摘要:区块链应用有去中心化、可追溯、不可篡改等优点，但现有的区块链系统难以满足在大数据量下数据的查 询、访问需求。针对以上问题，结合ETL 流程与区块链自身特点，提出一种区块链应用查询优化流程模型ETLVQ （Extract-Transform-Load-Validation-Query）。模型分为三个阶段：在第一阶段将区块链应用中异构数据源的数据进 行抽取、转换并加载到查询优化数据仓库中；在验证阶段对加载后数据进行一致性校验；在查询阶段对外提供查询 访问服务。该模型在保证区块链数据安全性的前提下，显著提升了区块链应用的查询访问效率与并发能力。

摘要:Blockchain systems (more precisely Distributed Ledger Technologies (DLTs)) represent a different digital ecosystem compared with traditional computer systems. One major difference are the performance and scalability factors which will be discussed and analytically investigated in this paper. In doing so, we provide guidance for defining a research agenda focusing on the investigation of the crucial role of scalability for blockchain systems. System performance – measured in terms of (1) consensus response time (blockchain network latency or time to convergence/agreement); (2) number of transactions per second or throughput, and (3) computing (and power) resources consumed – can be understood by considering the design dimensions of a blockchain system, namely: (i) the type of blockchain system needed from a requirements perspective which in turn determines; (ii) the complexity of the consensus protocol used; (iii) the topography of the traffic flow on the network; (iv) the performance and complexity of the domain-specific language that implements smart contracts; and (v) by the anticipated growth in size and complexity of the distributed ledger itself.

摘要:区块链技术作为分布式账本的关键技术之一，其在不依赖于任何第三方可信机构的前提下， 解决开放网络中的信任问题，去中心化的特点使其有着广泛的应用前景，但面临着可扩展性不足的瓶 颈．目前，区块链可扩展性的瓶颈主要体现在２个方面：性能效率低下、功能难以扩展．以比特币为例，从 性能上讲，当前仅支持７笔?秒的交易吞吐量，显然无法满足现今数字支付的场景，也无法承载在数字支 付领域外的其他应用．从功能上讲，当前不同区块链系统之间的资产或数据难以交互．在现实情况中， 不同的区块链系统承载着不同的业务和需求．为此，需要实现链与链之间的交互，才能打通不同区块链 之间的信息或价值通道，避免每一区块链成为信息或价值孤岛，并在此基础上实现价值互联网．区块链 可扩展性的研究已经引起了学术界及产业界越来越多的关注，将从区块链性能提升及功能扩展２个角 度出发，分别介绍区块链可扩展性领域的相关技术和研究进展，其中包括３类当前主流的、提升区块链 交易吞吐量的方案：链下支付网络、Ｂｉｔｃｏｉｎ－ＮＧ和分片机制；以及４类代表性的、实现区块链功能扩展 的跨链互通技术．分析对比不同方案的特性、适合场景及可能存在的不足之处，并在此基础上给出进一 步研究方向

摘要:近年来，区块链作为一门新兴技术得到了广泛关注。但是，区块链技术离真正的投入使用 还有相当长的一段路程需要走。目前，区块链无法投入生产的一个重要因素，是现存的区块链系统 的低吞吐率无法满足现实生产的需要。例如，理论上，比特币是7 TPS，以太坊是15 TPS，而传统 的中心化系统如VISA，支持上千的TPS。因此，分析限制区块链扩展性的主要因素，抽离出提高 吞吐率的模型，并且针对每个方面进行具体分析，为以后的研究奠定基础。

摘要:Blockchain is a new technology for data sharing between untrusted peers. However, it does not work well with massive transactions. Besides, there are high barriers between heterogeneous blockchain systems. In this paper, we proposed an innovative component-based framework for exchanging information across arbitrary blockchain system called interactive multiple blockchain architecture. In our architecture, a dynamic network of multi-chain is created for inter-blockchain communication. We propose the inter-blockchain connection model for routing management and messages transferring. Additionally, our proposed protocols provide transactions with atomicity and consistency in crossing-chain scene. In the end, our experiment results based on a network of private multiple blockchain systems show that the throughput is increased by a number of chains parallel running.

