CN115037512B

CN115037512B - Formal static analysis method and device for intelligent contracts of public chains of Ethernet

Info

Publication number: CN115037512B
Application number: CN202210457028.2A
Authority: CN
Inventors: 李兆轩; 章睿
Original assignee: Institute of Information Engineering of CAS
Current assignee: Institute of Information Engineering of CAS
Priority date: 2022-04-27
Filing date: 2022-04-27
Publication date: 2023-06-20
Anticipated expiration: 2042-04-27
Also published as: CN115037512A

Abstract

The invention discloses a formal static analysis method and device for an intelligent contract of an Ethernet public chain. The method comprises the following steps: acquiring source codes of intelligent contracts of an Ethernet public chain, extracting code sentences of the source codes, and generating a solubility expression and a characteristic map of the source codes; describing the source code as an XML form intermediate representation, an IR form intermediate representation, and an IR-SSA form intermediate representation based on the code statement, the solubility expression, and the feature map; and performing vulnerability pattern detection and optimization pattern detection according to the XML form intermediate representation, the IR form intermediate representation and the IR-SSA form intermediate representation to obtain an analysis result of the Ethernet public chain intelligent contract. The invention can rapidly complete the full-flow automatic analysis of contracts in the environment with limited memory resources, has accurate and robust detection results, can find the security problem of missing report of the existing method on the Ethernet, and can better assist the security supervision of intelligent contracts.

Description

Formal static analysis method and device for intelligent contracts of public chains of Ethernet

Technical Field

The invention relates to the technical field of intelligent contract security of an Ethernet, in particular to a formal static analysis method and device for intelligent contracts of public chains of the Ethernet.

Background

The intelligent contract can realize complex blockchain application due to its graphic completeness, and is widely applied in the fields of finance, the Internet of things, energy, medical health, supply chains and the like. The non-tamperable nature of the blockchain makes the smart contract unable to change once deployed, which leaves a great security risk for the blockchain system even if the smart contract itself has a security hole. Frequent bursts of smart contract security events not only cause significant economic loss to users, but also severely impact the fair and trusted nature of smart contracts.

For this reason, the academia and industry have proposed a series of methods for analysis of security of ethernet intelligent contracts. These methods can be classified into dynamic analysis and static analysis. Dynamic analysis refers to a method for discovering contract vulnerabilities in the process of executing contracts by using technologies such as theorem proving, symbolic execution and the like. The theorem proving usually adopts an F x s frame and a K frame to describe the attribute of the contract, and then utilizes an theorem proving device to verify whether the logic code of the contract has security holes, and the method requires a user to provide verification specifications, so that automatic analysis is difficult to realize; symbolic execution builds a control flow graph (Control Flow Graph, CFG) of a contract using bytecodes (bytecodes) generated from contract compilation, and then discovers vulnerabilities in the contract execution process through predefined vulnerability detection rules, but the complexity and complexity of the CFG execution process makes the vulnerability detection rules difficult to define, and the types of detectable vulnerabilities are limited. Compared with a dynamic analysis method, the static analysis method is more applied in the aspect of intelligent contract vulnerability detection and is higher in efficiency. It extracts semantic information from the input contract ByteCode or solubility source code to construct a middle layer representation (Intermediate Reprementation, IR) and then discovers problems in the contract by matching predefined security patterns. However, due to the fact that part of contract original semantics (such as var variables) are missing in the IR in the existing static analysis method, a large number of false positives and false negatives are prone to occur in detection results.

Disclosure of Invention

In order to overcome the defects of the prior art, the invention provides a formal static analysis method and device for intelligent contracts of public chains of Ethernet, which are used for analyzing potential security risks of the intelligent contracts of the Ethernet and effectively protecting privacy and property security of users on blockchains.

In order to achieve the above purpose, the present invention provides the following technical solutions:

a formal static analysis method for intelligent contracts of public chains of Ethernet includes the steps:

acquiring source codes of an intelligent contract of an Ethernet public chain, extracting code sentences of the source codes, and generating a characteristic map and a solubility expression of the source codes;

describing the source code as an XML form intermediate representation, an IR form intermediate representation, and an IR-SSA form intermediate representation based on the code statement, the solubility expression, and the feature map;

and performing vulnerability pattern detection and optimization pattern detection according to the XML form intermediate representation, the IR form intermediate representation and the IR-SSA form intermediate representation to obtain an analysis result of the Ethernet public chain intelligent contract.

Further, the feature map includes: AST syntax tree, contract inheritance relationship, and control flow graph.

Further, describing the source code as an intermediate representation in XML form, comprising:

Analyzing the code statement according to the attribute of each field in the code statement, and forming an XML form intermediate representation of the source code based on an analysis result.

Further, describing the source code as an intermediate representation of the IR form, comprising:

obtaining contract variables from the feature map and the stability expression, and designating type labels for each variable according to the action of the contract variables and defined variable types to obtain an IR form intermediate representation of the variables, wherein the types of the contract variables comprise: the presence variable or the auxiliary variable;

obtaining arithmetic operation from the characteristic spectrum and the stability expression, and performing formal representation according to the functional type of the arithmetic operation to obtain an IR formal intermediate representation of the arithmetic operation, wherein the functional type of the arithmetic operation comprises: assignment, arithmetic, indexing, and membership;

obtaining other operations from the feature map and the stability expression, and performing formal representation according to the formats of the other operations to obtain an IR formal intermediate representation of the other operations, wherein the other operations comprise: create, convert, push, delete, upack, condition, init and Return;

Acquiring a function call operation from the feature map and the stability expression, and formalizing the function call operation according to the type of the function call operation to obtain an IR form intermediate representation of the function call operation;

the IR form intermediate representation of the source code is obtained based on the IR form intermediate representation of the variable, the IR form intermediate representation of the arithmetic operation, the IR form intermediate representation of the other operations and the IR form intermediate representation of the function call operation.

