Technical Field
The present application relates to the field of blockchain technology, and in particular to a vulnerability detection method, apparatus, computer device, and readable storage medium.
Background Art
A smart contract is a decentralized, event-driven, distributed program for execution and verification; it may consist of a set of code (the contract's functions) and data (the contract's state), and it runs on a blockchain. As business scenarios on the blockchain grow richer, contract logic becomes more complex, and smart contracts may be exposed to reentrancy attacks, integer overflow vulnerabilities, denial-of-service vulnerabilities, timestamp dependency vulnerabilities, and the like.
Therefore, in order to safeguard data, prevent malicious attacks, and improve the reliability of contracts, the vulnerabilities of smart contracts need to be detected.
In the related art, an intermediate language or pattern matching is usually used to detect vulnerabilities in smart contracts. Although such detection is fast, real attacks often involve complex contract code logic and semantics, and relying on pattern matching alone leads to incomplete and inaccurate detection.
Summary of the Invention
The main purpose of the embodiments of the present application is to provide a vulnerability detection method, apparatus, computer device, and readable storage medium capable of improving the comprehensiveness and accuracy of vulnerability detection.
To achieve the above purpose, a first aspect of the embodiments of the present application provides a vulnerability detection method, the method comprising:
obtaining source code to be tested of a smart contract to be tested;
parsing the syntax structure of the source code to be tested to obtain an abstract syntax tree corresponding to the source code to be tested;
obtaining a control flow graph of the smart contract to be tested, and completing the call relationships of the control flow graph according to the abstract syntax tree to obtain a cross-contract control flow graph;
constructing a global state dependency graph based on the dependency relationships between the statement nodes in the cross-contract control flow graph;
performing vulnerability taint analysis on the smart contract to be tested based on the global state dependency graph to obtain a vulnerability detection result for the smart contract to be tested.
Correspondingly, a second aspect of the embodiments of the present application provides a vulnerability detection apparatus, the apparatus comprising:
an acquisition module, configured to obtain source code to be tested of a smart contract to be tested;
a parsing module, configured to parse the syntax structure of the source code to be tested to obtain an abstract syntax tree corresponding to the source code to be tested;
a completion module, configured to obtain a control flow graph of the smart contract to be tested, and to complete the call relationships of the control flow graph according to the abstract syntax tree to obtain a cross-contract control flow graph;
a construction module, configured to construct a global state dependency graph based on the dependency relationships between the statement nodes in the cross-contract control flow graph;
an analysis module, configured to perform vulnerability taint analysis on the smart contract to be tested based on the global state dependency graph to obtain a vulnerability detection result for the smart contract to be tested.
In some embodiments, the analysis module is further configured to:
determine, according to the global state dependency graph, at least one vulnerability feature possessed by the smart contract to be tested;
match a corresponding taint analysis rule for each vulnerability feature, and extract a plurality of key code nodes from the global state dependency graph based on the taint analysis rule;
perform vulnerability analysis based on the plurality of key code nodes to obtain the vulnerability detection result for the smart contract to be tested.
In some embodiments, the analysis module is further configured to:
determine, based on the taint analysis rule, the taint source and taint sink corresponding to the vulnerability feature from the global state dependency graph;
determine, based on the taint source and the taint sink, the propagation path of taint information in the global state dependency graph;
extract the corresponding plurality of key code nodes according to the propagation path.
In some embodiments, the analysis module is further configured to:
analyze the statement sequence and variable assignments of each key code node to obtain an analysis result;
obtain a preset vulnerability condition, and perform vulnerability detection on the analysis result of each key code node according to the preset vulnerability condition to obtain the vulnerability detection result for the smart contract to be tested.
In some embodiments, the completion module is further configured to:
determine, based on the abstract syntax tree, a target node in the source code to be tested at which a cross-contract call exists, and mark the target node;
determine, based on the marked target node, a first smart contract that the target node calls across contracts;
obtain a first control flow graph of the first smart contract, and connect the target node by edges according to the first control flow graph and the control flow graph of the smart contract to be tested, so as to obtain the cross-contract control flow graph.
In some embodiments, the vulnerability detection apparatus further includes an update module, configured to:
determine, according to the abstract syntax tree, the function name and variable name of each statement node in the cross-contract control flow graph;
inject the function name and the variable name into the cross-contract control flow graph to obtain an updated cross-contract control flow graph.
In some embodiments, the dependency relationships include data dependency relationships and control dependency relationships, and the construction module is further configured to:
perform data flow detection on each statement node based on the cross-contract control flow graph to obtain a detection result;
when the detection result indicates that a data dependency relationship exists between any two of the statement nodes, annotate the data dependency relationship in the cross-contract control flow graph to obtain the global state dependency graph; or, when the detection result indicates that a control dependency relationship exists between any two of the statement nodes, annotate the control dependency relationship in the cross-contract control flow graph to obtain the global state dependency graph.
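The following is an added illustration, not code from the application, of the construction module and analysis module described above: it annotates a small constructed cross-contract control flow graph with data and control dependency edges to form a global state dependency graph, then applies a constructed taint rule to find the taint source, taint sink and propagation path, returning the key code nodes. It goes beyond the text by computing control dependency with post-dominators, a standard technique the page does not name; the node format, the sample withdraw routine and the rule name are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class Stmt:
    """One statement node of the (cross-contract) control flow graph."""
    nid: str
    kind: str                                  # entry, assign, branch, external_call, state_write, exit
    defs: set = field(default_factory=set)     # variables written by the statement
    uses: set = field(default_factory=set)     # variables read by the statement
    succ: tuple = ()                           # control-flow successors

# Constructed sample: a withdraw routine that reads an untrusted amount,
# checks a balance, performs an external call, then updates contract state.
SAMPLE = {s.nid: s for s in [
    Stmt("n0", "entry", succ=("n1",)),
    Stmt("n1", "assign", defs={"amt"}, uses={"msg.value"}, succ=("n2",)),
    Stmt("n2", "branch", uses={"balance", "amt"}, succ=("n3", "n5")),
    Stmt("n3", "external_call", uses={"amt", "msg.sender"}, succ=("n4",)),
    Stmt("n4", "state_write", defs={"balance"}, uses={"balance", "amt"}, succ=("n5",)),
    Stmt("n5", "exit"),
]}
SAMPLE_EXIT = "n5"

# Constructed taint rule (hypothetical name): untrusted call input reaching an external call.
RULES = {"untrusted_input_to_external_call": {
    "source_vars": {"msg.value", "msg.sender"}, "sink_kinds": {"external_call"}}}

def data_dependencies(cfg):
    """Data dependency: n2 depends on n1 for v if n1 defines v, n2 uses v, and some
    control-flow path from n1 to n2 does not redefine v in between."""
    deps = defaultdict(set)                    # target nid -> {(source nid, variable)}
    for d in cfg.values():
        for v in d.defs:
            seen, stack = set(), list(d.succ)
            while stack:
                n = stack.pop()
                if n in seen:
                    continue
                seen.add(n)
                if v in cfg[n].uses:
                    deps[n].add((d.nid, v))
                if v in cfg[n].defs:           # definition killed here; do not look past it
                    continue
                stack.extend(cfg[n].succ)
    return deps

def post_dominators(cfg, exit_id):
    """Iterative post-dominator sets (standard algorithm, not described on the page)."""
    pdom = {n: set(cfg) for n in cfg}
    pdom[exit_id] = {exit_id}
    changed = True
    while changed:
        changed = False
        for n in cfg:
            if n == exit_id:
                continue
            succ_sets = [pdom[s] for s in cfg[n].succ]
            new = {n} | (set.intersection(*succ_sets) if succ_sets else set())
            if new != pdom[n]:
                pdom[n], changed = new, True
    return pdom

def control_dependencies(cfg, exit_id):
    """Control dependency: n depends on branch b if n post-dominates a successor of b
    but does not post-dominate b itself."""
    pdom = post_dominators(cfg, exit_id)
    deps = defaultdict(set)                    # target nid -> {branch nid}
    for b in cfg.values():
        if len(b.succ) < 2:
            continue
        for s in b.succ:
            for n in cfg:
                if n != b.nid and n in pdom[s] and n not in pdom[b.nid]:
                    deps[n].add(b.nid)
    return deps

def build_gsdg(cfg, exit_id):
    """Global state dependency graph: the CFG nodes plus labelled data/control edges."""
    edges = defaultdict(set)                   # source nid -> {(target nid, label)}
    for dst, srcs in data_dependencies(cfg).items():
        for src, v in srcs:
            edges[src].add((dst, "data:" + v))
    for dst, srcs in control_dependencies(cfg, exit_id).items():
        for src in srcs:
            edges[src].add((dst, "control"))
    return edges

def taint_path(cfg, edges, rule):
    """Key code nodes: shortest dependency path from a taint source to a taint sink."""
    sinks = {n.nid for n in cfg.values() if n.kind in rule["sink_kinds"]}
    for src in [n.nid for n in cfg.values() if n.uses & rule["source_vars"]]:
        queue, seen = deque([[src]]), {src}
        while queue:
            path = queue.popleft()
            if path[-1] in sinks:
                return path
            for nxt, _label in edges.get(path[-1], ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return []
```

On the sample, the tainted assignment n1 reaches the external call n3 through the data edge on `amt`, and n3 and n4 are control-dependent on the branch n2; the returned path is the list of key code nodes a preset vulnerability condition would then be checked against.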
Correspondingly, a third aspect of the embodiments of the present application provides a computer device, which includes a memory and a processor, the memory storing a computer program, and the processor implementing the vulnerability detection method of any one of the embodiments of the first aspect of the present application when executing the computer program.
Correspondingly, a fourth aspect of the embodiments of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the vulnerability detection method of any one of the embodiments of the first aspect of the present application.
The embodiments of the present application obtain source code to be tested of a smart contract to be tested; parse the syntax structure of the source code to be tested to obtain the corresponding abstract syntax tree; obtain the control flow graph of the smart contract to be tested and complete its call relationships according to the abstract syntax tree to obtain a cross-contract control flow graph; construct a global state dependency graph based on the dependency relationships between the statement nodes in the cross-contract control flow graph; and perform vulnerability taint analysis on the smart contract to be tested based on the global state dependency graph to obtain a vulnerability detection result. In this way, the call relationships of the smart contract to be tested, that is, its cross-contract relationships, are completed, so that the interaction between multiple smart contracts is taken into account and a more comprehensive and accurate analysis of the smart contract to be tested is achieved. Further, by considering the dependency relationships between the statement nodes, the vulnerabilities and the propagation of taint in the contract can be analyzed, which further improves the comprehensiveness and accuracy of the detection.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the architecture of a vulnerability detection system provided in an embodiment of the present application;
FIG. 2 is a flowchart of a vulnerability detection method provided in an embodiment of the present application;
FIG. 3 is a flowchart of generating a cross-contract control flow graph provided in an embodiment of the present application;
FIG. 4 is a flowchart of generating a global state dependency graph provided in an embodiment of the present application;
FIG. 5 is a flowchart of performing vulnerability detection by matching a corresponding taint analysis rule to a vulnerability feature, provided in an embodiment of the present application;
FIG. 6 is an overall flowchart of a vulnerability detection method provided in an embodiment of the present application;
FIG. 7 is a schematic diagram of the functional modules of a vulnerability detection apparatus provided in an embodiment of the present application;
FIG. 8 is a schematic diagram of the hardware structure of a computer device provided in an embodiment of the present application.
Detailed Description
In order to make the purpose, technical solution and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only intended to explain the present application and are not intended to limit it.
It should be noted that, although functional modules are divided in the apparatus diagrams and a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed with a module division different from that in the apparatus, or in an order different from that in the flowcharts. The terms "first", "second", and the like in the specification, the claims and the above drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the art to which the present application belongs. The terms used herein are only for the purpose of describing the embodiments of the present application and are not intended to limit the present application.
A smart contract is a decentralized, event-driven, distributed program for execution and verification; it may consist of a set of code (the contract's functions) and data (the contract's state), and it runs on a blockchain. As business scenarios on the blockchain grow richer, contract logic becomes more complex, and smart contracts may be exposed to reentrancy attacks, integer overflow vulnerabilities, denial-of-service vulnerabilities, timestamp dependency vulnerabilities, and the like.
Therefore, in order to safeguard data, prevent malicious attacks, and improve the reliability of contracts, the vulnerabilities of smart contracts need to be detected.
In the related art, an intermediate language or pattern matching is usually used to detect vulnerabilities in smart contracts. Although such detection is fast, real attacks often involve complex contract code logic and semantics, and relying on pattern matching alone leads to incomplete and inaccurate detection.
On this basis, the embodiments of the present application provide a vulnerability detection method, apparatus, computer device, and readable storage medium capable of improving the comprehensiveness and accuracy of vulnerability detection.
The vulnerability detection method, apparatus, computer device, and readable storage medium provided in the embodiments of the present application are described through the following embodiments; the vulnerability detection system of the embodiments is described first.
Referring to FIG. 1, in some embodiments, an embodiment of the present application provides a vulnerability detection system. Specifically, the vulnerability detection system includes a client 11 and a server 12.
Exemplarily, the client 11 may be a personal computer, a mobile device, or a dedicated detection device with an appropriate amount of processing power, memory, and storage. The client 11 may provide a user-friendly interface that allows a user to enter or upload the smart contract source code to be tested. In addition, the client 11 may perform preliminary parsing of the smart contract source code, such as syntax checking, to ensure that the source code is basically parsable and complete, and may encrypt the processed data (such as the source code) and transmit it securely to the server 12.
Specifically, the server 12 may be configured as a high-performance server cluster, including multi-core processors and a high-speed storage system, to support data-intensive processing tasks. The server 12 may also be a cloud server or a dedicated security detection server. The server 12 may perform in-depth syntax structure parsing of the smart contract source code sent by the client 11, generate an abstract syntax tree, and, based on the abstract syntax tree, generate and refine the control flow graph of the smart contract, including the cross-contract control flow graph. Further, the server 12 may use the control flow graph to construct a global state dependency graph, perform taint analysis based on these graphs, and identify potential security vulnerabilities. The vulnerability detection result is then processed and returned to the client 11, together with details of the vulnerabilities, remediation suggestions, and the like.
The vulnerability detection method in the embodiments of the present application can be illustrated by the following embodiments.
It should be noted that, in each specific embodiment of the present application, whenever processing needs to be performed on the basis of data related to a user's identity or characteristics, such as user information, user behavior data, user historical data, and user location information, the user's permission or consent is obtained first. Moreover, the collection, use, and processing of such data comply with the relevant laws, regulations, and standards. In addition, when an embodiment of the present application needs to obtain a user's sensitive personal information, the user's separate permission or separate consent is obtained through a pop-up window or by redirecting to a confirmation page, and only after such separate permission or consent has been explicitly obtained is the user-related data necessary for the normal operation of the embodiment obtained.
The embodiments of the present application are described from the perspective of a vulnerability detection apparatus, which may be integrated in a computer device. Referring to FIG. 2, FIG. 2 is a flowchart of the steps of the vulnerability detection method provided in an embodiment of the present application. The embodiment takes as an example a vulnerability detection apparatus integrated in a terminal or a server; when the processor of the terminal or server executes the program instructions corresponding to the vulnerability detection method, the specific process is as follows:
Step 101: obtain source code to be tested of a smart contract to be tested.
In some embodiments, since smart contracts usually involve data interaction or other important business logic, a vulnerability in the contract code may lead to financial loss, data leakage, or other security problems. Therefore, to ensure that the smart contract runs safely, reliably, and efficiently, the source code to be tested of the smart contract to be tested can be obtained so that vulnerability detection can subsequently be performed on it.
The smart contract to be tested may be smart contract code that has not yet been deployed on the blockchain, or that has been deployed but requires periodic security checks. A smart contract may be written in a high-level programming language and contains a series of rules and conditions that are executed automatically on the blockchain when specific conditions are met.
The source code to be tested, also called the source code, may be the original code in which the smart contract to be tested is written; it defines all of the logic and functionality of the smart contract to be tested.
Exemplarily, the source code to be tested may be obtained from channels such as blockchain explorers, code repositories, and smart contract deployment tools.
In the above manner, the source code to be tested of the smart contract to be tested can be obtained, which facilitates the subsequent syntax structure analysis of the source code and thereby the vulnerability detection of the smart contract to be tested.
Step 102: parse the syntax structure of the source code to be tested to obtain an abstract syntax tree corresponding to the source code to be tested.
In some embodiments, in order to better understand the logic of the smart contract to be tested and to discover and repair potential vulnerabilities, the syntax structure of the source code to be tested can be parsed to generate an abstract syntax tree that retains the syntax structure information of the source code, which facilitates subsequent code analysis.
The abstract syntax tree (AST) may be a tree-shaped data structure representing the abstract syntax structure of the source code to be tested; it is easier to analyze and process than the source code itself. Each node of the abstract syntax tree represents a construct in the source code to be tested, such as a function declaration, a variable declaration, or an expression, and each node may also carry metadata related to that node to improve the readability of the abstract syntax tree and facilitate subsequent analysis.
Exemplarily, a compiler can perform lexical analysis, decomposing the source code to be tested into a sequence of lexical units (tokens), which are the smallest recognizable parts of the source code, such as keywords, identifiers, and literals. After lexical analysis, the compiler enters the syntax analysis stage. In this stage, the compiler checks, according to the grammar rules of the programming language, whether the syntax structure of the source code conforms to the language rules, and generates the corresponding AST nodes; the compiler creates nodes continuously during syntax analysis and organizes them into a tree structure.
It can be understood that each node may represent one syntactic construct in the source code to be tested; for example, an if statement generates an abstract syntax tree node containing a conditional expression and a then clause.
Further, in addition to the structural information of the source code to be tested, additional metadata may be added to the abstract syntax tree to capture more syntax, data, and control information. The metadata added to the nodes of the abstract syntax tree provides richer context, enhances the readability and maintainability of the code, and facilitates the subsequent analysis of call relationships.
By generating the abstract syntax tree, the syntax structure of the source code to be tested is represented as a tree, so that the complete syntax structure information can be analyzed and retained without the source code itself, making the analysis more accurate, and metadata from the source code can be inserted to improve readability. This helps to later recover the program dependency information between smart contracts and to locate vulnerabilities in the source code.
Step 103: obtain the control flow graph of the smart contract to be tested, and complete the call relationships of the control flow graph according to the abstract syntax tree to obtain a cross-contract control flow graph.
In some embodiments, a control flow graph may focus only on the call relationships between functions and lack support for the cross-contract call semantics found in complex contracts. To avoid this, a cross-contract control flow graph can be generated from the abstract syntax tree and the control flow graph, completing the call relationships between contracts and thereby enabling more comprehensive cross-contract vulnerability detection and verification.
The control flow graph is a graph structure representing the execution process of the smart contract; it shows control information such as the execution paths, branch conditions, and loop structures of the smart contract to be tested.
The cross-contract control flow graph is an extension of the control flow graph. It can be obtained by using the abstract syntax tree of the smart contract to complete the cross-contract call relationships of the control flow graph; it shows the call relationships between contracts and enables more comprehensive cross-contract vulnerability detection and verification.
Exemplarily, by analyzing the abstract syntax tree, the control flow graph within each smart contract can be constructed and the cross-contract call points identified. By identifying the cross-contract call points and connecting those with call relationships by edges, the cross-contract control flow graph is obtained. By capturing the semantic information of cross-contract calls, the cross-contract control flow graph provides the basis for analyses such as cross-contract vulnerability detection and global verification.
Further, the relevant source code information can be recovered from the abstract syntax tree, and metadata such as function names and variable names can be injected into the cross-contract control flow graph to refine it, so that the execution process of the smart contract is understood more precisely and the readability of the smart contract is improved.
By using the abstract syntax tree of the smart contract to be tested to complete the call relationships of the control flow graph, the semantic information of cross-contract calls can be captured and the call relationships between contracts shown, thereby enabling more comprehensive cross-contract vulnerability detection and verification.
In some embodiments, in order to accurately discover potential security risks, the first smart contract that has a call relationship with the smart contract to be tested can be determined, so as to identify potential problems such as data leakage, tampering, or inconsistency. For example, "completing the call relationships of the control flow graph according to the abstract syntax tree to obtain a cross-contract control flow graph" in step 103 may include:
(103.1) determining, based on the abstract syntax tree, a target node in the source code to be tested at which a cross-contract call exists, and marking the target node;
(103.2) determining, based on the marked target node, the first smart contract that the target node calls across contracts;
(103.3) obtaining a first control flow graph of the first smart contract, and connecting the target node by edges according to the first control flow graph and the control flow graph of the smart contract to be tested, so as to obtain the cross-contract control flow graph.
The target node may be a specific node in the cross-contract control flow graph at which a cross-contract call is executed. In the abstract syntax tree, the target node appears as a specific code element, such as a function call or a jump instruction; it is the key point of interaction between the smart contract and an external contract, and can be identified accurately with the help of the abstract syntax tree.
The first smart contract may be another smart contract that has cross-contract interaction with the smart contract to be tested.
Exemplarily, referring to FIG. 3, in the process of generating the cross-contract control flow graph, the target nodes that specifically involve cross-contract calls can be located through the abstract syntax tree. For example, if the smart contract to be tested is smart contract A, the cross-contract call node in smart contract A that calls the valueStore function can be identified by analyzing the abstract syntax tree, and that node is marked as the target node for further analysis and processing.
Further, based on the marked target node, the first smart contract called by the target node across contracts can be identified, and the first control flow graph of the first smart contract obtained, which yields control flow information such as the execution paths, branch conditions, and loop structures of the first smart contract.
Further, the target node can be treated as a control transfer: with the control flow graph of the smart contract to be tested at the center, the corresponding functions of the other smart contracts that have a call relationship with the target node are connected by edges through the target node, forming the cross-contract control flow graph.
Further, the relevant source code information can be recovered from the abstract syntax tree, and metadata such as function names and variable names injected into the cross-contract control flow graph, forming a more complete and more explanatory cross-contract control flow graph.
在一些实施方式中,跨合约控制流向图可以作为基础与其他分析技术相结合,实现更全面的跨合约漏洞检测和验证。示例性的,跨合约控制流向图可以和符号执行、模糊测试等分析技术相结合。In some implementations, the cross-contract control flow graph can be used as a basis to combine with other analysis techniques to achieve more comprehensive cross-contract vulnerability detection and verification. For example, the cross-contract control flow graph can be combined with analysis techniques such as symbolic execution and fuzz testing.
以符号执行为例,可以在跨合约控制流向图的入口点为所有输入变量分配符号值,并基于跨合约控制流向图的控制流,为每条控制路径生成对应的路径条件,使用符号值遍历跨合约控制流向图,评估各路径条件是否满足,以检测智能合约的漏洞。通过将符号执行与跨合约控制流向图结合,符号执行可以跟踪跨合约调用中的数据流和控制流转移,实现更精确的路径探索和漏洞检测。Taking symbolic execution as an example, symbolic values can be assigned to all input variables at the entry point of the cross-contract control flow graph, and corresponding path conditions can be generated for each control path based on the control flow of the cross-contract control flow graph. The cross-contract control flow graph is traversed using symbolic values to evaluate whether each path condition is satisfied in order to detect vulnerabilities in smart contracts. By combining symbolic execution with the cross-contract control flow graph, symbolic execution can track the data flow and control flow transfer in cross-contract calls, achieving more accurate path exploration and vulnerability detection.
通过以上方式,可以通过抽象语法树对控制流向图进行调用关系的补全,能够准确识别待测智能合约中的跨合约调用的目标节点,并确定与之存在调用关系的第一智能合约,以此,可以生成跨合约控制流向图,以便于后续进行进一步分析。Through the above method, the call relationship of the control flow graph can be completed through the abstract syntax tree, the target node of the cross-contract call in the smart contract to be tested can be accurately identified, and the first smart contract with which there is a call relationship can be determined. In this way, a cross-contract control flow graph can be generated for further analysis later.
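The edge connection of (103.3), as an added illustration that is not code from the application: the callee's control flow graph is spliced into the caller's at the target node, replacing the fall-through edge with a call edge into the callee entry and a return edge back to the caller. Contract names, node ids and the valueStore callee are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class CFG:
    """Control flow graph of one contract function. Node ids are prefixed
    with the contract name so that spliced graphs never collide. 'calls'
    maps a target node (a cross-contract call found in the AST) to the
    callee it invokes."""
    name: str
    entry: str
    exit: str
    succ: dict                                   # node -> list of successors
    calls: dict = field(default_factory=dict)    # node -> callee name


def link_cross_contract(caller, callees):
    """Edge set of the inter-contract CFG as (src, dst, kind) triples.
    At each target node the direct fall-through edge is replaced by a
    'call' edge into the callee's entry and a 'return' edge from the
    callee's exit back to the caller's successor."""
    edges = {(s, d, "flow") for s, ds in caller.succ.items() for d in ds}
    for node, target in caller.calls.items():
        callee = callees[target]
        # the callee's own internal edges become part of the graph
        edges |= {(s, d, "flow") for s, ds in callee.succ.items() for d in ds}
        edges.add((node, callee.entry, "call"))
        for nxt in caller.succ.get(node, []):
            edges.discard((node, nxt, "flow"))
            edges.add((callee.exit, nxt, "return"))
    return edges


def reachable(edges, start):
    """Nodes reachable from start over any edge kind."""
    seen, work = set(), [start]
    while work:
        n = work.pop()
        for s, d, _ in edges:
            if s == n and d not in seen:
                seen.add(d)
                work.append(d)
    return seen


def example_icfg():
    """Constructed graphs: contract A calls B.valueStore from node A.2."""
    a = CFG("A", "A.0", "A.3",
            {"A.0": ["A.1"], "A.1": ["A.2"], "A.2": ["A.3"]},
            calls={"A.2": "B.valueStore"})
    b = CFG("B.valueStore", "B.0", "B.2",
            {"B.0": ["B.1"], "B.1": ["B.2"]})
    return link_cross_contract(a, {"B.valueStore": b})
```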
Step 104: construct a global state dependency graph based on the dependency relationships between the statement nodes in the cross-contract control flow graph.
In some embodiments, in order to understand the execution flow of the smart contract under test more comprehensively and accurately, a global control flow analysis can be performed based on the control dependencies between statements in the cross-contract control flow graph, so as to detect cross-contract vulnerabilities and verify the logical integrity of the contract.
Here, a statement node is the basic unit of the cross-contract control flow graph. Each statement node corresponds to one executable basic operation in the contract code, such as an assignment, a conditional test, or the start or end of a loop, and the statement nodes reflect the key steps and control transfers in the execution flow of the smart contract under test.
The global state dependency graph (Inter-contract State Dependency Graph, I-SDG) is a graph structure that represents the dependency relationships between different statement nodes during execution of the smart contract. The dependency relationships include data dependencies and control dependencies: a data dependency means that the value of one variable depends on the value of another variable, while a control dependency means that the order of program execution depends on the execution result of certain statements.
It will be understood that the global state dependency graph is generated by analyzing the dependency relationships between the statement nodes of the smart contract's cross-contract control flow graph; from it, potential vulnerabilities in the contract, such as data inconsistencies and control flow errors, can be detected, and the contract logic can be verified comprehensively on the basis of those dependencies.
Referring to Figure 4, for example, each statement node (also called a basic block) in the cross-contract control flow graph is traversed, the control and data dependencies between statement nodes are analyzed, and these dependencies are recorded. The statement nodes of the cross-contract control flow graph and the results of the dependency analysis are then merged to construct the global state dependency graph. The nodes of the global state dependency graph are the statement nodes of the cross-contract control flow graph, and its edges are control dependencies or data dependencies.
Further, metadata such as the function names and variable names from the source code under test can be injected into the global state dependency graph to improve its readability.
By performing global control flow analysis based on the control dependencies between statement nodes in the cross-contract control flow graph, the execution flow of the smart contract under test can be understood more comprehensively and accurately. This not only detects cross-contract vulnerabilities but also verifies the logical integrity of the smart contract under test, so that the subsequent vulnerability taint analysis is efficient and accurate.
In some embodiments, the dependency relationships include data dependencies and control dependencies. Data dependencies help detect errors in data handling, such as uninitialized variables or improper data dependencies; control dependencies help detect control flow errors, such as unhandled exceptions or incorrect branch conditions. In order to understand and analyze the behavior of the smart contract more comprehensively, the dependency relationships of each statement node are analyzed so that the execution flow of the contract is represented clearly. For example, step 104 may include:
(104.1) Based on the cross-contract control flow graph, detect the data flow at each statement node to obtain a detection result;
(104.2) When the detection result indicates that a data dependency exists between any two statement nodes, mark the data dependency in the cross-contract control flow graph to obtain the global state dependency graph; or, when the detection result indicates that a control dependency exists between any two statement nodes, mark the control dependency in the cross-contract control flow graph to obtain the global state dependency graph.
Here, the detection result is the result of detecting dependency relationships in the cross-contract control flow graph. It reflects the relationships between the statement nodes of the smart contract code, in particular data dependencies and control dependencies.
In some embodiments, the detection result may also indicate that some statement nodes of the cross-contract control flow graph have data dependencies while others have control dependencies; the global state dependency graph is then obtained simply by connecting, at the corresponding positions, the statement nodes between which a data dependency or a control dependency exists.
For example, the cross-contract control flow graph (Inter-contract Control Flow Graph, I-CFG) is used as the basic framework: each statement node (basic block) is traversed, and it is determined whether the execution of a statement in one statement node depends on the execution result of a statement in another statement node; if so, a control dependency exists between the two statement nodes. At the same time, it is determined whether the value of a variable or data element in one statement node depends on the value of a variable or data element in another statement node; if so, a data dependency exists between the two statement nodes.
Specifically, data dependencies can be divided into true data dependencies, output data dependencies and anti data dependencies. A true data dependency occurs when the definition of one variable directly affects the use of another variable, for example B = A + 1, where the computation of B depends on the value of A. An output data dependency occurs when two statements write the same variable, for example A = 1 and A = 2, which both write variable A. An anti data dependency occurs when the definition of one variable affects the definition of another, for example A = B + 1 and B = 2: if B is assigned after A, the new value of B would affect the result of A.
Specifically, a control dependency occurs when whether one statement executes at all depends on the execution result of another statement. Control dependencies are generally associated with conditional statements (if, while, and so on). If the execution path of the statements in one statement node depends on the result of a condition in another statement node, a control dependency exists between the two statement nodes. For example:
if (condition) {
    statement1;
} else {
    statement2;
}
Here, whether statement1 or statement2 executes depends on the result of condition; therefore both statement1 and statement2 have a control dependency on the evaluation of condition.
For example, after the dependency relationships of all statement nodes in the whole cross-contract control flow graph have been determined, the statement nodes and detection results extracted from the cross-contract control flow graph can be merged to form the global state dependency graph, or the global state dependency graph can be formed on top of the original cross-contract control flow graph. In the global state dependency graph, each statement node represents a specific statement or operation, and each edge represents a control dependency or a data dependency between statements.
Further, metadata such as function names and variable names from the source code under test can be injected into the global state dependency graph to improve the readability and comprehensibility of the graph.
Once the cross-contract control flow graph has been constructed, the dependency relationships of its statement nodes can be analyzed further to build the global state dependency graph, which helps identify potential security issues and vulnerabilities. For example, if a function of a smart contract depends on data returned by an external call, and that external call may be controlled by an attacker, a potential security risk exists; identifying such dependencies supports more comprehensive and accurate vulnerability detection in the subsequent steps.
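Step 104 carried through on a small statement list, as an added example that is not code from the application: true, output and anti data dependencies are derived from each statement's def and use sets (a true dependency is dropped when an intermediate statement redefines the variable), control dependencies from the condition a statement is nested under, and both are merged into one dependency graph. The statement list combines the page's A/B examples with its if/else example; the Stmt fields and node ids are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Stmt:
    id: int
    text: str
    defs: frozenset = frozenset()   # variables written
    uses: frozenset = frozenset()   # variables read
    ctrl: Optional[int] = None      # id of the condition this statement is nested under


def data_dependencies(stmts):
    """(src, dst, kind) edges with kind in {true, output, anti}.
    Statements are taken in program order; a true dependency is dropped
    if a statement in between redefines the variable (the definition is killed)."""
    edges = set()
    for i, a in enumerate(stmts):
        for j in range(i + 1, len(stmts)):
            b = stmts[j]
            for v in a.defs & b.uses:           # def in a, use in b
                killed = any(v in s.defs for s in stmts[i + 1:j])
                if not killed:
                    edges.add((a.id, b.id, "true"))
            if a.defs & b.defs:                 # both write the same variable
                edges.add((a.id, b.id, "output"))
            if a.uses & b.defs:                 # a reads what b later overwrites
                edges.add((a.id, b.id, "anti"))
    return edges


def control_dependencies(stmts):
    """(condition, statement, "control") edges for nested statements."""
    return {(s.ctrl, s.id, "control") for s in stmts if s.ctrl is not None}


def build_sdg(stmts):
    """Merge the statement nodes with both dependency kinds into one graph."""
    return {"nodes": {s.id: s.text for s in stmts},
            "edges": data_dependencies(stmts) | control_dependencies(stmts)}


def example_statements():
    """Constructed statement list; ids stand for the statement nodes of the I-CFG."""
    return [
        Stmt(0, "A = 1", defs=frozenset({"A"})),
        Stmt(1, "B = A + 1", defs=frozenset({"B"}), uses=frozenset({"A"})),
        Stmt(2, "A = 2", defs=frozenset({"A"})),
        Stmt(3, "if (B > 0)", uses=frozenset({"B"})),
        Stmt(4, "C = A", defs=frozenset({"C"}), uses=frozenset({"A"}), ctrl=3),
        Stmt(5, "C = 0", defs=frozenset({"C"}), ctrl=3),
    ]
```

On this input the graph has eight edges; note that statement 4 depends on A = 2 and not on A = 1, because the second assignment kills the first definition.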
Step 105: perform vulnerability taint analysis on the smart contract under test based on the global state dependency graph to obtain a vulnerability detection result for the smart contract under test.
In some embodiments, because the global state dependency graph helps analyze the dependencies between cross-contract call addresses and input variables, as well as the data flow of cross-contract interactions, it enables compositional analysis of vulnerabilities. Therefore, in order to analyze in depth the complex relationships between the statement nodes of the smart contract under test and to improve the accuracy and comprehensiveness of vulnerability detection, vulnerability taint analysis can be performed on the smart contract under test based on the global state dependency graph, optimizing both the process and the efficiency of vulnerability detection.
Here, the vulnerability detection result is the information about the contract's potential security issues obtained during smart contract vulnerability detection; it may include the location, type and description of each vulnerability, among other things.
In some embodiments, the global state dependency graph is used to determine whether the statement nodes of the smart contract under test match a vulnerability pattern. Specifically, the statement sequence, variable assignments and so on of a statement node are analyzed to determine whether the conditions for exploiting a vulnerability are met; if they are, a vulnerability detection result stating that the smart contract under test has a vulnerability of the corresponding type is obtained.
For example, statement sequence analysis of a statement node may specifically check whether any further state-changing operation follows an external contract call (such as call or delegatecall). If code executes after the external call and that code can access or modify contract state, a reentrancy risk may exist.
Analyzing the dependencies between cross-contract call addresses and input variables through the global state dependency graph enables compositional analysis of the vulnerabilities of the smart contract under test, helps analyze in depth the complex relationships between its statement nodes, and improves the accuracy and comprehensiveness of vulnerability detection.
In some embodiments, in order to focus on the parts of the code most likely to contain vulnerabilities and avoid treating every dependency as a potential security issue, key code nodes can be extracted for analysis, narrowing the scope of analysis and making vulnerability detection more efficient. For example, step 105 may include:
(105.1) Determine, from the global state dependency graph, at least one vulnerability characteristic that the smart contract under test exhibits;
(105.2) Match each vulnerability characteristic to a corresponding taint analysis rule, and extract a plurality of key code nodes from the global state dependency graph based on the taint analysis rules;
(105.3) Perform vulnerability analysis based on the plurality of key code nodes to obtain the vulnerability detection result for the smart contract under test.
Here, a vulnerability characteristic is the way a particular type of security vulnerability manifests in the code. For example, the vulnerability characteristics of integer overflow may include unchecked arithmetic operations that can cause a variable to exceed its permitted range.
A taint analysis rule is a logical criterion that guides the analysis process. Taint analysis rules are designed from the vulnerability characteristics and are used to identify the locations in the code where vulnerabilities may exist. A rule usually defines the taint sources (Source), the taint propagation and the sanitizers that stop it (Sanitizer), and the taint sinks (Sink).
A key code node is a statement node used for vulnerability analysis. Key code nodes focus on the code most likely to contain vulnerabilities; analyzing only the key code nodes of the global state dependency graph reduces the analysis workload and makes the analysis more targeted.
For example, possible vulnerability starting points are determined in the global state dependency graph; these are the parts of the smart contract under test that interact with the outside, such as external function calls and functions that accept external input. Further, the data flow and control flow of the smart contract under test are analyzed through the global state dependency graph, and the graph is checked against known vulnerability patterns such as reentrancy, integer overflow and unchecked send; for example, a state-changing operation performed directly after an external call is searched for in order to confirm whether a reentrancy vulnerability exists.
Further, once a vulnerability pattern is confirmed, at least one vulnerability characteristic of the smart contract under test can be determined, such as an unsafe external call, missing input validation or incorrect error handling.
Referring to Figure 5, for example, matching the corresponding taint analysis rule to a vulnerability characteristic makes it possible to identify the key code nodes efficiently. For instance, in taint analysis for integer overflow, analysis of the global state dependency graph of the smart contract under test quickly locates the statements that perform addition and subtraction, and these operation points are taken as taint sources. Then, by backward program analysis, the use of variables is traced from the taint sources to the taint sinks, the semantic nodes involved in the relevant control and data dependencies are retained, and those semantic nodes are taken as the key code nodes.
Further, once the key code nodes are determined, their statement sequences, variable assignments and so on are analyzed to verify whether the conditions for exploiting the vulnerability are met. If they are, a vulnerability detection result stating that the smart contract under test has a vulnerability of the corresponding type is obtained, and the key statements related to the vulnerability are located effectively with the help of the taint analysis, which improves the targeting and accuracy of vulnerability detection; if none are met, a vulnerability detection result stating that the smart contract under test has no vulnerability of the corresponding type is obtained.
For example, the global state dependency graph of a smart contract under test may involve several vulnerability characteristics, say 2 or 3; it is only necessary to determine and analyze the key code nodes corresponding to each characteristic.
In this way, the entire global state dependency graph need not be analyzed: only the key code nodes corresponding to the vulnerability characteristics are determined and subjected to vulnerability taint detection, which cuts irrelevant path analysis and effectively mitigates problems such as path explosion in complex contracts.
In some embodiments, in order to determine the key code nodes precisely, so that the smart contract under test can subsequently be analyzed accurately on the basis of those key code nodes with fewer redundant analysis operations, the key code nodes can be extracted from the global state dependency graph according to different taint analysis rules. For example, (105.2) may include:
(105.2.1) Based on the taint analysis rule, determine from the global state dependency graph the taint sources and taint sinks corresponding to the vulnerability characteristic;
(105.2.2) Based on the taint sources and taint sinks, determine the propagation paths of the taint information in the global state dependency graph;
(105.2.3) Extract the corresponding plurality of key code nodes according to the propagation paths.
Here, a taint source may be user input, the return value of an external contract, or data sent by another contract. The taint source is the starting point of interest in the analysis, as it may introduce malicious or unexpected data.
A taint sink may be a call to an external contract, a change to contract state, or an input to key contract logic.
The propagation path of the taint information is the path along which data flows through the program from a taint source to a taint sink. It covers every transfer and processing step of the data, including variable assignments, function calls and returns.
For example, in taint analysis for integer overflow, analysis of the global state dependency graph of the smart contract under test quickly locates the statements that perform addition and subtraction, and these operation points are taken as taint sources. Then, by backward program analysis, the use of variables is traced from the taint sources to the taint sinks, the semantic nodes involved in the relevant control and data dependencies are retained, and those semantic nodes are taken as the key code nodes.
By precisely identifying and extracting the key code nodes in the global state dependency graph of the smart contract under test, the efficiency, comprehensiveness and accuracy of detecting potential security vulnerabilities are significantly improved.
In some embodiments, in order to identify security flaws in the smart contract under test that an attacker could exploit, so that the contract's developers or auditors can fix them in time and prevent potential data loss or abuse of contract functions, the key code nodes are analyzed to determine more precisely and quickly whether a dangerous vulnerability pattern exists in the contract under test. For example, (105.3) may include:
(105.3.1) Analyze the statement sequence and variable assignments of each key code node to obtain an analysis result;
(105.3.2) Obtain preset vulnerability conditions, and perform vulnerability detection on the analysis result of each key code node according to the preset vulnerability conditions to obtain the vulnerability detection result for the smart contract under test.
Here, the statement sequence is the lines of code executed in order within a key code node of the global state dependency graph of the smart contract under test. It includes variable declarations, assignments, conditional tests, loop structures and so on; analyzing the statement sequence helps understand the execution flow and logic of the code.
A variable assignment is an operation in the code that gives a variable a specific value. Tracking and analyzing variable assignments reveals the dependencies between variables across different code nodes and how they change during execution of the smart contract under test.
The analysis result is the conclusion drawn from analyzing the statement sequence and variable assignments. It may include the execution paths of the code, changes in variable state, possible abnormal conditions and so on, and it provides the basic data for vulnerability detection.
The preset vulnerability conditions are a set of predefined conditions derived from known security vulnerability patterns and attack techniques, used to detect whether a potential security flaw exists in the smart contract: for example, the reentrancy pattern, integer overflow, unchecked send, or incorrect permission management.
For example, suppose the statement sequence of a key code node of the smart contract under test is:
require(balances[msg.sender] >= amount, "Insufficient balance");
balances[msg.sender] -= amount;
balances[to] += amount;
and the variables assigned are:
balances[msg.sender], balances[to], amount
Analyzing the statement sequence and the variable assignments gives the statement sequence analysis result (check whether the require condition is satisfied) and the variable assignment analysis result (the values of the balances array are updated).
Further, if the preset vulnerability condition is whether balances[msg.sender] can take a negative value, vulnerability detection checks whether the require condition is sufficient to prevent the overflow and examines the update logic of balances[msg.sender] and balances[to]. If the preset vulnerability condition is found to match, the vulnerability and its location are recorded in the report as the vulnerability detection result.
In some embodiments, in addition to analyzing the statement sequences and variable assignments of the key code nodes, control flow analysis can be performed, for example analyzing the execution paths of the code, including conditional branches, loops and exception handling, as well as data flow analysis, for example discovering sensitive information transmitted without encryption or input that has not been properly validated.
In-depth analysis of the key code nodes of a smart contract, including detailed review of statement sequences and variable assignments, identifies and remedies potential security vulnerabilities more effectively, improves the precision and speed of vulnerability detection, preserves the security and functionality of the contract, prevents data loss and abuse of contract functions, and safeguards user data and the reliable operation of the contract.
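Steps (105.2.1) to (105.2.3) and (105.3.2) run over one constructed global state dependency graph, as an added example that is not code from the application: each rule names its sources, sinks and the edge kinds taint may follow; propagation paths are enumerated; the nodes on them become the key code nodes; and the preset conditions are evaluated only on those nodes. The graph models a withdraw-style function built from the page's require/balances statements with an external call placed before the writes; the node kinds, rule names and edge kinds (including "flow" edges kept from the underlying control flow graph) are assumptions.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Node:                   # statement node of the I-SDG; id doubles as program order
    id: int
    kind: str                 # "input" | "require" | "external_call" | "state_write"
    text: str
    defs: frozenset = frozenset()
    uses: frozenset = frozenset()
    op: str = ""              # "-=" / "+=" marks arithmetic state writes


@dataclass
class SDG:
    nodes: dict               # id -> Node
    edges: list               # (src, dst, kind); kind in {"data", "control", "flow"}

    def successors(self, nid, kinds):
        return [d for s, d, k in self.edges if s == nid and k in kinds]

    def guards(self, nid):    # require nodes that nid is control-dependent on
        return [self.nodes[s] for s, d, k in self.edges
                if d == nid and k == "control" and self.nodes[s].kind == "require"]


@dataclass
class Rule:                   # (105.2.1): source/sink predicates + edge kinds taint follows
    name: str
    is_source: Callable[[Node], bool]
    is_sink: Callable[[Node], bool]
    follow: frozenset


RULES = [
    # reentrancy: an external call followed, in control flow, by a state write
    Rule("reentrancy", lambda n: n.kind == "external_call",
         lambda n: n.kind == "state_write", frozenset({"flow"})),
    # unchecked arithmetic: external input reaching arithmetic on contract state
    Rule("unchecked_arith", lambda n: n.kind == "input",
         lambda n: n.kind == "state_write" and n.op != "", frozenset({"data", "control"})),
]


def propagation_paths(g, rule):
    """Simple paths source -> sink along the rule's edge kinds (105.2.2)."""
    paths = []
    for src in g.nodes.values():
        if not rule.is_source(src):
            continue
        stack = [[src.id]]
        while stack:
            path = stack.pop()
            last = g.nodes[path[-1]]
            if len(path) > 1 and rule.is_sink(last):
                paths.append(path)
                continue
            for nxt in g.successors(last.id, rule.follow):
                if nxt not in path:
                    stack.append(path + [nxt])
    return paths


def key_nodes(paths):
    """Key code nodes (105.2.3): every node lying on some propagation path."""
    return sorted({n for p in paths for n in p})


def check_conditions(g, rule, keys):
    """Preset vulnerability conditions (105.3.2) evaluated on key nodes only;
    returns (rule, node id, description) triples."""
    ks = [g.nodes[i] for i in keys]
    findings = []
    if rule.name == "reentrancy":
        calls = [n for n in ks if n.kind == "external_call"]
        for w in ks:
            if w.kind == "state_write" and any(c.id < w.id for c in calls):
                findings.append((rule.name, w.id, "state change after external call"))
    elif rule.name == "unchecked_arith":
        for w in ks:
            # guarded only if a require on its control path constrains every variable read
            if w.op and not any(w.uses <= r.uses for r in g.guards(w.id)):
                findings.append((rule.name, w.id, "arithmetic not covered by require"))
    return findings


def analyze(g, rules=RULES):
    findings = []
    for rule in rules:
        findings.extend(check_conditions(g, rule, key_nodes(propagation_paths(g, rule))))
    return findings


def example_graph():
    """Constructed I-SDG of a withdraw-style function (not from the page)."""
    S, A, T = "balances[msg.sender]", "amount", "balances[to]"
    nodes = [
        Node(1, "input", "amount (parameter)", defs=frozenset({A})),
        Node(2, "require", f"require({S} >= {A})", uses=frozenset({S, A})),
        Node(3, "external_call", f'msg.sender.call{{value: {A}}}("")', uses=frozenset({A})),
        Node(4, "state_write", f"{S} -= {A}", frozenset({S}), frozenset({S, A}), "-="),
        Node(5, "state_write", f"{T} += {A}", frozenset({T}), frozenset({T, A}), "+="),
    ]
    edges = [(1, 2, "data"), (1, 3, "data"), (1, 4, "data"), (1, 5, "data"),
             (2, 3, "control"), (2, 4, "control"), (2, 5, "control"),
             (2, 3, "flow"), (3, 4, "flow"), (4, 5, "flow")]
    return SDG({n.id: n for n in nodes}, edges)
```

On this graph the reentrancy rule narrows the analysis to nodes 3 and 4 and reports the write at node 4; the arithmetic rule keeps nodes 1, 2, 4 and 5, accepts the subtraction because the require constrains both balances[msg.sender] and amount, and reports the addition on balances[to], which no require covers.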
In some implementations, to improve the precision and completeness of the analysis, metadata can be injected into the cross-contract control flow graph so that it carries more complete information. For example, after the cross-contract control flow graph has been obtained, the following steps can also be performed:
(A.1) From the abstract syntax tree, determine the function name and the variable names of each statement node in the cross-contract control flow graph;
(A.2) Inject the function name and variable names into the cross-contract control flow graph to obtain an updated cross-contract control flow graph.
Here, function names and variable names are the identifiers used in program code to denote functions and variables together with their scope. Because the same bare name can occur in several contracts (for example a state variable declared in both a base contract and a contract that inherits from it), a node's variable name should be recorded together with the contract or scope it belongs to; otherwise dependencies between distinct variables that share a name are merged and the dependency graph becomes misleading.
Besides function names and variable names, other metadata can also be injected into the cross-contract control flow graph, such as data type information, call relationships, and sensitive functions or variables, so that the behaviour of the contract under test and of the other contracts it calls across contract boundaries can be analysed more completely, strengthening vulnerability detection and global verification.
In some implementations, metadata such as function names and variable names can be injected not only into the cross-contract control flow graph but also into the global state dependency graph, producing a global state dependency graph with more complete information and supporting faster and more accurate vulnerability detection.
Refer to FIG. 6; the overall embodiment of the present application is described below with reference to FIG. 6.
The application takes the source code of the smart contract under test as input and outputs detection results such as the location and type of each vulnerability. Specifically, the source code under test is compiled to obtain an abstract syntax tree. The control flow graph of the contract under test is then completed on the basis of the abstract syntax tree, yielding a cross-contract control flow graph that contains the cross-contract function calls as well as the intra-contract program relationships. Using the inheritance and dependency relationships between contracts, a global state dependency graph is generated from the cross-contract control flow graph, so that the subsequent analysis is more complete and accurate.
Further, taint analysis is performed on the global state dependency graph on the basis of vulnerability features. Specifically, the key code nodes related to a vulnerability are extracted from the global state dependency graph, which narrows the scope of analysis. Finally, the contract semantics are modelled by analysing the control flow and data flow relationships in the code, the analysis decides whether a vulnerability exploitation pattern is satisfied, and the related functions and their locations are reported. In short, the application makes full use of global state dependency analysis of the contract to prune paths, improving detection efficiency while keeping the analysis highly reliable.
In the embodiments of the present application, the source code of the smart contract under test is obtained; its syntactic structure is parsed to obtain the corresponding abstract syntax tree; the control flow graph of the contract under test is obtained and its call relationships are completed according to the abstract syntax tree, giving a cross-contract control flow graph; a global state dependency graph is built from the dependency relationships between the statement nodes of that graph; and vulnerability taint analysis is performed on the contract under test on the basis of the global state dependency graph to obtain the detection result. Completing the call relationships of the contract under test, that is, completing the cross-contract relationships, takes the interaction between multiple smart contracts into account, which allows a more complete and accurate analysis of the contract under test. Considering the dependency relationships between statement nodes allows the propagation of vulnerabilities and taint within the contract to be analysed, which further improves the completeness and accuracy of the detection.
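As an added illustration (example code, not the patent's own implementation) of the procedure just described and of the metadata injection in steps (A.1) and (A.2) above, the following Python builds the pipeline on a constructed three-contract example: statement nodes carrying the function name and the contract-qualified variable name taken from an AST-like structure, a cross-contract control flow graph whose call and return edges are completed from that structure, a global state dependency graph that maps each state variable to its guard reads and writes and is used to select the key nodes, and a taint-style path search for the reentrancy pattern named in the background (a balance guard, then an external call reached through another contract, then the balance write). The contract names Vault, SafeVault and Router, the function and variable names, and the five-kind statement IR are all assumptions made for the example; the `complete_calls` switch runs the same search with and without cross-contract completion.

```python
"""Added example, not code from the patent: a toy run of the described pipeline
from an AST-like statement list to a cross-contract control flow graph (CCFG),
a global state dependency graph (SDG), and a taint-style search for the
reentrancy pattern. All names and the statement IR are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Stmt:
    contract: str
    func: str
    idx: int
    kind: str                      # require/write on a state var, call (another contract), extcall (untrusted address)
    var: Optional[str] = None      # state variable for require/write
    target: Optional[str] = None   # "Contract.func" for kind == "call"

    @property
    def loc(self):
        return f"{self.contract}.{self.func}:{self.idx}"

    @property
    def qvar(self):                # state variables are scoped to their contract (assumed convention)
        return f"{self.contract}.{self.var}" if self.var else None


# Constructed "AST": contract -> function -> ordered (kind, var, target) statements.
# Vault.withdraw checks the balance, calls Router.forward (which makes the external
# call) and only then updates the balance; SafeVault updates before calling.
AST = {
    "Vault":     {"withdraw": [("require", "balances", None),
                               ("call", None, "Router.forward"),
                               ("write", "balances", None)]},
    "SafeVault": {"withdraw": [("require", "balances", None),
                               ("write", "balances", None),
                               ("call", None, "Router.forward")]},
    "Router":    {"forward":  [("extcall", None, None)]},
}


def build_nodes(ast):
    """Inject function and variable names from the AST into every statement node (steps A.1/A.2)."""
    return {s.loc: s for c, fs in ast.items() for f, ss in fs.items()
            for s in (Stmt(c, f, i, *t) for i, t in enumerate(ss))}


def next_loc(s, nodes):
    n = f"{s.contract}.{s.func}:{s.idx + 1}"
    return n if n in nodes else None


def build_ccfg(ast, nodes, complete_calls=True):
    """Intra-function edges plus, when completion is on, call/return edges into the callee
    contract. Without completion a cross-contract call is an opaque statement."""
    edges = {loc: [] for loc in nodes}
    for s in nodes.values():
        nxt = next_loc(s, nodes)
        if s.kind == "call" and complete_calls:
            tc, tf = s.target.split(".")
            edges[s.loc].append((f"{tc}.{tf}:0", "call"))
            if nxt:
                edges[f"{tc}.{tf}:{len(ast[tc][tf]) - 1}"].append((nxt, "ret"))
        elif nxt:
            edges[s.loc].append((nxt, "next"))
    return edges


def build_sdg(nodes):
    """Global state dependency graph: per qualified state variable, its guard reads and its writes."""
    sdg = {}
    for s in nodes.values():
        if s.qvar:
            sdg.setdefault(s.qvar, {"read": [], "write": []})
            sdg[s.qvar]["write" if s.kind == "write" else "read"].append(s.loc)
    return sdg


def key_nodes(sdg):
    """Path pruning: only variables that are both guarded on and written can host the pattern."""
    return [(v, r) for v, d in sdg.items() if d["write"] for r in d["read"]]


def find_reentrancy(ast, complete_calls=True):
    """Report guard(V) ->* external call ->* write(V) paths where V is written in the guarding function."""
    nodes = build_nodes(ast)
    edges = build_ccfg(ast, nodes, complete_calls)
    findings = []
    for qvar, guard in key_nodes(build_sdg(nodes)):
        g = nodes[guard]
        # DFS state: node, stack of return targets, first external call seen, path so far.
        work, seen = [(guard, (), None, ())], set()
        while work:
            loc, calls, ext, path = work.pop()
            if (loc, calls, ext) in seen:
                continue
            seen.add((loc, calls, ext))
            s, path = nodes[loc], path + (loc,)
            if s.kind == "extcall" and ext is None:
                ext = loc
            if ext and s.kind == "write" and s.qvar == qvar and (s.contract, s.func) == (g.contract, g.func):
                findings.append({"type": "reentrancy", "variable": qvar, "guard": guard,
                                 "external_call": ext, "write": loc, "path": path})
                continue
            for dst, ek in edges[loc]:
                if ek == "call":
                    work.append((dst, calls + (next_loc(s, nodes),), ext, path))
                elif ek == "ret":
                    if not calls or dst == calls[-1]:   # return only to the caller that made the call
                        work.append((dst, calls[:-1], ext, path))
                else:
                    work.append((dst, calls, ext, path))
    return findings


if __name__ == "__main__":
    for f in find_reentrancy(AST):
        print(f"{f['type']}: {f['variable']} guarded at {f['guard']}, external call at "
              f"{f['external_call']}, written at {f['write']}")
    print("without cross-contract completion:", find_reentrancy(AST, complete_calls=False))
```

Running it reports one finding for Vault.withdraw, because the external call only becomes visible once Router.forward has been linked into the control flow by the completion step, and none for SafeVault, whose write precedes the call. With `complete_calls=False` the same search reports nothing, which is the incompleteness the text attributes to purely intra-contract analysis. The search keeps an explicit call stack so that a return edge is followed only back to the caller that made the call; without it a callee shared by several contracts would return into the wrong caller and produce spurious paths.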
Referring to FIG. 7, an embodiment of the present application further provides a vulnerability detection device that can carry out the vulnerability detection method described above. The vulnerability detection device includes:
an acquisition module 71, for obtaining the source code of the smart contract under test;
a parsing module 72, for parsing the syntactic structure of the source code under test to obtain the corresponding abstract syntax tree;
a completion module 73, for obtaining the control flow graph of the smart contract under test and completing its call relationships according to the abstract syntax tree to obtain a cross-contract control flow graph;
a construction module 74, for building a global state dependency graph from the dependency relationships between the statement nodes of the cross-contract control flow graph;
an analysis module 75, for performing vulnerability taint analysis on the smart contract under test on the basis of the global state dependency graph to obtain the vulnerability detection result.
The specific implementation of the vulnerability detection device is essentially the same as that of the vulnerability detection method described above and is not repeated here. Provided that the requirements of the embodiments are met, the vulnerability detection device can also be given other functional modules to carry out the vulnerability detection method of the above embodiments.
An embodiment of the present application also provides a computer device comprising a memory and a processor; the memory stores a computer program, and the processor carries out the above vulnerability detection method when executing the program. The computer device can be any intelligent terminal, including a tablet computer or an in-vehicle computer.
Refer to FIG. 8, which shows the hardware structure of a computer device according to another embodiment. The computer device includes:
a processor 81, which may be implemented as a general-purpose CPU (Central Processing Unit), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, and which executes the relevant programs to implement the technical solutions provided in the embodiments of the present application;
a memory 82, which may be implemented as read-only memory (ROM), a static storage device, a dynamic storage device, or random access memory (RAM). The memory 82 may store an operating system and other application programs. When the technical solutions of the embodiments are implemented in software or firmware, the relevant program code is stored in the memory 82 and called by the processor 81 to execute the vulnerability detection method of the embodiments;
an input/output interface 83, for information input and output;
a communication interface 84, for communication between this device and other devices, over a wired connection (for example USB or a network cable) or a wireless one (for example a mobile network, Wi-Fi or Bluetooth);
a bus 85, which carries information between the components of the device (for example the processor 81, the memory 82, the input/output interface 83 and the communication interface 84);
where the processor 81, the memory 82, the input/output interface 83 and the communication interface 84 are communicatively connected to one another inside the device through the bus 85.
An embodiment of the present application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, carries out the above vulnerability detection method.
The memory, as a non-transitory computer-readable storage medium, can store non-transitory software programs and non-transitory computer-executable programs. The memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include memory located remotely from the processor and connected to it over a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The embodiments described here are intended to explain the technical solutions of the embodiments of the present application more clearly and do not limit those solutions. Those skilled in the art will appreciate that, as technology evolves and new application scenarios emerge, the technical solutions provided in the embodiments are equally applicable to similar technical problems.
Those skilled in the art will appreciate that the technical solutions shown in the figures do not limit the embodiments of the present application, which may include more or fewer steps than shown, combine certain steps, or use different steps.
The device embodiments described above are merely illustrative; units described as separate components may or may not be physically separate, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods disclosed above, and the functional modules or units of the systems and devices, may be implemented as software, firmware, hardware, or a suitable combination thereof.
The terms "first", "second", "third", "fourth" and so on (if any) in the specification of the present application and the above drawings are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so designated can be interchanged where appropriate, so that the embodiments described herein can be implemented in an order other than that illustrated or described. In addition, the terms "including" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to that process, method, product or device.
It should be understood that in the present application "at least one (item)" and "several" mean one or more, and "a plurality" means two or more. "And/or" describes the association between associated objects and indicates that three relationships may exist; for example, "A and/or B" can mean that only A exists, only B exists, or both A and B exist, where A and B can be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following" or similar expressions refers to any combination of the listed items, including any combination of single or plural items. For example, at least one of a, b or c can mean a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c can each be single or multiple.
In the several embodiments provided in the present application, it should be understood that the disclosed systems and methods can be implemented in other ways. For example, the system embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, for example multiple units or components can be combined or integrated into another system, or some features can be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, may exist physically separately, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, or the part of it that contributes over the prior art, or all or part of the technical solution, can be embodied as a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device, or similar) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store a program.
The preferred embodiments of the present application have been described above with reference to the accompanying drawings, but the scope of the rights of the present application is not limited to them. Any modification, equivalent substitution or improvement made by a person skilled in the art without departing from the scope and spirit of the embodiments falls within the scope of the rights of the present application.
| Application Number | Publication Number | Status | Priority Date | Filing Date | Publication Date | Title |
|---|---|---|---|---|---|---|
| CN202410867979.6A | CN118860406A | Pending | 2024-06-28 | 2024-06-28 | 2024-10-29 | Vulnerability detection method, device, computer equipment and readable storage medium |
Cited by:

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120145396A * | 2025-03-10 | 2025-06-13 | 烟台大学 | Smart contract vulnerability detection method and system based on large language model guidance |

Patent citations:

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11036614B1 * | 2020-08-12 | 2021-06-15 | Peking University | Data control-oriented smart contract static analysis method and system |
| CN113221125A * | 2021-05-31 | 2021-08-06 | 河海大学 | TreeGAN-based method and system for generating intelligent contract with vulnerability |
| CN115017515A * | 2022-06-01 | 2022-09-06 | 电子科技大学 | Cross-contract reentry attack detection method and system |
| CN116383832A * | 2023-04-26 | 2023-07-04 | 浙江工业大学 | A smart contract vulnerability detection method based on graph neural network |
| CN116610561A * | 2023-04-20 | 2023-08-18 | 中国人民解放军战略支援部队信息工程大学 | Smart contract cross-contract detection method and system based on abstract syntax tree |
| CN117389888A * | 2023-10-25 | 2024-01-12 | 广东启链科技有限公司 | Cross-contract vulnerability detection technology based on large language model |
| US20240020109A1 * | 2020-10-13 | 2024-01-18 | NEC Laboratories Europe GmbH | Method and system for supporting smart contracts in a blockchain network |

* Cited by examiner
Legal events:

| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |