al, and the difficulty of performing symbol execution on the Ethernet workshop intelligent contract byte codes is reduced. In the field of intelligent contract security vulnerability detection, a security tool based on a symbolic execution method also exists, and representative works of the tool are WANA, Mythril, Mythx and the like. WANA is a security vulnerability detection framework for EtherFang and EOSIO intelligent contracts that uses symbolic execution engines to explore intelligent contract execution paths and report the existence of vulnerabilities when an execution path is found that is reachable from the bug code to the token transfer function. Similar to the formal verification method, the detection method also fails to consider the block chain state when the intelligent contract is actually executed, and only an execution path can be determined between the defect code and the transfer function, but when an account authentication action exists on the execution path, the path may not be reached when the intelligent contract is executed on the actual chain, so that false alarm is caused. In addition, the defect code mode defined by the WANA is also defined by using a hard coding mode, only two defect code modes of the EOSIO intelligent contract are defined, compared with 8 common security holes, the detection capability is insufficient, and the defect code definition mode of the hard coding limits the further expansion of the WANA. Mythril is an EVM bytecode security analysis tool that can detect intelligent contract security vulnerabilities based on EVM virtual machines using symbolic execution, constraint solving, and taint analysis methods. We must emphasize again that there are fundamental differences in architecture, type system and operation mode between the WebAssembly virtual machine and the EVM virtual machine used by the EOSIO intelligent contract, so that vulnerability detection tools for the EVM intelligent contract, such as Mythril, cannot be transplanted and applied to vulnerability detection of the EOSIO intelligent contract based on the WebAssembly virtual machine.

In summary, the existing method has the problems of weak expansion capability, few types of supported vulnerabilities, low coverage rate of test codes of the EOSIO intelligent contract and insufficient test, so that the security vulnerabilities in the EOSIO intelligent contract cannot be effectively detected, and economic losses are caused to users and developers of the intelligent contract. The method can effectively solve the problems of the existing method, improve the accuracy, efficiency and automation degree of vulnerability discovery, fully analyze the potential security vulnerability of the intelligent contract, improve the security of the intelligent contract and avoid unnecessary loss.

Disclosure of Invention

The technical problem to be solved by the invention is as follows: and carrying out gray box test on the EOSIO intelligent contract, and finding and reporting the security vulnerability existing in the EOSIO intelligent contract so as to improve the security of the intelligent contract in the block chain and reduce the economic loss caused by the security vulnerability of the intelligent contract.

In view of the above problems in the prior art, an object of the present invention is to provide a vulnerability detection method for an EOSIO intelligent contract, which includes:

step 1: performing instrumentation on a chain API of an EOSIO blockchain platform and a WebAssembly virtual machine, and recording chain API call information and code coverage rate information of instrumented codes during the running period of an intelligent contract;

step 2: compiling the intelligent contract source code to generate an intelligent contract ABI file and a WebAssembly byte code file for the intelligent contract of the active code, and directly reading the ABI file and the WebAssembly byte code file for the intelligent contract of the passive code;

and step 3: instrumentation is carried out on the intelligent contract WebAssembly byte code file, and the instrumentation code records the execution path of the instrumentation code during the running of the intelligent contract;

and 4, step 4: deploying the intelligent contract byte code file to a local block chain node, analyzing the intelligent contract ABI file, and acquiring a function list of the intelligent contract;

and 5: generating a test case according to the intelligent contract function list obtained in the step 4, and executing the test case on the block chain; the test case comprises a method or a function of a function list in the intelligent contract and parameters required for calling the method or the function;

step 6: recording an intelligent contract execution path and code coverage rate, and judging whether the execution path meets a test prediction or not so as to judge and report security vulnerabilities in the intelligent contract; the code coverage rate is code execution rate, and the test prediction refers to a possible execution path of the intelligent contract with the vulnerability;

and 7: and (5) carrying out mutation on the test case according to the code coverage rate, and returning to the step 5 for repeated operation.

Further, the concrete pile inserting method in the step 1 comprises the following steps:

step A1: inserting code record chain API call information into each chain API of the EOSIO block chain platform at an implementation function inlet of the chain API, and writing the call information into a log file; the calling information specifically comprises a caller of the chain API, calling time of the chain API and parameters used by the calling chain API;

step A2: performing instrumentation on the addressing and jumping logic of the WebAssembly virtual machine, wherein the instrumentation mode is as follows: searching code positions for processing jump and function call in the WebAssembly virtual machine source code, namely modifying the code positions of the program counter PC, inserting codes for calculating the current address of the program counter PC and the address after the jump into the positions, and recording the current address of the program counter PC and the address after the jump;

step A3: at the instrumentation position searched in the step a2, performing an exclusive or operation on the current position P1 and the jump position P2 of the program counter PC of the WebAssembly virtual machine by the insertion code, and performing a shift operation on P1 and P2 to generate an integer for identifying an execution path of the tested intelligent contract;

step A4: and B, inserting code for counting the execution path of the tested intelligent contract at the instrumentation position searched by the step A2, and recording the execution path of the tested contract generated by the step A3 into an intelligent contract code coverage rate information file by the inserted code.

Further, the pile inserting method in the step 3 comprises:

step B1: disassembling the intelligent contract WebAssembly byte code file to obtain a WAST file, and then extracting a function signature imported by the intelligent contract;

b2, searching for the pile inserting position in the WAST file, wherein the concrete determination mode for searching for the pile inserting position is as follows: searching a function definition area in each WAST file, and positioning an instruction sequence distributed by the function stack for each function; wherein, the stack allocates the characteristics of the instruction sequence: firstly, reading a stack pointer variable to a global variable reading instruction on a stack, then reading a stack length to a 32-bit integer stacking instruction on the stack, and finally subtracting the stack length variable from the stack pointer variable to generate a 32-bit integer subtraction instruction of a new stack pointer variable, wherein the position where the 32-bit integer subtraction instruction ends is a pile inserting position;

step B3: inserting a function signature imported by an intelligent contract into a WAST file function import section;

step B4: inserting a stack allocation code, a function call code and a stack cleaning code of a function call imported by the intelligent contract into each insertion position searched by the step B2 in the WAST file;

step B5: recompiling the WAST file into a WebAssembly file to complete the pile insertion;

further, the method for acquiring the execution path of the intelligent contract in step 6 includes: reading a chain API call information log file generated by instrumentation codes of the chain API of the EOSIO blockchain platform in the step 1, and reading an intelligent contract execution path log file generated by the instrumentation codes of intelligent contract WebAssembly byte codes in the step 3, wherein the two files jointly form an execution path of an intelligent contract.

Further, the method for calculating the code coverage in step 6 is as follows: reading intelligent contract code coverage rate information generated by the WebAssembly virtual machine instrumentation code in the step 1, counting the number of integers identifying execution paths in a file, and taking the number of the paths as the code coverage rate of the intelligent contract.

Further, the test prediction in the step 6 is defined by the user according to the type of the vulnerability to be detected.

A vulnerability detection system for an EOSIO smart contract, the system comprising: the test system comprises a test case generating module, a fuzzy test controller module and an intelligent contract operation information collecting module;

the test case generation module realizes that: generating a test case by taking code coverage as a guide; analyzing the ABI file of the contract to be tested to obtain parameter list information required by the function call; during the first fuzzy test, generating a test case based on a pure random mode, stacking data in the test case to generate an unstructured seed file, and starting a grey box fuzzy test parameter generation engine at the bottom layer; in the subsequent fuzzy test process, the bottom layer parameter production engine can continuously generate new output character strings according to the code coverage rate information fed back by the fuzzy test controller module; according to the stored parameter list information, a test case which accords with the semantics of an intelligent contract function can be generated through bitwise interception, type forced conversion and structured combination;

the fuzzy test controller module implements: logic control including intelligent contract test environment construction, intelligent contract fuzzy test process control and vulnerability detection;

the intelligent contract operation information collection module is an EOSIO local node which performs instrumentation on addressing and jumping logics of a chain API and a WebAssembly virtual machine;

the intelligent contract operation information collection module adopts a chain API (application program interface) instrumentation mode as follows: inserting code record chain API call information into each chain API of the EOSIO block chain platform at an implementation function inlet of the chain API, and writing the call information into a log file; the call information specifically includes a caller of the chain API, a call time of the chain API, and a parameter used to call the chain API.

Further, the method for realizing logic control including intelligent contract test environment construction, intelligent contract fuzzy test process control and vulnerability detection in the fuzzy test controller module comprises the following steps:

the intelligent contract testing environment is constructed as follows: before fuzzy test is carried out on intelligent contracts, intelligent contract source codes of active codes are compiled to generate intelligent contract ABI files and WebAssembly byte code files, and for the intelligent contracts of passive codes, the ABI files and the WebAssembly byte code files are directly read; analyzing the ABI file of the intelligent contract and reading a function list of the intelligent contract; then, the fuzzy test controller module disassembles the intelligent contract WebAssembly byte code file to obtain a WAST file, extracts a function signature imported by the intelligent contract, searches for a stub position in the WAST file, inserts a code to record execution path information of the intelligent contract when the intelligent contract is executed, and the concrete determination mode of the stub position is as follows: searching a function definition area in each WAST file, and positioning an instruction sequence distributed by the function stack for each function; the stack allocation instruction sequence is characterized by comprising a global variable reading instruction for reading a stack pointer variable onto a stack, a 32-bit integer stacking instruction for reading the stack length onto the stack, and a 32-bit integer subtraction instruction for subtracting the stack length variable from the stack pointer variable to generate a new stack pointer variable, wherein the end position of the 32-bit integer subtraction instruction is a peg-insertion position, and then a function signature imported by an intelligent contract is inserted into a function import section of a WAST file, and a stack allocation code, a function call code and a stack cleaning code called by the function imported by the intelligent contract are inserted into each insertion position in the WAST file; finally, deploying the intelligent contract byte code file to an intelligent contract operation information collection module to construct a test environment for the intelligent contract;

the intelligent contract fuzzy test process control: loading detection configuration of intelligent contract security loopholes to be detected, reading an intelligent contract name and a fuzzy test round number N in the detection configuration, reading a test case transaction generated for an intelligent contract from a test case generation engine module, submitting the test case transaction to an intelligent contract operation information collection module to execute the transaction so as to execute an attack action on the intelligent contract, exiting a fuzzy test process control logic of the contract after N rounds of tests are performed, and after each round of tests are finished, obtaining code coverage rate information generated by the intelligent contract information collection module by a fuzzy test controller module and feeding the code coverage rate information back to the test case generation module;

and detecting the vulnerability: after the fuzzy test controller module performs 1 round of fuzzy test each time, acquiring the execution path information of the current 1 round of test intelligent contract from the intelligent contract operation information collector, comparing the execution path information with the test prediction defined by the detection configuration, and reporting that the current intelligent contract has a security vulnerability if the execution path of the intelligent contract comprises a mode defined by the test prediction.

The method can fully test the EOSIO intelligent contract, and has the advantages of high code coverage rate and high detection accuracy compared with the conventional EOSIO intelligent contract vulnerability detection method, so that the accuracy, efficiency and automation degree of vulnerability excavation of the EOSIO intelligent contract can be improved, the potential security vulnerability of the intelligent contract is fully analyzed, the security of the intelligent contract is improved, and unnecessary loss is avoided.

Drawings

FIG. 1 is a system architecture diagram of the present invention.

FIG. 2 is a flow chart of the system operation of the present invention.