Further, describing the source code as an intermediate representation of the IR-SSA form, comprising:

updating the left value of the intermediate representation of the IR form so that each variable is assigned only once;

adding phi sentences into the function input inlet to automatically judge the execution path so as to obtain a corresponding input value;

based on the IR form intermediate representation assigned to the input value, an IR-SSA form intermediate representation of the source code is obtained.

Further, the performing vulnerability pattern detection and optimization pattern detection according to the XML form intermediate representation, the IR form intermediate representation and the IR-SSA form intermediate representation to obtain an analysis result of the Ethernet public chain intelligent contract, including:

using a grammar analyzer ANTLR to visualize the intermediate representation of the XML form to obtain an XML analysis tree, and obtaining a security mode of a vulnerability feature definition XPath form based on the XML form analysis tree;

Traversing the XML form intermediate representation, the IR form intermediate representation and the IR-SSA form intermediate representation, recording the numerical operation intermediate representation and the function call intermediate representation, and storing variable data with links by using an array to obtain a module analysis result, wherein the module analysis result comprises: the method comprises the steps of reading and writing state variables, operation variables, custom function declarations and built-in function calls of internal/source codes in functions and contracts;

for XML form intermediate representation, defining a security mode of XPath form according to vulnerability characteristics, and further completing mode matching to obtain an XML form intermediate representation matching result;

for the IR form intermediate representation and the IR-SSA form intermediate representation, based on a stain tracking mechanism, quickly setting a vulnerability security mode of a python command format by calling the module analysis result, and obtaining an IR form intermediate representation matching result and an IR-SSA form intermediate representation matching result through command execution;

summarizing the XML form intermediate representation matching result, the IR form intermediate representation matching result and the IR-SSA form intermediate representation matching result to obtain a vulnerability pattern detection result;

extracting vulnerability causes and optimization suggestions from a vulnerability database according to the vulnerability pattern detection result to obtain an optimization pattern detection result;

And generating an analysis result of the intelligent contract of the public chain of the Ethernet based on the vulnerability pattern detection result and the optimization pattern detection result.

Further, the method further comprises:

based on the module analysis result, the XML form intermediate representation, the IR form intermediate representation and the IR-SSA form intermediate representation, secondary development is performed by using a third party tool, and a secondary development result is obtained.

A computer readable storage medium having stored thereon a computer program which when executed by a processor implements a formalized static analysis method for an ethernet public chain smart contract as described above.

An electronic device comprising a memory and a processor, wherein a computer program is stored in the memory, and the computer program is loaded and executed by the processor to realize the formal static analysis method facing the Ethernet public chain intelligent contract.

Compared with the prior art, the invention has the beneficial effects that:

(1) Compared with the existing method, the intelligent contract formalized static analysis method provided by the invention has higher accuracy and recall rate, and can realize more refined detection.

(2) The intelligent contract formalized static analysis method provided by the invention can resist code confusion methods which disturb data dependency and destroy context semantic links, has higher robustness compared with the current method, can analyze more contracts, and has lower analysis failure rate.

(3) The intelligent contract formalized static analysis method provided by the invention can find the security problem which cannot be detected by other methods on the Ethernet, and has stronger practical use significance.

(4) The intelligent contract formalized static analysis method provided by the invention can rapidly complete the full-flow automatic analysis of contracts in the environment with limited memory resources, and is convenient and concise for user operation and complete in the content of the generated detection report.

Drawings

FIG. 1 is a mechanical drawing of an intelligent contract vulnerability rating in a method according to an embodiment of the invention.

FIG. 2 is a flow chart of static analysis in the form of an Ethernet intelligent contract in a method according to an embodiment of the invention.

FIG. 3 is a flowchart of a method for converting a source code of a resolution contract into XML intermediate representation in accordance with an embodiment of the present invention.

FIG. 4 is a flow chart of an intermediate representation of the conversion of a resolution contract source code to IR/IR-SSA in a method according to an embodiment of the invention.

FIG. 5 is a flowchart of XPath format security pattern matching for contract name reuse holes in a method according to an embodiment of the present invention.

FIG. 6 is a flow chart of command format security mode execution with a reentrant vulnerability for Ethernet transfer in a method according to an embodiment of the invention.

FIG. 7A is a graph of contract analysis versus time for the present invention versus prior art methods.

FIG. 7B is a diagram illustrating the memory overhead analysis of the present invention versus the prior art method.

Detailed Description

The present invention will be described in further detail below with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the description of the specific embodiment is intended for purposes of illustration only and is not intended to limit the scope of the present disclosure.

The invention discloses a formal static analysis method for an intelligent contract of an Ethernet public chain, which comprises the following four parts: extracting contract semantic information, converting intermediate representation, formulating and matching a vulnerability security mode, summarizing a vulnerability detection result and outputting a report.

