學術產出-學位論文

文章檢視/開啟

書目匯出

Google ScholarTM

政大圖書館

引文資訊

TAIR相關學術產出

題名 動態監控區塊鏈系統
Runtime Hook on Blockchain Systems
作者 林韋廷
Lin, Wei-Ting
貢獻者 郁方<br>蕭舜文
Yu, Fang<br>Hsiao, Shun-Wen
林韋廷
Lin, Wei-Ting
關鍵詞 區塊鏈
智能合約
以太坊
動態監控
Blockchain
Ethereum
Smart contract
Runtime hook
日期 2020
上傳時間 2-九月-2020 11:44:45 (UTC+8)
摘要 在區塊鏈上使用硬叉機制來恢復攻擊造成的損失與區塊鏈系統的不變性相矛盾。為了防止惡意交易提前進入區塊鏈,我們提出了一種Runtime Hook技術,以同步和分析暴露在以太坊交易池中的正在進行的交易。全面了解過去和正在進行的交易,我們可以識別並強制中止惡意交易,並防止由於執行和記錄在區塊鏈中的攻擊而造成的損失。具體來說,我們修改以太坊源代碼以檢測節點的入口點,以同步從以太坊P2P網絡接收的數據,並系統地掃描交易中的可疑模式以識別潛在的攻擊。作為概念驗證,我們演示瞭如何在私有區塊鏈系統上部署建議的Runtime Hook系統,以便我們可以檢測和防止智能合約的51%攻擊中的雙花交易和重入攻擊。
Using hard-fork mechanism on the blockchain to recover the losses caused by attacks contradicts the immutable characteristic of a blockchain system. To prevent malicious transactions from getting into blockchains in advance, we propose a runtime hook technique to synchronize and analyze the ongoing transactions exposed to the Ethereum transaction pool. Having a complete view of the past and the ongoing transactions, we can identify and enforce abortion of malicious transactions and prevent losses due to attacks being executed and recorded in the blockchain. Specifically, we modify the Ethereum source code to instrument the entry point of a node to synchronize data received from the Ethereum P2P network and systematically scan suspicious patterns in transactions to identify potential attacks. As a proof-of-the-concept, we show how to deploy the proposed runtime hook system on a private blockchain system, such that we can detect and prevent transactions of double spending on the 51% attack and reentrancy attack of smart contracts.
參考文獻 [1] S. Nakamoto et al., “Bitcoin: A peer-to-peer electronic cash system,” 2008.
[2] M. Swan, Blockchain : blueprint for a new economy. Sebastopol, Calif.: O’Reilly Media, 2015.
[3] “Fidelity investments - retirement plans, investing, brokerage, wealth management, finacial planning and advice, online trading..” https://www.fidelity.com/.
[4] “Nyse: The new york stock exchange.” https://www.nyse.com/index.
[5] “Intercontinental exchange.” https://www.intercontinentalexchange.com/index.
[6] R. Zhang, R. Xue, and L. Liu, “Security and privacy on blockchain,” arXiv preprint arXiv:1903.07602, 2019.
[7] “Zcash counterfeiting vulnerability successfully remediated.” https://z.cash/
blog/zcash-counterfeiting-vulnerability-successfully-remediated/.
[8] “Deep chain reorganization detected on ethereum classic (etc).” https://blog.
coinbase.com/ethereum-classic-etc-is-currently-being-51-attacked-33be13ce32de.
[9] “Pow 51% attack cost.” https://www.crypto51.app/.
[10] “Fundamentals of proof of work.” https://blog.sia.tech/
fundamentals-of-proof-of-work-beaa68093d2b.
[11] “web3.js - ethereum javascript api.” https://web3js.readthedocs.io/en/1.0/.
[12] “Json rpc.” https://github.com/ethereum/wiki/wiki/JSON-RPC.
[13] A. Baliga, “Understanding blockchain consensus models,” in Persistent, 2017.
[14] S. King and S. Nadal, “Ppcoin: Peer-to-peer crypto-currency with proof-of-stake,”
[15] P. Vasin, “Blackcoins proof-of-stake protocol v2,”
[16] “Introducing casper the friendly ghost.” https://blog.ethereum.org/2015/08/
01/introducing-casper-friendly-ghost/, 2015.
