跳到主要內容

簡易檢索 / 詳目顯示

研究生: 林韋廷
Lin, Wei-Ting
論文名稱: 動態監控區塊鏈系統
Runtime Hook on Blockchain Systems
指導教授: 郁方
Yu, Fang
蕭舜文
Hsiao, Shun-Wen
口試委員: 楊建民
Yang, Chien-Min
陳郁方
Chen, Yu-Fang
江介宏
Jiang, Jie-Hong
學位類別: 碩士
Master
系所名稱: 商學院 - 資訊管理學系
Department of Management Information System
論文出版年: 2020
畢業學年度: 108
語文別: 英文
論文頁數: 43
中文關鍵詞: 區塊鏈智能合約以太坊動態監控
外文關鍵詞: Blockchain, Ethereum, Smart contract, Runtime hook
DOI URL: http://doi.org/10.6814/NCCU202001239
相關次數: 點閱:265下載:1
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報
  • 在區塊鏈上使用硬叉機制來恢復攻擊造成的損失與區塊鏈系統的不變性相矛盾。為了防止惡意交易提前進入區塊鏈,我們提出了一種Runtime Hook技術,以同步和分析暴露在以太坊交易池中的正在進行的交易。全面了解過去和正在進行的交易,我們可以識別並強制中止惡意交易,並防止由於執行和記錄在區塊鏈中的攻擊而造成的損失。具體來說,我們修改以太坊源代碼以檢測節點的入口點,以同步從以太坊P2P網絡接收的數據,並系統地掃描交易中的可疑模式以識別潛在的攻擊。作為概念驗證,我們演示瞭如何在私有區塊鏈系統上部署建議的Runtime Hook系統,以便我們可以檢測和防止智能合約的51%攻擊中的雙花交易和重入攻擊。


    Using hard-fork mechanism on the blockchain to recover the losses caused by attacks contradicts the immutable characteristic of a blockchain system. To prevent malicious transactions from getting into blockchains in advance, we propose a runtime hook technique to synchronize and analyze the ongoing transactions exposed to the Ethereum transaction pool. Having a complete view of the past and the ongoing transactions, we can identify and enforce abortion of malicious transactions and prevent losses due to attacks being executed and recorded in the blockchain. Specifically, we modify the Ethereum source code to instrument the entry point of a node to synchronize data received from the Ethereum P2P network and systematically scan suspicious patterns in transactions to identify potential attacks. As a proof-of-the-concept, we show how to deploy the proposed runtime hook system on a private blockchain system, such that we can detect and prevent transactions of double spending on the 51% attack and reentrancy attack of smart contracts.

    1. Introduction 1
    2. Related Works 4
    2.1 Blockchain consensus 4
    2.2 Blockchain monitoring 5
    2.3 Smart contract monitor 6
    2.4 Blockchain attacks 6
    2.5 Case: Double spending 8
    2.6 Case: The DAO 9
    3 Research Method 11
    3.1 Ethereum: Transaction-based 11
    3.2 Entry point searching 16
    3.2.1 Sync procession 16
    3.2.2 Transaction pool 16
    3.2.3 EVM 18
    3.3 Data introduction 19
    3.3.1 Block 19
    3.3.2 Transaction 19
    3.3.3 Receipt 20
    3.4 Property Check 20
    3.4.1 Double spending 20
    3.4.2 Reentrancy 24
    4. Experiments and Discussion 27
    4.1 Experiments 27
    4.1.1 Double spending 27
    4.1.2 Reentrancy 32
    4.2 Discussion 35
    4.2.1 Overhead 35
    4.2.2 Consensus 38
    5. Conclusion 39
    References 39