摘要:智能合约是区块链核心技术之一，其安全可靠性至关重要。随着区块链技术的应用推广，智能合约的数量呈现爆 发式增长，但智能合约的漏洞将给用户带来巨大损失。在分析以太坊智能合约运行机制和常见漏洞原理的基础上，利用符号 执行技术检测智能合约漏洞。首先以太坊字节码构建智能合约执行控制流图，再根据智能合约漏洞特点设计相应的约束条件， 利用约束求解器生成软件测试用例，检测常见的整型溢出，权限控制，Call 注入，重入攻击等智能合约漏洞。实验结果表明， 检测方案具有良好的检测效果，智能合约漏洞检测正确率达 85%

摘要:A smart contract is hard to patch for bugs once it is deployed, irrespective of the money it holds. A recent bug caused losses worth around $50 million of cryptocurrency. We present ZEUS—a framework to verify the correctness and validate the fairness of smart contracts. We consider correctness as adherence to safe programming practices, while fairness is adherence to agreed upon higher-level business logic. ZEUS leverages both abstract interpretation and symbolic model checking, along with the power of constrained horn clauses to quickly verify contracts for safety. We have built a prototype of ZEUS for Ethereum and Fabric blockchain platforms, and evaluated it with over 22.4K smart contracts. Our evaluation indicates that about 94.6% of contracts (containing cryptocurrency worth more than $0.5 billion) are vulnerable. ZEUS is sound with zero false negatives and has a low false positive rate, with an order of magnitude improvement in analysis time as compared to prior art.

摘要:Smart contracts are full-fledged programs that run on blockchains (e.g., Ethereum, one of the most popular blockchains). In Ethereum, gas (in Ether, a cryptographic curren- cy like Bitcoin) is the execution fee compensating the computing resources of miners for running smart contracts. However, we find that under-optimized smart contracts cost more gas than necessary, and therefore the creators or users will be overcharged. In this work, we conduct the first investigation on Solidity, the recommended compiler, and reveal that it fails to optimize gas- costly programming patterns. In particular, we identify 7 gas- costly patterns and group them to 2 categories. Then, we propose and develop GASPER, a new tool for automatically locating gas- costly patterns by analyzing smart contracts’ bytecodes. The preliminary results on discovering 3 representative patterns from 4,240 real smart contracts show that 93.5%, 90.1% and 80% contracts suffer from these 3 patterns, respectively.

摘要:Finding and exploiting vulnerabilities in binary code is a challenging task. The lack of high-level, semantically rich information about data structures and control constructs makes the analysis of program properties harder to scale. However, the importance of binary analysis is on the rise. In many situations binary analysis is the only possible way to prove (or disprove) properties about the code that is actually executed. In this paper, we present a binary analysis framework that implements a number of analysis techniques that have been proposed in the past. We present a systematized implementation of these techniques, which allows other researchers to compose them and develop new approaches. In addition, the implementation of these techniques in a unifying framework allows for the direct comparison of these approaches and the identification of their advantages and disadvantages. The evaluation included in this paper is performed using a recent dataset created by DARPA for evaluating the effectiveness of binary vulnerability analysis techniques. Our framework has been open-sourced and is available to the security community.

摘要:Solidity is a language used for smart contracts on the Ethereum blockchain. Smart contracts are embedded procedures stored with the data they act upon. Debugging smart contracts is a really difficult task since once deployed, the code cannot be re- executed and inspecting a simple attribute is not easily possible because data is encoded. In this paper, we address the lack of inspectability of a deployed contract by analyzing contract state using decompilation techniques driven by the contract structure definition. Our solution, SmartInspect, also uses a mirror-based architecture to represent locally object responsible for the in- terpretation of the contract state. SmartInspect allows contract developers to better visualize and understand the contract stored state without needing to redeploy, nor develop any ad-hoc code.

摘要:Permissionless blockchains allow the execution of arbitrary pro- grams (called smart contracts), enabling mutually untrusted entities to interact without relying on trusted third parties. Despite their potential, repeated security concerns have shaken the trust in han- dling billions of USD by smart contracts. To address this problem, we present Securify, a security ana- lyzer for Ethereum smart contracts that is scalable, fully automated, and able to prove contract behaviors as safe/unsafe with respect to a given property. Securify’s analysis consists of two steps. First, it symbolically analyzes the contract’s dependency graph to extract precise semantic information from the code. Then, it checks com- pliance and violation patterns that capture sufficient conditions for proving if a property holds or not. To enable extensibility, all patterns are specified in a designated domain-specific language. Securify is publicly released, it has analyzed > 18K contracts submitted by its users, and is regularly used to conduct security audits by experts. We present an extensive evaluation of Securify over real-world Ethereum smart contracts and demonstrate that it can effectively prove the correctness of smart contracts and discover critical violations.

摘要:Ethereum smart contracts are an innovation built on top of the blockchain technology, which provides a platform for automatically executing contracts in an anonymous, distributed, and trusted way. The problem is magnified by the fact that smart contracts, unlike ordinary programs, cannot be patched easily once deployed. It is important for smart contracts to be checked against potential vulnerabilities. In this work, we propose an alternative approach to automatically identify critical program paths (with multiple function calls including inter-contract function calls) in a smart contract, rank the paths according to their criticalness, discard them if they are infeasible or otherwise present them with user friendly warnings for user inspection. We identify paths which involve monetary transaction as critical paths, and prioritize those which potentially violate important properties. For scalability, symbolic execution techniques are only applied to top ranked critical paths. Our approach has been implemented in a tool called sCompile, which has been applied to 36,099 smart contracts. The experiment results show that sCompile is efficient, i.e., 5 seconds on average for one smart contract. Furthermore, we show that many known vulnerabilities can be captured if user inspects as few as 10 program paths generated by sCompile. Lastly, sCompile discovered 224 unknown vulnerabilities with a false positive rate of 15.4% before user inspection.

摘要:Ethereum is gaining a significant popularity in the blockchain com- munity, mainly due to fact that it is design in a way that enables devel- opers to write decentralized applications (Dapps) and smart-contract using blockchain technology. This new paradigm of applications opens the door to many possibilities and opportunities. Blockchain is often referred as secure by design, but now that blockchains can embed ap- plications this raise multiple questions regarding architecture, design, attack vectors and patch deployments. In this paper I will discuss the architecture of the core component of Ethereum (Ethereum Virtual Machine), its vulnerabilities as well as my open-source tool “Poros- ity”. A decompiler for EVM bytecode that generates readable Solid- ity syntax contracts. Enabling static and dynamic analysis of such compiled contracts.

摘要:Researchers have proposed many optimizations to improve the effi- ciency of fuzzing, and most optimized strategies work very well on their targets when running in single mode with instantiating one fuzzer instance. However, in real industrial practice, most fuzzers run in parallel mode with instantiating multiple fuzzer instances, and those optimizations unfortunately fail to maintain the effi- ciency improvements. In this paper, we present PAFL, a framework that utilizes ef- ficient guiding information synchronization and task division to extend those existing fuzzing optimizations of single mode to in- dustrial parallel mode. With an additional data structure to store the guiding information, the synchronization ensures the informa- tion is shared and updated among different fuzzer instances timely. Then, the task division promotes the diversity of fuzzer instances by splitting the fuzzing task into several sub-tasks based on branch bitmap. We first evaluate PAFL using 12 different real-world pro- grams from Google fuzzer-test-suite. Results show that in parallel mode, two AFL improvers–AFLFast and FairFuzz do not outperform AFL, which is different from the case in single mode. However, when augmented with PAFL, the performance of AFLFast and FairFuzz in parallel mode improves. They cover 8% and 17% more branches, trigger 79% and 52% more unique crashes. For further evaluation on more widely-used software systems from GitHub, optimized fuzzers augmented with PAFL find more real bugs, and 25 of which are security-critical vulnerabilities registered as CVEs in the US National Vulnerability Database.

摘要:Blockchain-driven technologies are considered disruptive because of the availability of dis-intermediated, censorship-resistant and tamper-proof digital platforms of distributed trust. Among these technologies, smart contract platforms have the potential to take over functions usually done by intermediaries like banks, escrow or legal services. In this paper, we introduce a novel protocol aiming to execute smart contracts as part of a blockchain transaction valida- tion. We enable extensions in the execution of smart contracts while guaranteeing their privacy, correctness and verifiability. Man-in- the-middle attacks are prevented, since no communication between participants is requested, and contract validations do not imply the re-execution of the code by all the nodes in the network. However, proofs of correct execution are stored on the blockchain and can be verified by multiple parties. Our solution is based on programming tools which optimize the time execution and the required memory while preserving the embedded functionality.