政大機構典藏-National Chengchi University Institutional Repository(NCCUR):Item 140.119/119883
English  |  正體中文  |  简体中文  |  Post-Print筆數 : 27 |  Items with full text/Total items : 111300/142216 (78%)
Visitors : 48283963      Online Users : 827
RC Version 6.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
    •  Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version
    政大典藏 > College of Commerce > Department of MIS > Theses >  Item 140.119/119883


    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/119883


    Title: 智能合約堆疊溢位偵測與靜態分析
    Static Stack Overflow Detection on Smart Contracts
    Authors: 黃仲瑀
    Huang, Chung Yu
    Contributors: 郁方
    黃仲瑀
    Huang, Chung Yu
    Keywords: 區塊鏈
    以太坊
    智能合約
    靜態分析
    符號執行
    Date: 2018
    Issue Date: 2018-09-03 15:48:18 (UTC+8)
    Abstract: 近期,不只是在資訊領域,區塊鏈技術的應用正在如火如荼的快速成長中。各種新興虛擬貨幣如雨後春筍般大量出現,新創產業也陸續利用發行ICO的方式募資。有賴於智能合約,區塊鏈能夠運用的領域越來越廣泛。智能合約的功能就像一支在區塊鏈上的程式,使用者可以對智能合約發起交易,交易的過程所執行的內容,則是由智能合約中的程式邏輯決定,比方說一個點數交換的智能合約,其中可能包含了點數的轉換或是儲值的功能。各式各樣的智能合約已經存在目前的區塊鏈環境中,但就像是一般的程式一樣,智能合約也是有可能成為惡意行為的攻擊對象。此次研究的目的,是希望能夠透過靜態分析,針對尚未執行前的智能合約進行惡意行為檢查。我們希望能夠讓使用者在尚未執行智能合約之前,就能夠先針對智能合約進行檢測。在部份的研究中,已經有些實用的工具能夠檢查出潛在的風險。而我們希望能夠針對智能合約執行時的錯誤例外進行分析,這些錯誤例外包含了堆疊溢位以及gas值超過區塊上限的情況。透過我們的分析,能夠知道智能合約中有沒有包含循環,從這些循環來找出錯誤例外的發生。
    Decentralized cryptocurrencies are based on a distributed ledger (a publicly- readable record) of a sequence of transactions. Recently, applications based on blockchain technologies have grown fast in many fields in our life, not only in technical industries but also in others such as financial industries. Smart contracts are programs that can be triggered by blockchain transactions. The transaction logic is coding inside the smart contract and can be executed automatically. Transactions will be kept on blockchain and cannot be modified by others. However, just like other programs, there exist some dangerous actions that can make the smart contract vulnerable. It is essential for having a rigorous approach to checking the correctness of smart contracts. In this work, we investigate static analysis techniques to detect vulnerabilities that could be exploited by malicious executions at runtime. Mainly, we focus on unexpected exceptions that occur inside a smart contract, such as EVM stack overflow or massive consumption of gas, which may lead to abnormal termination or abortion of contract execution. We target on contract opcodes and build instruction level symbolic execution for gas consumption and stack simulation. The analysis process consists of control flow graph construction with gas and stack status associated blocks. We then apply depth-first search to detect cycles that may raise stack size and generate their path constraints for execution accordingly. By solving the path constraints, we identify the inputs to trigger the execution and detect potential vulnerabilities or massive gas consumption. Our model checking approach benefits from soundness from formal reasoning, as well as automation from systematic symbolic execution. We report our analysis results against various contracts on Etherscan.
    Reference: References
    [1] P. Dai, N. Mahi, J. Earls, and A. Norta, “Smart-contract value-transfer protocols
    on a distributed mobile application platform,” URL: https://qtum. org/uploads/-
    files/cf6d69348ca50dd985b60425ccf282f3. pdf, 2017.
    [2] “Solidity-solidity 0.4.21 documentation.” https://solidity.readthedocs.io/en/
    develop/.
    [3] “Counterparty.” https://counterparty.io/.
    [4] “Stellar - develop the world’s new financial system.” https://www.stellar.org/.
    [5] “Home — lisk.” https://lisk.io/.
    [6] “The dao (organization) - wikipedia.” https://en.wikipedia.org/wiki/The_DAO_
    (organization).
    [7] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on ethereum smart
    contracts (sok),” in International Conference on Principles of Security and Trust,
    pp. 164–186, Springer, 2017.
    [8] “coloredcoins.org.” http://coloredcoins.org/.
    [9] “Create a democracy contract in ethereum.” https://www.ethereum.org/dao.
    [10] “Monegraph.” https://monegraph.com/.
    [11] K. Delmolino, M. Arnett, A. Kosba, A. Miller, and E. Shi, “Step by step towards
    creating a safe smart contract: Lessons and insights from a cryptocurrency lab,” in
    International Conference on Financial Cryptography and Data Security, pp. 79–94,
    Springer, 2016.
    [12] T. Dickerson, P. Gazzillo, M. Herlihy, and E. Koskinen, “Adding concurrency to
    smart contracts,” in Proceedings of the ACM Symposium on Principles of Distributed
    Computing, pp. 303–312, ACM, 2017.
    [13] M. Herlihy, V. Luchangco, M. Moir, and W. N. Scherer III, “Software transactional
    memory for dynamic-sized data structures,” in Proceedings of the twenty-second annual
    symposium on Principles of distributed computing, pp. 92–101, ACM, 2003.
    [14] L. Luu, D.-H. Chu, H. Olickel, P. Saxena, and A. Hobor, “Making smart contracts
    smarter,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and
    Communications Security, pp. 254–269, ACM, 2016.
    [15] “Oyente by oyente.” https://oyente.github.io/benchmarks/.
    [16] K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Gollamudi, G. Gonthier,
    N. Kobeissi, N. Kulatova, A. Rastogi, T. Sibut-Pinote, N. Swamy, et al., “Formal verification
    of smart contracts: Short paper,” in Proceedings of the 2016 ACM Workshop
    on Programming Languages and Analysis for Security, pp. 91–96, ACM, 2016.
    [17] N. Swamy, C. Hrit¸cu, C. Keller, A. Rastogi, A. Delignat-Lavaud, S. Forest, K. Bhargavan,
    C. Fournet, P.-Y. Strub, M. Kohlweiss, et al., “Dependent types and multimonadic
    effects in f,” in ACM SIGPLAN Notices, vol. 51, pp. 256–270, ACM, 2016.
    [18] A. Dika, “Ethereum smart contracts: Security vulnerabilities and security tools,”
    Master’s thesis, NTNU, 2017.
    [19] “Securify - formal verification of ethereum smart contracts.” https://securify.ch/.
    [20] “Smartdec — smart contracts security audit.” http://smartcontracts.smartdec.
    net/.
    [21] M. Suiche, “Porosity: A decompiler for blockchain-based smart contracts bytecode,”
    DEF CON, vol. 25, 2017.
    [22] E. Hildenbrandt, M. Saxena, X. Zhu, N. Rodrigues, P. Daian, D. Guth, and G. Rosu,
    “Kevm: A complete semantics of the ethereum virtual machine,” tech. rep., 2017.
    [23] S. Amani, M. B´egel, M. Bortin, and M. Staples, “Towards verifying ethereum smart
    contract bytecode in isabelle/hol,” CPP. ACM. To appear, 2018.
    [24] A. Mavridou and A. Laszka, “Tool demonstration: Fsolidm for designing secure
    ethereum smart contracts,”
    [25] “Finite-state machine - wikipedia.” https://en.wikipedia.org/wiki/
    Finite-state_machine.
    [26] “Nxt - the blockchain application platform.” https://nxtplatform.org/.
    [27] P. L. Seijas, S. J. Thompson, and D. McAdams, “Scripting smart contracts for distributed
    ledger technology.,” IACR Cryptology ePrint Archive, vol. 2016, p. 1156,
    2016.
    [28] “Zero-knowledge proof - wikipedia.” https://en.wikipedia.org/wiki/
    Zero-knowledge_proof.
    [29] “Proof-carrying code - wikipedia.” https://en.wikipedia.org/wiki/
    Proof-carrying_code.
    [30] J. Rubin, M. Naik, and N. Subramanian, “Merkelized abstract syntax trees.”
    [31] “Ethereum network status.” https://ethstats.net/.
    [32] “Ethereum blockchain explorer and search.” https://etherscan.io/.
    [33] “Installing the solidity compiler — solidity 0.4.21 documentation.” http://
    solidity.readthedocs.io/en/v0.4.21/installing-solidity.html.
    [34] “Remix - solidity ide.” https://remix.ethereum.org/#optimize=false&version=
    builtin.
    [35] “Graphviz - graph visualization software.” https://www.graphviz.org/
    Description: 碩士
    國立政治大學
    資訊管理學系
    105356037
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0105356037
    Data Type: thesis
    DOI: 10.6814/THE.NCCU.MIS.024.2018.A05
    Appears in Collections:[Department of MIS] Theses

    Files in This Item:

    File SizeFormat
    603701.pdf3254KbAdobe PDF2155View/Open


    All items in 政大典藏 are protected by copyright, with all rights reserved.


    社群 sharing

    著作權政策宣告 Copyright Announcement
    1.本網站之數位內容為國立政治大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,惟仍請適度,合理使用本網站之內容,以尊重著作權人之權益。商業上之利用,則請先取得著作權人之授權。
    The digital content of this website is part of National Chengchi University Institutional Repository. It provides free access to academic research and public education for non-commercial use. Please utilize it in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2.本網站之製作,已盡力防止侵害著作權人之權益,如仍發現本網站之數位內容有侵害著作權人權益情事者,請權利人通知本網站維護人員(nccur@nccu.edu.tw),維護人員將立即採取移除該數位著作等補救措施。
    NCCU Institutional Repository is made to protect the interests of copyright owners. If you believe that any material on the website infringes copyright, please contact our staff(nccur@nccu.edu.tw). We will remove the work from the repository and investigate your claim.
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - Feedback