CN119397544A - Smart contract static analysis method and device - Google Patents
Smart contract static analysis method and device Download PDFInfo
- Publication number
- CN119397544A CN119397544A CN202411388503.0A CN202411388503A CN119397544A CN 119397544 A CN119397544 A CN 119397544A CN 202411388503 A CN202411388503 A CN 202411388503A CN 119397544 A CN119397544 A CN 119397544A
- Authority
- CN
- China
- Prior art keywords
- syntax tree
- abstract syntax
- static analysis
- target
- intelligent contract
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Prevention of errors by analysis, debugging or testing of software
- G06F11/3604—Analysis of software for verifying properties of programs
- G06F11/3608—Analysis of software for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- Computing Systems (AREA)
- Stored Programmes (AREA)
Abstract
The embodiment of the application discloses an intelligent analysis method and an intelligent analysis device for static contracts, which are used for analyzing source codes of intelligent contracts into a unified abstract syntax tree and carrying out static analysis based on the unified abstract syntax tree so as to realize unified conversion and wide compatibility of multiple intelligent contract languages. In addition, the method allows the user to develop a custom static analysis strategy for the nodes of the unified abstract grammar number according to specific requirements, so that variables can be positioned and tracked more accurately, and the requirements of the user on the refinement and the inspiration of the detection rules are met. The intelligent contract static analysis device disclosed by the embodiment of the specification also has the beneficial effects.
Description
Technical Field
The invention relates to the technical field of computers, in particular to an intelligent contract static analysis method and device.
Background
Currently, there are a variety of analysis tools for analysis of potential vulnerabilities and code quality problems in smart contracts. However, these analysis tools mostly build their core analysis capabilities around a single or a few smart contract programming languages, which means that the analysis scheme needs to be rebuilt for each emerging smart contract language, which is costly to implement technically. In addition, these analysis tools do not support rule customization, are difficult to meet the requirements of users for refinement and dexterity of detection rules, and limit the scope of supporting detection vulnerabilities.
Disclosure of Invention
One or more embodiments of the present disclosure provide a static analysis method and apparatus for intelligent contracts, which can be suitable for analysis requirements of multi-language intelligent contracts, and simultaneously provide functions of user-defined configuration of scanning and analysis rules, so as to satisfy requirements of users for refinement and flexibility of detection rules.
In a first aspect, an intelligent contract static analysis method is provided, including:
Acquiring a target intelligent contract;
carrying out grammar analysis on the target intelligent contract to generate a unified abstract grammar tree of the target intelligent contract;
According to user-defined operation of a user, matching a static analysis strategy for a target node of the unified abstract syntax tree;
And performing simulation execution on the target intelligent contract according to the unified abstract syntax tree, and calling a static analysis strategy of the target node to perform static analysis on the target intelligent contract when the simulation execution reaches the target node.
As an optional implementation manner of the method of the first aspect, the parsing the target smart contract to generate a unified abstract syntax tree of the target smart contract specifically includes:
acquiring an abstract syntax tree constructed according to the programming language type of the target intelligent contract;
and converting the abstract syntax tree into the unified abstract syntax tree.
As an optional implementation manner of the method of the first aspect, according to a user-defined operation of a user, the matching static analysis policy for the target node of the unified abstract syntax tree specifically includes:
determining rule injection points according to user-defined operation, and configuring a static analysis strategy for the rule injection points;
And carrying out association matching on the rule injection points and the target nodes of the unified abstract syntax tree.
Specifically, the method further comprises the following steps:
After the static analysis strategy is configured for the rule injection points, the rule injection points are constructed as API interfaces.
Specifically, according to the unified abstract syntax tree, performing simulation execution on the target intelligent contract, and when the simulation execution reaches the target node, invoking a static analysis strategy of the target node to perform static analysis on the target intelligent contract, including:
and when the simulation execution is carried out to the target node, calling the rule injection point, injecting a static analysis strategy of the rule injection point in a thread of the simulation execution, and executing the static analysis strategy.
As an optional implementation manner of the method of the first aspect, according to the unified abstract syntax tree, performing simulation execution on the target intelligent contract specifically includes:
And based on the selection operation of the user, performing simulation execution on all or part of the target intelligent contract according to the unified abstract syntax tree.
In a second aspect, there is provided an intelligent contract static analysis apparatus, comprising:
The data acquisition module is configured to acquire a target intelligent contract;
the contract normalization module is configured to parse the target intelligent contract to generate a unified abstract syntax tree of the target intelligent contract;
the rule self-defining module is configured to match a static analysis strategy for the target node of the unified abstract syntax tree according to self-defining operation of a user;
And the analysis module is configured to perform simulation execution on the target intelligent contract according to the unified abstract syntax tree, and call a static analysis strategy of the target node to perform static analysis on the target intelligent contract when the simulation execution reaches the target node.
As an optional implementation manner of the apparatus of the second aspect, the contract normalization module is specifically configured to obtain an abstract syntax tree constructed according to a programming language type of the target smart contract, and convert the abstract syntax tree into the unified abstract syntax tree.
As an optional implementation manner of the apparatus of the second aspect, the rule customization module is specifically configured to determine a rule injection point according to a user's customization operation, configure a static analysis policy for the rule injection point, and perform association matching on the rule injection point and a target node of the unified abstract syntax tree.
Specifically, the rule custom module is further specifically configured to construct the rule injection point as an API interface after configuring a static analysis policy for the rule injection point.
Specifically, the analysis module is specifically configured to call the rule injection point when the simulation is executed to the target node, inject a static analysis policy of the rule injection point in a thread of the simulation execution, and execute the static analysis policy.
As an optional implementation manner of the apparatus of the second aspect, the analysis module is specifically configured to perform simulation execution on all or part of the target smart contract according to the unified abstract syntax tree based on a selection operation of a user.
In a third aspect, a computer readable storage medium is provided, on which a computer program is stored, which when executed by a processor causes the processor to perform the above-described intelligent contract static analysis method.
In a fourth aspect, there is provided an electronic device comprising:
and a memory associated with the one or more processors for storing program instructions that, when read for execution by the one or more processors, cause the electronic device to perform the intelligent contract static analysis method described above.
The static contract intelligent analysis method disclosed by one or more embodiments of the present disclosure has the beneficial effects that the method analyzes the source codes of intelligent contracts into a Unified Abstract Syntax Tree (UAST), and performs static analysis based on the Unified Abstract Syntax Tree (UAST), thereby realizing unified conversion and wide compatibility of multiple intelligent contract languages. In addition, the method allows the user to develop a custom static analysis strategy for the nodes of the unified abstract grammar number according to specific requirements, so that variables can be positioned and tracked more accurately, and the requirements of the user on the refinement and the inspiration of the detection rules are met. The intelligent contract static analysis device disclosed by the embodiment of the specification also has the beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow diagram of a static analysis method for intelligent contracts according to one or more embodiments of the present disclosure.
FIG. 2 is a schematic diagram of a unified abstract syntax tree generation flow provided by one or more embodiments of the present disclosure.
Fig. 3 is a schematic structural diagram of a static contract intelligent analysis device according to one or more embodiments of the present disclosure.
Fig. 4 is a schematic structural diagram of an electronic device provided in one or more embodiments of the present disclosure.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
It should be noted that in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, a single step described in this specification may be described as being split into multiple steps in other embodiments, while multiple steps described in this specification may be described as being combined into a single step in other embodiments.
It will be appreciated by those skilled in the art that the terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Smart contracts play a vital role in decentralised applications and smart contract platforms (e.g., ethernet) as an important component of blockchain technology. However, due to the non-tamper-ability of smart contracts, security and reliability issues are increasingly becoming industry difficulties. The intelligent contract loopholes which are frequently emerged not only cause serious economic loss and data leakage, but also influence the operation of the whole blockchain network.
In order to effectively identify and repair potential vulnerabilities and code quality problems in intelligent contracts, various analysis tools appear in the industry, and the analysis tools can deeply analyze and check source codes or byte codes of the intelligent contracts through static analysis, stain analysis and other technologies, discover the potential vulnerabilities and code quality problems in the intelligent contracts, and guarantee the safety and reliability of the intelligent contracts.
