最新区块链论文速读--CCF A会议 ICSE 2024 共13篇 附pdf下载 (2/2)

news2024/12/25 1:08:32

图片

Conference:International Conference on Software Engineering (ICSE)

CCF level:CCF A

Categories:Software Engineering/System Software/Programming Languages

Year:2024

Num:13

第1~7篇区块链文章请点击此处查看

8

Title: 

GPTScan: Detecting Logic Vulnerabilities in Smart Contracts by Combining GPT with Program Analysis

GPTScan:结合GPT与程序分析检测智能合约逻辑漏洞

Authors

图片

Abstract

Smart contracts are prone to various vulnerabilities, leading to substantial financial losses over time. Current analysis tools mainly target vulnerabilities with fixed control- or data-flow patterns, such as re-entrancy and integer overflow. However, a recent study on Web3 security bugs revealed that about 80% of these bugs cannot be audited by existing tools due to the lack of domain-specific property description and checking. Given recent advances in Large Language Models (LLMs), it is worth exploring how Generative Pre-training Transformer (GPT) could aid in detecting logic vulnerabilities. In this paper, we propose GPTScan, the first tool combining GPT with static analysis for smart contract logic vulnerability detection. Instead of relying solely on GPT to identify vulnerabilities, which can lead to high false positives and is limited by GPT's pre-trained knowledge, we utilize GPT as a versatile code understanding tool. By breaking down each logic vulnerability type into scenarios and properties, GPTScan matches candidate vulnerabilities with GPT. To enhance accuracy, GPTScan further instructs GPT to intelligently recognize key variables and statements, which are then validated by static confirmation. Evaluation on diverse datasets with around 400 contract projects and 3K Solidity files shows that GPTScan achieves high precision (over 90%) for token contracts and acceptable precision (57.14%) for large projects like Web3Bugs. It effectively detects ground-truth logic vulnerabilities with a recall of over 70%, including 9 new vulnerabilities missed by human auditors. GPTScan is fast and cost-effective, taking an average of 14.39 seconds and 0.01 USD to scan per thousand lines of Solidity code. Moreover, static confirmation helps GPTScan reduce two-thirds of false positives.

智能合约容易出现各种漏洞,久而久之会造成巨大的经济损失。当前的分析工具主要针对具有固定控制流或数据流模式的漏洞,例如重入和整数溢出。然而,最近一项关于 Web3 安全漏洞的研究表明,由于缺乏特定领域的属性描述和检查,大约 80% 的此类漏洞无法通过现有工具进行审计。鉴于大型语言模型 (LLM) 的最新进展,值得探索如何利用生成式预训练 Transformer (GPT) 来帮助检测逻辑漏洞。在本文中,我们提出了 GPTScan,这是第一个将 GPT 与静态分析相结合用于智能合约逻辑漏洞检测的工具。我们将 GPT 用作多功能代码理解工具,而不是仅仅依靠 GPT 来识别漏洞,因为这会导致很高的误报率,并且受到 GPT 预训练知识的限制。通过将每种逻辑漏洞类型分解为场景和属性,GPTScan 将候选漏洞与 GPT 进行匹配。为了提高准确率,GPTScan 进一步指示 GPT 智能识别关键变量和语句,然后通过静态确认进行验证。在包含约 400 个合约项目和 3K Solidity 文件的多种数据集上进行的评估表明,GPTScan 对代币合约的准确率高达 90% 以上,对 Web3Bugs 等大型项目的准确率也达到了可接受的水平(57.14%)。它有效地检测出了真实的逻辑漏洞,召回率超过 70%,包括 9 个人工审计人员遗漏的新漏洞。GPTScan 速度快、成本低,每千行 Solidity 代码平均扫描时间为 14.39 秒,成本为 0.01 美元。此外,静态确认可帮助 GPTScan 将误报率降低三分之二。

图片

Filtering rules:

  • FNK: The Function Name should contain at least one Keyword.

  • FCE: The Function Content should contain at least one Expression.

  • FCNE: The Function Content should Not contain any Expression.

  • FCCE: The Function Content should contain at least one Combination of given Expressions.

  • FCNCE: The Function Content should Not contain any Combination of given Expressions.

  • FPT: The Function Parameters should match the given Types.

  • FPNC: The Function should be Public, and we will Not analyze it

  • with its Caller.

  • FNM: The Function should Not contain Modifiers that with access

  • control (e.g., onlyOwner).

  • CFN: The Callers of this Function will Not be analyzed.

