  • YU Xingxin, WU Bin, YU Zhengmin. A Context-Sensitive System for Restructured Cloning Vulnerability Detection in Solidity Smart Contract[J]. Journal of Cyber Security, Accepted
A Context-Sensitive System for Restructured Cloning Vulnerability Detection in Solidity Smart Contract
YU Xingxin, WU Bin, YU Zhengmin
(Institute of Information Engineering, Chinese Academy of Sciences)
With the development of blockchain, smart contracts have become very popular. We have observed that smart contract programmers tend to copy and paste code to quickly duplicate functionality, which can introduce clone-related vulnerabilities into new smart contracts. Because nearly 90% of smart contracts on Ethereum are clones, the harm caused by cloning-related vulnerabilities is magnified. Even worse, programmers may modify the copied source code across functions, which poses a huge challenge for detecting such restructured cloning vulnerabilities. Due to the immutability of blockchain data, it is very difficult to repair vulnerable smart contracts once they are deployed. Therefore, it is urgent to perform clone vulnerability detection on smart contract code before deployment. In this paper, to fill this gap, we propose Sol-RCVD, a context-sensitive and scalable method to detect restructured cloning vulnerabilities in Solidity smart contracts. It does not require pre-defined vulnerability features and automatically generates vulnerability fingerprints at two granularities, Function granularity and Line granularity, from existing vulnerable smart contract code. We use inter-process program slicing to make the multi-granularity fingerprints context-sensitive; the improved fingerprints contain more contextual information and finer-grained code information. We evaluate our method on both an artificially constructed dataset and an Ethereum smart contract dataset. The experimental results show that Sol-RCVD has a much lower false negative rate and a lower false positive rate than competing methods. Sol-RCVD outperforms them in terms of both accuracy and scalability (0.37 seconds per contract file), which can help developers detect vulnerabilities efficiently during the smart contract development stage.
We also compare Sol-RCVD with 8 state-of-the-art detection tools that are not focused on clone-related vulnerabilities, and Sol-RCVD performs best. Based on Sol-RCVD, we have detected hundreds of vulnerable smart contracts on Ethereum that have never been reported before and obtained 4 CVEs.
Key words: cloning vulnerability detection; smart contract; blockchain