[Latest Blockchain Paper Acceptance News] CCF A: FSE 2024, 4 Papers in Total, with PDF Links

Conference: ACM International Conference on the Foundations of Software Engineering (FSE)

CCF level: CCF A

Categories: Software Engineering / System Software / Programming Languages

Year: 2024

Num: 4

1

Title: 

Demystifying Invariant Effectiveness for Securing Smart Contracts

Authors

ZHIYANG CHEN, University of Toronto, Canada

YE LIU, Nanyang Technological University, Singapore

SIDI MOHAMED BEILLAHI, University of Toronto, Canada

YI LI, Nanyang Technological University, Singapore

FAN LONG, University of Toronto, Canada

Abstract

Smart contract transactions associated with security attacks often exhibit distinct behavioral patterns compared with historical benign transactions before the attacking events. While many runtime monitoring and guarding mechanisms have been proposed to validate invariants and stop anomalous transactions on the fly, the empirical effectiveness of the invariants used remains largely unexplored. In this paper, we studied 23 prevalent invariants of 8 categories, which are either deployed in high-profile protocols or endorsed by leading auditing firms and security experts. Using these well-established invariants as templates, we developed a tool which dynamically generates new invariants customized for a given contract based on its historical transaction data. We evaluated our tool on 42 smart contracts that fell victim to 27 distinct exploits on the Ethereum blockchain. Our findings reveal that the most effective invariant guard alone can successfully block 18 of the 27 identified exploits with minimal gas overhead. Our analysis also shows that most of the invariants remain effective even when the experienced attackers attempt to bypass them. Additionally, we studied the possibility of combining multiple invariant guards, resulting in blocking up to 23 of the 27 benchmark exploits and achieving false positive rates as low as 0.32%.

Pdf link:

https://arxiv.org/abs/2404.14580

2

Title: 

Efficiently Detecting Reentrancy Vulnerabilities in Complex Smart Contracts

Authors

ZEXU WANG, Sun Yat-sen University, China and Peng Cheng Laboratory, China

JIACHI CHEN, Sun Yat-sen University, China

YANLIN WANG, Sun Yat-sen University, China

YU ZHANG, Harbin Institute of Technology, China and Peng Cheng Laboratory, China

WEIZHE ZHANG, Harbin Institute of Technology, China and Peng Cheng Laboratory, China

ZIBIN ZHENG∗, Sun Yat-sen University, China and GuangDong Engineering Technology Research Center of Blockchain, China

Abstract

Reentrancy vulnerability as one of the most notorious vulnerabilities, has been a prominent topic in smart contract security research. Research shows that existing vulnerability detection presents a range of challenges, especially as smart contracts continue to increase in complexity. Existing tools perform poorly in terms of efficiency and successful detection rates for vulnerabilities in complex contracts.

To effectively detect reentrancy vulnerabilities in contracts with complex logic, we propose a tool named SliSE. SliSE’s detection process consists of two stages: Warning Search and Symbolic Execution Verification. In Stage I, SliSE utilizes program slicing to analyze the Inter-contract Program Dependency Graph (I-PDG) of the contract, and collects suspicious vulnerability information as warnings. In Stage II, symbolic execution is employed to verify the reachability of these warnings, thereby enhancing vulnerability detection accuracy. SliSE obtained the best performance compared with eight state-of-the-art detection tools. It achieved an F1 score of 78.65%, surpassing the highest score recorded by an existing tool of 9.26%. Additionally, it attained a recall rate exceeding 90% for detection of contracts on Ethereum. Overall, SliSE provides a robust and efficient method for detection of Reentrancy vulnerabilities for complex contracts.

Pdf link:

https://arxiv.org/abs/2403.11254

3

Title: 

SmartAxe: Detecting Cross-Chain Vulnerabilities in Bridge Smart Contracts via Fine-Grained Static Analysis

Authors

Zeqin Liao (Sun Yat-sen University), Henglong Liang, Yuhong Nan, Sicheng Hao, Zibin Zheng, Juan Zhai, Jiajing Wu

Abstract

With the increasing popularity of blockchain, different blockchain platforms coexist in the ecosystem (e.g., Ethereum, BNB, EOSIO, etc.), which prompts the high demand for cross-chain communication. Cross-chain bridge is a specific type of decentralized application for asset exchange across different blockchain platforms. Securing the smart contracts of cross-chain bridges is in urgent need, as there are a number of recent security incidents with heavy financial losses caused by vulnerabilities in bridge smart contracts, as we call them Cross-Chain Vulnerabilities (CCVs). However, automatically identifying CCVs in smart contracts poses several unique challenges. Particularly, it is non-trivial to (1) identify application-specific access control constraints needed for cross-bridge asset exchange, and (2) identify inconsistent cross-chain semantics between the two sides of the bridge. In this paper, we propose SmartAxe, a new framework to identify vulnerabilities in cross-chain bridge smart contracts. Particularly, to locate vulnerable functions that have access control incompleteness, SmartAxe models the heterogeneous implementations of access control and finds necessary security checks in smart contracts through probabilistic pattern inference. Besides, SmartAxe constructs cross-chain control-flow graph (xCFG) and data-flow graph (xDFG), which help to find semantic inconsistency during cross-chain data communication. To evaluate SmartAxe, we collect and label a dataset of 88 CCVs from real-attacks cross-chain bridge contracts. Evaluation results show that SmartAxe achieves a precision of 84.95% and a recall of 89.77%. In addition, SmartAxe successfully identifies 278 new/unknown CCVs from 128 real-world cross-chain bridge applications (i.e., from 1,703 smart contracts). These identified CCVs affect a total amount of digital assets worth 1,885,250 USD.

Pdf link:

Not yet published

4

Title: 

Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We?

Authors

KAIXUAN LI, Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, China

YUE XUE, MetaTrust Labs, Singapore

SEN CHEN∗, College of Intelligence and Computing, Tianjin University, China

HAN LIU, Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, China

KAIRAN SUN, Nanyang Technological University, Singapore

MING HU, Nanyang Technological University, Singapore

HAIJUN WANG, Xi’an Jiaotong University, China

YANG LIU, Nanyang Technological University, Singapore

YIXIANG CHEN, Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, China

Abstract

In recent years, the importance of smart contract security has been heightened by the increasing number of attacks against them. To address this issue, a multitude of static application security testing (SAST) tools have been proposed for detecting vulnerabilities in smart contracts. However, objectively comparing these tools to determine their effectiveness remains challenging. Existing studies often fall short due to the taxonomies and benchmarks only covering a coarse and potentially outdated set of vulnerability types, which leads to evaluations that are not entirely comprehensive and may display bias.

In this paper, we fill this gap by proposing an up-to-date and fine-grained taxonomy that includes 45 unique vulnerability types for smart contracts. Taking it as a baseline, we develop an extensive benchmark that covers 40 distinct types and includes a diverse range of code characteristics, vulnerability patterns, and application scenarios. Based on them, we evaluated 8 SAST tools using this benchmark, which comprises 788 smart contract files and 10,394 vulnerabilities. Our results reveal that the existing SAST tools fail to detect around 50% of vulnerabilities in our benchmark and suffer from high false positives, with precision not surpassing 10%. We also discover that by combining the results of multiple tools, the false negative rate can be reduced effectively, at the expense of flagging 36.77 percentage points more functions. Nevertheless, many vulnerabilities, especially those beyond Access Control and Reentrancy vulnerabilities, remain undetected. We finally highlight the valuable insights from our study, hoping to provide guidance on tool development, enhancement, evaluation, and selection for developers, researchers, and practitioners.

Pdf link:

https://arxiv.org/abs/2404.18186

Details: https://2024.esec-fse.org/track/fse-2024-research-papers
