CN-121997342-A - Evaluation method for authenticity of intelligent contract transaction sequence dependence vulnerability variation generation result

Abstract

The invention provides an evaluation method for the authenticity of a generated result of intelligent contract transaction sequence dependent vulnerability variation. The method first finds a function containing transfer in the contract and a function that indirectly affects transfer amount or transfer object. The function where the TOD vulnerability is located is found by executing locally the transaction sequence containing the two functions. Secondly, setting a global variable as a lock, and utilizing an assertion mechanism of the intelligent contract to fix the execution sequence of tFun and cFun so as to achieve the effect of repairing the transaction sequence dependence vulnerability. And delivering the repaired loopholes to a mutation tool for mutation to obtain a loophole data set after mutation. And finally, calculating the Jacquard similarity coefficient of the mutated vulnerability and the vulnerability of the original contract to obtain the authenticity of the mutated vulnerability of the mutated tool.

Inventors

• WANG XINGYA
• LIU LINWEI
• ZHANG YIBO

Assignees

• 南京工业大学

Dates

Publication Date

20260508

Application Date

20260129

Claims (4)

1. 1. TOD vulnerability positioning, TOD vulnerability repairing and authenticity assessment of TOD vulnerability variation results; firstly, translating an input contract into a three-address code, wherein a transfer function plays a function of transferring contracts in an intelligent contract, so that a plurality of transaction sequences are generated through static analysis of the three-address code, the function of calling the transfer function internally is found and marked as tFun, the amount and the object of transferring the transfer statement in tFun are analyzed, if more than one global variable exists, all the functions which can change the global variable are found and marked as cFun, the functions are marked as the aggregate CFUN= { cFun1, cFun2, & gt, then, a plurality of transaction sequences with tFun and cFun are generated through a method of symbol execution, the transaction sequences are deployed on a local private chain, compared with the execution results of the exchange sequences, tFun and cFun of the results are marked as unequal, the execution sequence of the two functions is limited through the global variable, a global variable gl initial value is set as 0, a second step is added as a value in the global variable, a value in the glad tFun is marked as cFun, the value is placed in the glad, if the three-step is placed as a constraint value, the loophole is achieved, then, the loophole is placed as a value is compared with the glad 35, and the loophole is placed as a value of the true, and the loophole is compared with the true position of the three-world, if the loophole is detected, and the loophole is placed as a position of the loophole is 37, and the loophole is determined as a result of the loophole is, and the loophole is 37, and the value is compared with the positions is 37 when the true when the value is compared with the position is 35 and is 37 and is placed when the position and is compared with the true when the value and is 35 and is 3, finally, the statistical mutation tool mutates the vulnerability and the Jacquard similarity coefficient of the vulnerability of the original contract, and specifically, the method comprises the following steps: TOD vulnerability localization, namely taking a target contract tc as input, and outputting to generate a function pair set TM=MAP < tFun, CFUN > containing TOD vulnerabilities; firstly, converting an input contract into a three-address code, finding a function tFun of transferring in the contract through the three-address code, then extracting transfer amount amountand receiving transfer account receiver in the transfer, analyzing whether the transfer amount amountand receiving transfer account receiver are influenced by global variables through the three-address code, storing all global variables which are influenced into a set G= { G1, G2, }, analyzing whether elements in the G can be assigned by other functions, if the other functions can assign the elements in the G, then recording the function as cFun, forming a set CFUN_c= { cFun, cFun2,., then generating a plurality of transaction sequences containing tFun and cFun through a symbol execution technology, recording the execution sequence in the transaction sequences as an exchange sequence, wherein each of the generated transaction sequences and the exchange sequence form a transaction sequence comparison group; 1) TOD vulnerability repair, namely inputting a function pair set TM which is generated in the last step and contains TOD vulnerabilities, wherein TM=MAP < tFun, CFUN > and outputting a repaired TOD vulnerability function pair set TMR and a repaired contract tcR, wherein TMR=MAP < tfonn R, CFUNR >; firstly, initializing an empty MAP and storing a result TMR, then traversing elements in the TM, creating a unique global variable gl for each element, marking the initial value of the unique global variable gl as 