The intelligent contract formalized static analysis method for the Ethernet comprises four parts, namely information extraction, language conversion, module analysis and mode detection. Specifically, in the information extraction section, semantic information such as the execution order of the contract resolution source code is extracted by one of the compiler such as ANTRL syntax parser and Truffle, solc, remix, and a feature map such as a program control flow graph is constructed. In the language conversion part, the obtained code statement and the characteristic map are formally described by combining with the conversion grammar of the SmartIR intermediate representation of autonomous design, and the intermediate representation of three forms (called SmartIR) of XML\IR\IR-SSA is obtained. In the module analysis section, smartIR is traversed to summarize information that can be directly used (e.g., variable data dependency, numerical operation, function call operation, etc.) to reduce redundant operations of the next-stage pattern detection section. In the mode detection part, based on SmartIR and module analysis and summary results, a security mode corresponding to the vulnerability is designed in advance according to the characteristics of the vulnerability, and XML and IR/IR-SSA are respectively matched by using XPath and a command execution mode. And in a result aggregation and output part, summarizing detection results of two types of matching modes, and outputting a detection report containing vulnerability causes, utilization processes and improvement suggestions. In the whole process, the full automation can be realized without manual intervention.

The invention relates to an intelligent contract formalized static analysis method for an Ethernet, which is shown in figure 2 and comprises the following steps:

step 1: and extracting contract semantic information in the intelligent contract source codes of the Ethernet.

(1) According to the grammar rules of the resolution, the grammar analyzer ANTLR extracts information such as code sentences in the contract source codes; (2) By utilizing one of the compilers such as Truffle, solc, remix to generate an AST grammar tree of contract solubility source codes, semantic information such as a solubility expression (brief expression of partial solubility source code statement), contract relation, variable relation and the like is obtained from the AST grammar tree, and feature maps such as contract inheritance relation, program control flow graph and the like are constructed.

Step 2: the special intermediate is designed to represent SmartIR, and the automatic conversion of contract information to SmartIR is realized.

The present invention divides SmartIR intermediate representation into three types of SmartIR according to language representation: XML, IR, and IR-SSA.

XML form

For XML forms, FIG. 3 illustrates an intermediate representation of the source code of a resolution contract reading an account balance and the corresponding converted XML form. According to the grammar rules of the resolution, the grammar analyzer ANTLR extracts information such as code sentences in the contract source codes, further analyzes the resolution code sentences into different parts according to the attribute of each field in the statement, and further forms an XML intermediate representation form, for example, the ui and msg.sender in the drawing are respectively analyzed into an elementaryTypeName and an environmentVariable. To facilitate the formulation of accurate vulnerability security schemas, the ANTLR is further used to visualize the XML form to obtain an XML parse tree. In an XML parse tree, leaf nodes represent expression fields, and other nodes represent attributes of the fields.

IR form

As for the IR form, as a second form of SmartIR, it includes more than 40 instructions, obtained from feature maps of an AST syntax tree constructed, contract inheritance relationship, and solubility expression, etc., according to a corresponding conversion method. Some key instructions and descriptions of the conversion method are given below.

(1) Variable(s)

Contract variables are divided into two classes according to their representation: there are variables and auxiliary variables. The presence variables are variables that can be seen in the contract, including state variables, local variables, constants, stability variables, and tuple variables; auxiliary variables are used to represent intermediate operations or temporarily converted variables, including a sample variable and a Reference variable. The Reference variable (REFVAL) refers specifically to the auxiliary variable for mapping/indexing access. In addition, LVAL and RVAL are used to represent the left and right values of the expression, respectively, to distinguish between the allocation variable and the read variable in the expression. The transformation method comprises the following steps: by acquiring contract variables from the feature patterns and the stability expressions extracted in advance, a type label is assigned to each variable according to the action of each variable in combination with the variable types defined above.

(2) Commonly used operations

The operation is divided into four types according to the function of the operation: assignment, arithmetic, indexing, and membership. The assignment operation may be expressed as LVAL: =rval, where the expression right value RVAL is typically a variable or function such as a tuple. The arithmetic operations are classified into a unitary operation and a binary operation according to the number of participating operation variables. The unary operation is denoted as lval= (| to …) RVAL, where |! Representing logical negations, -representing bit-wise negations. The binary operation includes 19 common operations such as addition, subtraction, multiplication, and division, and is expressed as lval=rval (+, -,) RVAL. The indexing operation is mainly used for array and value mapping and can be expressed as REFVAL- > LVAL [ RVAL ], wherein REFVAL is an index variable. The member operations are used to access internal data of structures such as struct, which may be denoted as REFVAL- > (LVAL, CONTRACT, ENUM). RVAL, where CONTACT is a CONTRACT variable and ENUM is an enumeration variable. The transformation method comprises the following steps: an IR intermediate representation of this operation is formed by taking an arithmetic operation from a pre-extracted feature map and a resolution expression and converting it into a formalized representation of the corresponding type.

(3) Other operations

In addition to the above-described general arithmetic operations, there are operations such as Create, convert, push, delete, upack, condition, init, return. The Create operation is used to Create a NEW variable, which may be denoted lval=new_arr, new_arr representing creation of an array; the Push operation is used for adding variables for the array or the dynamic function, and the variables are respectively expressed as PUSH LVAL RVAL and PUSH LVAL Func; the Delete operation is the deletion of the corresponding element, denoted as DelLVAL; in contract operations, operations of type conversion (for example, string type is converted into uint256 type) often occur, and for this purpose, a conversion operation is introduced, which is denoted as CONVERT LVAL RVAL TYPE; the Unpack operation is used to extract the corresponding element in the tuple, denoted LVAL= UNPACK TUPLEVARIABLE INDEX (: int), where TUPLEVARIABLE is the tuple variable and INDEX is the subscript value; condition operations are used to represent conditions in the loop and If operations; in order to facilitate judging whether the array is initialized, an array initialization operation Arr Init is introduced, wherein Arr is an array variable to be initialized; in functions with Return values, typically null (None), variable (RVAL), and TUPLE (TUPLE), a Return operation is required. The transformation method comprises the following steps: the IR intermediate representation of the operation is obtained by obtaining the operation from the pre-extracted feature map and the solubility expression and formally representing the operation in a corresponding format.