Detailed Description

WASM, or WebAssembly, is an experimental low-level programming language that is applied to clients within browsers. WebAssembly is a portable abstract syntax tree designed to provide faster compilation and execution than JavaScript. WebAssembly will allow developers to compile using their familiar programming languages (initially with C/C + + as the implementation target) and then execute it in the browser by the virtual machine engine. The WebAssembly virtual machine is a virtual execution environment of the WebAssembly program. Smart contracts (english) are a special protocol used in the block chain for making contracts, and contain code functions, and also have the functions of interacting with other contracts, making decisions, storing data, sending ethernet coins, etc. Intelligent contract principals provide verification and execution of conditions established within the contract. Smart contracts allow trusted transactions to be conducted without third parties. These transactions are traceable and irreversible. Code coverage (english: Code coverage) is a measure in software testing, the narrow Code coverage describes the degree of source Code testing in a program, the ratio of the tested Code to all the Code is called Code coverage, and when the source Code of the program cannot be obtained, the Code coverage can also be approximately simulated by using the number of jump paths.

Fig. 1 shows a specific embodiment of an intelligent contract vulnerability detection system for EOS according to the present invention. The system comprises three parts of components: the system comprises a test case generating module, a fuzzy test controller module and an intelligent contract operation information collecting module;

the test case generation module has the functions of: generating a test case by taking code coverage as a guide; analyzing the ABI file of the contract to be tested to obtain parameter list information required by the function call; during the first fuzzy test, generating a test case based on a pure random mode, stacking data in the test case to generate an unstructured seed file, and starting a grey box fuzzy test parameter generation engine at the bottom layer; in the subsequent fuzzy test process, the bottom layer parameter production engine can continuously generate new output character strings according to the code coverage rate information fed back by the fuzzy test controller module; according to the stored parameter list information, a test case which accords with the semantics of an intelligent contract function can be generated through bitwise interception, type forced conversion and structured combination;

the fuzzy test controller module functions include: the logic control including intelligent contract test environment construction, intelligent contract fuzzy test process control and vulnerability detection; wherein:

the intelligent contract testing environment is constructed as follows: before fuzzy test is carried out on the intelligent contract, intelligent contract source code compiling is carried out on the intelligent contract of the active code to generate an intelligent contract ABI file and a WebAssembly byte code file, and the ABI file and the WebAssembly byte code file of the intelligent contract of the passive code are directly read; analyzing the ABI file of the intelligent contract and reading a function list of the intelligent contract; then, the fuzzy test controller module disassembles the intelligent contract WebAssembly byte code file to obtain a WAST file, extracts a function signature imported by the intelligent contract, searches for a stub position in the WAST file, inserts a code to record execution path information of the intelligent contract when the intelligent contract is executed, and the concrete determination mode of the stub position is as follows: searching a function definition area in each WAST file, and positioning an instruction sequence distributed by the function stack for each function; the stack allocation instruction sequence is characterized by comprising a global variable reading instruction for reading a stack pointer variable onto a stack, a 32-bit integer stacking instruction for reading the stack length onto the stack, and a 32-bit integer subtraction instruction for subtracting the stack length variable from the stack pointer variable to generate a new stack pointer variable, wherein the end position of the 32-bit integer subtraction instruction is a peg-insertion position, and then a function signature imported by an intelligent contract is inserted into a function import section of a WAST file, and a stack allocation code, a function call code and a stack cleaning code called by the function imported by the intelligent contract are inserted into each insertion position in the WAST file; finally, deploying the intelligent contract byte code file to an intelligent contract operation information collection module to construct a test environment for the intelligent contract;

the intelligent contract fuzzy test process control: loading detection configuration of intelligent contract security loopholes to be detected, reading an intelligent contract name and a fuzzy test round number N in the detection configuration, reading test case transaction generated for an intelligent contract from a test case generation engine module, submitting the test case transaction to an intelligent contract operation information collection module to execute the transaction so as to execute attack behaviors on the intelligent contract, exiting a fuzzy test process control logic of the contract after N rounds of tests are performed, and after each round of tests are finished, obtaining code coverage rate information generated by the intelligent contract information collection module by a fuzzy test controller module and feeding the code coverage rate information back to the test case generation module;

the vulnerability detection comprises the following steps: after the fuzzy test controller module performs 1 round of fuzzy test each time, acquiring the execution path information of the current 1 round of test intelligent contract from the intelligent contract operation information collector, comparing the execution path information with the test prediction defined by the detection configuration, and reporting that the current intelligent contract has a security vulnerability if the execution path of the intelligent contract comprises a mode defined by the test prediction.

The intelligent contract operation information collection module is an EOSIO local node which performs instrumentation on addressing and jumping logic of a chain API and a WebAssembly virtual machine;

the intelligent contract operation information collection module adopts a chain API (application program interface) instrumentation mode as follows: inserting code record chain API call information into each chain API of the EOSIO block chain platform at an implementation function inlet of the chain API, and writing the call information into a log file; the calling information specifically comprises a caller of the chain API, calling time of the chain API and parameters used by the calling chain API;

the chain API pile inserting method specifically comprises the following steps:

in an EOSIO intelligent contract, the number of a current or previous block can be inquired through the tap _ block _ num ()/tap _ block _ prefix (), and for API instrumentation of the two chains, whether information related to the block chain is inquired in the running process of the intelligent contract or not can be judged;

the transfer () function of a system contract eosio. token is instrumented to record EOS token transfer behaviors occurring in the running process of an intelligent contract;

a require _ recipient () for sending a copy of the current transaction to the designated account for notifying the account that the current transaction has been executed;

require _ auth ()/has _ auth (), which is used to confirm whether the transaction contains the authority of the specified account, and determine whether the intelligent contract has performed authority detection on the incoming action by means of instrumentation;

when the intelligent contract needs to allocate a new memory, the WebAssembly virtual machine calls a memcpy () external function, and the length and the position of stack memory allocation in the operation process of the intelligent contract are obtained by inserting the function;

6. the authority sensitive API comprises db _ store (), db _ update (), db _ clear (), API functions such as send _ inline () and send _ transferred () for signing and sending transactions, and the APIs can operate the data stored in the chain, start and send new transactions and check whether API callers have execution authority before use;

the specific method for inserting the WebAssembly virtual machine comprises the following steps of;

1. and searching code positions for processing jump and function call in the WebAssembly virtual machine source code, namely modifying the code positions of the program counter PC, and inserting codes for calculating the current address of the program counter PC and the address after the jump into the code positions.

2. After the WebAssembly virtual machine addresses and jumps the logic instrumentation position, inserting a code to perform XOR operation on the current position and the jump position of a program counter PC of the WebAssembly virtual machine, and then inserting the code to generate an execution path by using shift operation.

3. And inserting codes for counting execution paths into the WebAssembly virtual machine, wherein each path is identified by using an integer to generate an intelligent contract code coverage rate information file.

The intelligent contract operation information collection module is used for collecting chain API call information of the intelligent contract, and executing path information and code coverage rate information.

1. Collecting calling information and execution path information of an intelligent contract chain API: reading a chain API call information log file generated by instrumentation code of a chain API of an EOSIO blockchain platform to collect intelligent contract chain API call information, and reading an intelligent contract execution path log file generated by instrumentation code of intelligent contract WebAssembly byte codes to collect intelligent contract execution path information.

2. Intelligent contract code coverage collection: reading an intelligent contract code coverage rate information file generated by the WebAssembly virtual machine instrumentation code, counting the number of integers identifying execution paths in the file, and taking the number of the paths as the code coverage rate of the intelligent contract.

Taking the detection flow of stack overflow vulnerability as an example, the whole process of vulnerability detection by using the specific embodiment of the invention is shown in fig. 2:

the intelligent contract running information collection module records information such as execution paths and code coverage rate of the intelligent contract during running by instrumentation of a chain API of an EOSIO block chain and a WebAssembly virtual machine;

wherein the chain API of the instrumented EOSIO blockchain includes:

in the EOSIO intelligent contract, the number of the current or previous block can be inquired through the two blocks, and the API (application program interface) instrumentation of the two chains can judge whether the information related to the block chain is inquired in the running process of the intelligent contract or not;

the transfer () function of a system contract eosio. token is instrumented to record EOS token transfer behaviors occurring in the running process of an intelligent contract;

a require _ recipient () for sending a copy of the current transaction to the designated account for notifying the account that the current transaction has been executed;

require _ auth ()/has _ auth (), which is used for confirming whether the transaction contains the authority of the specified account, and whether the intelligent contract carries out authority detection on the incoming action can be judged by inserting the authority;