However, the smart contracts may be written in a variety of programming languages, such as Solidity, vyper (ethernet), move (Libra), rust, go, and the like. This diversity, while enriching the developer's choices, also makes static analysis tools for single language designs difficult to meet in multi-language environments. Many existing static analysis tools often only support specific languages, which means that developers need to rely on different analysis tools when writing intelligent contracts in different languages, which brings additional learning cost and complexity. Meanwhile, for a common static analysis tool in the market, every time a new language is supported, an analysis engine of the static analysis tool needs to be redeveloped or modified, a great amount of technical resources and funds are needed to be input, and the difficulty and development cost of technical implementation are increased.
Furthermore, while some analysis tools provide vulnerability detection and code quality analysis functionality, they do not support rule customization, e.g., oyente, or rule customization capabilities are limited, e.g., SMARTCHECK, SECURIFY, MYTHRIL, MYTHX, which makes it difficult to meet the user's requirements for detection rule refinement and dexterity, and limits the scope of support for detecting vulnerabilities.
Therefore, there is a need in the industry for a static analysis scheme that is oriented to unified multilingual. In view of this, one or more embodiments of the present disclosure provide a static analysis method and device for intelligent contracts, which can be suitable for analysis requirements of multi-language intelligent contracts, and simultaneously provide functions of user-defined configuration of scanning and analysis rules, so as to meet requirements of users for refinement and flexibility of detection rules.
The method and apparatus for intelligent contract static analysis described in one or more embodiments of the present specification will be further described in detail below with reference to the accompanying drawings and specific embodiments, but the detailed description is not intended to limit the embodiments of the present specification.
First, terms involved in the embodiments of the present specification will be explained.
Static analysis refers to a class of techniques that infer program behavior by analyzing program code and its associated resources (e.g., configuration files, documents, etc.) without running the program. Static analysis relies primarily on analysis of code structure, control flow, and data flow to identify potential programming errors, security vulnerabilities, performance bottlenecks, and code quality issues. Static analysis tools are typically used in the compilation phase to provide immediate feedback to help developers discover and fix problems at an early stage. Its broad applications include type checking, code auditing, security analysis, complexity metrics, optimization suggestions, and the like.
Stain analysis, a static analysis technique focused on tracking an untrusted data flow path in a procedure. The core idea is to mark the input data as "blobs" (taint), and then track the propagation of these blobs in the program by data flow analysis to determine if there are paths to propagate untrusted input to critical points (e.g., database queries, system commands, file operations, etc.). Taint analysis is often used to discover potential security vulnerabilities, such as SQL injection, cross site scripting attack (XSS), etc., to promote program security by identifying and blocking illegitimate use paths for untrusted data.
Control flow analysis and data flow analysis control flow analysis aims to build a model of the program execution path, describe possible control transfer relationships between parts of the program, and generate control flow graphs (Control Flow Graph, CFG) to understand the program execution order, find dead code and potential loops. The Data Flow analysis focuses on the values and states of variables at different program points, and a Data Flow Graph (DFG) is constructed by tracking the definition, use and assignment of the variables so as to perform constant propagation, dead code elimination, data dependency analysis, optimization and the like. The two are combined to provide comprehensive support for program optimization, security analysis and error detection.
Unified abstract syntax tree (UAST, unified Abstract Syntax Tree) a unified Abstract Syntax Tree (AST) representation intended to provide a high-level (higher-level) generic intermediate representation for a program language. Through UAST, unified processing and analysis can be performed on codes of multiple programming languages, and consistent operation on source codes is supported by static analysis tools, code inspection tools, integrated Development Environments (IDEs) and the like.
Referring to fig. 1, fig. 1 is a flowchart illustrating a static analysis method of an intelligent contract according to one or more embodiments of the present disclosure. As shown in fig. 1, the smart contract static analysis method may include steps S100 to S106.
S100, acquiring a target intelligent contract.
The target smart contracts described above refer to smart contracts that need to be analyzed. Specifically, in this step, it is necessary to acquire the source code of the target smart contract, or directly acquire an abstract syntax tree constructed according to the programming language type of the target smart contract.
S102, carrying out grammar analysis on the target intelligent contract to generate a unified abstract grammar tree of the target intelligent contract.