(4) Function call operations

The contract CALL operation can be classified into two kinds of HIGH-LEVEL CALL (high_level_call) and LOW-LEVEL CALL (low_level_call) according to security LEVEL and influence degree, and the whole can be expressed as follows: lval=level_call DST Func (parameters), where Func is the function name and parameters is the function parameter. Low_LEVEL_CALL refers to calling functions that have a greater degree of impact on the contract, such as a success function, a CALL function for transfer but not protected; high_level_call refers to a CALL to a HIGH security function such as transfer. According to the writer of the calling function, the function is divided into a custom function CALL (in_call) and a solubility built-IN function CALL (solubility_call), and the whole can be expressed as a CALL function [ parameters ]. The CALL custom dynamic function is expressed as IN_DYN_CALL, and SOLITY_CALL includes functions such as keccak256 (). In addition, function CALLs can be classified into library function CALLs (lib_call), EVENT function CALLs (event_call), SEND ethernet TRANSFER function CALLs (SEND), and TRANSFER ethernet TRANSFER function CALLs (TRANSFER) according to the attributes of the calling functions. Lib_call refers to calling a function in a contract library, e.g., safemath (using safemath), which defines some secure numerical operations; event_call is mainly used for recording the execution state of a function, and is expressed as event_call EVENT (parameters); both SEND and TRANSFER are TRANSFER operations, which may be denoted as (SEND) DEST VALUE, and TRANSFER automatically rolls back when an error occurs, so it is more secure than SEND. It should be noted that: the same function may have multiple categories, such as: the Suicide function belongs to both LOW_LEVEL_CALL and SOLITY_CALL. For this class of functions, there will be multiple calls representing the corresponding function in the IR intermediate representation for traversing the matches in the secure mode. The transformation method comprises the following steps: the IR intermediate representation of the function calling operation is obtained by acquiring the function calling operation from the feature map and the stability expression extracted in advance and adopting the unique representation modes of the types according to the type of calling.

IR-SSA forms

For the IR-SSA form, as a third form of SmartIR, it is a static single allocation (Static Single Assignment, SSA) representation of IR. The representation updates the left value of the expression on the basis of the IR form such that each variable is assigned only once; and adding phi sentences into the function input entries to automatically judge the execution paths so as to obtain corresponding input values. FIG. 4 depicts an example of conversion of a contract from a resolution source code to IR and IR-SSA. The contract fragment shows that the user calls a call function to send the balance userBalances [ msg.sender ] to the address msg.sender, and determines the return status of the call. And extracting semantics such as call function transfer, balance zero setting and the like from the Solidity, and summarizing to obtain information such as a program control flow graph and the like. IR conversion methods based on the summarized information and SmartIR gave the IR depicted in the figure. Wherein IR disassembles and represents the execution in function withawBasane (), points to the location where userBasanes [ msg sender ] is stored using REFVAL_3, and indicates that the variable type is uint256; the CALL LOW LEVEL CALL implements a transfer operation of value amounttowithaw and represents the returned CALL state as the memory variable TEMP 2 (pool). If determination results in branching of execution, causing userBalances [ msg.sender ] to appear different values, but IR is not differentiated for subsequent use. For this purpose, the execution path is automatically judged in the IR-SSA using the phi statement, the return value is denoted userbalances_5, and the possible value of the state variable userBalances before the function widthwbalance () is called at this point. The IR-SSA form thus presents a more accurate and clear representation of code relationships than the IR form.

Smartir has advantages over existing intermediate representations:

currently, intermediate representations such as SlithIR, scilla are often used for contract security analysis. SlithIR is an intermediate representation of the analytical method Slither, which has the following problems: (1) Slit ir requires extracting relevant information from AST to construct a program execution flow graph. An AST cannot accurately represent the semantics of an original contract because it loses part of the original semantics. For example, the var variable is discarded after the solc version 0.5.0, so it is necessary to detect it. However, in an AST generated by solc compilation, the var variable is directly converted into a type like uint8, so that the problem cannot be detected by the slit. (2) AST information cannot be obtained if the contract cannot be compiled, resulting in a slighir where the contract cannot be built. (3) Function identifiers constant and assambly exist in AST, but slighir does not capture this information, which would result in the slithers not being able to detect the problems associated with these identifiers. These problems can be solved by SmartIR, because the XML form in SmartIR is derived from parsing the contract source code by grammar rules, the complete contract semantics can be obtained to complete the normal detection even if the contract cannot be compiled. While XML intermediate representations can solve the above problems well, analysis based solely on XML intermediate representations has many limitations, such as the inability to consider relationships (e.g., contracts and variables) between components. It can lead to problems such as limited detection range, reduced matching accuracy, etc. In contrast, smartIR provides both forms of IR and IR-SSA to account for the above disadvantages. Scila is an intermediate representation of Zilliqa blockchain usage. It is not clear whether Scilla can represent the complete semantics of a contract. In summary, smartIR, which integrates three forms of XML, IR and IR-SSA, is able to accurately and robustly express the complete original semantics of contracts.