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597503.3639117

9

Title: 

When Contracts Meets Crypto: Exploring Developers' Struggles with Ethereum Cryptographic APIs

当合约遇上xx货币:探索开发人员使用以太坊加密 API 的困境

Authors

图片

Key words:

Ethereum, Smart Contracts, Empirical Study, Cryptography, API Usability

以太坊、智能合约、实证研究、密码学、API 可用性

Abstract

To empower smart contracts with the promising capabilities of cryptography, Ethereum officially introduced a set of cryptographic APIs that facilitate basic cryptographic operations within smart contracts, such as elliptic curve operations. However, since developers are not necessarily cryptography experts, requiring them to directly interact with these basic APIs has caused real-world security issues and potential usability challenges. To guide future research and solutions to these challenges, we conduct the first empirical study on Ethereum cryptographic practices. Through the analysis of 91,484,856 Ethereum transactions, 500 crypto-related contracts, and 483 StackExchange posts, we provide the first in-depth look at cryptographic tasks developers need to accomplish and identify five categories of obstacles they encounter. Furthermore, we conduct an online survey with 78 smart contract practitioners to explore their perspectives on these obstacles and elicit the underlying reasons. We find that more than half of practitioners face more challenges in cryptographic tasks compared to general business logic in smart contracts. Their feedback highlights the gap between low-level cryptographic APIs and high-level tasks they need to accomplish, emphasizing the need for improved cryptographic APIs, task-based templates, and effective assistance tools. Based on these findings, we provide practical implications for further improvements and outline future research directions.

为了将密码学的潜力发挥到极致,以太坊官方推出了一套密码学 API,用于在智能合约中实现基本的密码学操作,例如椭圆曲线操作。然而,由于开发人员不一定是密码学专家,要求他们直接与这些基本 API 交互已经导致了现实世界的安全问题和潜在的可用性挑战。为了指导未来的研究和应对这些挑战的解决方案,我们对以太坊密码学实践进行了首次实证研究。通过分析 91,484,856 笔以太坊交易、500 份加密相关合约和 483 篇 StackExchange 帖子,我们首次深入研究了开发人员需要完成的密码学任务,并确定了他们遇到的五类障碍。此外,我们对 78 位智能合约从业者进行了在线调查,以了解他们对这些障碍的看法并找出其根本原因。我们发现,超过一半的从业者在密码学任务中面临的挑战比智能合约中的一般业务逻辑更大。他们的反馈凸显了低级加密 API 与它们需要完成的高级任务之间的差距,强调需要改进加密 API、基于任务的模板和有效的辅助工具。基于这些发现,我们为进一步改进提供了实际意义,并概述了未来的研究方向。

图片

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597503.3639131

10

Title: 

PrettySmart: Detecting Permission Re-delegation Vulnerability for Token Behaviors in Smart Contracts

PrettySmart:检测智能合约中代币行为的权限重新委托漏洞

Authors

图片

Key words:

Smart Contract, Permission Control, Vulnerability Detection

智能合约、权限控制、漏洞检测

Abstract

As an essential component in Ethereum and other blockchains, token assets have been interacted with by diverse smart contracts. Effective permission policies of smart contracts must prevent token assets from being manipulated by unauthorized adversaries. Recent efforts have studied the accessibility of privileged functions or state variables to unauthorized users. However, little attention is paid to how publicly accessible functions of smart contracts can be manipulated by adversaries to steal users' digital assets. This attack is mainly caused by the permission re-delegation (PRD) vulnerability. In this work, we propose PrettySmart, a bytecode-level Permission re-delegation vulnerability detector for Smart contracts. Our study begins with an empirical study on 0.43 million open-source smart contracts, revealing that five types of widely-used permission constraints dominate 98% of the studied contracts. Accordingly, we propose a mechanism to infer these permission constraints, as well as an algorithm to identify constraints that can be bypassed by unauthorized adversaries. Based on the identification of permission constraints, we propose to detect whether adversaries could manipulate the privileged token management functionalities of smart contracts. The experimental results on real-world datasets demonstrate the effectiveness of the proposed PrettySmart, which achieves the highest precision score and detects 118 new PRD vulnerabilities.

作为以太坊和其他区块链的重要组成部分,代币资产与各种智能合约都有交互。智能合约的有效权限策略必须防止代币资产被未经授权的对手操纵。最近的研究已经研究了特权函数或状态变量对未经授权用户的可访问性。然而,很少有人关注对手如何操纵智能合约的公开可访问函数来窃取用户的数字资产。这种攻击主要是由权限重新委托 (PRD) 漏洞引起的。在这项工作中,我们提出了 PrettySmart,一种用于智能合约的字节码级权限重新委托漏洞检测器。我们的研究首先对 43 万个开源智能合约进行了实证研究,结果表明,五种广泛使用的权限约束类型占据了所研究合约的 98%。因此,我们提出了一种推断这些权限约束的机制,以及一种识别可被未经授权的对手绕过的约束的算法。基于对权限约束的识别,我们建议检测对手是否可以操纵智能合约的特权代币管理功能。在真实数据集上的实验结果证明了所提出的 PrettySmart 的有效性,它获得了最高的精度分数并检测到 118 个新的 PRD 漏洞。

图片

图片

图片

图片

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597503.3639140

11

Title: 

SCVHunter: Smart Contract Vulnerability Detection Based on Heterogeneous Graph Attention Network

SCVHunter:基于异构图注意力网络的智能合约漏洞检测

Authors

图片

Key words:

Blockchain, Smart Contract, Vulnerability Detection

区块链、智能合约、漏洞检测

Abstract

Smart contracts are integral to blockchain's growth, but their vulnerabilities pose a significant threat. Traditional vulnerability detection methods rely heavily on expert-defined complex rules that are labor-intensive and dificult to adapt to the explosive expansion of smart contracts. Some recent studies of neural network-based vulnerability detection also have room for improvement. Therefore, we propose SCVHunter, an extensible framework for smart contract vulnerability detection. Specifically, SCVHunter designs a heterogeneous semantic graph construction phase based on intermediate representations and a vulnerability detection phase based on a heterogeneous graph attention network for smart contracts. In particular, SCVHunter allows users to freely point out more important nodes in the graph, leveraging expert knowledge in a simpler way to aid the automatic capture of more information related to vulnerabilities. We tested SCVHunter on reentrancy, block info dependency, nested call, and transaction state dependency vulnerabilities. Results show remarkable performance, with accuracies of 93.72%, 91.07%, 85.41%, and 87.37% for these vulnerabilities, surpassing previous methods.

智能合约是区块链发展不可或缺的一部分,但其漏洞却带来了巨大的威胁。传统的漏洞检测方法严重依赖专家定义的复杂规则,这些规则需要大量人力,难以适应智能合约的爆炸式增长。近期一些基于神经网络的漏洞检测研究也存在改进空间。因此,我们提出了一个可扩展的智能合约漏洞检测框架SCVHunter。具体来说,SCVHunter为智能合约设计了一个基于中间表示的异构语义图构建阶段和一个基于异构图注意力网络的漏洞检测阶段。特别地,SCVHunter允许用户自由地指出图中更重要的节点,以更简单的方式利用专家知识来帮助自动捕获更多与漏洞相关的信息。我们在可重入、块信息依赖、嵌套调用和交易状态依赖漏洞上测试了SCVHunter。结果显示其性能卓越,对这些漏洞的准确率分别为93.72%、91.07%、85.41%和87.37%,超越了之前的方法。

图片

图片

图片

图片

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597503.3639213

12

Title: 

Safeguarding DeFi Smart Contracts against Oracle Deviations

保护 DeFi 智能合约免受预言机偏差的影响

Authors

图片

Key words:

Blockchain, Decentralized Finance, Smart Contracts, Oracle Deviation, Static Program Analysis, Code Summary, Parameter Optimization

区块链、去中心化金融、智能合约、预言机偏差、静态程序分析、代码汇总、参数优化

Abstract

This paper presents OVer, a framework designed to automatically analyze the behavior of decentralized finance (DeFi) protocols when subjected to a "skewed" oracle input. OVer firstly performs symbolic analysis on the given contract and constructs a model of constraints. Then, the framework leverages an SMT solver to identify parameters that allow its secure operation. Furthermore, guard statements may be generated for smart contracts that may use the oracle values, thus effectively preventing oracle manipulation attacks. Empirical results show that OVer can successfully analyze all 10 benchmarks collected, which encompass a diverse range of DeFi protocols. Additionally, this paper illustrates that current parameters utilized in the majority of benchmarks are inadequate to ensure safety when confronted with significant oracle deviations. It shows that existing ad-hoc control mechanisms such as introducing delays are often in-sufficient or even detrimental to protect the DeFi protocols against the oracle deviation in the real-world.

本文介绍了一个框架,OVer,用于自动分析去中心化金融 (DeFi) 协议在受到“倾斜”预言机输入时的行为。OVer 首先对给定的合约进行符号分析,并构建约束模型。然后,该框架利用 SMT 求解器来识别允许其安全运行的参数。此外,可以为可能使用预言机值的智能合约生成保护语句,从而有效防止预言机操纵攻击。实证结果表明,OVer 可以成功分析收集到的所有 10 个基准,这些基准涵盖了多种 DeFi 协议。此外,本文还指出,大多数基准中使用的当前参数不足以确保在面临重大预言机偏差时的安全。它表明,现有的临时控制机制(例如引入延迟)通常不足以甚至有害于保护 DeFi 协议免受现实世界中的预言机偏差的影响。

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597503.3639225

13

Title: 

Verifying Declarative Smart Contracts

验证声明式智能合约

Authors

图片

Key words:

permissioned blockchains, throughput, latency

许可区块链、吞吐量、延迟

Abstract

Smart contracts manage a large number of digital assets nowadays. Bugs in these contracts have led to significant financial loss. Verifying the correctness of smart contracts is, therefore, an important task. This paper presents an automated safety verification tool, DCV, that targets declarative smart contracts written in De-Con, a logic-based domain-specific language for smart contract implementation and specification. DCV proves safety properties by mathematical induction and can automatically infer inductive invariants using heuristic patterns, without annotations from the developer. Our evaluation on 23 benchmark contracts shows that DCV is effective in verifying smart contracts adapted from public repositories, and can verify contracts not supported by other tools. Furthermore, DCV significantly outperforms baseline tools in verification time.

如今,智能合约管理着大量数字资产。这些合约中的错误已导致重大的财务损失。因此,验证智能合约的正确性是一项重要任务。本文介绍了一种自动化安全验证工具 DCV,该工具针对用 De-Con 编写的声明式智能合约,De-Con 是一种用于智能合约实现和规范的基于逻辑的领域特定语言。DCV 通过数学归纳法证明安全属性,并可以使用启发式模式自动推断归纳不变量,而无需开发人员的注释。我们对 23 个基准合约的评估表明,DCV 可有效验证从公共存储库改编的智能合约,并可验证其他工具不支持的合约。此外,DCV 在验证时间方面明显优于基线工具。

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3597503.3639203

图片

关注我们,持续接收区块链最新论文

洞察区块链技术发展趋势

Follow us to keep receiving the latest blockchain papers

Insight into Blockchain Technology Trends

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1821651.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

【产品经理】订单处理2

本次讲解订单初始化成功到ERP系统过程中的后续环节。 一、根据客服备注更新订单信息 初始化订单过程中,若订单中的客服备注信息对订单进行更新,包括可能改收货信息、改商品、加赠品、指定快递等。 注意:更新订单的过程中要注意订单当前状…

10M速率1553总线终端(RT)模块是依据SAE-AS5652标准设计

10M速率1553总线终端(RT)模块是依据SAE-AS5652标准设计的支持传输速率10Mbps的总线远程终端(RT)模块,采用SIP封装技术,支持LocalBus接口或UART通信访问,64K*16bits存储空间,灵活的RT数据存储,具…

Android Room数据库使用介绍

1.简介 Room是Google提供的Android架构组件之一,旨在简化数据库操作。它是SQLite的一个抽象层,提供了更易用和安全的API。 Room的总体架构: 2.Room数据库的基础概念 Entity Entity是Room中的数据表,每个Entity类对应一个SQLite表。 DAO …

有什么开放式耳机值得买?六点选购建议你要注意了

作为一名数码爱好者,专业的数码博主,我只想把好的产品介绍给大家,让大家避雷不好用的产品,最近,很多人私信我问我开放式的耳机怎么样?和别的耳机又有什么区别,我发现大家对于开放式耳机的了解少…

什么是计算机技术与软件(初级、中级、高级)考试(软考)?

一、软考是什么? 计算机技术与软件专业技术资格(水平)考试(以下简称计算机软件资格考试)是原中国计算机软件专业技术资格和水平考试(简称软件考试)的完善与发展。计算机软件资格考试是由国家人力…

如何进行敏捷型数据治理?现行的数据治理体系是不是有瑕疵和遗漏?

敏捷型数据治理(Agile Data Governance)是一种灵活、迭代的方法,旨在快速响应和适应不断变化的业务需求和数据环境。与传统的数据治理方法相比,敏捷型数据治理更注重实践中的灵活性和速度,同时保持数据质量、隐私和安全…

Vue2数据响应式再次理解

今天遇到一个问题吧算是,项目用的vue2,期望把数据的某个数组清空,在组件内部调用this.xxarray [] 没问题,但是把数组引用传递到另外一个函数,执行赋值清空,会失效;大概的复原如下图 分析&#…

直播预约:存内计算加速大模型-未来智能计算的新引擎

直播简介: 在人工智能飞速发展的今天,大模型的训练和推理对计算资源的需求日益增长。传统计算架构已逐渐难以满足其对速度和效率的极致追求。本次直播,我们将深入探讨如何利用存内计算技术,为大模型带来革命性的加速效果。 直播亮点: 技术…