In some embodiments, the source code of the target smart contract is obtained in step S100, and then in step S102, the source code of the target smart contract may be directly parsed, thereby generating a unified abstract syntax tree of the target smart contract.
In some embodiments, in step S100, an abstract syntax tree constructed according to the programming language type of the target smart contract is directly obtained, and in step S102, only the abstract syntax tree of the target smart contract needs to be converted into a unified abstract syntax tree.
Taking the unified abstract syntax tree generation flow shown in fig. 2 as an example, according to the programming language type of the target intelligent contract, for example Solidity, java or Other (Other), the abstract syntax tree of the programming language type of the target intelligent contract, for example Solidity AST, java AST or Other AST, can be obtained first, and then these abstract syntax trees AST are normalized into a general intermediate expression form, so as to obtain the unified abstract syntax tree of the target intelligent contract.
S104, matching static analysis strategies for target nodes of the unified abstract syntax tree according to user-defined operation of the user.
In conventional static analysis based on abstract syntax trees, analysis based on preset purposes, such as checking for contract vulnerabilities, checking for code errors, optimizing codes, etc., is typically performed by traversing the abstract syntax tree. The analysis method employed in traversing the abstract syntax tree is typically unitary.
However, since the types of smart contracts are different, their characteristics are also different, and different details often need to be paid attention to at different locations in actual operation for different types of smart contracts, or for different parts in the same smart contract. Based on this, in step S104, a scheme of user-defining a static analysis rule is provided. The user can select the target node in the unified abstract syntax tree according to analysis requirements, and then customize a static analysis strategy for the target node to flexibly configure analysis modes of different target nodes of the unified abstract syntax tree.
In some embodiments, a rule injection point may be constructed according to a user-defined operation, a user-defined static analysis policy, such as a data flow analysis policy, a control flow analysis policy, a stain tracking policy, etc., is configured at the rule injection point, and then the rule injection point is associated and matched with a target node of the unified abstract syntax tree.
Taking the unified abstract syntax tree shown in fig. 2 as an example, the unified abstract syntax tree includes function definition nodes ContractDef, functionDef, assign, TBranch, FBranch and if statement nodes. When configuring the customized static analysis strategy, the control flow analysis and data flow analysis strategy can be configured for the whole unified abstract syntax tree, while at some target nodes, such as function definition nodes (FunctionDef), other static analysis strategies can be customized according to requirements, for example, the current data flow, control flow and node information can be obtained, and the corresponding vulnerability inspection strategy or warning strategy can be configured.
The rule injection points can be presented in the form of API interfaces, and the user is allowed to inject and add self-defined static analysis and analysis strategies such as vulnerability checking strategies, code checking strategies and the like by calling the rules in a unified abstract syntax tree, so that the flexibility and the functionality of the whole static analysis scheme are enhanced.
S106, performing simulation execution on the target intelligent contract according to the unified abstract syntax tree, and calling a static analysis strategy of the target node to perform static analysis on the target intelligent contract when the simulation execution is performed to the target node.
Specifically, when the target intelligent contract is simulated according to the unified abstract syntax tree, all nodes of the unified abstract syntax tree may be simulated, or a part of nodes of the unified abstract syntax tree may be simulated, for example, a certain subtree in the unified abstract syntax tree may be simulated, which is not limited in this embodiment. The mode of analog execution may be adaptively selected according to the requirement, for example, the symbol execution mode may be selected, which is not limited in this embodiment.
In the process of performing simulation execution on the target intelligent contract according to the unified abstract syntax tree, when the simulation execution is performed on the target node, the corresponding rule injection point can be called according to the matching relation between the target node and the rule injection point, and a static analysis strategy configured by the rule injection point is injected into a thread of the simulation execution, so that the analysis purpose is realized by executing the static analysis strategy.
The above is a specific implementation procedure of the intelligent contract analysis method shown in fig. 1. The method is based on a Unified Abstract Syntax Tree (UAST) for static analysis, so that unified conversion and wide compatibility of multiple intelligent contract languages are realized. And has the advantages of no need of compiling and no consideration of construction environment, thereby achieving rapid analysis of contracts. For the newly added intelligent contract language, only the UAST analytic support is needed to be realized, and the analysis engine is not needed to be redeveloped.
The method adopts a framework that an analysis engine is separated from a scanning rule, namely a rule injection point is provided, and a user is allowed to develop the analysis rule and a scanner of a custom rule injection point according to specific requirements so as to adapt to an intelligent contract ecological system which is continuously developed. By setting the rule injection points, the method can support different analysis strategies to different parts of the unified abstract syntax tree in one analysis process, for example, support the whole of the unified abstract syntax tree to carry out data flow analysis and control flow analysis and support the local of the unified abstract syntax tree to carry out spot analysis. The method can locate and track variables more accurately than conventional static analysis schemes.
The method supports simulated execution of smart contract code. Such as symbolic execution. Compared with a common static analysis scheme, the method is more accurate in simulating the execution states of intelligent contracts, sentences and functions.
Corresponding to the above-mentioned intelligent contract static analysis method, one or more embodiments of the present specification further provide an intelligent contract static analysis apparatus. Referring to fig. 3, fig. 3 is a schematic structural diagram of an intelligent contract static analysis device according to one or more embodiments of the present disclosure. The device can be used for realizing the intelligent contract static analysis method. It should be noted that the intelligent contract static analysis method according to one or more embodiments of the present application may be implemented by, but is not limited to, the intelligent contract static analysis apparatus shown in fig. 3.
As shown in fig. 3, the static contract intelligent analysis apparatus includes:
The data acquisition module 301 is configured to acquire a target smart contract.
The contract normalization module 302 is configured to parse the target smart contract to generate a unified abstract syntax tree of the target smart contract.
The rule custom module 303 is configured to match the static analysis policy for the target node of the unified abstract syntax tree according to the custom operation of the user.
The analysis module 304 is configured to perform simulation execution on the target intelligent contract according to the unified abstract syntax tree, and call a static analysis policy of the target node to perform static analysis on the target intelligent contract when the simulation execution is performed to the target node.
For the above-mentioned data acquisition module 301, the target smart contract acquired by the data acquisition module 301 refers to a smart contract that needs to be analyzed. Specifically, the data acquisition module 301 needs to acquire the source code of the target smart contract or directly acquire an abstract syntax tree constructed according to the programming language type of the target smart contract.
For the above-mentioned contract normalization module 302, the contract normalization module 302 is specifically configured to normalize an abstract syntax tree constructed by the source code of the target smart contract or the programming language type of the target smart contract acquired by the data acquisition module 301, so as to obtain a unified abstract syntax tree.
Specifically, if the source code of the target smart contract is obtained by the data obtaining module 301, the contract normalizing module 302 may directly parse the source code of the target smart contract, thereby generating a unified abstract syntax tree of the target smart contract.
If the data acquisition module 301 directly acquires the abstract syntax tree constructed according to the programming language type of the target smart contract, the contract normalization module 302 only needs to convert the abstract syntax tree of the target smart contract into a unified abstract syntax tree. For example, the data obtaining module 301 may first obtain an abstract syntax tree of a programming language type of the target smart contract, such as Solidity AST, java AST, or Other AST, and then the contract normalizing module 302 normalizes the abstract syntax tree AST into a general intermediate expression form, so as to obtain a unified abstract syntax tree of the target smart contract.
For the rule customization module 303, the rule customization module 303 provides the user with the function of customizing the static analysis rule. The user can select the target node in the unified abstract syntax tree according to analysis requirements, and then customize a static analysis strategy for the target node to flexibly configure analysis modes of different target nodes of the unified abstract syntax tree.
Specifically, the rule customization module 303 may construct rule injection points according to user-defined operations, configure user-defined static analysis policies, such as a data flow analysis policy, a control flow analysis policy, a stain tracking policy, and the like, at the rule injection points, and then perform association matching on the rule injection points and the target nodes of the unified abstract syntax tree.
The rule injection points can be presented in the form of API interfaces, and the user is allowed to inject and add self-defined static analysis and analysis strategies such as vulnerability checking strategies, code checking strategies and the like by calling the rules in a unified abstract syntax tree, so that the flexibility and the functionality of the whole static analysis scheme are enhanced.
For the above analysis module 304, the analysis module 304 is mainly configured to perform simulation execution on the whole object intelligent contract or a part of functions, sentences, and other parts thereof based on the unified abstract syntax tree according to the selection operation of the user.