Step 3: based on a modular analysis of SmartIR intermediate representation.

To further facilitate the establishment of the vulnerability security mode and the matching efficiency, this step performs information preprocessing in advance based on SmartIR, for example: and extracting and sorting information such as numerical operation, variable data dependency relationship, function call in the contract and the like. Specifically, by traversing intermediate representations in the form of XML, IR, IR-SSA in SmartIR, according to the types of intermediate representations described above, intermediate representations in operations in a contract regarding numerical operations, function calls, etc. are recorded, variable data with connections is stored using an array, and finally state variables, operation variables, custom function statements, internal/stability built-in function calls for functions, reads and writes in the contract are summarized. Because the information is generally a repeated operation item in the contract matching process, the information can be arranged in advance, so that a plurality of redundant operations can be reduced when a plurality of loopholes are detected in a subsequent process, and the detection efficiency is greatly improved. For example: by using the array with the association relation, the user can be helped to quickly identify whether the association exists between two or even a plurality of variable data; by writing state variables with the integrated function, it can be quickly determined whether the function has changed the contract state.

Step 4: and detecting the loophole security mode based on SmartIR intermediate representation and module analysis results.

The final stage of the static analysis method is based on SmartIR intermediate representation and module analysis results, and the matching of contract vulnerabilities is realized by using a predefined security mode. For the XML form of SmartIR, the present invention uses XPath for pattern matching. FIG. 5 depicts one example of a contract for XPath detection holes to illustrate the XPath detection process. The example code has a vulnerability for contract name reuse, i.e., the code has two contracts named A in it. When the code is running, only the first contract will be compiled and the second contract will be discarded. If contract B inherits the second contract, then this will result in contract B failing to execute as intended by the contract writer, resulting in unexpected errors. The loopholes cannot be detected by the existing detection methods such as Slither, oyente and the like without reporting errors during contract compiling. According to the principle of the vulnerability and the XML parsing tree, the invention prepares the following security modes (codes) to judge whether the vulnerability of contract name reuse exists or not:

//contractDefinition[

(identifier/text()[1]＝preceding-sibling::contractDefinition/identifier/text()[1])

or

(identifier/text()[1]＝following-sibling::contractDefinition/identifier/text()[1])

]/identifier

the security mode describes two contract name field repetitions, indicating that the vulnerability exists if a match is made to the intermediate representation that meets the criteria. The XPath method can obtain the original semantics of contracts, but has more limitations and is not suitable for detecting complex security holes. For example, the following contract codes:

uint a＝this.balance；if(a＝＝100ether){…}

Although this is not directly used when judging in the code, it indirectly participates in judgment to cause If condition to be disturbed by miners. To solve this problem, the present invention introduces a smudge tracking mechanism on the basis of IR and IR-SSA to detect such contract codes that indirectly cause problems to occur.

Aiming at the intermediate representation of the IR/IR-SSA form in SmartIR, the invention introduces a stain tracking mechanism, formulates a vulnerability security mode of a python command format, and discovers the existence of the command through command executionAn intermediate representation of the problem. In particular, FIG. 6 illustrates a process for detecting reentrant vulnerability codes in FIG. 4 based on a command execution method in the form of IR/IR-SSA. The variable contacts is a set of all contracts, and the constituent relationship between contract components is contacts->function->node->ir/ir-ssa, wherein functions are a function set contained in a contract, nodes are an operation node set contained in a function, and ir/ir-ssa contains instructions such as variables and functions defined by the intermediate representation. Functions and modifiers are declared in the functions_and_modifiers_modified record contract. The established security pattern matching is divided into two stages, wherein the first stage integrates basic information, traverses all IR and CALL operations in nodes, and summarizes information such as read-write variables of each node (the stage corresponds to the information integration in the step 3); the second stage is feature matching, traversing each node in the contract, finding the node with reentrant features in combination with the find_value function. In the first stage, since the transfer of 0ether does not result in loss of ether, this case can be filtered in combination with data_dependency (ir, 0) when judging whether send_eth can be performed, wherein data_dependency judges the dependency by using the stain tracking technique. By this stage the work of the subsequent pattern matching stage can be simplified and many repetitive operations can be omitted for other security patterns. In the second phase, find_value functions to find variables that are read before call and written after call. If the detection features are all satisfied, it is indicated that the contract has a reentrant vulnerability. When all nodes have been traversed, return if no loopholes are found

Instead, the matched node and function are returned.

Finally, the detection results of the security modes of all loopholes are summarized, specifically: and aggregating the two types of security mode detection results of the same vulnerability to obtain a final contract detection result. And automatically extracting vulnerability causes and optimization suggestions from a vulnerability database by contrasting the detected vulnerabilities, and uniformly outputting the vulnerability causes and optimization suggestions after forming a contract risk assessment report.

For example: for reentry loopholes, the reason is that transfer operations in the contract function use call/send functions, and the balance state is read before the function is called, and the balance state is changed after the function is called. Because the transfer operation triggers the fallback function, an attacker can write the fallback function which calls the contract function, and further generate reentry attacks, so that the contract balance is maliciously stolen. The corresponding optimization suggests using transfer functions for transfer operations and transfer employs query-change-transfer mode.

