ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2021, Vol. 58 ›› Issue (4): 834-848.doi: 10.7544/issn1000-1239.2021.20200135

• 信息安全 • 上一篇    下一篇

一种基于运行时信息的以太坊智能合约防御技术

向杰,杨哲慜,周顺帆,杨珉   

  1. (复旦大学软件学院 上海 200433) (jxiang17@fudan.edu.cn)
  • 出版日期: 2021-04-01

A Runtime Information Based Defense Technique for Ethereum Smart Contract

Xiang Jie, Yang Zhemin, Zhou Shunfan, Yang Min   

  1. (College of Software,Fudan University,Shanghai 200433)
  • Online: 2021-04-01

摘要: 智能合约是区块链技术最成功的应用之一,已经被广泛集成到应用程序中,成为应用去中心化的常见实现方案.然而,智能合约由于其独有的金融特性,一直以来饱受安全攻击,各种新的恶意攻击类型层出不穷.现有的研究工作提出了多种有效检测合约漏洞的方法,但在实际应用中都存在着各种局限:仅针对已知的漏洞类型,需要修改合约代码来消除漏洞,链上开销过大.由于智能合约部署到链上后的不可修改性,这些针对特定漏洞类型的检测防御手段无法对原有的合约进行修复,因此很难及时地应对新型的漏洞和攻击.为此,提出了一种基于运行时信息的智能合约可升级防御技术,通过引入运行时的各种信息,为链下对攻击和漏洞的检测提供实时的数据.同时,设计了一套部署在合约上的访问控制机制,基于动态检测的结果,对合约的访问进行限制,从而在不需要修改合约代码的情况下实现动态的防御.由于以太坊本身的机制无法对实时攻击进行识别和拦截,为了减小这一影响,利用竞争(race condition)的机制来增强防御的效果.实验结果分析表明:该防御技术可以有效地检测并防御攻击,对于后续的攻击交易,可以实现100%的拦截成功率,对于首次检测到的实时攻击,利用竞争可以达到97.5%的成功率.

关键词: 区块链, 以太坊, 智能合约, 攻击与防御, 访问控制

Abstract: As one of the most successful applications of blockchain technology, Ethereum smart contract has been widely integrated into programs and become a common implementation scheme for decentralized applications. However, smart contract suffers from security attacks since born because of its unique financial characteristics, and fresh attack forms continue to dribble out. State-of-art research works have proposed many effective mechanisms to detect vulnerabilities in smart contract, but they all have limitations in practical, such as design only for known vulnerabilities, need to modify the contract code, and the cost on-chain is too high. Because of the immutability of smart contract, these defense techniques which aim at specific vulnerabilities cannot fix the original contract, and as a result, they can hardly work on the new attack forms. To this end, we present a runtime information based upgradable defense system for Ethereum smart contract, which provides real-time data for the off-chain attack detection by collecting kinds of runtime information. At the same time, we design an access control mechanism deployed on smart contract, which restricts the access to the contract based on the dynamic detection result, so that we can secure the contract without modifying the code. Ethereum does not provide a mechanism to recognize and intercept real-time attack transactions, So we make use of race condition to enhance the defense on the real-time attack. The evaluation results show that out defense technology is extremely effective to prevent attacks, which can achieve 100% success rate for the follow-up attacks and achieve 97.5% success rate for the first attack detected by the use of race condition.

Key words: blockchain, Ethereum, smart contract, attack and defense, access control

中图分类号: