Abstract
Smart contracts on public blockchains such as Ethereum can realize a wide range of decentralized applications, but frequent security incidents put users' assets at risk. Smart contract security problems greatly undermine users' trust in decentralized applications, and because on-chain information is immutable, security auditing and vulnerability repair before deployment are essential; however, most current security research focuses on smart contract vulnerability detection techniques. This paper first introduces the background of smart contracts and compares them with traditional applications, then proposes a pre-deployment automated vulnerability repair workflow for smart contracts consisting of two key steps, vulnerability identification and patch generation. It next analyzes common vulnerability types and vulnerability detection techniques and discusses in depth the research progress on generating patches for common smart contract vulnerabilities from bytecode and from source code. Finally, it looks ahead to the performance problems that patch generation techniques face in terms of effectiveness, cost and scalability, and to future directions for automated vulnerability repair.
Authors
FU Zi-wei (傅紫薇); SHEN Zi-niu (沈子牛); CHEN Yun-fang (陈云芳); ZHANG Wei (张伟)
School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
Source
Computer Technology and Development (《计算机技术与发展》), 2023, Issue 2, pp. 110-118 (9 pages)
Funding
Supported by the National Key R&D Program of China (2019YFB2101700).
Keywords
blockchain security
Ethereum
smart contracts
vulnerability detection
automated repair