0, adding an assertion statement at the beginning of each cFun function to judge gl, continuing to execute the transaction when judging gl as 0 and indicating that no transaction is executed before the cFun function, limiting that the operation of changing transaction amp or the transaction must be completed before the transfer if the transaction order dependency bug is to be repaired, namely limiting that all cFun must be executed before tFun, adding an assignment statement before any branch is not entered in the tFun function, creating a unique global variable gl as 1, marking the changed global variable gl as tFunR, adding an assertion statement at the beginning of each cFun function, judging gl to be executed when judging gl as 0, indicating that the transaction is executed before the cFun function, and finally rolling out the assertion statement before cFun function, adding back to the transaction to the TMP as well as adding the result of the TMP as being completed as the result of the TMP is the result of combining the result of the TMP with the result of the TMP of being completed and being the TMP of the result being manufactured by the method of combining the result of the TMP with the result of the TMP of being obtained by adding the result of the TMP and being the result of the TMP and being obtained by the result of the method of the combined; 3) The authenticity evaluation of TOD loophole mutation results comprises the steps of taking TMR and tcR generated in the previous step as input, outputting A Jacquard similarity coefficient of the original contract with TOD loopholes and TOD loophole mutation tools to mutate loopholes, firstly, recording A TOD loophole set mutated by the mutation tools as A, taking the TOD loophole set of the original contract as B, creating three int-type variables M1, M2 and M3, wherein the initial value is 0, M1=A and B, M2=A-B, M3=B-A, the Jacquard similarity coefficient calculation formulA is JSC= |A and B|/|A/(M1+M2+M3), secondly, inputting tcR into mutation tools to obtain mutation results tcM, traversing elements in TMR, for each cFun in the TMR, creating three int-type variables M1, M2 and M3, wherein if the assertion statement is mutated in tcM or is damaged in 3835 glm 24, the graph is written in the TMR, and M is considered as M+M 2, if the number is not damaged in the TMR, and the error is considered to be completely bad, and the value is not satisfied by the TMR is calculated by the conventional method, and if the value is calculated by the value M1 and the value is not satisfied, and the value M is calculated by the value M1+M+M2+M3, and the value is not satisfied, and the value is calculated by the value of the value M1 and the value M is calculated by the value and the value.
2. 2. The method according to claim 1, wherein in step 1), all functions tFun including transfer operations are identified with a target contract tc as input, the set is denoted TFUN, a set of TFUN is traversed, an amount and a receiver related to transfer in tFun are extracted, global variable sets g= { G1, G2, & gt, which affect amount and receiver are found, all cFun corresponding to functions cFun, tFun which change elements in G are found to form a set CFUN, the set of CFUN is traversed, an original sequence including tFun and cFun is generated by using a symbol execution technique, the exchange sequence is sequentially obtained by exchanging tFun and cFun, two sets of sequences are executed respectively, if the result of the original sequence is inconsistent with the result of the exchange sequence, TOD is considered to exist in cFun and tFun, cFun corresponding to tFun is added to the associated un, one element [ tFun, CFUN ] forming TM with tFun is found, and all the result of traverse are finished, and all the results of traverse are output.
3. 3. The method of claim 1, wherein in step 2), each < tFun, CFUN > pair is traversed with a set TM of pairs of functions containing TOD holes as input, a unique global variable gl is created for each pair of pairs of functions containing TOD holes [ tFun, cFun ], and its initial value is set to 0, gl = 1 is added at tFun function start position, the modified function is tFunR, the repaired cFun is added to CFUNR, and the original cFun code segment in tcR is replaced with cFun, when CFUN traversal is completed, [ tfun r, CFUN r ] is added to the output set TMR, and the original tFun code segment in tcR is replaced with tFunR, when TM traversal is completed, the results TMR and tcR are output.
4. 4. The method for analyzing mutation test tool mutation results according to claim 1, wherein in the step 3), TMR and tcR are taken as input, M1, M2, M3=0 are initialized, M1 represents the real loophole number successfully recognized by the tool, M2 represents the loophole number spontaneously mutated by the mutation tool, M3 represents the real TOD loophole number not mutated by the mutation tool, the respective numbers of M1, M2 and M3 are obtained by comparing cFun and tFun parts in the tcR and TMR, the Jacquard similarity coefficient JSC=M1/(M1+M2+M3) of the mutation loophole of the mutation tool and the original contract is calculated, and finally Jacquard similarity coefficient JSC is output.

Description

Evaluation method for authenticity of intelligent contract transaction sequence dependence vulnerability variation generation result Technical Field The invention belongs to the field of information security, focuses on the security of intelligent contracts, and is particularly suitable for an authenticity assessment scene of a result generated by a Transaction sequence dependent (TOD) vulnerability variation tool. The core idea is that the real world TOD vulnerability contract is repaired and then is submitted to a mutation tool for mutation, the result is compared with the TOD vulnerability of the original real contract, and whether the generated vulnerability can truly simulate the real world TOD vulnerability is judged. The authenticity of the loopholes is generated by detecting the TOD loophole mutation tool, and reliable data support is provided for the evaluation and optimization of the TOD loophole mutation tool. Background Intelligent contracts, which are key components for decentralised applications, control a large number of digital assets, and their security issues have been of great concern. TOD vulnerability is one of the vulnerabilities with highest occurrence frequency in intelligent contracts, and is derived from uncertainty of transaction packing and execution sequence in a blockchain environment, wherein the initiation sequence of the transaction does not necessarily represent the execution sequence of the transaction, and the execution sequence of the transaction is determined by miners, so that the initiation sequence and the execution sequence may not be consistent. The participator of a certain transaction of the intelligent contract can become a malicious miner, and the best execution condition is achieved by exchanging the execution sequence of one transaction in the transaction pool, so that an unfair execution result is caused. At present, a plurality of tools for detecting TOD vulnerabilities exist in the market, but a large number of TOD vulnerabilities are needed by an evaluation test tool, and because the manual creation of TOD vulnerability data sets is time-consuming and labor-consuming, some mutation tools are used for automatically generating the TOD vulnerabilities so as to provide the evaluation test tool with sufficient data sets. Mutation refers to the modification of a part of codes to enable a contract without a vulnerability to generate the vulnerability, so that the effect of injecting the vulnerability into the contract is achieved. However, the loopholes generated by mutation cannot prove whether the loopholes are similar to the real contracts or not, namely, whether the effects of the real-world loopholes can be simulated or not, rather than the toy contracts which are constructed by manpower without midwifery for constructing the loophole data set. The real world contracts are far greater in number of lines of code and logic complexity than the toy contracts, and the test performance of the test tool on the toy contracts is far different from the test performance on the real contracts. Therefore, there is a need for a method that can evaluate the authenticity of vulnerability data sets that have had TOD vulnerabilities mutated. In contrast, the invention provides an evaluation method for the authenticity of the generated result of the intelligent contract transaction sequence dependent vulnerability variation. The method first finds a function containing transfer in the contract and a function that indirectly affects transfer amount or transfer object. The function where the TOD vulnerability is located is found by executing locally the transaction sequence containing the two functions. Secondly, setting a global variable as a lock, and utilizing an assertion mechanism of the intelligent contract to fix the execution sequence of tFun and cFun so as to achieve the effect of repairing the transaction sequence dependence vulnerability. And delivering the repaired loopholes to a mutation tool for mutation to obtain a loophole data set after mutation. The Jacquard similarity coefficient is an index for measuring the similarity of two sets, so that the Jacquard similarity coefficient is regarded as an index for quantifying the authenticity of a generated result of the transaction sequence dependent vulnerability variation. And finally, calculating the Jacquard similarity coefficient of the mutated vulnerability and the vulnerability of the original contract to obtain the authenticity of the mutated vulnerability of the mutated tool. Disclosure of Invention The method comprises the following 3 main steps of TOD vulnerability positioning, TOD vulnerability repairing and authenticity assessment of TOD vulnerability variation results. Firstly, the input contract is translated into three-address codes, and the transfer function plays a role of transferring the contract in the intelligent contract, so that a function for calling the transfer function internally is found th