{"title":"WASMOD:检测Wasm智能合约中的漏洞","authors":"Jianfei Zhou, Ting Chen","doi":"10.1049/blc2.12029","DOIUrl":null,"url":null,"abstract":"<p>Over the past few years, blockchain platforms supporting WebAssembly (Wasm) smart contracts are gaining popularity. However, Wasm smart contracts are often compiled from memory-unsafe languages (e.g. C and C++). And there is a lack of effective defense against integer overflow and stack overflow at the compiler and virtual machine (VM) layers, making Wasm smart contracts even more exploitable than native C and C++ programs. In this paper, the authors propose wasm overflow detector <b>(WASMOD)</b> to address the integer overflow and stack overflow vulnerabilities. The authors’ approach combines bytecode instrumentation, run-time validation, and grey-box fuzzing to detect these vulnerabilities. The authors applied their approach to the popular EOSIO blockchain and evaluated it on 4616 deployed Wasm smart contracts. The authors’ approach detected 13 real-world vulnerable smart contracts.</p>","PeriodicalId":100650,"journal":{"name":"IET Blockchain","volume":"3 4","pages":"172-181"},"PeriodicalIF":0.0000,"publicationDate":"2023-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ietresearch.onlinelibrary.wiley.com/doi/epdf/10.1049/blc2.12029","citationCount":"1","resultStr":"{\"title\":\"WASMOD: Detecting vulnerabilities in Wasm smart contracts\",\"authors\":\"Jianfei Zhou, Ting Chen\",\"doi\":\"10.1049/blc2.12029\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<p>Over the past few years, blockchain platforms supporting WebAssembly (Wasm) smart contracts are gaining popularity. However, Wasm smart contracts are often compiled from memory-unsafe languages (e.g. C and C++). 
And there is a lack of effective defense against integer overflow and stack overflow at the compiler and virtual machine (VM) layers, making Wasm smart contracts even more exploitable than native C and C++ programs. In this paper, the authors propose wasm overflow detector <b>(WASMOD)</b> to address the integer overflow and stack overflow vulnerabilities. The authors’ approach combines bytecode instrumentation, run-time validation, and grey-box fuzzing to detect these vulnerabilities. The authors applied their approach to the popular EOSIO blockchain and evaluated it on 4616 deployed Wasm smart contracts. The authors’ approach detected 13 real-world vulnerable smart contracts.</p>\",\"PeriodicalId\":100650,\"journal\":{\"name\":\"IET Blockchain\",\"volume\":\"3 4\",\"pages\":\"172-181\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-05-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://ietresearch.onlinelibrary.wiley.com/doi/epdf/10.1049/blc2.12029\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IET Blockchain\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://onlinelibrary.wiley.com/doi/10.1049/blc2.12029\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IET Blockchain","FirstCategoryId":"1085","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1049/blc2.12029","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
WASMOD: Detecting vulnerabilities in Wasm smart contracts
Over the past few years, blockchain platforms supporting WebAssembly (Wasm) smart contracts have been gaining popularity. However, Wasm smart contracts are often compiled from memory-unsafe languages (e.g. C and C++), and there is a lack of effective defense against integer overflow and stack overflow at the compiler and virtual machine (VM) layers, making Wasm smart contracts even more exploitable than native C and C++ programs. In this paper, the authors propose the Wasm overflow detector (WASMOD) to address integer overflow and stack overflow vulnerabilities. The authors’ approach combines bytecode instrumentation, run-time validation, and grey-box fuzzing to detect these vulnerabilities. The authors applied their approach to the popular EOSIO blockchain and evaluated it on 4616 deployed Wasm smart contracts. The authors’ approach detected 13 real-world vulnerable smart contracts.