CN115994363A - Block chain security assessment method and device based on multidimensional security detection - Google Patents

Blockchain security assessment method and device based on multidimensional security detection

Info

Publication number: CN115994363A
Application number: CN202310297218.7A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Inventors: 马兆丰, 傅泓毅, 张宇青, 段鹏飞
Current assignee: Beijing University of Posts and Telecommunications
Original assignee: Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Prior art keywords: vulnerability, blockchain, security, detection, grammar

Landscapes

  • Storage Device Security (AREA)
Abstract

The invention provides a blockchain security assessment method and device based on multidimensional security detection. The method comprises the following steps: acquiring smart contract source code and grammar rules, optimizing the grammar rules, parsing the smart contract source code based on the optimized grammar rules, constructing a parse tree from the parsed source code, and traversing the parse tree to generate an intermediate expression, where the optimized grammar rules include rules for identifying keywords; acquiring a vulnerability rule file set for matching smart contract vulnerabilities, matching each vulnerability rule file in the set against the intermediate expression, and obtaining a first matching result, where the vulnerability rule files include rules for matching integer overflow, state machine, or contract-terminable type security issues; and determining a first evaluation score based on the first matching result. The method can accurately evaluate the security of a blockchain system.

Description

Blockchain security assessment method and device based on multidimensional security detection
Technical Field
The invention relates to the technical field of blockchain applications, and in particular to a blockchain security assessment method and device based on multidimensional security detection.
Background
With the advent of the blockchain 3.0 era, blockchain systems are generally divided into five layers: an application layer, a contract layer, a consensus layer, a network layer and a data layer. Because of the explosive development of blockchains in recent years, blockchain security problems have gradually come into the field of view of researchers; and because blockchain applications are being deployed and adopted at an accelerating pace while the participating enterprises and engineers are of uneven quality, many security incidents caused by non-standard development have occurred. Most security incidents in blockchain networks and their applications occur in the smart contract, the consensus mechanism and the upper-layer application.
Compared with the other two layers, a number of technologies and tools have been developed for smart contract detection in the contract layer. Loi Luu et al. developed Oyente, a static analysis tool based on symbolic execution that uses symbolic values instead of concretely executing the program; Josselin Feist et al. developed Slither, a static analysis tool that obtains an intermediate representation through the abstract syntax tree and combines predefined analyses to detect vulnerabilities; Petar Tsankov et al. proposed compliance and violation patterns and developed a security tool that extracts precise semantic information and then checks those patterns; Tikhomirov et al. devised an Ethereum smart contract static analysis tool named SmartCheck, which converts the parsed source code into an XML (Extensible Markup Language)-based intermediate representation and detects vulnerabilities using XPath (XML Path Language) patterns. Although the existing tools can detect blockchain smart contracts, almost all of them suffer from incomplete detection types, long detection times and unsatisfactory detection results, so the security of the blockchain system is difficult to guarantee. Therefore, how to accurately evaluate the security of a blockchain system is a technical problem to be solved.
Disclosure of Invention
In view of the above, the present invention provides a blockchain security assessment method and apparatus based on multidimensional security detection, so as to solve one or more problems in the prior art.
According to one aspect of the invention, a blockchain security assessment method based on multidimensional security detection is disclosed, which comprises the following steps:
acquiring smart contract source code and grammar rules, optimizing the grammar rules, parsing the smart contract source code based on the optimized grammar rules, constructing a parse tree from the parsed source code, and traversing the parse tree to generate an intermediate expression; where the optimized grammar rules include rules for identifying keywords;
acquiring a vulnerability rule file set for matching smart contract vulnerabilities, matching each vulnerability rule file in the set against the intermediate expression, and obtaining a first matching result; the vulnerability rule files include rules for matching integer overflow, state machine, or contract-terminable type security issues;
determining a first evaluation score based on the first matching result.
In some embodiments of the invention, the method further comprises:
acquiring the consensus algorithm, the number of nodes, the number of ordering (sequencing) nodes, the total system processor capacity, the processor amount in use, the total system memory, the memory amount in use, the number of abnormal nodes, the maximum safe utilization rate of the system processor and the maximum safe utilization rate of the system memory, and determining the final time based on the acquired consensus algorithm;
determining system call risks, and a first risk-level score for each system call risk, based on the number of nodes, the number of ordering nodes, the number of abnormal nodes, the total processor capacity, the processor amount in use, the total memory, the memory amount in use, and the maximum safe utilization rates of the processor and the memory;
determining uplink (on-chain) test risks, and a second risk-level score for each uplink test risk, based on the final time and the actual time taken to call and receive a response from the target blockchain;
determining a second evaluation score based on each first risk-level score and each second risk-level score.
In some embodiments of the invention, the method further comprises:
determining an input vector based on the characteristics of the blockchain platform system;
determining fuzz test data based on the input vector, and performing application vulnerability detection on the blockchain platform system with the determined fuzz test data to obtain the number of application vulnerabilities and their vulnerability types;
determining the risk-level score corresponding to each application vulnerability, and determining a third evaluation score based on those risk-level scores.
In some embodiments of the invention, the method further comprises:
calculating a composite evaluation score of the blockchain platform based on the first, second and third evaluation scores.
In some embodiments of the invention, determining fuzz test data based on the input vector includes:
obtaining a common vulnerability template and generating a first fuzz test data set from the input vector through the template;
performing mutation operations on the data in the first fuzz test data set to obtain a second fuzz test data set;
taking the data in the second fuzz test data set as the fuzz test data.
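The template-then-mutate procedure above, as an added example written for this page (it is not the patent's implementation): the input vector, the boundary-value templates and the mutation operators are all assumptions, chosen so the two-stage generation is visible in a form that runs offline and stays reproducible through a seeded generator.

```python
import random

# Constructed input vector for a hypothetical upper-layer application endpoint
# (an assumption: the patent does not specify how the vector is encoded).
INPUT_VECTOR = [
    {"name": "account", "type": "string", "max_len": 32},
    {"name": "amount", "type": "int", "min": 0, "max": 2**64 - 1},
]


def template_cases(field):
    """Common vulnerability templates: boundary and out-of-range values per field type."""
    if field["type"] == "string":
        n = field["max_len"]
        return ["", "a" * n, "a" * (n + 1), "a" * (8 * n)]
    if field["type"] == "int":
        lo, hi = field["min"], field["max"]
        return [lo, hi, lo - 1, hi + 1]
    raise ValueError(f"unsupported field type {field['type']!r}")


def baseline(vector):
    """A benign request that every template case is derived from."""
    return {f["name"]: ("x" if f["type"] == "string" else 1) for f in vector}


def first_fuzz_set(vector):
    """First fuzz data set: one request per template value, varying one field at a time."""
    cases = []
    for field in vector:
        for value in template_cases(field):
            request = baseline(vector)
            request[field["name"]] = value
            cases.append(request)
    return cases


def mutate_value(value, rng):
    """One mutation of a single field value; integers and strings get different operators."""
    if isinstance(value, int):
        return rng.choice([value + 1, value - 1, value * 2, -value, value ^ (1 << rng.randrange(64))])
    ops = [lambda s: s + s, lambda s: s[: len(s) // 2], lambda s: s + "\x00", lambda s: s.swapcase()]
    return rng.choice(ops)(value)


def second_fuzz_set(first, rng, rounds=2):
    """Second fuzz data set: each first-set request mutated in one randomly chosen field."""
    out = []
    for request in first:
        for _ in range(rounds):
            mutated = dict(request)
            key = rng.choice(sorted(mutated))
            mutated[key] = mutate_value(mutated[key], rng)
            out.append(mutated)
    return out


def fuzz_test_data(vector, seed=0):
    """Template generation followed by mutation, as in the description; seeded for reproducibility."""
    rng = random.Random(seed)
    return second_fuzz_set(first_fuzz_set(vector), rng)
```

The seed matters in practice: a finding from the application vulnerability detection step can only be reproduced and triaged if the exact request that triggered it can be regenerated, so the seed should be recorded with each detection run.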
In some embodiments of the present invention, parsing the smart contract source code based on the optimized grammar rules and building a parse tree from the parsed source code includes:
processing the optimized grammar rules with a left-recursion elimination method to obtain the processed grammar rules;
parsing the smart contract source code based on the processed grammar rules;
constructing a parse tree from the parsed smart contract source code.
In some embodiments of the invention, the first evaluation score is calculated by the formula:
[Figure SMS_1]
the second evaluation score is calculated by the formula:
[Figure SMS_2]
and the third evaluation score is calculated by the formula:
[Figure SMS_3]
where n represents the number of vulnerabilities in the first matching result, [Figure SMS_14] represents the risk-level score of the i-th vulnerability in the first matching result, [Figure SMS_6] represents the weight of the i-th vulnerability in the first matching result, [Figure SMS_13] represents the number of uplink test risks, [Figure SMS_8] represents the risk-level score of the [Figure SMS_16]-th uplink test risk, [Figure SMS_18] represents the weight of the [Figure SMS_20]-th uplink test risk, [Figure SMS_9] represents the number of system call risks, [Figure SMS_15] represents the risk-level score of the [Figure SMS_4]-th system call risk, [Figure SMS_10] represents the weight of the [Figure SMS_7]-th system call risk, [Figure SMS_12] represents the number of application vulnerabilities, [Figure SMS_17] represents the risk-level score of the [Figure SMS_19]-th application vulnerability, and [Figure SMS_5] represents the weight of the [Figure SMS_11]-th application vulnerability.
In some embodiments of the present invention, the composite evaluation score is calculated as:
P = [(P_SC × W_SC) + (P_CS × W_CS) + (P_WA × W_WA)] × W;
where P_SC represents the first evaluation score, P_CS the second evaluation score, P_WA the third evaluation score, W_SC the weight of the first evaluation score, W_CS the weight of the second evaluation score, W_WA the weight of the third evaluation score, and W the adjustment weight.
According to another aspect of the present invention, a blockchain security assessment system based on multidimensional security detection is also disclosed. The system comprises a processor and a memory in which computer instructions are stored; the processor executes the instructions stored in the memory, and when they are executed the system implements the steps of the method of any of the embodiments above.
According to yet another aspect of the present invention, a computer-readable storage medium is also disclosed, on which a computer program is stored; when the program is executed by a processor, it carries out the steps of the method of any of the embodiments described above.
In the blockchain security assessment method and device based on multidimensional security detection, the smart contract source code is parsed with the optimized grammar rules, and the vulnerability rule files in the rule file set include rules for matching integer overflow, state machine, or contract-terminable type security problems. On this basis the corresponding contract syntax can be matched more accurately and in finer detail, detection efficiency is improved, and vulnerabilities at the smart contract layer can be detected comprehensively, which improves the security of the blockchain system.
In addition, on the premise of performing smart contract security detection on the blockchain platform, the method and device of the embodiments of the invention also evaluate whether the current consensus algorithm and the system resources of the blockchain system can guarantee the safe and stable operation of the consensus mechanism, and detect possible security problems of the upper-layer blockchain application by fuzz testing. In this way the method achieves multidimensional security detection of the blockchain and further improves the security of the blockchain system.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the above-described specific ones, and that the above and other objects that can be achieved with the present invention will be more clearly understood from the following detailed description.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate and together with the description serve to explain the invention. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the invention. Corresponding parts in the drawings may be exaggerated, i.e. made larger relative to other parts in an exemplary device actually manufactured according to the present invention, for convenience in showing and describing some parts of the present invention. In the drawings:
FIG. 1 is a flowchart of a blockchain security assessment method based on multidimensional security detection according to an embodiment of the invention.
FIG. 2 shows the architecture of a blockchain security assessment system based on multidimensional security detection according to an embodiment of the invention.
FIG. 3 is a schematic diagram of the smart contract detection flow of a blockchain security assessment method according to an embodiment of the invention.
FIG. 4 is a schematic diagram of the consensus mechanism detection flow of a blockchain security assessment method according to an embodiment of the invention.
FIG. 5 relates to a blockchain security assessment method according to an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings. The exemplary embodiments of the present invention and their descriptions herein are for the purpose of explaining the present invention, but are not to be construed as limiting the invention.
It should be noted that, in order to avoid obscuring the present invention due to unnecessary details, only structures and/or processing steps closely related to the solution according to the present invention are shown in the drawings, while other details not greatly related to the present invention are omitted.
It should be emphasized that the term "comprises/comprising" when used herein is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
The common security risks and incidents in blockchain applications are concentrated in the consensus layer, the contract layer and the application layer, whose key technologies are respectively the smart contract, the consensus algorithm and the upper-layer application; the security of each layer directly affects the security of the blockchain system. To improve that security, the invention therefore provides a blockchain security assessment method that can efficiently and comprehensively detect smart contract vulnerabilities to secure the contract layer; in some embodiments the method also detects the security of the deployed underlying consensus mechanism and applies security detection to security issues of the upper-layer application system of the blockchain platform. Aimed at the multidimensional and mutually correlated security problems of the layers of a blockchain system, the invention thus provides a blockchain security assessment method and device based on multidimensional security detection.
Specifically, the disclosed method and device provide an overall security assessment of the security risks related to the core technical layers of the blockchain, and can separately assess the smart contracts, consensus mechanism and upper-layer applications of a blockchain system. The method applies network security and vulnerability detection techniques to the blockchain and combines code auditing with smart contracts: it improves the existing static detection technique by improving the syntax traversal logic of the detection process, so that the corresponding contract syntax is matched more accurately and in finer detail and efficiency and accuracy are improved, and it improves the vulnerability matching rules so that more kinds of smart contract vulnerability can be detected. In addition, algorithm detection and performance monitoring are combined with the running state of the consensus algorithm: through detection of the consensus algorithm type, on-chain (uplink) detection and server performance monitoring, the method evaluates whether the current consensus algorithm and system resources of the blockchain system can guarantee the safe and stable operation of the consensus mechanism. Finally, web application security detection is combined with the blockchain platform: the platform is tested with established detection means to find possible security problems of the upper-layer application.
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In the drawings, the same reference numerals represent the same or similar components, or the same or similar steps.
Step S10: acquire smart contract source code and grammar rules, optimize the grammar rules, parse the smart contract source code based on the optimized grammar rules, construct a parse tree from the parsed source code, and traverse the parse tree to generate an intermediate expression; the optimized grammar rules include rules for identifying keywords.
This step enables smart contract detection, i.e. detecting vulnerabilities in smart contracts with static code analysis. In this step an intermediate expression, such as a syntax tree or bytecode form, is built from the source code for deeper analysis later.
Parsing the smart contract source code based on the optimized grammar rules and constructing a parse tree from the parsed source code specifically comprises: processing the optimized grammar rules with a left-recursion elimination method to obtain the processed grammar rules; parsing the smart contract source code based on the processed grammar rules; and constructing a parse tree from the parsed smart contract source code. In this embodiment, when the optimized grammar rules are processed, left recursion is eliminated from the rules to avoid ambiguity; the smart contract source code is then parsed with the rules from which left recursion has been eliminated, and a parse tree is constructed from the parsed source code.
The present application uses parse trees when constructing intermediate expressions. Parse trees are typically built with a top-down LL(k) method, but that method has limitations in matching certain grammar structures: it cannot resolve ambiguity, and it cannot recognize the most natural grammar rules, which are usually left-recursive. In view of this, the present invention uses the ALL(*) method to assist in constructing the intermediate expression. ALL(*) optimizes the analysis of grammar rules and simplifies their construction; for left-recursive grammar rules it algorithmically rewrites the rule into an equivalent non-left-recursive form, so that ambiguous grammar rules can be handled simply and efficiently. When processing left-recursive grammar rules, the following four sub-expression patterns are identified as left recursion: binary/ternary (A α A), unary suffix (A followed by the operator α), unary prefix (α A) and primary (α), where A is a regular sub-expression and α is an operator. The steps for eliminating left recursion are as follows:
Step 1: find the sub-expressions in the grammar rules that match the four left-recursion patterns;
Step 2: combine the unary prefix expressions and the primary expressions into A';
Step 3: combine the binary, ternary and unary suffix expressions into A'';
Step 4: for the newly generated unary prefix expressions in A'', perform an operator-precedence check to see whether pr(i) >= pr(n) holds, where pr(i) = n − i + 1, pr denotes the precedence level, pr(i) is the precedence of the current expression's operator, and n is the total number of expressions;
Step 5: adjust the binary, ternary and unary prefix expressions in A according to whether the operator is left-associative: if so, raise the operator's precedence by one level; otherwise keep the existing precedence;
Step 6: in the set P of all expressions, denote the expression A that contains no left-recursive expression as A[0];
Step 7: adjust the original A according to the reconstructed precedence ordering.
In this embodiment, after the smart contract source code is parsed with the ALL(*) method, a parse tree in XML format is generated, from which the intermediate expression is produced. To link further with the subsequent vulnerability matching, methods such as data-flow analysis and taint analysis may be used to enrich the intermediate representation.
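The rewrite described in steps 1 to 7, shown on a toy expression grammar as an added example written for this page (it is neither the patent's grammar nor ANTLR's ALL(*) implementation). The grammar, the precedence levels and the tuple/XML shapes are assumptions; the point is that a grammar whose natural form is left-recursive (A α A, A α, α A, α) is parsed by a non-left-recursive routine in which the prefix/primary alternatives form one group, the binary/ternary/suffix alternatives form a loop guarded by a precedence check, and left-associative operators raise the precedence required of their right operand by one level. The parse tree is then traversed into an XML intermediate representation of the kind the later matching step consumes.

```python
import re
import xml.etree.ElementTree as ET

# Toy left-recursive grammar (an assumption; the patent's grammar is not on the page):
#   expr : expr '*' expr            binary,  precedence 3, left-assoc   (A alpha A)
#        | expr '+' expr            binary,  precedence 2, left-assoc   (A alpha A)
#        | expr '?' expr ':' expr   ternary, precedence 1, right-assoc  (A alpha A)
#        | expr '++'                unary suffix                        (A alpha)
#        | '-' expr                 unary prefix                        (alpha A)
#        | NUMBER | ID | '(' expr ')'   primary                         (alpha)
BINARY = {"*": (3, "left"), "+": (2, "left"), "?": (1, "right")}
PREFIX_PREC = 4  # '-' binds tighter than every binary operator
SUFFIX_PREC = 5  # '++' binds tighter than the prefix operator
TOKEN_RE = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(\+\+|[-+*?:()]))")


def tokenize(src):
    """Split source text into (kind, text) tokens; kind is NUM, ID, OP or EOF."""
    src = src.strip()
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if m is None:
            raise SyntaxError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("NUM", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("ID", m.group(2)))
        else:
            tokens.append(("OP", m.group(3)))
    tokens.append(("EOF", ""))
    return tokens


class Parser:
    """Non-left-recursive rewrite of the grammar above, driven by operator precedence."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i]

    def advance(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def expect(self, op):
        kind, text = self.advance()
        if kind != "OP" or text != op:
            raise SyntaxError(f"expected {op!r}, got {text!r}")

    def parse_expr(self, min_prec=0):
        left = self.parse_prefix()  # A': unary prefix and primary alternatives (step 2)
        # A'': binary, ternary and unary suffix alternatives (step 3), each admitted
        # only when its precedence is at least min_prec (the precedence check of step 4).
        while True:
            kind, text = self.peek()
            if kind != "OP":
                break
            if text == "++" and SUFFIX_PREC >= min_prec:
                self.advance()
                left = ("suffix", "++", left)
                continue
            if text in BINARY:
                prec, assoc = BINARY[text]
                if prec < min_prec:
                    break
                self.advance()
                # Step 5: a left-associative operator raises the precedence required of
                # its right operand by one level; a right-associative one keeps it.
                next_min = prec + 1 if assoc == "left" else prec
                if text == "?":
                    middle = self.parse_expr(0)
                    self.expect(":")
                    left = ("ternary", left, middle, self.parse_expr(next_min))
                else:
                    left = ("binary", text, left, self.parse_expr(next_min))
                continue
            break
        return left

    def parse_prefix(self):
        kind, text = self.advance()
        if kind == "NUM":
            return ("num", text)
        if kind == "ID":
            return ("id", text)
        if kind == "OP" and text == "-":
            return ("prefix", "-", self.parse_expr(PREFIX_PREC))
        if kind == "OP" and text == "(":
            inner = self.parse_expr(0)
            self.expect(")")
            return inner
        raise SyntaxError(f"unexpected token {text!r}")


def parse(src):
    """Return the parse tree of src as nested tuples."""
    parser = Parser(tokenize(src))
    tree = parser.parse_expr()
    if parser.peek()[0] != "EOF":
        raise SyntaxError("trailing input")
    return tree


def to_xml(tree):
    """Traverse the parse tree and emit the XML-form intermediate representation."""
    kind = tree[0]
    if kind in ("num", "id"):
        el = ET.Element(kind)
        el.text = tree[1]
        return el
    if kind in ("prefix", "suffix"):
        el = ET.Element(kind, op=tree[1])
        el.append(to_xml(tree[2]))
        return el
    if kind == "binary":
        el = ET.Element("binop", op=tree[1])
        el.append(to_xml(tree[2]))
        el.append(to_xml(tree[3]))
        return el
    el = ET.Element("ternary")
    for sub in tree[1:]:
        el.append(to_xml(sub))
    return el


def parse_to_ir(src):
    """Source text to XML intermediate representation, e.g. parse_to_ir('1+2*3')."""
    return ET.tostring(to_xml(parse(src)), encoding="unicode")
```

Because the grammar is written down once in its left-recursive form and the precedence table drives the rewrite, adding an operator means adding one table entry rather than restructuring the parser, which is the practical benefit the description attributes to rewriting rather than hand-factoring the rules.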
Step S20: acquire a vulnerability rule file set for matching smart contract vulnerabilities, match each vulnerability rule file in the set against the intermediate expression, and obtain a first matching result; the vulnerability rule files include rules for matching integer overflow, state machine, or contract-terminable type security issues.
In this step, vulnerability matching is performed between each vulnerability rule file in the set and the intermediate expression, so that the vulnerabilities or security problems of the smart contract are matched. In this embodiment the vulnerability rule files can match more types of vulnerability and security issue in smart contracts, such as integer overflow, state machine, and contract-terminable types. In addition, because the grammar rules were optimized in step S10, the contract code is parsed more accurately during syntax analysis, so more code features are correctly identified and can be matched by the vulnerability rules of this step.
Step S30: determine a first evaluation score based on the first matching result.
In this step, a first evaluation score of the smart contract is determined from the matched smart contract vulnerabilities. The first evaluation score characterizes the security of the smart contract. Illustratively, the first evaluation score is calculated as:
[Figure SMS_21]
where n represents the number of vulnerabilities in the first matching result, [Figure SMS_22] represents the risk-level score of the i-th smart contract vulnerability, and [Figure SMS_23] represents the weight of the i-th smart contract vulnerability.
From steps S10 to S30 it can be seen that the blockchain security assessment method based on multidimensional security detection of the application uses static analysis for smart contract detection: first, the ALL(*) method parses the smart contract source code against the optimized grammar rules, converting the source code into a parse tree; the parse tree is then traversed and converted into an intermediate expression in XML form; finally, the intermediate expression is matched against the vulnerability matching rules expressed as XPath patterns, and a match means the smart contract has the corresponding vulnerability. By optimizing the parsing process, the application optimizes the grammar rules of existing smart contracts so that they include rules for identifying keywords, which means more characteristic code can be matched when the parse tree is generated and the smart contract code is parsed more accurately; in addition, the vulnerability matching rules have wide coverage and can match more types of security problem, such as state-machine and terminable-contract types. The smart contract detection method of the application therefore improves the accuracy of security monitoring of the blockchain system and thereby the system's security.
Correspondingly, when a smart contract is detected through the blockchain security assessment system based on multidimensional security detection, the user first registers with and logs in to the assessment system, enters the system interface, and selects smart contract detection in the security detection module. Referring to FIG. 2, the smart contract source code to be detected is uploaded to the blockchain core security vulnerability assessment system through the primary smart contract detection interface; the related data is saved to the back end and awaits the user's detection instruction. Once the smart contract source code enters the detection module, the module first converts the source code into an intermediate representation (IR) syntax tree to facilitate subsequent vulnerability matching; it then loads the vulnerability matching rules, compares them with the intermediate expression, and considers the smart contract to have the corresponding vulnerability if a match succeeds. After vulnerability matching is complete, the detection result and the final first evaluation score are returned to the front-end application: the primary smart contract detection interface shows whether each evaluation item passes, and the secondary interface shows the contract content and vulnerability locations and gives corresponding remediation suggestions; regression detection is supported in the secondary interface, detection results can be fully exported through the export function of the primary interface, and reliable on-chain recording of the results is supported.
In summary, the smart contract detection rule in the above embodiment converts the smart contract source code into a parse tree, uses the left-recursion elimination method to make the generated syntax tree more accurate, converts the parse tree into an intermediate representation (IR) in XML form through syntax traversal, can mark different types of code according to different conversion rules, and finally matches the intermediate representation against the vulnerability matching rules in XPath form; if a match is found, the smart contract has the corresponding vulnerability. FIG. 3 is a schematic diagram of the smart contract detection flow of a blockchain security assessment method according to an embodiment of the invention; referring to FIG. 3, the specific implementation steps are: (1) First, according to the smart contract's language type L and the correspondingly optimized custom grammar rules S, generate the parse tree A in combination with the ALL(*) method, i.e. A = E(All(*), S, L), where E denotes the entire processing flow. (2) Traverse the parse tree A and generate the intermediate expression X in XML form, i.e. X = IE(A), where IE denotes the traversal process. (3) Traverse the optimized vulnerability rule file R, which covers a wider range of security risks, and extract the n rules it contains to form the rule set RB, whose rules can be matched against the intermediate expression X; at this point RB = R → {R_1, R_2, …, R_n}.
(4) Match each rule of the rule set RB against the intermediate expression X by traversal and detect whether there is a match; if so, the smart contract has the corresponding vulnerability. After matching is complete, the vulnerability match result set Res is obtained: Res_i = {RB_i X}, Res = {Res_1, Res_2, …, Res_n}, where i is the index of the corresponding element of the rule base or result set and n is the total number of vulnerabilities. (5) For each item of the result set Res, arrange and process it according to the risk-level score G of the corresponding security risk and the weight W, which is adjustable according to the actual situation, and calculate the score P_SC; Res_i → {G_i, W_i}; where the number of vulnerabilities in the first matching result is n,
Figure SMS_24
representing a risk level score corresponding to the ith vulnerability,/->
Figure SMS_25
And representing the weight corresponding to the ith vulnerability. Exemplary, the smart contract detection key algorithm scheme is as follows:
ContractVulnDetect
Input: Figure SMS_26
Output: VulnRes
Begin
    if Exist(RuleFile) then
        IR = Interpreter(Figure SMS_27, RuleFile)
        if Exist(RB) then
            VulnRes = VulnMatch(IR, RB)
            return VulnRes
        else
            return error
End
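As an added illustration of steps (1) to (5) above (example code, not the patent's or the assignee's implementation): a small Solidity-like contract is turned into an XML intermediate representation, vulnerability rules written in the XPath subset that Python's ElementTree understands are matched against it, and the (G_i, W_i) pairs of the matched rules are scored. The line-oriented "parser", the IR layout, the three rules, their G/W values and the weighted-sum form of P_SC are all this example's own assumptions; the sample contract is constructed.

```python
"""Toy 'source -> XML IR -> XPath rule match -> score' pipeline (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed Solidity-like sample (not from the patent): a narrow uint8 balance that is
# added to without a check, and a selfdestruct reachable from a public function.
SAMPLE_CONTRACT = """\
contract Wallet {
    uint8 balance;
    function deposit(uint8 amount) public {
        balance = balance + amount;
    }
    function kill() public {
        selfdestruct(msg.sender);
    }
}
"""


def build_ir(source: str) -> ET.Element:
    """Line-oriented stand-in for 'parse tree -> traversal -> XML IR' (assumed layout).
    It recognises only the constructs the sample uses; a real tool walks the full
    grammar-generated parse tree.  Each IR node carries the source line it came from."""
    root = ET.Element("contract")
    current, stack, var_types = root, [], {}
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if m := re.match(r"contract (\w+)", line):
            root.set("name", m.group(1))
        elif m := re.match(r"function (\w+)\(([^)]*)\)\s*(\w*)", line):
            fn = ET.SubElement(current, "function", name=m.group(1),
                               visibility=m.group(3) or "default", line=str(lineno))
            stack.append(current)
            current = fn
        elif m := re.match(r"(\w+) (\w+);$", line):                 # state variable
            var_types[m.group(2)] = m.group(1)
            ET.SubElement(current, "state_var", type=m.group(1), name=m.group(2),
                          line=str(lineno))
        elif m := re.match(r"(\w+) = \w+ ([+\-*]) \w+;$", line):    # arithmetic assignment
            ET.SubElement(current, "assign", target=m.group(1), op=m.group(2),
                          type=var_types.get(m.group(1), "unknown"), line=str(lineno))
        elif m := re.match(r"([\w.]+)\([^)]*\);$", line):           # call statement
            ET.SubElement(current, "call", name=m.group(1), line=str(lineno))
        elif line == "}" and stack:
            current = stack.pop()
    return root


# Vulnerability rule set RB: (rule id, XPath pattern, risk level score G, weight W).
# The patterns use the XPath subset supported by ElementTree; G and W are constructed.
RULES: List[Tuple[str, str, int, float]] = [
    ("integer-overflow", ".//assign[@op='+'][@type='uint8']", 8, 1.0),
    ("contract-terminable",
     ".//function[@visibility='public']/call[@name='selfdestruct']", 9, 1.0),
    ("low-level-call", ".//call[@name='call']", 6, 0.5),   # does not match the sample
]


def match_rules(ir: ET.Element, rules=RULES) -> List[Tuple[str, int, float, List[int]]]:
    """Step (4): a rule matches when its XPath selects at least one IR node; the
    result carries the rule id, its G and W, and the matched source lines."""
    results = []
    for rule_id, xpath, g, w in rules:
        hits = ir.findall(xpath)
        if hits:
            results.append((rule_id, g, w, [int(h.get("line")) for h in hits]))
    return results


def contract_score(matches: List[Tuple[str, int, float, List[int]]]) -> float:
    """Step (5): P_SC as a weighted sum of G_i * W_i over the matched rules
    (the page does not print its formula; the weighted sum is an assumption)."""
    return sum(g * w for _, g, w, _ in matches)


if __name__ == "__main__":
    ir = build_ir(SAMPLE_CONTRACT)
    found = match_rules(ir)
    for rule_id, g, w, lines in found:
        print(f"{rule_id}: G={g} W={w} lines={lines}")
    print("P_SC =", contract_score(found))
```

Running the block reports the overflow-prone assignment on line 4 and the public selfdestruct on line 7 and a score of 17.0; the third rule shows how a non-matching rule simply contributes nothing.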
In another embodiment of the present invention, the blockchain security assessment method based on multi-dimensional security detection further includes the steps of: acquiring the consensus algorithm, the number of nodes, the number of ordering nodes, the total amount of system processor, the occupied amount of system processor, the total amount of system memory, the occupied amount of system memory, the number of abnormal nodes, the maximum safe utilization rate of the system processor and the maximum safe utilization rate of the system memory, and determining the finality time based on the acquired consensus algorithm; determining system call risks and the first risk level score corresponding to each system call risk based on the number of nodes, the number of ordering nodes, the number of abnormal nodes, the total system processor amount, the system processor occupation, the total system memory amount, the system memory occupation, the maximum safe utilization rate of the system processor and the maximum safe utilization rate of the system memory; determining uplink test risks and the second risk level score corresponding to each uplink test risk based on the finality time and the time actually taken to call and receive a response from the target blockchain; and determining a second evaluation score based on each first risk level score and each second risk level score.
In the prior art, detection of the consensus mechanism focuses mainly on performance, and there is hardly any technique for detecting the security and stability of the running consensus algorithm. The characteristics of different consensus algorithms are not directly reflected in the normal operation of the blockchain network, the type of consensus algorithm used in the network is difficult to obtain directly and intuitively, and the security of the consensus algorithm also depends on factors such as the number of nodes in the network, the environment the network runs in and server resources; the method therefore detects the security of the consensus mechanism by taking these factors into account.
In the above embodiment of the present disclosure, the blockchain security assessment method also detects the consensus algorithm, in addition to performing security detection on the smart contract. The consensus mechanism sits at the bottom of the whole blockchain architecture: after the blockchain network is started, the configured consensus algorithm is used to reach consensus among nodes. Since the characteristics of different consensus algorithms are not directly reflected in normal operation, the algorithm type is hard to obtain intuitively, and its security depends on node count, network environment and server resources, the proposed consensus security detection technique considers all of these factors together. It uses two detection techniques, RESTful interface calls and host system calls, to detect the consensus algorithm and node count used by the blockchain network, monitors the usage of system resources, and comprehensively assesses whether the consensus mechanism used by the detected blockchain network meets the requirements of security and reliability.
Illustratively, the following can be obtained for the corresponding blockchain network by a system call: the consensus algorithm CP_K, the number of nodes N, the number of ordering nodes N_O, the number of synchronization nodes N_P, the total system processor C, the system processor occupancy C'', the total system memory M and the system memory occupancy M'', where the subscript K denotes the specific consensus algorithm, e.g. PBFT or Kafka. Further, based on the specific consensus algorithm, a reference standard set Rec = [N_Rec, N_o_Rec, N_p_Rec, C_Rec, M_Rec] is set for the indexes, where each item of the reference standard set is the safe reference value range corresponding to one index; each detected index is compared with its safe reference value range, and if it falls within the range the corresponding index is safe. In addition, the node ratios, resource occupancy and the like must be calculated in order to detect whether the consensus algorithm in use can resist common attacks, whether it has fault tolerance, and whether the current consensus mechanism can be supported by the system resources.
Here the number of abnormal nodes is N_f, the maximum number of abnormal nodes the consensus algorithm can tolerate is R, and the number of normal nodes is N_o − N_f or N − N_f depending on the mechanism of the consensus algorithm; the consensus algorithm needs to satisfy:
Figure SMS_28
or:
Figure SMS_29
The maximum safe utilization rates of the system processor and the memory are denoted L_C and L_M respectively; then the following must be satisfied:
Figure SMS_30
Figure SMS_31
Meanwhile, the RESTful call tests consensus reliability and consistency through an example uplink, to ensure that the normally operating nodes of the system can reach agreement within the time required by the system performance. The corresponding finality time T_S is set according to the consensus algorithm obtained by system call detection, and the time actually taken to call the target blockchain and receive a response is T_t; T_t ≤ T_S must then be satisfied. A node matrix N[i], i ∈ N, is obtained from the number of nodes, and the data returned by each node in the call test must be consistent.
In this embodiment, several techniques are combined for comprehensive detection: an actual data uplink distribution test is performed and the underlying configuration of the blockchain network is detected, so that the security of the consensus mechanism is obtained comprehensively. This further ensures the accuracy of the consensus algorithm security detection and improves the security of the blockchain system.
Correspondingly, when the block chain security evaluation system based on the multi-dimensional security detection detects the consensus algorithm, similarly, a user firstly registers and logs in the evaluation system, then enters a system interface, and the user selects the consensus algorithm to detect in the security detection module. Further, inputting relevant information of a server corresponding to the blockchain network to be detected at a first-level interface detected by a consensus algorithm, and storing the relevant information to a background to wait for detection of a user operation instruction; the detection module loads a second-level interface for uplink call, a user inputs uplink test related data, the platform performs data uplink test according to the input information, displays block return information after data uplink, and detects consensus security consistency; the detection module loads a system remote call code, and the detection items such as the detected type, the sequence and the number of synchronous nodes, the resource consumption and the like of the consensus algorithm are displayed on a second-level interface detected by the consensus algorithm, so that the safety and the stability of the blockchain network under the current consensus mechanism are visually displayed; after the consensus problem is repaired, the regression test can be called again, and the result can be exported from the platform or can be reliably uplink to the platform.
In summary, the detection rule of the consensus algorithm in the above embodiment includes two parts, one is to detect the basic configuration and resource consumption of the blockchain network by using the host system call, and the other is to call the uplink related API in the blockchain network by using the RESTful Interface technology, so as to test whether the blockchain network can run safely and stably. The host system calling part firstly compiles detection codes in advance on a detection system, uploads corresponding host parameters on a platform, then is connected with a detected server remotely, detects the block chain network consensus algorithm, orderer and the number of Peer nodes by utilizing an internal system calling function, judges whether the used algorithm is safe and reliable according to detection conditions, judges whether the number of the nodes under the implementation of the algorithm can meet the application requirements of safety and stability, and gives corresponding results.
Fig. 4 is a schematic diagram of the consensus algorithm detection flow of a blockchain security assessment method according to an embodiment of the present invention. Referring to fig. 4, when detecting the consensus algorithm the specific execution steps are: (1) Uplink test part: the uplink test metadata, including test time, personnel, content, mode and the like, is filled in, encapsulated into a RESTful request and sent to the tested blockchain system for the uplink test, i.e. R_EQ = M_info(T, P, …, I), where R_EQ represents the request, M_info the uplink metadata, T the time at which the uplink is performed, P the information of the person performing the uplink, and I the information stored on chain. (2) After the block is generated successfully, block information D_ata is returned, including block height B, block hash H, number of transactions N, etc.; D_ata = R_sp(B, H, …, N), where R_sp represents the request response. (3) After block generation, block distribution is performed, and security indicators of the target blockchain network such as consensus consistency and finality are detected according to whether all nodes of the target network return the corresponding block generation data within the specified time and whether that data remains consistent; C_res = D_ST(D_ata), where C_res represents the actual uplink test result and D_ST represents block distribution. (4) Basic detection part: test information I_svr is entered on the detection platform, including basic server parameters such as address and user name, and whether the server is legitimate is judged before detection; I_svr = A(U_r, P_s, D_IR), where A represents the total account information set, U_r the account name, P_s the credential, and D_IR the configuration-dependent directory address.
(5) The detection module initiates a remote system call with the test information to obtain the consensus mechanism type, node and server resource usage information: Res_c = D_tc(I_svr) → {C_fg, U_cpu, U_mem}, where Res_c is the result set of the system call, D_tc the detection flow, C_fg the consensus mechanism configuration information, U_cpu the CPU usage information and U_mem the memory usage information. (6) The results detected by the two methods are integrated, compared and computed against the standard values, and the security of the target blockchain network is comprehensively evaluated and scored; P_CS is the consensus mechanism score, G the risk level score corresponding to a security risk, and W the weight adjustable according to the actual situation:
Figure SMS_34
where Figure SMS_36 represents the number of uplink test risks, Figure SMS_39 represents the risk class score corresponding to the uplink test risk indexed by Figure SMS_33, Figure SMS_37 represents the weight corresponding to the uplink test risk indexed by Figure SMS_40, Figure SMS_42 represents the number of system call risks, Figure SMS_32 represents the risk class score corresponding to the system call risk indexed by Figure SMS_35, and Figure SMS_38 represents the weight corresponding to the system call risk indexed by Figure SMS_41. Exemplary, in the RESTful API call of the consensus mechanism detection, if the block information and the block distribution result are available, the consensus algorithm can be considered to work normally and to meet security requirements such as consistency and finality; the execution code is as follows:
BlockTest
Input: Figure SMS_43
Output: ConsensusRes
Begin
    if Verify(account) then
        BlockData = CreateBlock(Figure SMS_44)
        if Exist(BlockData) then
            ConsensusRes = BlockDistribute(BlockData)
            return ConsensusRes
        else
            return error
    else
        return error
End
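The following added example (not the patent's code) pulls together the consensus checks stated above and the detection flow of steps (1) to (6): the system call result Res_c = {C_fg, U_cpu, U_mem} is checked against the fault-tolerance bound R and the resource limits L_C and L_M, the uplink result C_res is checked against the finality time T_S and for node-by-node consistency of the returned block data, and the risks found are scored as P_CS. The page does not reproduce its own inequalities or its scoring formula, so the fault-tolerance bounds used here are the standard ones for the two algorithm families it names (PBFT: N ≥ 3f + 1; Kafka/Raft-style crash-fault ordering: N_O ≥ 2f + 1), and the G/W values and the weighted-sum score are this example's assumptions; the sample network figures are constructed.

```python
"""Consensus-mechanism checks on system-call and uplink-test results (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SysCallResult:
    """Res_c = {C_fg, U_cpu, U_mem} as obtained by the host system call."""
    algorithm: str      # CP_K, e.g. "PBFT" or "Kafka"
    n: int              # N   total nodes
    n_o: int            # N_O ordering nodes
    n_f: int            # N_f abnormal nodes
    cpu_total: float    # C
    cpu_used: float     # C''
    mem_total: float    # M
    mem_used: float     # M''


@dataclass
class UplinkResult:
    """C_res = D_ST(D_ata): what the RESTful uplink test returned."""
    t_s: float                                  # finality time T_S set for the algorithm
    t_t: float                                  # measured call-and-response time T_t
    node_blocks: Dict[int, Tuple[int, str]]     # N[i] -> (block height B, block hash H)


@dataclass
class Risk:
    name: str
    g: int       # risk level score G
    w: float     # adjustable weight W


def max_tolerated_faults(algorithm: str, n: int, n_o: int) -> int:
    """R, the largest number of abnormal nodes the algorithm tolerates.  Assumed bounds:
    PBFT tolerates f Byzantine nodes while N >= 3f + 1; a Kafka/Raft-style ordering
    service tolerates f crashed orderers while N_O >= 2f + 1."""
    algo = algorithm.upper()
    if algo == "PBFT":
        return (n - 1) // 3
    if algo in ("KAFKA", "RAFT"):
        return (n_o - 1) // 2
    raise ValueError(f"no fault-tolerance bound known for {algorithm}")


def system_call_risks(r: SysCallResult, l_c: float = 0.8, l_m: float = 0.8) -> List[Risk]:
    """System-call risks: N_f beyond R, or CPU / memory use above L_C / L_M.
    The G and W values attached to each risk are constructed."""
    risks: List[Risk] = []
    if r.n_f > max_tolerated_faults(r.algorithm, r.n, r.n_o):
        risks.append(Risk("abnormal-nodes-exceed-fault-tolerance", 9, 1.0))
    if r.cpu_used / r.cpu_total > l_c:
        risks.append(Risk("cpu-above-safe-limit", 5, 1.0))
    if r.mem_used / r.mem_total > l_m:
        risks.append(Risk("memory-above-safe-limit", 5, 1.0))
    return risks


def uplink_risks(u: UplinkResult) -> List[Risk]:
    """Uplink-test risks: T_t must not exceed T_S, and every node's returned block
    data must agree, otherwise finality or consistency is in doubt."""
    risks: List[Risk] = []
    if u.t_t > u.t_s:
        risks.append(Risk("finality-time-exceeded", 7, 1.0))
    if len(set(u.node_blocks.values())) > 1:
        risks.append(Risk("nodes-returned-inconsistent-blocks", 9, 1.0))
    return risks


def consensus_score(sys_risks: List[Risk], up_risks: List[Risk]) -> float:
    """P_CS as a weighted sum of G*W over both risk lists (assumed formula)."""
    return sum(k.g * k.w for k in sys_risks + up_risks)


if __name__ == "__main__":
    # Constructed sample: 4-node PBFT network, one abnormal node (within R = 1),
    # CPU at 85 % and one node lagging a block behind the others.
    sc = SysCallResult("PBFT", n=4, n_o=1, n_f=1, cpu_total=4.0, cpu_used=3.4,
                       mem_total=16.0, mem_used=6.0)
    up = UplinkResult(t_s=2.0, t_t=1.3, node_blocks={1: (10, "h10"), 2: (10, "h10"),
                                                     3: (10, "h10"), 4: (9, "h09")})
    s, u = system_call_risks(sc), uplink_risks(up)
    print([k.name for k in s + u], "P_CS =", consensus_score(s, u))
```

For the constructed sample the abnormal node count is within R, so only the CPU limit and the lagging node are reported, giving P_CS = 14.0; raising n_f to 2 on the same 4-node PBFT network trips the fault-tolerance check as well.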
In yet another embodiment of the present invention, the blockchain security assessment method based on multi-dimensional security detection further includes the steps of: determining an input vector based on the characteristics of the blockchain platform system; determining fuzz test data based on the input vector, and performing application vulnerability detection on the blockchain platform system with the determined fuzz test data to obtain the number of application vulnerabilities and their vulnerability types; and determining a risk level score corresponding to each application vulnerability type, and determining a third evaluation score based on the risk level score corresponding to each application vulnerability. Illustratively, determining fuzz test data based on the input vector includes: obtaining a common vulnerability template and generating a first fuzz test data set from the template based on the input vector; applying mutation operations to the data in the first fuzz test data set to obtain a second fuzz test data set; and using the data in the second fuzz test data set as the fuzz test data.
In this embodiment, the blockchain security assessment method also performs security detection on the application layer, in addition to the security detection of smart contracts and consensus algorithms. Upper-layer applications generally call and manage the blockchain network through a user-friendly interface, and common Web security problems such as XSS vulnerabilities, injection vulnerabilities and information leakage easily arise during their construction; application security problems are usually detected with fuzz testing. There are generally two ways of generating Fuzzing data: a mutation-based method, which generates and tests data starting from known data samples, and a vulnerability-template-based method, which generates and tests data according to known protocols or intelligence. The method combines the two: after an initial request to the target, a known vulnerability set is inserted into the packet obtained from the normal request, and on that basis a large number of abnormal requests are generated and sent, so that common security vulnerabilities of the blockchain application are checked comprehensively.
In this embodiment, a batch of fuzz test data is first obtained from the known vulnerability information in the vulnerability template, and this data is then mutated into a large volume of test data for the fuzz test. The method thus keeps both the known-vulnerability advantage of templates and the volume advantage of mutation, and can generate more fuzz test data with higher accuracy, improving detection efficiency.
Illustratively, the Fuzzing technique referred to here can be summarized as Fuzz(C, T_k) = {(b_1, S_1, t_1), …, (b_n, S_n, t_n)}, where C is the Fuzzing seed input, T_k is the number of threads, K ∈ (1, n), b_i is the output anomaly, S_i is the test data corresponding to the anomaly and t_i is the timestamp; if all seeds are entered this can also be written Fuzz({S_i}, T_k) = {(b_1, S_i, t_1), …, (b_k, S_i, t_k)}. The input and the threads can be adjusted throughout the detection stage; the detection result depends mainly on the input and its variations, and the same anomaly may be produced by several inputs during the test. To improve accuracy, a flag is first established for each anomaly generated during testing:
Figure SMS_45
In addition, since the anomalies obtained during the test are independent of each other, a variable C_{i,j} is required to determine whether seed i of the input contains anomaly j:
Figure SMS_46
Multiple anomalies may correspond to the same vulnerability V; hashing is used to distinguish them, and if the total number of non-duplicate hashes is U, the Fuzzing test is said to have detected U security issues in total.
Correspondingly, when the block chain security evaluation system based on the multidimensional security detection is used for carrying out security detection on an application layer, similarly, a user firstly registers and logs in the evaluation system, then enters a system interface, and the user selects application security detection in the security detection module. Further inputting the URL and the IP address of the corresponding platform on the application security detection primary interface, storing the related information to the background at the moment, and waiting for the detection of the user operation instruction; the detection module automatically initiates a call for generating the Fuzzing data to prepare for testing; the detection module carries out fuzzy test on the corresponding URL by utilizing each vulnerability scanning unit, records the detected abnormality and carries out vulnerability judgment; the scanning result is displayed on a primary interface in the form of detection items and detection ratings after being processed, the corresponding secondary interface displays vulnerability details and repair suggestions, the scanning module can be called again to carry out regression testing after vulnerability repair, and the result can be exported on a platform or can be reliably uplink on the platform.
In summary, the application security detection technique of the above embodiment uses Fuzzing, a black-box technique for mining program vulnerabilities by injecting a large amount of abnormal data into a target program and monitoring whether the program behaves abnormally. It combines the depth and accuracy of manual penetration testing with the efficiency and automation of Fuzzing: a large number of preset test cases are constructed, every subsystem of the target system and every data input point beneath it is covered, and the various anomalies and application vulnerabilities in the target system can be mined simply, efficiently and automatically, with duplicate vulnerabilities filtered during testing so that vulnerabilities are identified as accurately as possible.
Fig. 5 is a schematic diagram of the application security detection flow of a blockchain security assessment method according to an embodiment of the present invention. Referring to fig. 5, when performing application security detection the specific implementation steps are: (1) Determine the input vector: first a normal request is made to the target platform to obtain a normal request message, and the input vector is determined from the characteristics of the target system; the input vector is the set of request parameters that can influence the target system; V = D(F_TR), where V is the input vector, D the request process flow and F_TR the system features. (2) Generate fuzz test data: Fuzzing test data is generated from the determined input vector; this embodiment combines the template-based and mutation-based methods and mutates Fuzzing data from the obtained input vector and the existing vulnerability templates and patterns; D_fuzz = G_en(V, A_log, T_pt), where D_fuzz is the generated fuzz test data, G_en the generation flow, A_log the mutation generation and T_pt the known templates. (3) Perform the fuzz test: the Fuzzing program or script is started, an appropriate number of threads is selected according to the performance of the test system, the generated Fuzzing data is loaded, a large number of abnormal requests are sent, and the target system is fuzzed in multithreaded mode; T_res = F_uzz(D_fuzz, T_rd), where T_res is the set of responses received during testing, F_uzz the Fuzzing test procedure and T_rd the number of threads.
(4) Monitor anomalies: vulnerability discovery relies on anomaly monitoring; during testing the Fuzzing program collects and analyses the anomalies returned by the target system to determine their causes, and anomalies of the test program or script itself are also detected for later improvement of test efficiency and accuracy; i.e. Err = D_err(T_res), where Err is the anomaly set and D_err the judging flow. (5) Vulnerability determination: the detected target-system anomalies are matched and judged to determine whether each is a known or unknown security vulnerability, and vulnerabilities are judged repeatedly so that as many application vulnerabilities as possible are obtained while ensuring accuracy and no duplication; i.e. Res_f = VD(Err), where Res_f is the detected vulnerability set and VD the judging flow. (6) Evaluate application security: after detection completes, the application security is assessed according to the number and types of application vulnerabilities; each vulnerability in the result set Res_f is arranged and processed according to the risk level score G of the corresponding security risk and the weight W adjustable according to the actual situation, giving the score P_WA; Res_f → {G_i, W_i},
Figure SMS_47
where Figure SMS_48 represents the number of application security vulnerabilities, G_i represents the risk level score corresponding to the i-th application vulnerability, and W_i represents the weight corresponding to the i-th application vulnerability. Exemplary, the execution code is as follows:
WebVulnDetect
Input: Figure SMS_53
Output: Vulns
Begin
    if Exist(IP) then
        if Exist(URL) then
            Vector = WebInfoDetect(IP, URL)
            FuzzData = DataGenerate(Vector, ALGO)
            for each exception in Fuzzing(FuzzData, IP, URL)
                if isVuln(exception) then
                    Vulns[n+1] = exception
                else
                    continue
            return Vulns
        else
            return error
    else
        return error
End
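As an added example of the Fuzzing flow of steps (1) to (6) and of the Fuzz(C, T_k) = {(b_i, S_i, t_i)} notation above (example code, not the patent's implementation): a constructed input vector V receives template-based seeds, the seeds are mutated, every case is sent to a target, each anomaly is recorded as (b_i, S_i, t_i), the anomalies are hashed so that inputs triggering the same vulnerability V collapse to one entry (U = number of distinct hashes), and P_WA is scored. The target is an in-process stub with three deliberately simple failure modes; the templates, the mutation operators, the G/W table and the weighted-sum score are all assumptions of this example, and threads (T_k) are not modelled.

```python
"""Template-plus-mutation fuzzing with hash-based vulnerability de-duplication (added example)."""
import hashlib
import random
import time
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]

INPUT_VECTOR = ["username", "page"]      # V = D(F_TR): parameters that reach the target (constructed)

# T_pt: generic probe templates (constructed), each aimed at one anomaly class
TEMPLATES = {"overlong": "A" * 300, "quote": "x'y", "control": "a\x00b\r\n"}


def template_seeds(vector: List[str], templates: Dict[str, str]) -> List[Request]:
    """First fuzz set: every parameter of V receives every template while the others stay benign."""
    seeds = []
    for param in vector:
        for payload in templates.values():
            req = {p: "normal" for p in vector}
            req[param] = payload
            seeds.append(req)
    return seeds


def mutate(seed: Request, rng: random.Random) -> Request:
    """A_log: second fuzz set by one simple mutation (duplicate / truncate / flip a char)."""
    out = dict(seed)
    param = rng.choice(sorted(out))
    v = out[param]
    op = rng.choice(["duplicate", "truncate", "flip"])
    if op == "duplicate":
        out[param] = v * 2
    elif op == "truncate":
        out[param] = v[: max(1, len(v) // 2)]
    else:
        i = rng.randrange(len(v))
        out[param] = v[:i] + chr((ord(v[i]) + 1) % 128) + v[i + 1:]
    return out


def toy_handler(req: Request) -> str:
    """Constructed stand-in for the platform's web front end: it fails in three ways a
    real service might (fixed-size copy, unhandled NUL byte, naive quoting)."""
    if len(req["username"]) > 256:
        raise OverflowError("username exceeds fixed buffer")
    if "\x00" in req["username"]:
        raise ValueError("NUL byte in username")
    if "'" in req["page"]:
        raise SyntaxError("unterminated quote in page filter")
    return "ok"


def fuzz(target: Callable[[Request], str], seeds: List[Request],
         mutations_per_seed: int = 5, rng_seed: int = 1) -> List[Tuple[str, Request, float]]:
    """Fuzz(C, T_k) -> {(b_i, S_i, t_i)}: run seeds and their mutations, keep each anomaly
    b_i with the input S_i that caused it and a timestamp t_i."""
    rng = random.Random(rng_seed)
    cases = list(seeds) + [mutate(s, rng) for s in seeds for _ in range(mutations_per_seed)]
    results = []
    for case in cases:
        try:
            target(case)
        except Exception as exc:
            results.append((f"{type(exc).__name__}: {exc}", case, time.time()))
    return results


def unique_vulns(results: List[Tuple[str, Request, float]]) -> Dict[str, Tuple[str, List[Request]]]:
    """Hash the normalised anomaly text so that all inputs triggering the same V share one
    entry; U = len(return value)."""
    by_hash: Dict[str, Tuple[str, List[Request]]] = {}
    for anomaly, case, _ in results:
        key = hashlib.sha256(anomaly.encode()).hexdigest()[:16]
        by_hash.setdefault(key, (anomaly, []))[1].append(case)
    return by_hash


# (G, W) per anomaly class, constructed values
RISK = {"OverflowError": (8, 1.0), "SyntaxError": (7, 1.0), "ValueError": (4, 1.0)}


def application_score(vulns: Dict[str, Tuple[str, List[Request]]]) -> float:
    """P_WA as a weighted sum of G*W over the U distinct vulnerabilities (assumed formula)."""
    total = 0.0
    for anomaly, _cases in vulns.values():
        g, w = RISK.get(anomaly.split(":")[0], (1, 1.0))
        total += g * w
    return total


if __name__ == "__main__":
    found = fuzz(toy_handler, template_seeds(INPUT_VECTOR, TEMPLATES))
    vulns = unique_vulns(found)
    print(f"{len(found)} anomalies, U = {len(vulns)} distinct vulnerabilities")
    for anomaly, cases in vulns.values():
        print(f"  {anomaly} (triggered by {len(cases)} inputs)")
    print("P_WA =", application_score(vulns))
```

Although the mutated cases raise far more than three anomalies, the hash step reduces them to U = 3 distinct vulnerabilities, which is the de-duplication the text describes, and P_WA comes out as 19.0 with the constructed G/W table.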
Existing blockchain security detection technologies and tools mostly target a single blockchain core technology or a single type of security problem among smart contracts, consensus algorithms and application security; research products usually take the form of a single application, cannot meet the multi-dimensional security detection and assessment needs of current blockchain systems, lack applied practice in comprehensive security detection of the whole blockchain network and the applications above it, and offer no reliable way to verify and trace detection results. On this basis, the blockchain security assessment method is further improved over the above embodiment to further improve the security of the blockchain system.
Specifically, in this embodiment, the blockchain security assessment method based on multi-dimensional security detection further includes: calculating a comprehensive evaluation score for the blockchain platform based on the first, second and third evaluation scores. Illustratively, the comprehensive evaluation score is calculated as P = [(P_SC × W_SC) + (P_CS × W_CS) + (P_WA × W_WA)] × W, where P_SC represents the first evaluation score, P_CS the second evaluation score, P_WA the third evaluation score, W_SC the weight of the first evaluation score, W_CS the weight of the second evaluation score, W_WA the weight of the third evaluation score, and W the adjustment weight. In this embodiment, the evaluation scores of the smart contract, consensus algorithm and application security parts are each multiplied by their adjustable weights and summed, and the sum is multiplied by the adjustable weight W to obtain the comprehensive evaluation score of the blockchain system; the weights depend on the risk coefficient of the blockchain application scenario, so the comprehensive evaluation score evaluates blockchain security comprehensively and flexibly across multiple dimensions and helps ensure the security of the blockchain system.
Accordingly, the present invention also provides a blockchain security assessment system based on multi-dimensional security detection, the system including a processor and a memory, the memory having stored therein computer instructions for executing the computer instructions stored in the memory, the system implementing the steps of the method as described in any of the embodiments above when the computer instructions are executed by the processor.
In the block chain security evaluation system, three detection methods of an intelligent contract detection technology, a consensus mechanism detection technology and an application security detection technology can be integrated into a comprehensive unified evaluation system in a modularized mode, three modules evaluate the security of one type of block chain key technology respectively, and the block chain network and a platform thereof are subjected to complete and comprehensive security evaluation. In the evaluation system, each security evaluation result can be evaluated and scored according to the comprehensive results of different security index items, and when a certain blockchain network and a platform thereof are comprehensively evaluated, the blockchain network and the platform thereof can be comprehensively evaluated with different weights according to different application scenes. In the security evaluation system, one or more security items can be evaluated according to actual requirements, and are evaluated and rated according to vulnerability types, and comprehensive evaluation is performed by combining a plurality of indexes, so that the security problems of various aspects and multiple layers in the current blockchain technology application are solved; the block chain related safety detection is automated, platform-based and engineering, so that the detection technology can fall to the real application scene, all block chain systems of the platform can store the evaluation result on the chain in a reliable and transparent manner, the problem of reliable tracing of the evaluation result is solved, the fusion and innovation of the detection technology and the block chain can effectively ensure the safety of the block chain system, and the loss caused by unknown safety problems is reduced.
According to the embodiments, the blockchain security assessment method and device based on multi-dimensional security detection detect the three parts of the current blockchain system that are most vulnerable, namely the smart contract, the consensus mechanism and the upper-layer application. Smart contract detection uses a static method that analyses the code syntax tree and matches it against vulnerability rules, so that contracts are checked for vulnerabilities efficiently and accurately; consensus algorithm detection combines several techniques, performing an actual data uplink distribution test and also detecting the underlying configuration of the blockchain network, so that the security of the consensus mechanism is obtained comprehensively; application detection uses Fuzzing to generate a large volume of access data and detects application vulnerabilities by judging anomalies. The underlying system technology in the invention adopts the most mature consortium chain, Hyperledger Fabric, which has the widest range of scenarios, as the blockchain framework, and supports reliable uplink of the platform's vulnerability detection result data.
In addition, the system disclosed by the application fuses the mentioned evaluation method and technology into the blockchain platform, improves the automation degree of vulnerability detection, realizes the whole process of safety detection, corresponding detection item safety rating, detection result export and uplink, projects and platforms the detection technology, can fall to the actual application scene, solves the problem that the existing tool can only aim at single type of safety risk, is complex in operation, cannot automatically and efficiently evaluate the overall safety of the blockchain system, meets the current increasing requirements on the safety evaluation of the blockchain system, improves the overall safety water level of social blockchain application, and provides guarantee for the safety application of the blockchain technology.
In addition, the invention also discloses a computer readable storage medium, on which a computer program is stored, which program, when being executed by a processor, implements the steps of the method according to any of the embodiments above.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein can be implemented as hardware, software, or a combination of both. The particular implementation is hardware or software dependent on the specific application of the solution and the design constraints. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine readable medium or transmitted over transmission media or communication links by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transfer information. Examples of machine-readable media include electronic circuitry, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio Frequency (RF) links, and the like. The code segments may be downloaded via computer networks such as the internet, intranets, etc.
It should also be noted that the exemplary embodiments mentioned in this disclosure describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, or may be performed in a different order from the order in the embodiments, or several steps may be performed simultaneously.
In this disclosure, features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, and various modifications and variations can be made to the embodiments of the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A blockchain security assessment method based on multi-dimensional security detection, the method comprising:
acquiring an intelligent contract source code and a grammar rule, optimizing the grammar rule, analyzing the intelligent contract source code based on the optimized grammar rule, constructing a grammar analysis tree based on the analyzed intelligent contract source code, and traversing the grammar analysis tree to generate an intermediate expression; wherein the optimized grammar rules comprise rules for identifying keywords;
acquiring a vulnerability rule file set for matching intelligent contract vulnerabilities, matching each vulnerability rule file in the vulnerability rule file set with the intermediate expression, and acquiring a first matching result; the vulnerability rule file includes rules for matching integer-overflow, state-machine, or contract-terminable type security issues;
a first evaluation score is determined based on the first matching result.
2. The blockchain security assessment method based on multi-dimensional security detection of claim 1, wherein the method comprises:
acquiring a consensus algorithm, the number of nodes, the number of sequencing nodes, the total amount of the system processor, the occupied amount of the system processor, the total amount of system memory, the occupied amount of the system memory, the number of abnormal nodes, the maximum safe utilization rate of the system processor and the maximum safe utilization rate of the system memory, and determining the finality time based on the acquired consensus algorithm;
determining system call risks and first risk level scores corresponding to the system call risks based on the number of nodes, the number of sequencing nodes, the number of abnormal nodes, the total amount of the system processor, the occupied amount of the system processor, the total amount of system memory, the occupied amount of the system memory, the maximum safe utilization rate of the system processor and the maximum safe utilization rate of the system memory;
determining uplink test risks and second risk level scores corresponding to the uplink test risks based on the finality time and the actual time consumed in calling and responding to a target blockchain;
a second evaluation score is determined based on each of the first risk level scores and each of the second risk level scores.
3. The blockchain security assessment method based on multi-dimensional security detection of claim 2, wherein the method comprises:
determining an input vector based on blockchain platform system characteristics;
determining fuzzy test data based on the input vector, and performing application vulnerability detection on the blockchain platform system based on the determined fuzzy test data to obtain the number of application vulnerabilities and the vulnerability types of the application vulnerabilities;
and determining the risk level score corresponding to each application vulnerability, and determining a third evaluation score based on the risk level score corresponding to each application vulnerability.
4. A blockchain security assessment method based on multi-dimensional security detection as in claim 3, wherein the method comprises:
a composite evaluation score of the blockchain platform is calculated based on the first, second, and third evaluation scores.
5. The blockchain security assessment method based on multi-dimensional security detection of claim 3, wherein determining fuzzy test data based on the input vector comprises:
a common vulnerability template is obtained, and a first fuzzy test data set is generated through the common vulnerability template based on the input vector;
performing mutation operation on the data in the first fuzzy test data set to obtain a second fuzzy test data set;
and taking the data in the second fuzzy test data set as fuzzy test data.
6. The blockchain security assessment method based on multidimensional security detection of claim 1, wherein parsing the smart contract source code based on the optimized grammar rules and constructing a parse tree based on the parsed smart contract source code comprises:
processing the optimized grammar rule with a left-recursion elimination method to obtain a processed grammar rule;
parsing the intelligent contract source code based on the processed grammar rule;
and constructing a grammar analysis tree based on the parsed intelligent contract source code.
7. The blockchain security assessment method based on multi-dimensional security detection of claim 4, wherein the first evaluation score is calculated as:
[formula shown in Figure QLYQS_1]
the second evaluation score is calculated as:
[formula shown in Figure QLYQS_2]
and the third evaluation score is calculated as:
[formula shown in Figure QLYQS_3]
where n represents the number of vulnerabilities in the first matching result; [Figure QLYQS_18] represents the risk level score corresponding to the i-th vulnerability in the first matching result; [Figure QLYQS_6] represents the weight corresponding to the i-th vulnerability in the first matching result; [Figure QLYQS_16] represents the number of uplink test risks; [Figure QLYQS_15] represents the risk level score corresponding to the [Figure QLYQS_19]-th uplink test risk; [Figure QLYQS_17] represents the weight corresponding to the [Figure QLYQS_20]-th uplink test risk; [Figure QLYQS_8] represents the number of system call risks; [Figure QLYQS_12] represents the risk level score corresponding to the [Figure QLYQS_4]-th system call risk; [Figure QLYQS_10] represents the weight corresponding to the [Figure QLYQS_7]-th system call risk; [Figure QLYQS_14] represents the number of application vulnerabilities; [Figure QLYQS_9] represents the risk level score corresponding to the [Figure QLYQS_13]-th application vulnerability; and [Figure QLYQS_5] represents the weight corresponding to the [Figure QLYQS_11]-th application vulnerability.
8. The blockchain security assessment method based on multi-dimensional security detection of claim 7, wherein the calculation formula of the comprehensive assessment score is:
P = [(P_SC × W_SC) + (P_CS × W_CS) + (P_WA × W_WA)] × W;
wherein P_SC represents the first evaluation score, P_CS represents the second evaluation score, P_WA represents the third evaluation score, W_SC represents the weight of the first evaluation score, W_CS represents the weight of the second evaluation score, W_WA represents the weight of the third evaluation score, and W represents the adjustment weight.
9. A blockchain security assessment system based on multi-dimensional security detection, the system comprising a processor and a memory, wherein the memory has stored therein computer instructions, the processor being operable to execute the computer instructions stored in the memory, the system implementing the steps of the method of any of claims 1 to 8 when the computer instructions are executed by the processor.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 8.
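The left-recursion elimination step of claim 6 is the part of the parsing pipeline most likely to be misapplied, so here is a worked implementation. This is an added example in Python, not the patent's or applicant's code; the grammar encoding (a dict from nonterminal to a list of symbol tuples, with the empty tuple as epsilon), the `_tail` naming of the new nonterminals, and the sample contract-expression grammar are all assumptions. It implements the general algorithm (indirect as well as immediate left recursion), which goes beyond the single case the claim names.

```python
# Added example (not the patent's or applicant's code): left-recursion elimination
# for the grammar rules of claim 6. Grammar encoding and sample grammar are assumptions:
# a grammar maps each nonterminal to alternatives (tuples of symbols); () is epsilon.
from typing import Dict, List, Tuple

Grammar = Dict[str, List[Tuple[str, ...]]]

def eliminate_immediate(g: Grammar, a: str) -> None:
    """Rewrite A -> A a1 | .. | b1 | .. into A -> b1 A' | .., A' -> a1 A' | .. | eps."""
    recursive = [alt[1:] for alt in g[a] if alt and alt[0] == a]
    others = [alt for alt in g[a] if not (alt and alt[0] == a)]
    if not recursive:
        return
    tail = a + "_tail"  # assumed naming; the input grammar must not already use it
    g[a] = [beta + (tail,) for beta in others]
    g[tail] = [alpha + (tail,) for alpha in recursive] + [()]

def eliminate_left_recursion(grammar: Grammar) -> Grammar:
    """Paull's algorithm: expose indirect left recursion by substitution, then remove
    immediate recursion. Assumes no epsilon-productions and no cycles in the input."""
    g: Grammar = {nt: list(alts) for nt, alts in grammar.items()}
    order = list(grammar)  # fixed nonterminal order A_1 .. A_n
    for i, ai in enumerate(order):
        for aj in order[:i]:
            # A_i -> A_j gamma  becomes  A_i -> delta gamma for every A_j -> delta
            new_alts: List[Tuple[str, ...]] = []
            for alt in g[ai]:
                if alt and alt[0] == aj:
                    new_alts.extend(delta + alt[1:] for delta in g[aj])
                else:
                    new_alts.append(alt)
            g[ai] = new_alts
        eliminate_immediate(g, ai)
    return g

def is_left_recursive(g: Grammar) -> bool:
    """True if some nonterminal can derive a sentential form starting with itself."""
    left = {nt: {alt[0] for alt in alts if alt and alt[0] in g} for nt, alts in g.items()}
    for start in g:
        seen, stack = set(), list(left[start])
        while stack:
            s = stack.pop()
            if s == start:
                return True
            if s not in seen:
                seen.add(s)
                stack.extend(left[s])
    return False

# Constructed sample: left-recursive expression grammar of the kind a contract parser needs.
SAMPLE: Grammar = {
    "expr": [("expr", "+", "term"), ("expr", "-", "term"), ("term",)],
    "term": [("term", "*", "factor"), ("factor",)],
    "factor": [("(", "expr", ")"), ("NUMBER",), ("IDENT",)],
}
```

Running `eliminate_left_recursion(SAMPLE)` yields `expr -> term expr_tail`, `expr_tail -> + term expr_tail | - term expr_tail | eps`, and likewise for `term`, after which `is_left_recursive` reports the grammar safe for a recursive-descent parser.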
CN202310297218.7A 2023-03-24 2023-03-24 Block chain security assessment method and device based on multidimensional security detection Pending CN115994363A (en)

Publications (1)

Publication Number Publication Date
CN115994363A true CN115994363A (en) 2023-04-21

Family

ID=85995469

Country Status (1)

Country Link
CN (1) CN115994363A (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109492402A (en) * 2018-10-25 2019-03-19 杭州趣链科技有限公司 A kind of intelligent contract safe evaluating method of rule-based engine
CN110061889A (en) * 2019-04-01 2019-07-26 北京众享比特科技有限公司 Block chain performance test methods, device, equipment and storage medium
CN110912855A (en) * 2018-09-17 2020-03-24 中国信息通信研究院 Block chain architecture security assessment method and system based on permeability test case set
CN111367815A (en) * 2020-03-24 2020-07-03 中国电子科技网络信息安全有限公司 Man-machine cooperation based software vulnerability fuzzy test method
US20200372154A1 (en) * 2019-05-21 2020-11-26 Jaroona Chain Ou Blockchain security
CN112256271A (en) * 2020-10-19 2021-01-22 中国科学院信息工程研究所 Block chain intelligent contract security detection system based on static analysis
CN112769845A (en) * 2021-01-18 2021-05-07 杭州安恒信息技术股份有限公司 Vulnerability testing method and device, electronic device and computer equipment
CN112907082A (en) * 2021-02-23 2021-06-04 上海腾天节能技术有限公司 Block chain consensus algorithm evaluation optimization method
CN113806799A (en) * 2021-08-27 2021-12-17 北京邮电大学 Block chain platform safety intensity assessment method and device
CN114064471A (en) * 2021-11-11 2022-02-18 中国民用航空总局第二研究所 Ethernet/IP protocol fuzzy test method based on generation of countermeasure network
CN114741699A (en) * 2022-03-07 2022-07-12 华东师范大学 Fuzzy test vulnerability mining system combined with self-attention mechanism
CN115271714A (en) * 2022-06-13 2022-11-01 广州大学 Automatic safety evaluation method of block chain consensus mechanism

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination