Intelligent contract security auditing method based on symbol abstraction analysis

Abstract

The invention discloses an intelligent contract security auditing method based on symbol abstraction analysis, and the method comprises the following steps: S1, inputting a to-be-detected contract source code, and generating a static detection file through a contract compiler; s2, traversing the static detection file to generate a control flow chart (CFG) file and collecting contract information; s3, converting the CFG into a single assignment statement text SSA by using the contract information, performing modeling analysis on the single assignment statement text SSA, and traversing and collecting contract attribute information; s4, integrating the contract attribute information as input, executing vulnerability detection strategy search, and generating vulnerability types and vulnerability positions; s5, the vulnerability type and the vulnerability position serve as input of a symbolic analysis engine, a basic block where the vulnerability is located is inquired, the symbolic analysis engine analyzes the vulnerability type and the vulnerability position, traceability traversal is conducted on an execution path of the vulnerability, and the vulnerability is obtained. And completing verification and screening work of the generated vulnerability type and the vulnerability position.

Description

technical field [0001] The invention belongs to the field of smart contracts, and in particular relates to a smart contract security audit method based on symbol abstract analysis. Background technique [0002] In the field of automated security tools for smart contracts, there are not many existing symbolic execution vulnerability detection solutions, among which Oyente, WANA, etc. are more typical. The current automated detection tools often rely too much on a single technology, and the degree of automation is not high. It still needs a lot of work to be used in practice. Although it is useful in some cases, there are still some shortcomings and deficiencies. With the update and iteration of contract language and the increase of vulnerability types, due to the defects of detection mode or logic design, many key vulnerability verifications will be missing. ; Due to the inaccurate modeling of vulnerabilities, a large number of false positives and false positives will be cau...

AI Technical Summary

Problems solved by technology

The current automated detection tools are often too dependent on a single technology, and the degree of automation is not high. It still needs a lot of work to be used in practice.

Although it is useful in some cases, there are still some shortcomings and deficiencies. With the update and iteration of contract language and the increase of vulnerability types, due to the defects of detection mode or logic design, many key vulnerability verifications will be missing. ; Due to the inaccurate modeling of vulnerabilities, a large number of false positives and false positives will be caused; the coverage rate of the contract is not high, and the basic requirements can be met for some specific contracts, but the contract coverage rate in real production is low

Images