一种基于领域自适应的智能合约安全分析框架

doi:10.3969/j.issn.0255-8297.2024.04.003

摘要/Abstract

摘要： 现有智能合约漏洞检测方案很大程度上依赖于缜密的专家规则或先验知识，不仅缺乏灵活性且难以应对新型未知漏洞检测，为此提出一种基于领域自适应的智能合约安全分析框架（domain adaptive security analysis framework,DASAF）。首先，在DASAF中，智能合约操作码执行逻辑被获取并被转化为序列特征。其次，为了解决深度学习模型中固有的数据偏移现象引起的模型老化，以及新型未知漏洞有标签样本不足导致的难以获得强泛化性能的问题，在DASAF中引入了生成对抗网络结构和领域自适应技术。最后，在一个公开基准数据集上详细评估了DASAF在智能合约漏洞分析领域的有效性，并与同类方案进行了对比，实验结果表明，本文提出的DASAF优于同类方案。

关键词: 智能合约, 领域自适应技术, 生成对抗网络, 漏洞检测, 深度学习

Abstract: The available smart contract vulnerability detection schemes mostly rely on expert-defined rules, which lack flexibility and struggle with new unknown vulnerabilities. To address this challenge, we present a novel framework called domain adaptive security analysis framework (DASAF). Firstly, we obtain the execution logic of smart contract opcodes and convert them into meaningful sequential features. Secondly, to overcome the inherent data bias in deep learning models, which leads to model aging and difficulty in achieving strong generalization performance due to insufficient labeled samples in new unknown vulnerabilities, the DASAF framework introduces adversarial generative network structure and domain adaptation techniques. Finally, we evaluate the effectiveness of the DASAF framework in the field of smart contract vulnerability analysis and detection using a public benchmark dataset, and compare it with similar schemes. The experimental results demonstrate the superiority of the DASAF framework over comparable approaches.

Key words: smart contract, domain adaptation techniques, generative adversarial network, vulnerability detection, deep learning

中图分类号:

TP309

王娜, 朱会娟, 宋香梅, 冯霞. 一种基于领域自适应的智能合约安全分析框架[J]. 应用科学学报, 2024, 42(4): 585-597.

WANG Na, ZHU Huijuan, SONG Xiangmei, FENG Xia. A Domain Adaptive Security Analysis Framework for Smart Contracts[J]. Journal of Applied Sciences, 2024, 42(4): 585-597.