[17] G. Wood et al., “Ethereum: A secure decentralised generalised transaction ledger,”
Ethereum project yellow paper, vol. 151, pp. 1–32, 2014.
[18] “Dpos.” https://en.bitcoinwiki.org/wiki/DPoS.
[19] “Bitshares.org - home for the bitshares blockchain.” https://bitshares.org/.
[20] “Introduction sawtooth latest documentation - hyperledger sawtooth.”
https://sawtooth.hyperledger.org/docs/core/nightly/0-8/introduction.html#proof-of-elapsed-time-poet.
[21] M. Castro, B. Liskov, et al., “Practical byzantine fault tolerance,” in OSDI, vol. 99, pp. 173–186, 1999.
[22] “Hyperledger open source blockchain technologies.” https://www.hyperledger.org/.
[23] “Etherscan api.” https://etherscan.io/apis.
[24] G. Ateniese, B. Magri, D. Venturi, and E. Andrade, “Redactable blockchain–or–
rewriting history in bitcoin and friends,” in 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 111–126, IEEE, 2017.
[25] D. Deuber, B. Magri, and S. A. K. Thyagarajan, “Redactable blockchain in the
permissionless setting,” arXiv preprint arXiv:1901.03206, 2019.
[26] I. Puddu, A. Dmitrienko, and S. Capkun, “µchain: How to forget without hard forks.,”
[27] S. Anderson and B. Q. Nguyen, “Filtering and redacting blockchain transactions,” 2018. US Patent App. 15/348,581.
[28] M. Florian, S. Beaucamp, S. A. Henningsen, and B. Scheuermann, “Erasing data from blockchain nodes,” CoRR, vol. abs/1904.08901, 2019.
[29] S. Zhou, Z. Yang, J. Xiang, Y. Cao, M. Yang, and Y. Zhang, “An ever-evolving game: Evaluation of real-world attacks and defenses in ethereum ecosystem,”
[30] P. Zheng, Z. Zheng, X. Luo, X. Chen, and X. Liu, “A detailed and real-time performance monitoring framework for blockchain systems,” in 2018 IEEE/ACM 40th
International Conference on Software Engineering: Software Engineering in Practice Track (ICSE-SEIP), pp. 134–143, May 2018.
[31] B. Jiang, Y. Liu, and W. Chan, “Contractfuzzer: Fuzzing smart contracts for vulnerability detection,” in Proceedings of the 33rd ACM/IEEE International Conference
on Automated Software Engineering, pp. 259–269, ACM, 2018.
[32] “Contract abi specification.” https://solidity.readthedocs.io/en/develop/abi-spec.html.
[33] I. Nikoli´c, A. Kolluri, I. Sergey, P. Saxena, and A. Hobor, “Finding the greedy, prodigal, and suicidal contracts at scale,” in Proceedings of the 34th Annual Computer Security Applications Conference, pp. 653–663, ACM, 2018.
[34] P. Tsankov, A. Dan, D. Drachsler-Cohen, A. Gervais, F. Buenzli, and M. Vechev, “Securify: Practical security analysis of smart contracts,” in Proceedings of the 2018
ACM SIGSAC Conference on Computer and Communications Security, pp. 67–82, ACM, 2018.
[35] X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, “A survey on the security of blockchain systems,” Future Generation Computer Systems, 2017.
[36] I.-C. Lin and T.-C. Liao, “A survey of blockchain security issues and challenges.,” IJ Network Security, vol. 19, no. 5, pp. 653–659, 2017.
[37] I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining is vulnerable,” Commun. ACM, vol. 61, pp. 95–102, June 2018.
[38] G. O. Karame, “Two bitcoins at the price of one? double-spending attacks on fast payments in bitcoin,” in In Proc. of Conference on Computer and Communication Security, 2012.
[39] G. O. Karame, E. Androulaki, M. Roeschlin, A. Gervais, and S. Capkun, “Misbehav- ior in bitcoin: A study of double-spending and accountability,” ACM Transactions on Information and System Security (TISSEC), vol. 18, no. 1, p. 2, 2015.
[40] H. Mayer, “Ecdsa security in bitcoin and ethereum: a research survey,” CoinFaabrik, 2016.
