Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/81654

Full metadata record

DC Field: Value [Language]
dc.contributor.advisor: 廖婉君 (Wan-Jun Liao)
dc.contributor.author: Zhi-Hai Lin [en]
dc.contributor.author: 林智海 [zh_TW]
dc.date.accessioned: 2022-11-24T09:25:18Z
dc.date.available: 2022-11-24T09:25:18Z
dc.date.copyright: 2021-08-13
dc.date.issued: 2021
dc.date.submitted: 2021-08-02
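dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/81654
dc.description.abstract: Ethereum smart contracts are decentralized programs run jointly by mutually distrusting nodes in the Ethereum blockchain network. The security of smart contracts is therefore an important issue. To keep smart contracts secure, auditing them before they are deployed to the blockchain is a common and popular practice. However, if a vulnerability is missed during the audit stage, the deployed smart contract may remain exposed to attack. This thesis proposes a method for detecting potential attacks while a smart contract is executing. The smart contract is first analyzed statically; then, through program execution path profiling and program instrumentation, its execution paths are restricted to a predefined set of safe paths, and suspicious attacks are intercepted and an alert is raised. Experimental results show that the method handles path-related smart contract vulnerabilities effectively, with a moderate increase in smart contract deployment and runtime overhead. [zh_TW]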
dc.description.provenance: Made available in DSpace on 2022-11-24T09:25:18Z (GMT). No. of bitstreams: 1. U0001-2207202116584600.pdf: 2414466 bytes, checksum: 6e6e295f1330eef096c580e46d4c0ca7 (MD5). Previous issue date: 2021 [en]
dc.description.tableofcontents:
  Chinese Abstract
  English Abstract
  List of Figures
  List of Tables
  1 Introduction
  2 Smart Contract Vulnerabilities
  3 Related Work
    3.1 Smart Contract Vulnerabilities Analysis and Audit
    3.2 Program Execution Path Profiling
  4 Smart contract execution model
    4.1 Smart Contract Program Basic
    4.2 Data Storage Model
    4.3 Smart Contract Invocation
  5 Audit and Protect Approach
    5.1 Overview
    5.2 Protection Scenario
    5.3 Program Execution Path Collection
    5.4 Instrumentation
    5.5 Storage of Safe Path Set
  6 Evaluation
    6.1 Practicability
    6.2 Effectiveness
    6.3 Discussion
  7 Future Work
  8 Conclusion
  References
  Appendix
    I
    II
dc.language.iso: en
dc.subject: blockchain [zh_TW]
dc.subject: execution path profiling [zh_TW]
dc.subject: smart contract [zh_TW]
dc.subject: program vulnerability [zh_TW]
dc.subject: Ethereum [zh_TW]
dc.subject: program instrumentation [zh_TW]
dc.subject: blockchain [en]
dc.subject: program instrumentation [en]
dc.subject: execution path profiling [en]
dc.subject: vulnerability [en]
dc.subject: smart contract [en]
dc.subject: Ethereum [en]
dc.title: SafeOnLine: A smart contract audit scheme based on program execution path profiling [zh_TW]
dc.title: SafeOnLine: A smart contract audit framework based on program execution path profiling [en]
dc.date.schoolyear: 109-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 郭耀煌 (Hsin-Tsai Liu), 鄭永斌 (Chih-Yang Tseng), 陳俊良
dc.subject.keyword: blockchain, Ethereum, smart contract, program vulnerability, execution path profiling, program instrumentation [zh_TW]
dc.subject.keyword: blockchain, Ethereum, smart contract, vulnerability, execution path profiling, program instrumentation [en]
dc.relation.page: 30
dc.identifier.doi: 10.6342/NTU202101670
dc.rights.note: Not authorized
dc.date.accepted: 2021-08-02
dc.contributor.author-college: College of Electrical Engineering and Computer Science [zh_TW]
dc.contributor.author-dept: Graduate Institute of Electrical Engineering [zh_TW]
Appears in collections: Department of Electrical Engineering

Files in this item:
File: U0001-2207202116584600.pdf (not authorized for public access)
Size: 2.36 MB
Format: Adobe PDF


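Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.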