C++ 33 之 const 修饰静态成员

#include <iostream> #include <string.h> using namespace std;// 定义静态const数据成员时&#xff0c;最好在类内部初始化,避免在类外重复初始化&#xff0c;也为了代码的可读性和可维护性class Students03{ public:// 两种写法都可以const static int s_a 10;…

node 中间件使用例子

NodeJS在中间件领域有着较为广泛的应用&#xff0c;他能做一些中间层事件&#xff0c;把服务端一部分的代码抽出来&#xff0c;减少处理冗余事情付出的代价&#xff0c;同时让服务真正做业务处理而不用关心页面的事情 常见的应用场景有&#xff1a; 跨域&#xff1a;解决跨域问…

内存卡提示需要格式化?别急,这样拯救你的数据

一、内存卡突然提示需要格式化 在日常生活中&#xff0c;我们经常会使用到内存卡来存储照片、视频、文档等重要数据。然而&#xff0c;有时当我们试图访问内存卡时&#xff0c;却会遭遇一个令人头疼的问题——系统突然提示“内存卡需要格式化”。这意味着我们无法直接读取或写…

ARM32开发--IIC软实现

知不足而奋进 望远山而前行 目录 文章目录 前言 开发流程 GD32F4软件I2C初始化 GD32F4软件I2C引脚功能 写操作 读操作 总结 前言 在嵌入式系统开发中&#xff0c;软件实现的I2C通信协议扮演着至关重要的角色。本文将深入探讨如何在GD32F4系列微控制器上实现软件I2C功能…

『大模型笔记』缩放定律(scaling laws)是由记忆而非智力解释的吗?

MAC 文章目录 一. 缩放定律(scaling laws)是由记忆而非智力解释的吗?1. 视频原文内容2. 要点总结一般智能的定义规模最大化的论点性能衡量的方式及其影响大语言模型的基准测试大语言模型的本质与记忆基准测试插值的概念与基准测试实例人类和模型的推理与样本效率二. 参考文献一…

CTE-6作文

第一段 现象 引出原因 第二段 感受 举例 意义 危害 第三段 建议 展望 范文1 第一段 第二段 尾段 范文2 首段 第二段 尾段

诊所管理系统哪家会好一点

随着医疗行业的快速发展和信息化进程的加速&#xff0c;诊所作为医疗服务的重要基层单位&#xff0c;其运营管理效率与服务质量的提升愈发依赖于现代化的管理工具。诊所管理系统应运而生&#xff0c;旨在通过集成化、智能化的技术手段&#xff0c;帮助诊所实现诊疗流程优化、资…

用C语言实现扫雷

本篇适用于C语言初学者&#xff0c;主要涉及对于函数&#xff0c;数组&#xff0c;分支循环的运用。 目录 设计思想&#xff1a; 总代码&#xff08;改进后&#xff09;&#xff1a; 运行结果展示&#xff1a; 分布介绍&#xff1a; 声明&#xff1a; 代码主体部分&#…

精准定位,智慧提纯:高级数据提取策略

在数据驱动的时代&#xff0c;高级数据提取策略成为企业决策、科学研究以及各类项目成功的关键。数据提取&#xff0c;不仅仅是简单地收集信息&#xff0c;而是需要精准定位目标数据&#xff0c;并通过智慧提纯方法&#xff0c;从海量数据中提取出有价值、有深度的信息。本文将…

如何计算 GPT 的 Tokens 数量?

基本介绍 随着人工智能大模型技术的迅速发展&#xff0c;一种创新的计费模式正在逐渐普及&#xff0c;即以“令牌”&#xff08;Token&#xff09;作为衡量使用成本的单位。那么&#xff0c;究竟什么是Token呢&#xff1f; Token 是一种将自然语言文本转化为计算机可以理解的…

【成品设计】基于STM32的单相瞬时值反馈逆变器

《基于STM32的单相瞬时值反馈逆变器》 整体功能&#xff1a; 图13 软件框图 如图13所示&#xff0c;由于本设计中需要通过定时器中断执行一些程序&#xff0c;故首先对中断进行初始化。中断初始化以后即为对串口进行初始化&#xff0c;总共初始化了两个串口&#xff0c;第一个…

轻兔推荐 —— Alist

via&#xff1a;轻兔推荐 - https://app.lighttools.net/ 简介 Alist是一个开源自建网盘程序&#xff0c;界面简洁&#xff0c;功能完善&#xff0c;支持多种存储后端和文件预览功能。 - 分布式设计&#xff0c;无需中心服务器&#xff0c;数据均在本地设备 - 配置灵活&…