when the intelligent contract needs to allocate a new memory, the WebAssembly virtual machine calls a memcpy () external function, and the allocated length and position of the stack memory in the running process of the intelligent contract can be obtained by inserting the function;

the authority sensitive API comprises db _ store (), db _ update (), db _ clear (), and API functions such as send _ inline () and send _ preferred () for signing and sending transactions, wherein the API functions can operate and close the data stored in the chain, start and send new transactions, and check whether an API caller has execution authority before use;

instrumented WebAssembly virtual machine instructions include:

control instruction, namely, performing instrumentation on the control instruction in the instruction set to record the instruction name and the value of a program counter PC during the execution of the intelligent contract, wherein the information is mainly used for calculating the code coverage rate and acquiring the information of the intelligent contract function call chain;

an arithmetic instruction, namely performing instrumentation on the addition and multiplication instructions to support the detection of integer overflow loopholes;

the fuzzy test controller module compiles the intelligent contract source code to generate an intelligent contract ABI file and a WebAssembly byte code file for the intelligent contract of the active code, and directly reads the ABI file and the WebAssembly byte code file for the intelligent contract of the passive code;

the fuzzy test controller module disassembles the WebAssembly byte code file of the contract to obtain a WAST file, extracts a function signature imported by the intelligent contract, searches for a instrumentation position in the WAST file, and inserts a stack allocation code, a function call code and a stack cleaning code of a function call imported by the intelligent contract;

the fuzzy test controller module deploys the intelligent contract byte code file to a local block link node, and simultaneously analyzes the intelligent contract ABI file to obtain a function list of the intelligent contract;

the fuzzy test controller module reads configuration information such as a function domain, a fuzzy test round and the like according to the current intelligent contract security vulnerability detection configuration, and then selects a function which meets the function domain condition in the intelligent contract to perform fuzzy test of the corresponding round;

the test case generation module reads parameter list information of a tested function in an intelligent contract ABI file during first fuzzy test, generates a test case based on a pure random mode, and simultaneously stacks data in the test case to generate an unstructured seed file to start a bottom gray box fuzzy test parameter generation engine;

in the subsequent fuzzy test process of the test case generation module, the bottom layer parameter production engine can continuously generate new output character strings according to the code coverage rate information fed back by the fuzzy test controller module; according to the previously stored parameter list information, a test case which accords with the semantics of an intelligent contract function can be generated through bitwise interception, type strong conversion and structured combination;

the fuzzy test controller module calls a corresponding intelligent contract function according to the test case output by the test case generating module;

the intelligent contract running information collection module writes calling information and code coverage rate information into a log file based on chain API (application programming interface) callers, calling time, API use parameters and the like of previous instrumentation records;

the fuzzy test controller module analyzes the generated log file and judges whether the execution path meets a test prediction or not so as to judge and report security flaws in the intelligent contract; simultaneously calculating the code coverage rate in the current fuzzy test iteration process;

and the fuzzy test controller module selects whether the next round of test is needed or not according to the detection result of the current round of fuzzy test.

Claims (8)

1. A vulnerability detection method for EOSIO intelligent contracts comprises the following steps:

step 1: performing instrumentation on a chain API of an EOSIO blockchain platform and a WebAssembly virtual machine, and recording chain API call information and code coverage rate information of instrumented codes during the running period of an intelligent contract;

step 2: compiling the intelligent contract source code to generate an intelligent contract ABI file and a WebAssembly byte code file for the intelligent contract of the active code, and directly reading the ABI file and the WebAssembly byte code file for the intelligent contract of the passive code;

and step 3: instrumentation is carried out on the intelligent contract WebAssembly byte code file, and the instrumentation code records the execution path of the instrumentation code during the running of the intelligent contract;

and 4, step 4: deploying the intelligent contract byte code file to a local block chain node, analyzing the intelligent contract ABI file, and acquiring a function list of the intelligent contract;

and 5: generating a test case according to the intelligent contract function list obtained in the step 4, and executing the test case on the block chain; the test case comprises a method or a function of a function list in the intelligent contract and parameters required by calling the method or the function;

step 6: recording an intelligent contract execution path and code coverage rate, and judging whether the execution path meets a test prediction or not so as to judge and report security vulnerabilities in the intelligent contract; the code coverage rate is code execution rate, and the test prediction refers to a possible execution path of the intelligent contract with the vulnerability;

and 7: and (5) mutating the test case according to the code coverage rate, and returning to the step 5 for repeated operation.