The analysis module 304 may perform simulation execution on all nodes of the unified abstract syntax tree or perform simulation execution on some nodes of the unified abstract syntax tree, for example, perform simulation execution on a subtree in the unified abstract syntax tree, which is not limited in this embodiment. The mode of analog execution may be adaptively selected according to the requirement, for example, the symbol execution mode may be selected, which is not limited in this embodiment.
In the process that the analysis module 304 performs simulation execution on the target intelligent contract according to the unified abstract syntax tree, when the simulation execution is performed on the target node, the corresponding rule injection point can be called according to the matching relation between the target node and the rule injection point, and a static analysis strategy configured by the rule injection point is injected into a thread of the simulation execution, so that the analysis purpose is realized by executing the static analysis strategy.
For an intelligent contract analysis device as described above, with a module as an example of a software functional unit, the data acquisition module 301 may include code that runs on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine, and a container, among others. Further, the above-described computing examples may be one or more. For example, the data acquisition module 301 may include code running on multiple hosts/virtual machines/containers. Multiple hosts/virtual machines/containers for running the code may be distributed in the same region (region) or may be distributed in different regions. Further, multiple hosts/virtual machines/containers for running the code may be distributed in the same availability zone (availability zone, AZ) or may be distributed in different AZs, each AZ comprising one data center or multiple geographically close data centers. Wherein typically a region may comprise a plurality of AZs.
Also, multiple hosts/virtual machines/containers for running the code may be distributed in the same virtual private cloud (virtual private cloud, VPC) or may be distributed in multiple VPCs. In general, one VPC is disposed in one region, and a communication gateway is disposed in each VPC for implementing inter-connection between VPCs in the same region and between VPCs in different regions.
Module as an example of a hardware functional unit, the data acquisition module 301 may include at least one computing device, such as a server or the like. Alternatively, the data acquisition module 301 may be a device implemented using an application-specific integrated circuit (ASIC), a programmable logic device (programmable logic device, PLD), or the like. The PLD may be implemented as a complex program logic device (complex programmable logical device, CPLD), a field-programmable gate array (FPGA) GATE ARRAY, a general-purpose array logic (GENERIC ARRAY logic, GAL), or any combination thereof.
The multiple computing devices included in the data acquisition module 301 may be distributed in the same region or may be distributed in different regions. The plurality of computing devices included in the data acquisition module 301 may be distributed in the same AZ or may be distributed in different AZ. Likewise, multiple computing devices included in the data acquisition module 301 may be distributed in the same VPC or may be distributed among multiple VPCs. Wherein the plurality of computing devices may be any combination of computing devices such as servers, ASIC, PLD, CPLD, FPGA, and GAL.
In other embodiments, the data acquisition module 301 may be configured to perform any of the above-described smart contract static analysis methods, the contract normalization module 302 may be configured to perform any of the above-described smart contract static analysis methods, the rule customization module 303 may be configured to perform any of the above-described smart contract static analysis methods, and the analysis module 304 may be configured to perform any of the above-described smart contract static analysis methods. The steps of the data acquisition module 301, the contract normalization module 302, the rule customization module 303 and the analysis module 304 responsible for implementation can be specified according to needs, and all the functions of the intelligent contract static analysis device are realized by respectively implementing different steps in the intelligent contract static analysis method through the data acquisition module 301, the contract normalization module 302, the rule customization module 303 and the analysis module 304.
In this implementation manner, the intelligent contract static analysis apparatus may also be applied to a computing device such as a computer, a server, or a computing device cluster including at least one computing device, so as to implement a specific function of the intelligent contract static analysis apparatus.
In some embodiments, an electronic device is also provided for implementing the gateway server 31 described above. Referring to fig. 4, the electronic device includes a bus 401, a processor 402, a memory 403, and a communication interface 404. Communication between processor 402, memory 403 and communication interface 404 is via bus 401. The electronic device may be a server or a terminal device. It should be understood that the present application is not limited to the number of processors, memories in an electronic device.
