微信服务号

微信订阅号

2025-4-24- 9
Home > Archive>Volume 35, Issue 9, 2024 >4193-4217. DOI:10.13328/j.cnki.jos.007133
PDF HTML XML Export Cite reminder
Vulnerability Detection Model for Blockchain Systems Based on Formal Method
Author:
Affiliation:

  • Article
    • | |
  • Metrics
    • |
  • Reference [60]
    • |
  • Related [20]
    • | | |
  • Comments
    Abstract:

    As blockchain technology is widely employed in all walks of life, the architecture of blockchain systems becomes increasingly more complex, which raises the number of security issues. At present, traditional vulnerability detection methods such as fuzz testing and symbol execution are adopted in blockchain systems, but these techniques cannot detect unknown vulnerabilities effectively. To improve the security of blockchain systems, this study proposes a vulnerability detection model for blockchain systems (VDMBS) based on the formal method. This model integrates multiple security factors including system migration state, security property and trust relationship among nodes, and provides a vulnerability model building method based on business process execution language (BPEL). Finally, the effectiveness of the proposed vulnerability detection model is verified on a blockchain-based e-voting election system by NuSMV, and the experimental results show that compared with five existing formal testing tools, the proposed VDMBS model can detect more blockchain system logic vulnerabilities and smart contract vulnerabilities.

    Reference
    [1] Latif SA, Wen FBX, Iwendi C, Wang LLF, Mohsin SM, Han ZY, Band SS. AI-empowered, blockchain and SDN integrated security architecture for IoT network of cyber physical systems. Computer Communications, 2022, 181: 274–283.
    [2] Kumar A, Singh AK, Ahmad I, Singh PK, Anushree, Verma PK, Alissa KA, Bajaj M, Rehman AU, Tag-Eldin E. A novel decentralized blockchain architecture for the preservation of privacy and data security against cyberattacks in healthcare. Sensors, 2022, 22(15): 5921.
    [3] Taylor PJ, Dargahi T, Dehghantanha A, Parizi RM, Choo KKR. A systematic literature review of blockchain cyber security. Digital Communications and Networks, 2020, 6(2): 147–156.
    [4] Liu ZY, Luong NC, Wang WB, Niyato D, Wang P, Liang YC, Kim DI. A survey on blockchain: A game theoretical perspective. IEEE Access, 2019, 7: 47615–47643.
    [5] Vasek M, Thornton M, Moore T. Empirical analysis of denial-of-service attacks in the Bitcoin ecosystem. In: Proc. of the 2014 Financial Cryptography and Data Security: FC 2014 Workshops, BITCOIN and WAHC 2014. Christ Church: Springer, 2014. 57–71. [doi: 10.1007/978-3-662-44774-1_5]
    [6] Bhutta MNM, Khwaja AA, Nadeem A, Ahmad HF, Khan MK, Hanif MA, Song HB, Alshamari M, Cao Y. A survey on blockchain technology: Evolution, architecture and security. IEEE Access, 2021, 9: 61048–61073.
    [7] Khan MA, Salah K. IoT security: Review, blockchain solutions, and open challenges. Future Generation Computer Systems, 2018, 82: 395–411.
    [8] Tsankov P, Dan A, Drachsler-Cohen D, Gervais A, Buenzli F, Vechev M. Securify: Practical security analysis of smart contracts. In: Proc. of the 2018 ACM SIGSAC Conf. on Computer and Communications Security. Toronto: ACM, 2018. 67–82.
    [9] Qu C, Tao M, Zhang J, Hong XY, Yuan RF. Blockchain based credibility verification method for IoT entities. Security and Communication Networks, 2018, 2018: 7817614.
    [10] Luu L, Chu DH, Olickel H, Saxena P, Hobor A. Making smart contracts smarter. In: Proc. of the 2016 ACM SIGSAC Conf. on Computer and Communications Security. Vienna: ACM, 2016. 254–269. [doi: 10.1145/2976749.2978309]
    [11] Li PR, Li SS, Ding MJ, Yu JP, Zhang H, Zhou X, Li JY. A vulnerability detection framework for hyperledger fabric smart contracts based on dynamic and static analysis. In: Proc. of the 26th Int’l Conf. on Evaluation and Assessment in Software Engineering. Gothenburg: ACM, 2022. 366–374. [doi: 10.1145/3530019.3531342]
    [12] Li JX, Wu JG, Chen L. Block-secure: Blockchain based scheme for secure P2P cloud storage. Information Sciences, 2018, 465: 219–231.
    [13] Alharbi T. Deployment of blockchain technology in software defined networks: A survey. IEEE Access, 2020, 8: 9146–9156.
    [14] Fung CJ, Zhang J, Aib I, Boutaba R. Dirichlet-based trust management for effective collaborative intrusion detection networks. IEEE Trans. on Network and Service Management, 2011, 8(2): 79–91.
    [15] Zhuang Y, Liu ZG, Qian P, Liu Q, Wang X, He QM. Smart contract vulnerability detection using graph neural networks. In: Proc. of the 29th Int’l Joint Conf. on Artificial Intelligence. Yokohama, 2020. 3283–3290.
    [16] Afzaal H, Imran M, Janjua MU, Gochhayat SP. Formal modeling and verification of a blockchain-based crowdsourcing consensus protocol. IEEE Access, 2022, 10: 8163–8183.
    [17] Ribeiro M, Ad?o P, Mateus P. Formal verification of Ethereum smart contracts using Isabelle/HOL. In: Logic, Language, and Security: Essays Dedicated to Andre Scedrov on the Occasion of His 65th Birthday. Switzerland: Springer Int’l Publishing, 2020. 71–97. [doi: 10.1007/978-3-030-62077-6_7]
    [18] Grishchenko I, Maffei M, Schneidewind C. A semantic framework for the security analysis of Ethereum smart contracts. In: Proc. of the 7th Int’l Conf. on Principles of Security and Trust. Thessaloniki: Springer, 2018. 243–269. [doi: 10.1007/978-3-319-89722-6_10]
    [19] Krupp J, Rossow C. TEETHER: Gnawing at Ethereum to automatically exploit smart contracts. In: Proc. of the 27th USENIX Conf. on Security Symp. Baltimore: USENIX Association, 2018. 1317–1333.
    [20] Feist J, Grieco G, Groce A. Slither: A static analysis framework for smart contracts. In: Proc. of the 2nd IEEE/ACM Int’l Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). Montreal: IEEE, 2019. 8–15.
    [21] Jiang B, Liu Y, Chan WK. ContractFuzzer: Fuzzing smart contracts for vulnerability detection. In: Proc. of the 33rd ACM/IEEE Int’l Conf. on Automated Software Engineering. Montpellier: ACM, 2018. 259–269. [doi: 10.1145/3238147.3238177]
    [22] Wang W, Song JJ, Xu GQ, Li YD, Wang H, Su CH. ContractWard: Automated vulnerability detection models for Ethereum smart contracts. IEEE Trans. on Network Science and Engineering, 2021, 8(2): 1133–1144.
    [23] Norta A, Matulevi?ius R, Leiding B. Safeguarding a formalized blockchain-enabled identity-authentication protocol by applying security risk-oriented patterns. Computers & Security, 2019, 86: 253–269.
    [24] Matsuo SI. How formal analysis and verification add security to blockchain-based systems. In: Proc. of the 2017 Formal Methods in Computer Aided Design (FMCAD). Vienna: IEEE, 2017. 1–4. [doi: 10.23919/FMCAD.2017.8102228]
    [25] Chaudhary KC, Chand V, Fehnker A. Double-spending analysis of bitcoin. In: Proc. of the 24th Pacific Asia Conf. on Information Systems. Dubai, 2020. 210.
    [26] Kalra S, Goel S, Dhawan M, Sharma S. Zeus: Analyzing safety of smart contracts. In: Proc. of the 2018 Network and Distributed Systems Security (NDSS) Symp. San Diego, 2018. 1–12.
    [27] Geatti L, Gianola A, Gigante N. Linear temporal logic modulo theories over finite traces. In: Proc. of the 31st Int’l Joint Conf. on Artificial Intelligence. Vienna, 2022. 2641–2647.
    [28] Ye X, Shi JQ, Huang YH, Li Q, Wei HS, Chen XY. Parallel computational tree logic model-checking on pushdown systems. Concurrency and Computation: Practice and Experience, 2022, 34(23): e7173.
    [29] Doostali S, Babamir SM, Javani M. Using a process algebra interface for verification and validation of UML statecharts. Computer Standards & Interfaces, 2023, 86: 103739.
    [30] Walkinshaw N, Hierons RM. Modelling second-order uncertainty in state machines. IEEE Trans. on Software Engineering, 2023, 49(5): 3261–3276.
    [31] Grossman S, Abraham I, Golan-Gueta G, Michalevsky Y, Rinetzky N, Sagiv M, Zohar Y. Online detection of effectively callback free objects with applications to smart contracts. Proc. of the ACM on Programming Languages, 2017, 2: 48.
    [32] Schneidewind C, Grishchenko I, Scherer M, Maffei M. eThor: Practical and provably sound static analysis of Ethereum smart contracts. In: Proc. of the 2020 ACM SIGSAC Conf. on Computer and Communications Security. ACM, 2020. 621–640. [doi: 10.1145/3372297.3417250]
    [33] Shaikh E, Al-Ali AR, Muhammad S, Mohammad N, Aloul F. Security analysis of a digital twin framework using probabilistic model checking. IEEE Access, 2023, 11: 26358–26374.
    [34] Waldmann U, Tourret S, Robillard S, Blanchette J. A comprehensive framework for saturation theorem proving. Journal of Automated Reasoning, 2022, 66(4): 499–539.
    [35] Tempel S, Herdt V, Drechsler R. Specification-based symbolic execution for stateful network protocol implementations in IoT. IEEE Internet of Things Journal, 2023, 10(11): 9544–9555.
    [36] Wang D, Dou WS, Gao Y, Wu CN, Wei J, Huang T. Model checking guided testing for distributed systems. In: Proc. of the 18th European Conf. on Computer Systems. Rome: ACM, 2023. 127–143. [doi: 10.1145/3552326.3587442]
    [37] Khan KM, Arshad J, Khan MM. Empirical analysis of transaction malleability within blockchain-based e-voting. Computers & Security, 2021, 100: 102081.
    [38] Zhang SJ, Lee JH. Double-spending with a Sybil attack in the Bitcoin decentralized network. IEEE Trans. on Industrial Informatics, 2019, 15(10): 5715–5722.
    [39] Shah Z, Ullah I, Li HL, Levula A, Khurshid K. Blockchain based solutions to mitigate distributed denial of service (DDoS) attacks in the Internet of Things (IoT): A survey. Sensors, 2022, 22(3): 1094.
    [40] Sahay R, Geethakumari G, Mitra B. A novel blockchain based framework to secure IoT-LLNs against routing attacks. Computing, 2020, 102(11): 2445–2470.
    [41] Tran M, Shenoi A, Kang MS. On the routing-aware peering against network-eclipse attacks in Bitcoin. In: Proc. of the 30th USENIX Security Symp. (USENIX Security 2021). 2021. 1253–1270.
    [42] Du Y, Wang Z, Li J, Shi L, Jayakody DNK, Chen Q, Chen W, Han Z. Blockchain-aided edge computing market: Smart contract and consensus mechanisms. IEEE Trans. on Mobile Computing, 2023, 22(6): 3193–3208.
    [43] Wang JL, Liu Q, Song BY. Blockchain-based multi-malicious double-spending attack blacklist management model. The Journal of Supercomputing, 2022, 78(12): 14726–14755.
    [44] Hafid A, Hafid AS, Samih M. A tractable probabilistic approach to analyze Sybil attacks in sharding-based blockchain protocols. IEEE Trans. on Emerging Topics in Computing, 2023, 11(1): 126–136.
    [45] Piantadosi V, Rosa G, Placella D, Scalabrino S, Oliveto R. Detecting functional and security-related issues in smart contracts: A systematic literature review. Software: Practice and Experience, 2023, 53(2): 465–495.
    [46] 钱鹏, 刘振广, 何钦铭, 黄步添, 田端正, 王勋. 智能合约安全漏洞检测技术研究综述. 软件学报, 2022, 33(8): 3059–3085. http://www.jos.org.cn/1000-9825/6375.htm
    Qian P, Liu ZG, He QM, Huang BT, Tian DZ, Wang X. Smart contract vulnerability detection technique: A survey. Ruan Jian Xue Bao/Journal of Software, 2022, 33(8): 3059–3085 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/6375.htm
    [47] 董伟良, 刘哲, 刘逵, 黎立, 葛春鹏, 黄志球. 智能合约漏洞检测技术综述. 软件学报, 2024, 35(1): 38–62. http://www.jos.org.cn/1000-9825/6810.htm
    Dong WL, Liu Z, Liu K, Li L, Ge CP, Huang ZQ. Survey on vulnerability detection technology of smart contracts. Ruan Jian Xue Bao/Journal of Software, 2024, 35(1): 38–62 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/6810.htm
    [48] 韩璇, 袁勇, 王飞跃. 区块链安全问题: 研究现状与展望. 自动化学报, 2019, 45(1): 206–225.
    Han X, Yuan Y, Wang FY. Security problems on blockchain: The state of the art and future trends. Acta Automatica Sinica, 2019, 45(1): 206–225 (in Chinese with English abstract).
    [49] 冯萍慧, 连一峰, 戴英侠, 鲍旭华. 基于可靠性理论的分布式系统脆弱性模型. 软件学报, 2006, 17(7): 1633–1640. http://www.jos.org.cn/1000-9825/17/1633.htm
    Feng PH, Lian YF, Dai YX, Bao XH. A vulnerability model of distributed systems based on reliability theory. Ruan Jian Xue Bao/Journal of Software, 2006, 17(7): 1633–1640 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/17/1633.htm
    [50] Gao HH, Zhang YD, Miao HK, Barroso RJD, Yang XX. SDTIOA: Modeling the timed privacy requirements of IoT service composition: A user interaction perspective for automatic transformation from BPEL to timed automata. Mobile Networks and Applications, 2021, 26(6): 2272–2297.
    [51] Cimatti A, Clarke E, Giunchiglia F, Roveri M. NuSMV: A new symbolic model checker. Int’l Journal on Software Tools for Technology Transfer, 2000, 2(4): 410–425.
    [52] Hjálmarsson FT, Hreiearsson GK, Hamdaqa M, Hjálmtysson G. Blockchain-based e-voting system. In: Proc. of the 11th IEEE Int’l Conf. on Cloud Computing (CLOUD). San Francisco: IEEE, 2018. 983–986. [doi: 10.1109/CLOUD.2018.00151]
    [53] Marcilla B. Polygon-NFT-marketplace. 2022. https://github.com/ikcoin/Polygon-NFT-marketplace
    [54] Lobo K. AuthentiFi. 2022. https://github.com/kylelobo/AuthentiFi
    [55] Atraura Blockchain. scts. 2017. https://github.com/AtrauraBlockchain/scts
    [56] yashverma9. AI blockchain electronic health records management system. 2020. https://github.com/yashverma9/AI-Blockchain-Electronic-Health-Records-Management-System
    Cited by
    Comments
    Comments
    分享到微博
    Submit
Get Citation

陈锦富,冯乔伟,蔡赛华,施登洲,Rexford Nii Ayitey SOSU.基于形式化方法的区块链系统漏洞检测模型.软件学报,2024,35(9):4193-4217

Copy
Share
Article Metrics
  • Abstract:920
  • PDF: 3119
  • HTML: 1002
  • Cited by: 0
History
  • Received:September 11,2023
  • Revised:October 30,2023
  • Online: January 05,2024
  • Published: September 06,2024
Links:Institute of Software, CASChina Computer FederationCASNSFC
You are the first2037990Visitors
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4
Address:4# South Fourth Street, Zhong Guan Cun, Beijing 100190,Postal Code:100190
Phone:010-62562563 Fax:010-62562533 Email:jos@iscas.ac.cn
Technical Support:Beijing Qinyun Technology Development Co., Ltd.

Beijing Public Network Security No. 11040202500063