2. The vulnerability detection method for EOSIO intelligent contracts according to claim 1, wherein the specific instrumentation method in the step 1 is as follows:

step A1: inserting code record chain API call information into each chain API of the EOSIO block chain platform at an implementation function inlet of the chain API, and writing the call information into a log file; the calling information specifically comprises a caller of the chain API, calling time of the chain API and parameters used by the calling chain API;

step A2: performing instrumentation on the addressing and jumping logic of the WebAssembly virtual machine, wherein the instrumentation mode is as follows: searching code positions for processing jump and function call in a WebAssembly virtual machine source code, namely modifying the code positions of a program counter PC, inserting codes for calculating the current address of the program counter PC and the address after jump into the positions, and recording the current address of the program counter PC and the address after jump;

step A3: in the instrumentation position searched in the step a2, performing xor operation on the current position P1 and the jump position P2 of the program counter PC of the WebAssembly virtual machine by the insertion code, and performing shift operation on P1 and P2 to generate an integer for identifying an execution path of the tested intelligent contract;

step A4: and B, inserting code for counting the execution path of the tested intelligent contract at the instrumentation position searched by the step A2, and recording the execution path of the tested contract generated by the step A3 into an intelligent contract code coverage rate information file by the inserted code.

3. The vulnerability detection method for EOSIO intelligent contracts according to claim 1, wherein the instrumentation method in the step 3 is as follows:

step B1: disassembling the intelligent contract WebAssembly byte code file to obtain a WAST file, and then extracting a function signature imported by the intelligent contract;

b2, searching for the pile inserting position in the WAST file, wherein the concrete determination mode for searching for the pile inserting position is as follows: searching a function definition area in each WAST file, and positioning an instruction sequence distributed by the function stack for each function; wherein, the stack allocates the characteristics of the instruction sequence: firstly, reading a stack pointer variable to a global variable reading instruction on a stack, then reading a stack length to a 32-bit integer stacking instruction on the stack, and finally subtracting the stack length variable from the stack pointer variable to generate a 32-bit integer subtraction instruction of a new stack pointer variable, wherein the position where the 32-bit integer subtraction instruction ends is a pile inserting position;

step B3: inserting a function signature imported by an intelligent contract into a WAST file function import section;

step B4: inserting a stack allocation code, a function call code and a stack cleaning code of a function call imported by the intelligent contract into each insertion position searched by the step B2 in the WAST file;

step B5: and recompiling the WAST file into a WebAssembly file to complete the instrumentation.

4. The method for detecting the vulnerability of the EOSIO intelligent contract according to claim 1, wherein the method for acquiring the execution path of the intelligent contract in the step 6 comprises: reading a chain API call information log file generated by instrumentation codes of the chain API of the EOSIO blockchain platform in the step 1, and reading an intelligent contract execution path log file generated by the instrumentation codes of intelligent contract WebAssembly byte codes in the step 3, wherein the two files jointly form an execution path of an intelligent contract.

5. The method for vulnerability detection for EOSIO intelligent contracts of claim 1, wherein the method for calculating code coverage in step 6 is: reading intelligent contract code coverage rate information generated by the WebAssembly virtual machine instrumentation code in the step 1, counting the number of integers identifying execution paths in a file, and taking the number of the paths as the code coverage rate of the intelligent contract.

6. The vulnerability detection method for EOSIO intelligent contracts according to claim 1, wherein the test prediction in the step 6 is self-defined by a user according to the vulnerability type to be detected.