    [1] S. Nakamoto et al., “Bitcoin: A peer-to-peer electronic cash system,” 2008.
    [2] M. Swan, Blockchain : blueprint for a new economy. Sebastopol, Calif.: O’Reilly Media, 2015.
    [3] “Fidelity investments - retirement plans, investing, brokerage, wealth management, finacial planning and advice, online trading..” https://www.fidelity.com/.
    [4] “Nyse: The new york stock exchange.” https://www.nyse.com/index.
    [5] “Intercontinental exchange.” https://www.intercontinentalexchange.com/index.
    [6] R. Zhang, R. Xue, and L. Liu, “Security and privacy on blockchain,” arXiv preprint arXiv:1903.07602, 2019.
    [7] “Zcash counterfeiting vulnerability successfully remediated.” https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/.
    [8] “Deep chain reorganization detected on ethereum classic (etc).” https://blog.coinbase.com/ethereum-classic-etc-is-currently-being-51-attacked-33be13ce32de.
    [9] “Pow 51% attack cost.” https://www.crypto51.app/.
    [10] “Fundamentals of proof of work.” https://blog.sia.tech/fundamentals-of-proof-of-work-beaa68093d2b.
    [11] “web3.js - ethereum javascript api.” https://web3js.readthedocs.io/en/1.0/.
    [12] “Json rpc.” https://github.com/ethereum/wiki/wiki/JSON-RPC.
    [13] A. Baliga, “Understanding blockchain consensus models,” in Persistent, 2017.
    [14] S. King and S. Nadal, “Ppcoin: Peer-to-peer crypto-currency with proof-of-stake,”
    [15] P. Vasin, “Blackcoins proof-of-stake protocol v2,”
    [16] “Introducing casper the friendly ghost.” https://blog.ethereum.org/2015/08/01/introducing-casper-friendly-ghost/, 2015.
    [17] G. Wood et al., “Ethereum: A secure decentralised generalised transaction ledger,”Ethereum project yellow paper, vol. 151, pp. 1–32, 2014.
    [18] “Dpos.” https://en.bitcoinwiki.org/wiki/DPoS.
    [19] “Bitshares.org - home for the bitshares blockchain.” https://bitshares.org/.
    [20] “Introduction sawtooth latest documentation - hyperledger sawtooth.”https://sawtooth.hyperledger.org/docs/core/nightly/0-8/introduction.html#proof-of-elapsed-time-poet.
    [21] M. Castro, B. Liskov, et al., “Practical byzantine fault tolerance,” in OSDI, vol. 99, pp. 173–186, 1999.
    [22] “Hyperledger open source blockchain technologies.” https://www.hyperledger.org/.
    [23] “Etherscan api.” https://etherscan.io/apis.
    [24] G. Ateniese, B. Magri, D. Venturi, and E. Andrade, “Redactable blockchain–or–rewriting history in bitcoin and friends,” in 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 111–126, IEEE, 2017.
    [25] D. Deuber, B. Magri, and S. A. K. Thyagarajan, “Redactable blockchain in the permissionless setting,” arXiv preprint arXiv:1901.03206, 2019.
    [26] I. Puddu, A. Dmitrienko, and S. Capkun, “µchain: How to forget without hard forks.,”
    [27] S. Anderson and B. Q. Nguyen, “Filtering and redacting blockchain transactions,” 2018. US Patent App. 15/348,581.
    [28] M. Florian, S. Beaucamp, S. A. Henningsen, and B. Scheuermann, “Erasing data from blockchain nodes,” CoRR, vol. abs/1904.08901, 2019.
    [29] S. Zhou, Z. Yang, J. Xiang, Y. Cao, M. Yang, and Y. Zhang, “An ever-evolving game: Evaluation of real-world attacks and defenses in ethereum ecosystem,”
    [30] P. Zheng, Z. Zheng, X. Luo, X. Chen, and X. Liu, “A detailed and real-time performance monitoring framework for blockchain systems,” in 2018 IEEE/ACM 40th International Conference on Software Engineering: Software Engineering in Practice Track (ICSE-SEIP), pp. 134–143, May 2018.
    [31] B. Jiang, Y. Liu, and W. Chan, “Contractfuzzer: Fuzzing smart contracts for vulnerability detection,” in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 259–269, ACM, 2018.
    [32] “Contract abi specification.” https://solidity.readthedocs.io/en/develop/abi-spec.html.
    [33] I. Nikoli´c, A. Kolluri, I. Sergey, P. Saxena, and A. Hobor, “Finding the greedy, prodigal, and suicidal contracts at scale,” in Proceedings of the 34th Annual Computer Security Applications Conference, pp. 653–663, ACM, 2018.
    [34] P. Tsankov, A. Dan, D. Drachsler-Cohen, A. Gervais, F. Buenzli, and M. Vechev, “Securify: Practical security analysis of smart contracts,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 67–82, ACM, 2018.
    [35] X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, “A survey on the security of blockchain systems,” Future Generation Computer Systems, 2017.
    [36] I.-C. Lin and T.-C. Liao, “A survey of blockchain security issues and challenges.,” IJ Network Security, vol. 19, no. 5, pp. 653–659, 2017.
    [37] I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining is vulnerable,” Commun. ACM, vol. 61, pp. 95–102, June 2018.
    [38] G. O. Karame, “Two bitcoins at the price of one? double-spending attacks on fast payments in bitcoin,” in In Proc. of Conference on Computer and Communication Security, 2012.
    [39] G. O. Karame, E. Androulaki, M. Roeschlin, A. Gervais, and S. Capkun, “Misbehav- ior in bitcoin: A study of double-spending and accountability,” ACM Transactions on Information and System Security (TISSEC), vol. 18, no. 1, p. 2, 2015.
    [40] H. Mayer, “Ecdsa security in bitcoin and ethereum: a research survey,” CoinFaabrik, 2016.
    [41] “Wannacry ransomware attack.” https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
    [42] N. Christin, “Traveling the silk road: A measurement analysis of a large anonymous online marketplace,” in Proceedings of the 22nd international conference on World Wide Web, pp. 213–224, ACM, 2013.
    [43] “Uk national risk assessment of money laundering and terrorist financing.”https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/468210/UK_NRA_October_2015_final_web.pdf.
    [44] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on ethereum smart contracts.,” IACR Cryptology ePrint Archive.
    [45] “The dao (organization).” https://en.wikipedia.org/wiki/The_DAO_(organization).
    [46] C. Pinz´on and C. Rocha, “Double-spend attack models with time advantange for bitcoin,” Electronic Notes in Theoretical Computer Science, vol. 329, pp. 79–103, 2016.
    [47] V. Buterin et al., “Ethereum white paper,” GitHub repository, pp. 22–23, 2013.

    QR CODE
    :::