[41] “Wannacry ransomware attack.” https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
[42] N. Christin, “Traveling the silk road: A measurement analysis of a large anonymous online marketplace,” in Proceedings of the 22nd international conference on World
Wide Web, pp. 213–224, ACM, 2013.
[43] “Uk national risk assessment of money laundering and terrorist financing.”
https://assets.publishing.service.gov.uk/government/uploads/system/
uploads/attachment_data/file/468210/UK_NRA_October_2015_final_web.pdf.
[44] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on ethereum smart contracts.,” IACR Cryptology ePrint Archive.
[45] “The dao (organization).” https://en.wikipedia.org/wiki/The_DAO_(organization).
[46] C. Pinz´on and C. Rocha, “Double-spend attack models with time advantange for bitcoin,” Electronic Notes in Theoretical Computer Science, vol. 329, pp. 79–103,
2016.
[47] V. Buterin et al., “Ethereum white paper,” GitHub repository, pp. 22–23, 2013.
描述 碩士
國立政治大學
資訊管理學系
106356001
資料來源 http://thesis.lib.nccu.edu.tw/record/#G0106356001
資料類型 thesis
dc.contributor.advisor 郁方<br>蕭舜文zh_TW
dc.contributor.advisor Yu, Fang<br>Hsiao, Shun-Wenen_US
dc.contributor.author (作者) 林韋廷zh_TW
dc.contributor.author (作者) Lin, Wei-Tingen_US
dc.creator (作者) 林韋廷zh_TW
dc.creator (作者) Lin, Wei-Tingen_US
dc.date (日期) 2020en_US
dc.date.accessioned 2-九月-2020 11:44:45 (UTC+8)-
dc.date.available 2-九月-2020 11:44:45 (UTC+8)-
dc.date.issued (上傳時間) 2-九月-2020 11:44:45 (UTC+8)-
dc.identifier (其他 識別碼) G0106356001en_US
dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/131486-
dc.description (描述) 碩士zh_TW
dc.description (描述) 國立政治大學zh_TW
dc.description (描述) 資訊管理學系zh_TW
dc.description (描述) 106356001zh_TW
dc.description.abstract (摘要) 在區塊鏈上使用硬叉機制來恢復攻擊造成的損失與區塊鏈系統的不變性相矛盾。為了防止惡意交易提前進入區塊鏈,我們提出了一種Runtime Hook技術,以同步和分析暴露在以太坊交易池中的正在進行的交易。全面了解過去和正在進行的交易,我們可以識別並強制中止惡意交易,並防止由於執行和記錄在區塊鏈中的攻擊而造成的損失。具體來說,我們修改以太坊源代碼以檢測節點的入口點,以同步從以太坊P2P網絡接收的數據,並系統地掃描交易中的可疑模式以識別潛在的攻擊。作為概念驗證,我們演示瞭如何在私有區塊鏈系統上部署建議的Runtime Hook系統,以便我們可以檢測和防止智能合約的51%攻擊中的雙花交易和重入攻擊。zh_TW
dc.description.abstract (摘要) Using hard-fork mechanism on the blockchain to recover the losses caused by attacks contradicts the immutable characteristic of a blockchain system. To prevent malicious transactions from getting into blockchains in advance, we propose a runtime hook technique to synchronize and analyze the ongoing transactions exposed to the Ethereum transaction pool. Having a complete view of the past and the ongoing transactions, we can identify and enforce abortion of malicious transactions and prevent losses due to attacks being executed and recorded in the blockchain. Specifically, we modify the Ethereum source code to instrument the entry point of a node to synchronize data received from the Ethereum P2P network and systematically scan suspicious patterns in transactions to identify potential attacks. As a proof-of-the-concept, we show how to deploy the proposed runtime hook system on a private blockchain system, such that we can detect and prevent transactions of double spending on the 51% attack and reentrancy attack of smart contracts.en_US
dc.description.tableofcontents 1. Introduction 1
2. Related Works 4
2.1 Blockchain consensus 4
2.2 Blockchain monitoring 5
2.3 Smart contract monitor 6
2.4 Blockchain attacks 6
2.5 Case: Double spending 8
2.6 Case: The DAO 9
3 Research Method 11
3.1 Ethereum: Transaction-based 11