参考文献

[1] Yuan Y, Wang F Y. Blockchain and cryptocurrencies: model, techniques, and applications [J]. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2018, 48(9): 1421-1428.
[2] Wood G. Ethereum: a secure decentralised generalised transaction ledger [J]. Ethereum Project Yellow Paper, 2014, 151: 1-32.
[3] Androulaki E, Barger A, Bortnikov V, et al. Hyperledger Fabric: a distributed operating system for permissioned blockchains [C]//13th EuroSys Conference, 2018: 1-15.
[4] Alomar A, Bhuiyan M Z A, Basu A, et al. Privacy-friendly platform for healthcare data in cloud based on blockchain environment [J]. Future Generation Computer Systems, 2019, 95: 511-521.
[5] Schär F. Decentralized finance: on blockchain- and smart contract-based financial markets [J]. Federal Reserve Bank of St. Louis Review, 2021, 103(2): 153-174.
[6] Wan Z, Guan Z, Cheng X. PRIDE: a private and decentralized usage-based insurance using blockchain [C]//IEEE International Conference on Internet of Things and IEEE Green Computing and Communications and IEEE Cyber, Physical and Social Computing and IEEE Smart Data, 2018: 1349-1354.
[7] Liu Z G, Qian P, Wang X, et al. Combining graph neural networks with expert knowledge for smart contract vulnerability detection [J]. IEEE Transactions on Knowledge Data Engineering, 2023, 35(2): 1296-1310.
[8] He D J, Deng Z, Zhang Y X, et al. Smart contract vulnerability analysis and security audit [J]. IEEE Network, 2020, 34(5): 276-282;
[9] Zhao L T, Zhong L, Liu J D, et al. A regulatable mechanism for transacting data assets [J]. IEEE Internet of Things Journal, 2023, 10(24): 201615-21632.
[10] Wang W, Song J J, Xu G Q, et al. ContractWard: automated vulnerability detection models for Ethereum smart contracts [J]. IEEE Transactions on Network Science Engineering, 2020, 8(2): 1133-1144.
[11] Kalra S, Goel S, Dhawan M, et al. ZEUS: analyzing safety of smart contracts [C]//Network and Distributed System Security Symposium, 2018: 1-12.
[12] Jiang B, Liu Y, Chan W K. Contractfuzzer: fuzzing smart contracts for vulnerability detection [C]//33rd ACM/IEEE International Conference on Automated Software Engineering, 2018: 259-269.
[13] Luu L, Chu D H, Olickel H, et al. Making smart contracts smarter [C]//ACM SIGSAC Conference on Computer and Communications Security, 2016: 254-269.
[14] Sato T, Himura Y. Smart-contract based system operations for permissioned blockchain [C]// 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 2018: 1-6.
[15] Feng S Y, Gangal V, Wei J, et al. A survey of data augmentation approaches for NLP [DB/OL]. 2021[2024-01-02]. https://arxiv.org/abs/2105.03075v1.
[16] 邓枭, 叶蔚, 谢睿, 等. 基于深度学习的源代码缺陷检测研究综述[J]. 软件学报, 2023, 34(2): 625- 654. Deng X, Ye W, Xie R, et al. Survey of source code bug detection based on deep learning [J]. Journal of Software, 2023, 34(2): 625-654. (in Chinese)
[17] Wu H J, Zhang Z, Wang S W, et al. Peculiar smart contract vulnerability detection based on crucial data flow graph and pre-training techniques [C]//IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE), 2021: 378-389.
[18] 钱鹏, 刘振广, 何钦铭, 等. 智能合约安全漏洞检测技术研究综述[J]. 软件学报, 2021, 33(8): 3059- 3085. Qian P, Liu Z G, He Q M, et al. Smart contract vulnerability detection technique: a survey [J]. Journal of Software, 2021, 33(8): 3059-3085. (in Chinese)
[19] Hildenbrandt E, Saxena M, Rodrigues N, et al. KEVM: a complete formal semantics of the Ethereum virtual machine [C]//IEEE 31st Computer Security Foundations Symposium (CSF), 2018: 204-217.
[20] 胡甜媛, 李泽成, 李必信, 等. 智能合约的合约安全和隐私安全研究综述[J]. 计算机学报, 2021, 44(12): 2485-2514. Hu T Y, Li Z C, Li B X, et al. Contractual security and privacy secyrity of smart contract: a system mapping study [J]. Chinese Journal of Computers, 2021, 44(12): 2485-2514. (in Chinese)
[21] Wüstholz V, Christakis M. Harvey: a greybox fuzzer for smart contracts [C]//28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2020: 1398-1409.
[22] Baldoni R, Coppa E, D’elia D C, et al. A survey of symbolic execution techniques [J]. ACM Computing Surveys, 2018, 51(3): 1-39.
[23] Feist J, Grieco G, Groce A. Slither: a static analysis framework for smart contracts [C]//2nd International Workshop on Emerging Trends in Software Engineering for Blockchain, 2019: 8-15.
[24] Mueller B. A framework for bug hunting on the ethereum blockchain [EB/OL]. 2017[2024- 01-02]. https://github.com/ConsenSys/mythril.
[25] Sharifani K, Amini M. Machine learning and deep learning: a review of methods and applications [J]. World Information Technology and Engineering Journal, 2023, 10(7): 3897-3904.
[26] Hu H, Bai Q, Xu Y. SCSGuard deep scam detection for ethereum smart contracts [C]//IEEE INFOCOM 2022-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 2022: 1-6.
[27] Zhuang Y, Liu Z G, Qian P, et al. Smart contract vulnerability detection using graph neural network [C]//Twenty-Ninth International Conference on International Joint Conferences on Artificial Intelligence, 2021: 3283-3290.
[28] Zou W, Lo D, Kochhar P S, et al. Smart contract development challenges and opportunities [J]. IEEE Transactions on Software Engineering, 2019, 47(10): 2084-2106.
[29] Pan S J, Yang Q. A survey on transfer learning [J]. IEEE Transactions on Knowledge Data Engineering, 2009, 22(10): 1345-1359.
[30] Farahani A, Voghoei S, Rasheed K, et al. A brief review of domain adaptation [DB/OL]. 2020[2024-01-02]. https://arxiv.org/abs/2010.03978.
[31] Goodfellow I, Pouget Abadie J, Mirza M, et al. Generative adversarial nets [J]. Communications of the ACM, 2020, 63(11): 139-144.
[32] Vaswani A, Shazeer N, Parmar N, et al. Attention is all you need [DB/OL]. 2023[2024-01-02]. https://arxiv.org/abs/1706.03762.
[33] Kingma D P, Ba J. Adam: a method for stochastic optimization[DB/OL]. 2017[2024-01-02]. https://arxiv.org/abs/1412.6980v6.
[34] Abdelaziz T, Hobor A. Smart learning to find dumb contracts [C]//32nd USENIX Security Symposium, 2023: 1775-1792.