For left-to-right overlay vulnerabilities, this occurs because malicious actors can force RTL text presentation using Unicode characters (u+202E) that overlay right-to-left and have the user achieve the true intent of a confusing contract. The corresponding optimization proposal is that special control characters are not allowed to be used when writing contracts.

For unused state variable problems, this occurs because the state variables are defined but not used at all, which would result in unnecessary Gas overhead for contract operation. The corresponding optimization proposal is to delete unused state variables in the contract.

Analysis and evaluation:

test environment:

in order to test the vulnerability detection capability and the detection cost of the method, the method is compared with the prior methods such as Slither, smartCheck, securify2.0, oyente, osiris, mythori and the like in a virtual machine with environment Ubuntu 18.04 (Intel (R) Core (TM) i7-10875H CPU@2.30GHz and 8GB memory). The test Dataset contains two, dataset Dataset_1 is a set of know-how-vulnerability-exists intelligent contracts, containing 149 contracts, 6331 line code. Dataset_2 is a contract downloaded from the Ethernet backbone through the blockchain browser, is a contract that has been actually deployed, and can accurately reflect the detection capability of the method of the present invention through the data set. The details of the two data sets are shown in the table below.

Table 1 test dataset information

The test indexes are as follows:

we call the discovery of vulnerabilities a question, all of which are divided into two categories, the True Positive (TP) question and the False Positive (FP) question. Also, for each method, false negative questions (FN) represent the number of holes that have not been detected, and the false discovery rate (false discovery rate, FDR) is obtained by dividing the discovered FPs by the number of all detected questions:

Where n is the number of detected contracts. Recall (Recall) is given by TP divided by the number of all questions:

in addition, FNR refers to the probability that a leak cannot be detected. The detection capability of the method can be accurately reflected by testing FDR, FNR and Recall.

In order to distinguish the detection effect of different security vulnerabilities in the test, we evaluate the security of the vulnerabilities according to the evaluation mechanism shown in fig. 1. Specifically, contract vulnerabilities can be divided into 5 categories according to the extent of hazard and difficulty of exploitation: high, medium, low, information, optimization. The vulnerability level may be divided into: high, medium, low, information and Optimization. In particular, high hazard levels refer to vulnerabilities that can cause significant economic loss and serious data confusion to contract business systems, and the hazard is almost irreversible. Including but not limited to:

(1) Large assets are stolen or frozen;

(2) Core services of the contract fail to function properly, such as denial of service;

(3) Contract core business logic is optionally tampered with or bypassed, such as transfer, billing, accounting, etc.;

(4) Fairness designs for contracts are ineffective such as electronic voting, drawing, auctions, etc.

The Medium hazard level refers to that the vulnerability may cause a certain hazard to the contracted service system, for example: less economic loss. Including but not limited to:

(1) Some assets are stolen or frozen;

(2) The uncore business logic of the contract is destroyed;

(3) Bypassing non-core business validation of contracts;

(4) The contract triggers an error event or employs a non-standard interface, which in turn results in an incident.

The Low hazard degree means that the vulnerability only has a weak influence on the constraint business system. Including but not limited to:

(1) The stability of contract operation is affected, such as call failure rate and abnormal increase in resource consumption;

(2) Contracts adopt nonstandard interfaces or realize the interfaces, and influence the safety and compatibility of the interfaces;

(3) Contracts can trigger spurious events but with less loss.

The extent of information means that the vulnerability has little substantial damage to the contract business system, but alerts the contract writer that the code is here error-prone. It requires that the contract owner be able to develop the contract according to specifications. Including but not limited to:

(1) delegatecall, selfdestruct and other sensitive function calls;

(2) Content improved in the contract writing specification, such as variables and functions updated in version 0.5.0 (use of external visibility, etc.).

The degree of optimizations means that the contract can be optimized, thereby making the contract run more efficient, more readable, and consuming less gas.

Including but not limited to:

(1) Useless operation is removed, and operation expenditure is reduced;

(2) The code algorithm is optimized to improve the speed of operation and security.

The exploitation difficulty of a vulnerability is divided into 3 types according to three dimensions of the attack cost (such as money, time and technology), the exploitation condition (i.e. the difficulty of the attack being exploited) and the triggering probability (such as the vulnerability can only be triggered by a small number of people): exact, probibly and possbly. Generally, exact utilization is difficult, requires low cost, can stably trigger vulnerabilities, and does not require special condition thresholds.

Including but not limited to:

(1) The call is easy; (2) requires little gas cost; (3) an attacker need only have a small number of assets.

The probabaly utilization difficulty needs a certain cost and utilization condition, and the loophole is not easy to trigger. Including but not limited to:

(1) An attacker needs to pay a lower cost than the benefits of the attack;

(2) Requiring an attacker to reach certain normal conditions, such as collusion with miners or outbound nodes;

(3) There is a need to incorporate known attack implementations in smart contracts, such as other Oracle contracts on the attack chain.

Possibely's difficulty in utilization requires expensive costs and stringent utilization conditions, and vulnerabilities are difficult to trigger. Including but not limited to:

(1) An attacker needs to pay a cost exceeding the benefits of the attack;

(2) An attacker is required to meet more difficult conditions, such as specific signatures belonging to a few critical accounts, which are difficult to build.

To better understand the rating mechanism, the following describes three exemplary evaluation scenarios of vulnerabilities:

(1) Reentrant vulnerabilities with ethernet money transfer. The vulnerability can lead to a large number of assets being hyperbranched or stolen, belonging to the High hazard degree; an auxiliary contract is needed to finish the attack, namely a certain condition is needed to trigger the vulnerability, and the vulnerability belongs to the probabaly utilization difficulty. The extent of the impact of reentry vulnerability is therefore rated High.

(2) the timestamp depends on the vulnerability. The loophole may cause security risks such as verification failure, random number being controlled, and the like, and belongs to Low hazard degree; the attacker is required to collude with miners or block-out nodes, and belongs to the probabaly utilization difficulty. The extent of influence of the timestamp dependency vulnerability is therefore rated Low.

(3) locked-ether asset lock vulnerabilities. The vulnerability will result in a small amount of asset loss or freezing, belonging to the Medium hazard level; the vulnerability can be stably triggered, and the fact is determined after the code is written, and the vulnerability belongs to exact utilization difficulty. The degree of impact of a locked-ether asset lock vulnerability is therefore rated as Medium.

Experimental test results:

(1) Method accuracy test and comparison

Table 2dataset_1 test results

By analyzing 149 contracts in Dataset Dataset_1 using 8 methods (where the method of the present invention is referred to as SmartFast), the situation where each method detects vulnerabilities can be obtained. Table 2 shows the detection of representative vulnerabilities and all vulnerabilities (Total) in each vulnerability class. By comparison, it can be found that:

(1) for most vulnerabilities, the methods of the invention have lower FDR and higher recall rates than other methods. For example, the locked Ether vulnerability, the FDR of the method of the invention is 0, while the FDR of Securify is 50%. The recall rate of the method is 73.33%, which is far higher than 46.67% of SmartCheck. For some vulnerabilities, such as the timestamp vulnerability, the FDR of the Mythrel method is lower than the method of the present invention. This is because their recall rate is low and even the timestamp vulnerability is not detected.

(2) From Opt to High, the detection effect of the method of the invention is always the best compared with the other 7 methods. For example, for a hazard class High vulnerability, the FDR of the method of the invention is 2.56%, less than 14.29% of Mythril, and much less than 70% of Securify2.0; the recall rate is 69.7%, greater than 60.09% of the slit, and much greater than 0.46% of SmartCheck. There are of course some methods that have higher FDR or Recall on some vulnerability detection effects than the methods of the present invention. In a combined view, the FDR of the method is 1.57 percent (the accuracy is 98.43 percent), the recall rate is 85.12 percent, and the detection effect is better than that of the other 7 methods.

(2) Method robustness test and comparison

Robustness can be divided into detection robustness and outcome robustness, taking into account both analysis failure rate and accuracy. The detection robustness is related to the contract duty cycle that can be analyzed (i.e., analysis failure rate). The resulting robustness reflects the resistive effect of the method on contract code obfuscation methods. For detection robustness, the method of the present invention can detect all contracts in Dataset_1 (failure rate 0%) as shown in Table 2. It is not possible for the slit and security 2.0 method. This is because the split cannot obtain the AST syntax tree of the partial contract, resulting in analysis failure. For the methods of Securify2.0, the analysis failure is mainly due to errors in internal analysis components (e.g., IR).

For result robustness, some contract codes in Dataset_1 are obfuscated by inserting irrelevant statements, disturbing data dependencies, and so on.

function direct()public{

msg.sender.send(address(this).balance)；

}

For the contract code with the optional send ether vulnerability, anyone can call the function "dicet ()" to extract all balances of the contract. In order to make the vulnerability code as invisible as possible, the code described below is programmed by code obfuscation.

The variables "msg. Sender" and "address (this). Balance" are replaced with destination and value. While inserting irrelevant statements in the fourth row to break the connection of the context. The method of the present invention is resistant to these confounding methods and can accurately detect vulnerabilities in both contracts due to the data dependency and stain analysis mechanisms employed in the method of the present invention. However, smartCheck and other methods are easily interfered by code obfuscation methods because the relation between variables is not considered, for example, for some contracts with timestamp holes, smartCheck and other methods can generate false positives and false negatives after interference.

(3) Ethernet public chain intelligent contract vulnerability analysis details

Table 3dataset_2 test results

Table 3 shows the results of the 8 methods on Dataset_2, combined with the results in Table 2, securify and Securify2.0 detected a large number of High hazard loopholes, most of which could be false positives. Compared with other methods, the detection failure rate of the method is lower and is only 0.4 percent. At the same time, there is more or less security risk for the contracts actually deployed on the ethernet in dataset_2, and we should pay attention to this.

(4) Engine time overhead and memory detail analysis

The execution overhead required for each method is analyzed using contracts on the ethernet public chain. First, about 100 contracts of about 121KB in size, for example, contracts of address 0xce b23f11c486be7f8be4fac3b4ee6372d7ee91e are selected (line 3049). The oscillo tool was used to record 8 methods to detect the time and memory overhead of these contracts.

As can be seen from fig. 7A, the static analysis method (inventive method, smartCheck, slither) generally requires less time overhead than the dynamic analysis method (Oyente, mythril, osiris). But with exceptions. For example, securify2.0 analyzes a 121KB contract for an average of 450 seconds, which is more than the dynamic analysis method of Oyente et al. This is caused by the cumbersome internal detection mechanism in security 2.0. In contrast, the method of the invention adopts the streamline design principle, and can finish detection after an average of 11.5 seconds. But this introduces an acceptable overhead of additional time (about 3-4 seconds) as it compensates for the deficiencies of SmartCheck and slit, and performs more operations.