3.2 Entry point searching 16
3.2.1 Sync procession 16
3.2.2 Transaction pool 16
3.2.3 EVM 18
3.3 Data introduction 19
3.3.1 Block 19
3.3.2 Transaction 19
3.3.3 Receipt 20
3.4 Property Check 20
3.4.1 Double spending 20
3.4.2 Reentrancy 24
4. Experiments and Discussion 27
4.1 Experiments 27
4.1.1 Double spending 27
4.1.2 Reentrancy 32
4.2 Discussion 35
4.2.1 Overhead 35
4.2.2 Consensus 38
5. Conclusion 39
References 39
zh_TW
dc.format.extent 1182893 bytes-
dc.format.mimetype application/pdf-
dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0106356001en_US
dc.subject (關鍵詞) 區塊鏈zh_TW
dc.subject (關鍵詞) 智能合約zh_TW
dc.subject (關鍵詞) 以太坊zh_TW
dc.subject (關鍵詞) 動態監控zh_TW
dc.subject (關鍵詞) Blockchainen_US
dc.subject (關鍵詞) Ethereumen_US
dc.subject (關鍵詞) Smart contracten_US
dc.subject (關鍵詞) Runtime hooken_US
dc.title (題名) 動態監控區塊鏈系統zh_TW
dc.title (題名) Runtime Hook on Blockchain Systemsen_US
dc.type (資料類型) thesisen_US
dc.relation.reference (參考文獻) [1] S. Nakamoto et al., “Bitcoin: A peer-to-peer electronic cash system,” 2008.
[2] M. Swan, Blockchain : blueprint for a new economy. Sebastopol, Calif.: O’Reilly Media, 2015.
[3] “Fidelity investments - retirement plans, investing, brokerage, wealth management, finacial planning and advice, online trading..” https://www.fidelity.com/.
[4] “Nyse: The new york stock exchange.” https://www.nyse.com/index.
[5] “Intercontinental exchange.” https://www.intercontinentalexchange.com/index.
[6] R. Zhang, R. Xue, and L. Liu, “Security and privacy on blockchain,” arXiv preprint arXiv:1903.07602, 2019.
[7] “Zcash counterfeiting vulnerability successfully remediated.” https://z.cash/
blog/zcash-counterfeiting-vulnerability-successfully-remediated/.
[8] “Deep chain reorganization detected on ethereum classic (etc).” https://blog.
coinbase.com/ethereum-classic-etc-is-currently-being-51-attacked-33be13ce32de.
[9] “Pow 51% attack cost.” https://www.crypto51.app/.
[10] “Fundamentals of proof of work.” https://blog.sia.tech/
fundamentals-of-proof-of-work-beaa68093d2b.
[11] “web3.js - ethereum javascript api.” https://web3js.readthedocs.io/en/1.0/.
[12] “Json rpc.” https://github.com/ethereum/wiki/wiki/JSON-RPC.
[13] A. Baliga, “Understanding blockchain consensus models,” in Persistent, 2017.
[14] S. King and S. Nadal, “Ppcoin: Peer-to-peer crypto-currency with proof-of-stake,”
[15] P. Vasin, “Blackcoins proof-of-stake protocol v2,”
[16] “Introducing casper the friendly ghost.” https://blog.ethereum.org/2015/08/
01/introducing-casper-friendly-ghost/, 2015.
[17] G. Wood et al., “Ethereum: A secure decentralised generalised transaction ledger,”
Ethereum project yellow paper, vol. 151, pp. 1–32, 2014.
[18] “Dpos.” https://en.bitcoinwiki.org/wiki/DPoS.
[19] “Bitshares.org - home for the bitshares blockchain.” https://bitshares.org/.
[20] “Introduction sawtooth latest documentation - hyperledger sawtooth.”
https://sawtooth.hyperledger.org/docs/core/nightly/0-8/introduction.html#proof-of-elapsed-time-poet.
[21] M. Castro, B. Liskov, et al., “Practical byzantine fault tolerance,” in OSDI, vol. 99, pp. 173–186, 1999.
[22] “Hyperledger open source blockchain technologies.” https://www.hyperledger.org/.
[23] “Etherscan api.” https://etherscan.io/apis.
[24] G. Ateniese, B. Magri, D. Venturi, and E. Andrade, “Redactable blockchain–or–
rewriting history in bitcoin and friends,” in 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 111–126, IEEE, 2017.
[25] D. Deuber, B. Magri, and S. A. K. Thyagarajan, “Redactable blockchain in the
permissionless setting,” arXiv preprint arXiv:1901.03206, 2019.
[26] I. Puddu, A. Dmitrienko, and S. Capkun, “µchain: How to forget without hard forks.,”
[27] S. Anderson and B. Q. Nguyen, “Filtering and redacting blockchain transactions,” 2018. US Patent App. 15/348,581.
[28] M. Florian, S. Beaucamp, S. A. Henningsen, and B. Scheuermann, “Erasing data from blockchain nodes,” CoRR, vol. abs/1904.08901, 2019.
[29] S. Zhou, Z. Yang, J. Xiang, Y. Cao, M. Yang, and Y. Zhang, “An ever-evolving game: Evaluation of real-world attacks and defenses in ethereum ecosystem,”
[30] P. Zheng, Z. Zheng, X. Luo, X. Chen, and X. Liu, “A detailed and real-time performance monitoring framework for blockchain systems,” in 2018 IEEE/ACM 40th
International Conference on Software Engineering: Software Engineering in Practice Track (ICSE-SEIP), pp. 134–143, May 2018.
[31] B. Jiang, Y. Liu, and W. Chan, “Contractfuzzer: Fuzzing smart contracts for vulnerability detection,” in Proceedings of the 33rd ACM/IEEE International Conference
on Automated Software Engineering, pp. 259–269, ACM, 2018.
[32] “Contract abi specification.” https://solidity.readthedocs.io/en/develop/abi-spec.html.
[33] I. Nikoli´c, A. Kolluri, I. Sergey, P. Saxena, and A. Hobor, “Finding the greedy, prodigal, and suicidal contracts at scale,” in Proceedings of the 34th Annual Computer Security Applications Conference, pp. 653–663, ACM, 2018.
[34] P. Tsankov, A. Dan, D. Drachsler-Cohen, A. Gervais, F. Buenzli, and M. Vechev, “Securify: Practical security analysis of smart contracts,” in Proceedings of the 2018
ACM SIGSAC Conference on Computer and Communications Security, pp. 67–82, ACM, 2018.
[35] X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, “A survey on the security of blockchain systems,” Future Generation Computer Systems, 2017.
[36] I.-C. Lin and T.-C. Liao, “A survey of blockchain security issues and challenges.,” IJ Network Security, vol. 19, no. 5, pp. 653–659, 2017.
[37] I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining is vulnerable,” Commun. ACM, vol. 61, pp. 95–102, June 2018.
[38] G. O. Karame, “Two bitcoins at the price of one? double-spending attacks on fast payments in bitcoin,” in In Proc. of Conference on Computer and Communication Security, 2012.
[39] G. O. Karame, E. Androulaki, M. Roeschlin, A. Gervais, and S. Capkun, “Misbehav- ior in bitcoin: A study of double-spending and accountability,” ACM Transactions on Information and System Security (TISSEC), vol. 18, no. 1, p. 2, 2015.
[40] H. Mayer, “Ecdsa security in bitcoin and ethereum: a research survey,” CoinFaabrik, 2016.
[41] “Wannacry ransomware attack.” https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
[42] N. Christin, “Traveling the silk road: A measurement analysis of a large anonymous online marketplace,” in Proceedings of the 22nd international conference on World
Wide Web, pp. 213–224, ACM, 2013.
[43] “Uk national risk assessment of money laundering and terrorist financing.”
https://assets.publishing.service.gov.uk/government/uploads/system/
uploads/attachment_data/file/468210/UK_NRA_October_2015_final_web.pdf.
[44] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on ethereum smart contracts.,” IACR Cryptology ePrint Archive.
[45] “The dao (organization).” https://en.wikipedia.org/wiki/The_DAO_(organization).
[46] C. Pinz´on and C. Rocha, “Double-spend attack models with time advantange for bitcoin,” Electronic Notes in Theoretical Computer Science, vol. 329, pp. 79–103,
2016.
[47] V. Buterin et al., “Ethereum white paper,” GitHub repository, pp. 22–23, 2013.
zh_TW
dc.identifier.doi (DOI) 10.6814/NCCU202001239en_US