7. A vulnerability detection system for an EOSIO smart contract, the system comprising: the test system comprises a test case generating module, a fuzzy test controller module and an intelligent contract operation information collecting module;

the test case generation module realizes that: generating a test case by taking code coverage as a guide; analyzing the ABI file of the contract to be tested to obtain parameter list information required by the function call; during the first fuzzy test, generating a test case based on a pure random mode, stacking data in the test case to generate an unstructured seed file, and starting a grey box fuzzy test parameter generation engine at the bottom layer; in the subsequent fuzzy test process, the bottom layer parameter production engine can continuously generate new output character strings according to the code coverage rate information fed back by the fuzzy test controller module; according to the stored parameter list information, a test case which accords with the semantics of an intelligent contract function can be generated through bitwise interception, type forced conversion and structured combination;

the fuzzy test controller module implements: logic control including intelligent contract test environment construction, intelligent contract fuzzy test process control and vulnerability detection;

the intelligent contract operation information collection module is an EOSIO local node which performs instrumentation on addressing and jumping logics of a chain API and a WebAssembly virtual machine;

the intelligent contract operation information collection module adopts a chain API (application program interface) pile inserting mode as follows: inserting code record chain API call information into each chain API of the EOSIO block chain platform at the implementation function entrance, and writing the call information into a log file; the call information specifically includes a caller of the chain API, a call time of the chain API, and a parameter used by the call chain API.

8. The system for vulnerability detection to EOSIO intelligent contracts of claim 7, wherein the method for implementing logic control including intelligent contract test environment construction, intelligent contract fuzzy test process control and vulnerability detection in the fuzzy test controller module is as follows:

the intelligent contract testing environment is constructed as follows: before fuzzy test is carried out on the intelligent contract, intelligent contract source code compiling is carried out on the intelligent contract of the active code to generate an intelligent contract ABI file and a WebAssembly byte code file, and the ABI file and the WebAssembly byte code file of the intelligent contract of the passive code are directly read; analyzing the ABI file of the intelligent contract and reading a function list of the intelligent contract; then, the fuzzy test controller module disassembles the intelligent contract WebAssembly byte code file to obtain a WAST file, extracts a function signature imported by the intelligent contract, searches for a stub position in the WAST file, inserts a code to record execution path information of the intelligent contract when the intelligent contract is executed, and the concrete determination mode of the stub position is as follows: searching a function definition area in each WAST file, and positioning an instruction sequence distributed by the function stack for each function; the stack allocation instruction sequence is characterized by comprising a global variable reading instruction for reading a stack pointer variable onto a stack, a 32-bit integer stacking instruction for reading the stack length onto the stack, and a 32-bit integer subtraction instruction for subtracting the stack length variable from the stack pointer variable to generate a new stack pointer variable, wherein the end position of the 32-bit integer subtraction instruction is a peg-insertion position, and then a function signature imported by an intelligent contract is inserted into a function import section of a WAST file, and a stack allocation code, a function call code and a stack cleaning code called by the function imported by the intelligent contract are inserted into each insertion position in the WAST file; finally, deploying the intelligent contract byte code file to an intelligent contract operation information collection module to construct a test environment for the intelligent contract;

the intelligent contract fuzzy test process control: loading detection configuration of intelligent contract security loopholes to be detected, reading an intelligent contract name and a fuzzy test round number N in the detection configuration, reading test case transaction generated for an intelligent contract from a test case generation engine module, submitting the test case transaction to an intelligent contract operation information collection module to execute the transaction so as to execute attack behaviors on the intelligent contract, exiting a fuzzy test process control logic of the contract after N rounds of tests are performed, and after each round of tests are finished, obtaining code coverage rate information generated by the intelligent contract information collection module by a fuzzy test controller module and feeding the code coverage rate information back to the test case generation module;

and detecting the vulnerability: after the fuzzy test controller module performs 1 round of fuzzy test each time, acquiring the execution path information of the current 1 round of test intelligent contract from the intelligent contract operation information collector, comparing the execution path information with the test prediction defined by the detection configuration, and reporting that the current intelligent contract has a security vulnerability if the execution path of the intelligent contract comprises a mode defined by the test prediction.

Images