
Journal of Shandong University (Natural Science) ›› 2026, Vol. 61 ›› Issue (3): 20-28. doi: 10.6040/j.issn.1671-9352.9.2025.001


Chaincode vulnerability detection method based on vulnerability subtrees

林思怡1,2, 宋甫元1,2*, 付章杰1,2

  1. School of Computer Science, School of Cyber Science and Engineering, Nanjing University of Information Science & Technology, Nanjing 210044, Jiangsu, China;
  2. Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science & Technology, Nanjing 210044, Jiangsu, China
  • Published: 2026-03-18
  • Corresponding author: 宋甫元 (born 1991), male, lecturer, master's supervisor, PhD; research interest: privacy protection. E-mail: fysong@nuist.edu.cn
  • First author: 林思怡 (born 2000), female, master's student; research interest: blockchain. E-mail: 2245754476@qq.com

Chaincode vulnerability detection method based on pre-training model

Abstract: To address security vulnerabilities in the chaincode of the consortium blockchain Hyperledger Fabric, a deep-learning vulnerability detection network based on vulnerability subtrees and a pre-trained model is proposed. The detection method has two key stages. First, an automated tool parses the chaincode into an abstract syntax tree, and a vulnerability subtree structure, VB-tree, is designed so that the model focuses on the key vulnerability features; on this basis, the tree is converted into a data flow graph according to the data and control dependencies between program statements. Second, the extracted features are processed by a pre-trained model to identify potential vulnerabilities accurately. Finally, chaincode from 6 935 open-source projects in different domains was collected from GitHub to build a dataset for evaluating the effectiveness of the method. Experimental results show that, when detecting 21 types of chaincode vulnerabilities, the model achieves an average F1 score of 93.68%, which is better than existing methods.

Key words: blockchain, smart contract, vulnerability detection
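The front half of the pipeline the abstract describes (chaincode parsed into an abstract syntax tree, narrowed to the statements around a sensitive operation, and connected by data dependencies) is shown below as an added Go example; it is not the paper's code and not the VB-tree implementation. It uses only Go's standard go/parser and go/ast packages on a constructed chaincode fragment: the Stub type, its GetState and PutState methods as used here, and the integer arithmetic on the read value are simplified assumptions, not the real Fabric shim API. The example builds variable-to-variable data-flow edges from assignments and then takes the backward slice of the value written by PutState, which is the kind of subgraph a detector keeps when it focuses on a vulnerability feature. Control dependencies and the pre-trained classifier are out of scope.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// chaincodeSrc is a constructed, minimal Fabric-style chaincode fragment used
// only as sample input; it is not code from the paper or from any real project.
const chaincodeSrc = `package main
func Transfer(stub Stub, from string, to string, amt string) error {
	fromBal, _ := stub.GetState(from)
	toBal, _ := stub.GetState(to)
	n, _ := strconv.Atoi(amt)
	newFrom := fromBal - n
	stub.PutState(from, newFrom)
	stub.PutState(to, toBal)
	return nil
}
`

// Edge records that the value of variable Src flows into variable Dst.
type Edge struct{ Src, Dst string }

// DataFlowEdges parses src with go/parser and records, for each assignment in a
// function body, one edge per (right-hand-side variable, left-hand-side variable)
// pair. Only parameters and names assigned earlier in the body count as variables
// (Go declares before use), so names such as strconv or GetState are skipped.
func DataFlowEdges(src string) ([]Edge, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "chaincode.go", src, 0)
	if err != nil {
		return nil, err
	}
	var edges []Edge
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		vars := map[string]bool{}
		for _, field := range fn.Type.Params.List {
			for _, name := range field.Names {
				vars[name.Name] = true
			}
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			as, ok := n.(*ast.AssignStmt)
			if !ok {
				return true
			}
			var srcs []string // known variables read on the right-hand side
			for _, rhs := range as.Rhs {
				ast.Inspect(rhs, func(m ast.Node) bool {
					if id, ok := m.(*ast.Ident); ok && vars[id.Name] {
						srcs = append(srcs, id.Name)
					}
					return true
				})
			}
			for _, lhs := range as.Lhs {
				if id, ok := lhs.(*ast.Ident); ok && id.Name != "_" {
					for _, s := range srcs {
						edges = append(edges, Edge{Src: s, Dst: id.Name})
					}
					vars[id.Name] = true // now visible to later statements
				}
			}
			return true
		})
	}
	return edges, nil
}

// BackwardSlice returns every variable whose value reaches sink over one or more
// edges: the subgraph a detector keeps when it narrows the tree around a call.
func BackwardSlice(edges []Edge, sink string) map[string]bool {
	reached := map[string]bool{}
	var walk func(v string)
	walk = func(v string) {
		for _, e := range edges {
			if e.Dst == v && !reached[e.Src] {
				reached[e.Src] = true
				walk(e.Src)
			}
		}
	}
	walk(sink)
	return reached
}

func main() {
	edges, err := DataFlowEdges(chaincodeSrc)
	if err != nil {
		panic(err)
	}
	fmt.Println(edges, BackwardSlice(edges, "newFrom"))
}
```

On the sample fragment the slice for newFrom contains stub, from, amt, fromBal and n, and excludes to and toBal, which feed the other PutState only: that is exactly the reduction the abstract's VB-tree idea relies on, discarding statements that cannot influence the feature under study before the graph reaches the model.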

CLC number: TP309