Bus 401 may be a peripheral component interconnect standard (PERIPHERAL COMPONENT INTERCONNECT, PCI) bus, or an extended industry standard architecture (extended industry standard architecture, EISA) bus, or the like. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, fig. 4 is shown with only one line, but does not represent only one bus or one type of bus. Bus 401 may include a path to transfer information between various components of the electronic device (e.g., processor 402, memory 403, and communication interface 404).
The processor 402 may include any one or more of a processor CPU, a graphics processor (graphics processing unit, GPU), a Microprocessor (MP), or a digital signal processor (DIGITAL SIGNAL processor, DSP).
Memory 403 may include volatile memory (RAM), such as random access memory (random access memory). The memory 403 may also include a non-volatile memory (non-volatile memory), such as a read-only memory (ROM), a flash memory, a mechanical hard disk (HARD DISK DRIVE, HDD) or a solid state disk (SSD STATE DRIVE).
The memory 403 has stored therein executable program code that the processor 402 executes to implement the aforementioned functions of the gateway server 31, i.e., to implement the aforementioned access method of the third party large language model.
Communication interface 404 enables communication between an electronic device and other devices or communication networks using a transceiver module such as, but not limited to, a network interface card, transceiver, or the like.
In some embodiments, a computer readable storage medium is also provided, on which a computer program is stored, which when executed by a processor causes the processor to perform the above-described smart contract static analysis method.
Computer readable storage media can be any available media that can be stored by an electronic device or data storage device such as a data center that contains one or more available media. Usable media may be magnetic media (e.g., floppy disks, hard disks, magnetic tape), optical media (e.g., DVD), or semiconductor media (e.g., solid state disk), among others. The computer-readable storage medium includes instructions that instruct an electronic device to perform the intelligent contract static analysis method described above.
It should be understood that the structures illustrated in the embodiments of the present specification do not constitute a particular limitation on the systems of the embodiments of the present specification. In other embodiments of the specification, the system may include more or fewer components than shown, or certain components may be combined, or certain components may be separated, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
It should be noted that the above-mentioned embodiments are merely examples of the present invention, and it is obvious that the present invention is not limited to the above-mentioned embodiments, and many similar variations are possible. All modifications attainable or obvious from the present disclosure set forth herein should be deemed to be within the scope of the present disclosure.
Claims (14)
1. A method of intelligent contract static analysis, comprising:
Acquiring a target intelligent contract;
carrying out grammar analysis on the target intelligent contract to generate a unified abstract grammar tree of the target intelligent contract;
According to user-defined operation of a user, matching a static analysis strategy for a target node of the unified abstract syntax tree;
And performing simulation execution on the target intelligent contract according to the unified abstract syntax tree, and calling a static analysis strategy of the target node to perform static analysis on the target intelligent contract when the simulation execution reaches the target node.
2. The method of claim 1, wherein parsing the target smart contract generates a unified abstract syntax tree of the target smart contract, comprising:
acquiring an abstract syntax tree constructed according to the programming language type of the target intelligent contract;
and converting the abstract syntax tree into the unified abstract syntax tree.
3. The method of claim 1, according to user-defined operations, matching static analysis policies for target nodes of the unified abstract syntax tree, specifically comprising:
determining rule injection points according to user-defined operation, and configuring a static analysis strategy for the rule injection points;
And carrying out association matching on the rule injection points and the target nodes of the unified abstract syntax tree.
4. A method as claimed in claim 3, the method further comprising:
After the static analysis strategy is configured for the rule injection points, the rule injection points are constructed as API interfaces.
5. The method of claim 3, performing simulation execution on the target intelligent contract according to the unified abstract syntax tree, and calling a static analysis strategy of the target node to perform static analysis on the target intelligent contract when simulation execution reaches the target node, wherein the method specifically comprises the following steps:
and when the simulation execution is carried out to the target node, calling the rule injection point, injecting a static analysis strategy of the rule injection point in a thread of the simulation execution, and executing the static analysis strategy.
6. The method of claim 1, wherein the simulating the target smart contract according to the unified abstract syntax tree comprises:
And based on the selection operation of the user, performing simulation execution on all or part of the target intelligent contract according to the unified abstract syntax tree.
7. An intelligent contract static analysis device, comprising:
The data acquisition module is configured to acquire a target intelligent contract;
the contract normalization module is configured to parse the target intelligent contract to generate a unified abstract syntax tree of the target intelligent contract;
the rule self-defining module is configured to match a static analysis strategy for the target node of the unified abstract syntax tree according to self-defining operation of a user;
And the analysis module is configured to perform simulation execution on the target intelligent contract according to the unified abstract syntax tree, and call a static analysis strategy of the target node to perform static analysis on the target intelligent contract when the simulation execution reaches the target node.
8. The apparatus of claim 7, wherein the contract normalization module is operable to obtain an abstract syntax tree constructed from programming language types of the target smart contract, and to convert the abstract syntax tree into the unified abstract syntax tree.
9. The apparatus of claim 7, wherein the rule custom module is specifically configured to determine a rule injection point according to a user's custom operation, configure a static analysis policy for the rule injection point, and perform association matching on the rule injection point and a target node of the unified abstract syntax tree.
10. The apparatus of claim 9, wherein the rule customization module is further specifically configured to construct the rule injection point as an API interface after configuring a static analysis policy for the rule injection point.
11. The apparatus of claim 9, wherein the analysis module is specifically configured to invoke the rule injection point when the simulation is executed to the target node, inject a static analysis policy for the rule injection point in a thread of the simulation execution, and execute the static analysis policy.
12. The apparatus of claim 7, the analysis module is specifically configured to perform simulation execution of all or a portion of the target smart contract according to the unified abstract syntax tree based on a user selection operation.
13. A computer readable storage medium having stored thereon a computer program which, when executed by a processor, causes the processor to perform the method of any of claims 1 to 6.
14. An electronic device, comprising:
And a memory associated with the one or more processors for storing program instructions that, when read for execution by the one or more processors, cause the electronic device to perform the method of any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411388503.0A CN119397544A (en) | 2024-09-30 | 2024-09-30 | Smart contract static analysis method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411388503.0A CN119397544A (en) | 2024-09-30 | 2024-09-30 | Smart contract static analysis method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119397544A true CN119397544A (en) | 2025-02-07 |
Family
ID=94423022
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411388503.0A Pending CN119397544A (en) | 2024-09-30 | 2024-09-30 | Smart contract static analysis method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119397544A (en) |
-
2024
- 2024-09-30 CN CN202411388503.0A patent/CN119397544A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11216256B2 (en) | Determining based on static compiler analysis that execution of compiler code would result in unacceptable program behavior | |
| CN114041117B (en) | Continuous annotation of grammar graphs for code optimization | |
| US11650905B2 (en) | Testing source code changes | |
| US11663110B2 (en) | Analysis to check web API code usage and specification | |
| US11675575B2 (en) | Checking source code validity at time of code update | |
| US8615750B1 (en) | Optimizing application compiling | |
| US9928042B2 (en) | Automatic classification of compilers | |
| EP3458953A1 (en) | Systems and methods for model-based analysis of software | |
| US9710370B2 (en) | Automated testing of shell scripts | |
| US20170220613A1 (en) | Systems and methods for database orientation transformation | |
| US9672015B2 (en) | Automatic determination of compiler configuration | |
| KR102273135B1 (en) | Apparatus and method for generating test input a software using symbolic execution | |
| Jahanshahi et al. | Minimalist: Semi-automated debloating of {php} web applications through static analysis | |
| WO2022127263A1 (en) | Code processing method and related device | |
| US11182272B2 (en) | Application state monitoring | |
| Rodrigues et al. | Aspect-oriented webassembly transformation | |
| Yan et al. | DFlow: a data flow analysis tool for C/C++ | |
| CN114174983B (en) | Method and system for optimized automatic verification of advanced constructs | |
| CN119397544A (en) | Smart contract static analysis method and device | |
| Wang et al. | Automatic mapping of configuration options in software using static analysis | |
| Liu et al. | Demystifying React Native Android Apps for Static Analysis | |
| US12417289B2 (en) | Systems and methods for detecting malware in obfuscated scripts | |
| CN118642937A (en) | A test case generation method and related system | |
| Ilg | CodeDetective: Enabling Isolated Code Execution | |
| WO2025066416A1 (en) | Processing method and processing apparatus for smart contract on blockchain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |