Title

Predicting Smart Contract Vulnerabilities by Explainable Machine Learning Approach

DOI

10.6919/ICJE.202205_8(5).0078

Authors

Jianing Liu; Cuifeng Gao

Keywords

Smart Contract; Vulnerability Prediction; Machine Learning

Journal

International Core Journal of Engineering

Volume/Issue (Publication Date)

Vol. 8, No. 5 (2022/05/01)

Pages

606–624

Language

English

Abstract

Smart contracts are transaction programs that run automatically on a blockchain platform, with Turing-completeness and immutability. The practice of smart contracts has brought great convenience to modern transactions and computing. However, their security problems have attracted the attention of researchers because of the enormous financial losses caused by vulnerabilities in smart contracts. Existing tools increase the probability of discovering a common set of vulnerabilities using various static and dynamic methods, but they may rely on manually defined rules, and therefore possess weak robustness because those rules are biased. In this work, we propose a vulnerability prediction approach based on machine learning, called SmartPredictor, which predicts five different types of vulnerabilities in smart contracts with explainable machine learning models. By learning the characteristics of vulnerable contracts from features extracted from source code and opcodes, SmartPredictor can effectively identify vulnerable functions with a well-trained XGBoost classifier instead of predefined rules. We compare SmartPredictor with three state-of-the-art tools on a dataset composed of 100 smart contract files. The evaluation results show that SmartPredictor performs better than the three baseline methods in terms of effectiveness in predicting smart contract vulnerabilities. Furthermore, our approach is shown to outperform existing vulnerability prediction methods based on machine learning, improving accuracy and F1-measure by an average of 11.05% and 8.09% respectively, and reducing prediction time by 63.64% on average.

Subject Classification

Engineering > General Engineering