As shown in fig. 7B, these methods typically require more memory overhead than static analysis methods due to the thousands of search paths that need to be traversed and performed in dynamic analysis methods such as Osiris. This represents a major advantage of the static analysis method, namely the ability to accurately detect contracts in a limited time. In addition, the method of the invention requires less memory overhead than other methods (such as slit), which benefits from the optimized rules in the method of the invention, and the phenomenon brings great development potential to the method of the invention. For example, XML and IR forms in SmartIR can be analyzed in parallel, so that the memory space is fully utilized, and the detection efficiency of the method is further improved.

(5) Ethernet public chain intelligent contract specific vulnerability discovery capability

By analyzing the detection results, the method discovers a plurality of real intelligent contract examples on the Ethernet, and can discover vulnerabilities which cannot be discovered by other methods through comparison of the detection results.

(1) Detection of integer overflow loopholes. First is the WinStar contract (contract address 0x80d0f44bf75ec3e591ac137ac4b88989bb43a 006), which currently has a balance of 1.60E+15Wei, involving 25 transactions. An integer underflow hole exists at line 43, the conditions occurring are: atBlock [ msg.sender ] =1, invented [ msg.sender ] = 115792089237316195423570985008687907853269984665640564039457584007913129639935. The method of the invention can detect the loophole, but Slither, osiris and other methods cannot. Similar contracts also include ETHMaxilist (contract address: 0xc36fe594db560bfde1bdf d6b40a7a775d702a1c, line 171). It is well known that oynte also supports the detection of integer overflow loopholes, but for the contract WCT (contract address: 0x2c53d82384c6fc9bd6e4e16ecaa5d85861ac5ce6, balance 9.00e+16), it reports that there is an integer overflow loophole at line 43 c=a+b. Since the 44 th row is verified using assast (c > =a), this is a false positive, and the method of the present invention detects that this code is safe.

(2) Detection of reentrant vulnerabilities. The present invention detects that there is a reentrant vulnerability in line 243 of the contract Redexchange (contract address: 0x5409Fcd56836e0e0459C12Ab45e7Ef23C6094bEd, balance 2.00E+16). The code loopholes are as follows:

totalEthFundRecieved＝SafeMath.add(totalEthFundRecieved，ethToPay)；

if(！bondFundAddress.call.value(_bondEthToPay).gas(400000)()){

totalEthFundRecieved＝SafeMath.sub(totalEthFundRecieved，_bondEthToPay)；

}

the function is declared public and can be called by any administtrators. And the Gas specified by the call function is too large, the safe Gas is typically 2300 (< < 40000). So for this contract, an attacker can construct an attack contract and set the withdrawal address bond address to the attack contract address using the setbond bond address function, thereby implementing a reentry attack. However, the method of oynte et al did not detect this vulnerability.

Modifications and equivalents may be made by those skilled in the art without departing from the spirit and scope of the invention, which is defined by the appended claims.

Claims

1. A formal static analysis method for intelligent contracts of public chains of Ethernet includes the steps:

acquiring source codes of intelligent contracts of an Ethernet public chain, extracting code sentences of the source codes, and generating a solubility expression and a characteristic map of the source codes;

describing the source code as an XML form intermediate representation, an IR form intermediate representation, and an IR-SSA form intermediate representation based on the code statement, the solubility expression, and the feature map; wherein,

The describing the source code as an XML form intermediate representation includes:

analyzing the code statement according to the attribute of each field in the code statement, and forming an XML form intermediate representation of the source code based on an analysis result;

the describing the source code as an intermediate representation of an IR form includes:

obtaining other operations from the feature map and the stability expression, and performing formal representation according to the format of the other operations to obtain an IR formal intermediate representation of the other operations, wherein the other operations comprise: create, convert, push, delete, unpack, condition, init and Return;

Acquiring a function call operation from the feature map and the stability expression, and formalizing the function call operation according to the call type of the function call operation to obtain an IR form intermediate representation of the function call operation;

obtaining the IR form intermediate representation of the source code based on the IR form intermediate representation of the variable, the IR form intermediate representation of the operation, the IR form intermediate representation of other operations and the IR form intermediate representation of the function call operation;

the describing the source code as an intermediate representation of the IR-SSA form includes:

obtaining an IR-SSA form intermediate representation of the source code based on the IR form intermediate representation assigned to the input value; and performing vulnerability pattern detection and optimization pattern detection according to the XML form intermediate representation, the IR form intermediate representation and the IR-SSA form intermediate representation to obtain an analysis result of the Ethernet public chain intelligent contract.

2. The method of claim 1, wherein the feature map comprises: AST syntax tree, contract inheritance relationship, and control flow graph.

3. The method of claim 1, wherein performing vulnerability pattern detection and optimization pattern detection according to the XML form intermediate representation, the IR form intermediate representation, and the IR-SSA form intermediate representation to obtain an analysis result of the ethernet public chain intelligent contract comprises:

for the IR form intermediate representation and the IR-SSA form intermediate representation, based on a stain tracking mechanism, formulating a vulnerability security mode of a python command format by calling the module analysis result, and obtaining an IR form intermediate representation matching result and an IR-SSA form intermediate representation matching result through command execution;

4. The method of claim 1, wherein the method further comprises:

5. A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any of claims 1-4.

6. An electronic device comprising a memory and a processor, the memory having stored therein a computer program that is loaded and executed by the processor to implement the method of any of claims 1-4.