最新区块链论文速读--CCF A会议 CCS 2023 共25篇 附pdf下载(3/4)

图片

Conference:ACM Conference on Computer and Communications Security (CCS)

CCF level:CCF A

Categories:network and information security

Year:2023

Num:25

第1~7篇区块链文章请点击此处查看

第8~13篇区块链文章请点击此处查看

14

Title: 

Fuzz on the Beach: Fuzzing Solana Smart Contracts

海滩上的模糊:模糊测试Solana智能合约

Authors

图片

Key words:

Blockchain Security, Solana, Fuzzing

区块链安全、Solana、模糊测试

Abstract

Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non-fungible tokens (NFTs). A key reason for its success are Solana's low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the literature features extensive tooling support for smart contract security, current solutions are largely tailored for the Ethereum Virtual Machine. Unfortunately, the very stateless nature of Solana's execution environment introduces novel attack patterns specific to Solana requiring a rethinking for building vulnerability analysis methods. In this paper, we address this gap and propose FuzzDelSol, the first binary-only coverage-guided fuzzing architecture for Solana smart contracts. FuzzDelSol faithfully models runtime specifics such as smart contract interactions. Moreover, since source code is not available for the large majority of Solana contracts, FuzzDelSol operates on the contract's binary code. Hence, due to the lack of semantic information, we carefully extracted low-level program and state information to develop a diverse set of bug oracles covering all major bug classes in Solana. Our extensive evaluation on 6049 smart contracts shows that FuzzDelSol's bug oracles finds impactful vulnerabilities with a high precision and recall. To the best of our knowledge, this is the largest evaluation of the security landscape on the Solana mainnet.

Solana 已迅速成为构建去中心化应用程序 (DApp) 的流行平台,例如非同质化代币 (NFT) 的市场。其成功的一个关键原因是 Solana 的低交易费和高性能,这在一定程度上得益于其无状态编程模型。尽管文献中介绍了对智能合约安全的广泛工具支持,但当前的解决方案主要是针对以太坊虚拟机量身定制的。不幸的是,Solana 执行环境的无状态特性引入了 Solana 特有的新攻击模式,需要重新考虑构建漏洞分析方法。在本文中,我们解决了这一差距并提出了 FuzzDelSol,这是第一个仅针对二进制的覆盖引导式 Solana 智能合约模糊测试架构。FuzzDelSol 忠实地模拟了运行时细节,例如智能合约交互。此外,由于大多数 Solana 合约都没有源代码,因此 FuzzDelSol 会对合约的二进制代码进行操作。因此,由于缺乏语义信息,我们仔细提取了低级程序和状态信息,以开发一组多样化的漏洞预言机,涵盖 Solana 中所有主要漏洞类别。我们对 6049 个智能合约进行了广泛的评估,结果表明 FuzzDelSol 的漏洞预言机能够以较高的准确率和召回率发现重大漏洞。据我们所知,这是对 Solana 主网安全状况的最大规模评估。

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3576915.3623178

15

Title: 

Lanturn: Measuring Economic Security of Smart Contracts Through Adaptive Learning

Lanturn:通过自适应学习衡量智能合约的经济安全

Authors

图片

Key words:

MEV; Machine Learning; Optimization; Decentralized Finance; Cryptoeconomics; Smart Contract Security Tool

MEV、机器学习、优化、去中心化金融、加密经济学、智能合约安全工具

Abstract

We introduce Lanturn: a general purpose adaptive learning-based framework for measuring the cryptoeconomic security of composed decentralized-finance (DeFi) smart contracts. Lanturn discovers strategies comprising of concrete transactions for extracting economic value from smart contracts interacting with a particular transaction environment. We formulate the strategy discovery as a black-box optimization problem and leverage a novel adaptive learning-based algorithm to address it. Lanturn features three key properties. First, it needs no contract-specific heuristics or reasoning, due to our black-box formulation of cryptoeconomic security. Second, it utilizes a simulation framework that operates natively on blockchain state and smart contract machine code, such that transactions returned by Lanturn's learning-based optimization engine can be executed on-chain without modification. Finally, Lanturn is scalable in that it can explore strategies comprising a large number of transactions that can be reordered or subject to insertion of new transactions. We evaluate Lanturn on the historical data of the biggest and most active DeFi Applications: Sushiswap, UniswapV2, UniswapV3, and AaveV2. Our results show that Lanturn not only rediscovers existing, well-known strategies for extracting value from smart contracts, but also discovers new strategies that are previously undocumented. Lanturn also consistently discovers higher value than evidenced in the wild, surpassing a natural baseline computed using value extracted by bots and other strategic agents.

我们介绍 Lanturn:一种基于自适应学习的通用框架,用于测量由去中心化金融(DeFi)智能合约组成的加密经济安全性。Lanturn 会发现由具体交易组成的策略,以便从与特定交易环境交互的智能合约中提取经济价值。我们将策略发现表述为一个黑盒优化问题,并利用一种新颖的基于自适应学习的算法来解决该问题。Lanturn 具有三个关键特性。首先,由于我们对加密经济安全性进行了黑箱表述,因此它不需要特定于合约的启发式或推理。其次,它利用了一个模拟框架,该框架可在区块链状态和智能合约机器代码上进行原生操作,因此,Lanturn 基于学习的优化引擎返回的交易可以在链上执行,无需修改。最后,Lanturn 具有可扩展性,它可以探索包含大量交易的策略,这些交易可以重新排序或插入新的交易。我们在最大、最活跃的 DeFi 应用程序的历史数据上对 Lanturn 进行了评估:Sushiswap、UniswapV2、UniswapV3 和 AaveV2。我们的研究结果表明,Lanturn 不仅能重新发现现有的、众所周知的从智能合约中提取价值的策略,还能发现以前未记录的新策略。Lanturn 还能持续发现比野生状态下更高的价值,超过使用机器人和其他策略代理提取的价值计算出的自然基线。

图片

图片

注:maximal (previously miner) extractable value (MEV)

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3576915.3623204

16

Title: 

Riggs: Decentralized Sealed-Bid Auctions

Riggs:去中心化密封投标拍卖

Authors

图片

Key words:

timed commitments, auctions, blockchains, range proofs

定时承诺、拍卖、区块链、范围证明

Abstract

We introduce the first practical protocols for fully decentralized sealed-bid auctions using timed commitments. Timed commitments ensure that the auction is finalized fairly even if all participants drop out after posting bids or if n-1 bidders collude to try to learn the nth bidder's bid value. Our protocols rely on a novel non-malleable timed commitment scheme which efficiently supports range proofs to establish that bidders have sufficient funds to cover a hidden bid value. This allows us to penalize users who abandon bids for exactly the bid value, while supporting simultaneous bidding in multiple auctions with a shared collateral pool. Our protocols are concretely efficient and we have implemented them in an Ethereum-compatible smart contract which automatically enforces payment and delivery of an auctioned digital asset.

我们引入了第一个使用定时承诺的完全去中心化密封投标拍卖的实用协议。定时承诺确保拍卖公平完成,即使所有参与者在发布投标后退出,或者 n-1 个投标人串通试图了解第 n 个投标人的出价。我们的协议依赖于一种新颖的不可延展的定时承诺方案,该方案有效地支持范围证明,以确定投标人有足够的资金来支付隐藏的出价。这使我们能够惩罚那些放弃出价的用户,同时支持在共享抵押品池的多个拍卖中同时出价。我们的协议非常高效,我们已经在与以太坊兼容的智能合约中实现了它们,该合约自动执行拍卖数字资产的支付和交付。

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3576915.3623182

17

Title: 

Accio: Variable-Amount, Optimized-Unlinkable and NIZK-Free Off-Chain Payments via Hubs

Accio:通过 Hub 进行可变金额、优化不可链接且无需 NIZK 的链下支付

Authors

图片

Key words:

Payment Channel Hub, Variable Amount, Unlinkability, NIZK-free

支付渠道Hub、可变金额、不可链接、无需 NIZK

Abstract

Payment channel hubs (PCHs) serve as a promising solution to achieving quick off-chain payments between pairs of users. They work by using an untrusted tumbler to relay the payments between the payer and payee and enjoy the advantages of low cost and high scalability. However, the most recent privacy-preserving payment channel hub solution that supports variable payment amounts suffers from limited unlinkability, e.g., being vulnerable to the abort attack. Moreover, this solution utilizes zero-knowledge proofs, which bring huge costs on both computation time and communication overhead. Therefore, how to design PCHs that support variable amount payments and unlinkability, but reduce the use of huge-cost cryptographic tools as much as possible, is significant for the large-scale practical applications of off-chain payments. In this paper, we propose Accio, a variable amount payment channel hub solution with optimized unlinkability, by deepening research on unlinkability and constructing a new cryptographic tool. We provide the detailed Accio protocol and formally prove its security and privacy under the Universally Composable framework. Our prototype demonstrates its feasibility and the evaluation shows that Accio outperforms the other state-of-the-art works in both communication and computation costs.

支付通道hub (PCH) 是实现用户对之间快速链下支付的一种有前途的解决方案。它们通过使用无需信任的翻转器(tumbler)在付款人和收款人之间传递付款,具有成本低、可扩展性强等优势。然而,最新的支持可变支付金额的隐私保护支付通道hub解决方案存在有限的不可链接性问题,例如容易受到中止攻击。此外,该解决方案使用零知识证明,这在计算时间和通信开销上都带来了巨大的成本。因此,如何设计支持可变金额支付和不可链接性的 PCH,同时尽可能减少使用成本高昂的加密工具,对于链下支付的大规模实际应用具有重要意义。在本文中,我们通过深化对不可链接性的研究并构建新的加密工具,提出了一种具有优化不可链接性的可变金额支付通道枢纽解决方案 Accio。我们提供了详细的 Accio 协议,并在 Universally Composable 框架下正式证明了其安全性和隐私性。我们的原型证明了它的可行性,评估表明 Accio 在通信和计算成本方面都优于其他最先进的工作。

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3576915.3616577

18

Title: 

CryptoConcurrency: (Almost) Consensusless Asset Transfer with Shared Accounts

CryptoConcurrency:通过共享账户实现(几乎)无共识资产转移

Authors

图片

Key words:

Asynchronous BFT; blockchain; consensus; crypt ocurrency

异步 BFT;区块链;共识;crypt ocurrency

Abstract

A typical blockchain protocol uses consensus to make sure that mutually mistrusting users agree on the order in which their operations on shared data are executed. However, it is known that asset transfer systems, by far the most popular application of blockchains, can be implemented without consensus. Assuming that no account can be accessed concurrently and every account belongs to a single owner, one can efficiently implement an asset transfer system in a purely asynchronous, consensus-free manner. It has also been shown that implementing asset transfer with shared accounts is impossible without consensus. In this paper, we propose CryptoConcurrency, an asset transfer protocol that allows concurrent accesses to be processed in parallel, without involving consensus, whenever possible. More precisely, if concurrent transfer operations on a given account do not lead to overspending, i.e. can all be applied without the account balance going below zero, they proceed in parallel. Otherwise, the account's owners may have to access an external consensus object. Notably, we avoid relying on a central, universally-trusted, consensus mechanism and allow each account to use its own consensus implementation, which only the owners of this account trust. This provides greater decentralization and flexibility.

典型的区块链协议使用共识来确保相互不信任的用户同意对共享数据执行操作的顺序。然而,众所周知,资产转移系统是区块链迄今为止最流行的应用,可以在没有共识的情况下实现。假设没有账户可以同时访问,并且每个账户都属于一个所有者,那么可以以纯异步、无共识的方式有效地实现资产转移系统。事实也表明,没有共识就不可能实现共享账户的资产转移。在本文中,我们提出了 CryptoConcurrency,这是一种资产转移协议,它允许在可能的情况下并行处理并发访问,而无需共识。更准确地说,如果给定帐户上的并发转移操作不会导致超支,即可以在帐户余额不低于零的情况下全部应用,则它们将并行进行。否则,帐户的所有者可能必须访问外部共识对象。值得注意的是,我们避免依赖中心的、普遍信任的共识机制,并允许每个帐户使用自己的共识实现,只有该帐户的所有者信任该实现。这提供了更大的去中心化和灵活性。

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3576915.3616587

19

Title: 

TrustBoost: Boosting Trust among Interoperable Blockchains

TrustBoost:增强互操作区块链之间的信任

Authors

图片

Key words:

cross-chain interoperability, smart contracts, consensus

跨链互操作性、智能合约、共识

Abstract

Currently there exist many blockchains with weak trust guarantees, limiting applications and participation. Existing solutions to boost the trust using a stronger blockchain, e.g., via checkpointing, requires the weaker blockchain to give up sovereignty. In this paper, we propose a family of protocols in which multiple blockchains interact to create a combined ledger with boosted trust. We show that even if several of the interacting blockchains cease to provide security guarantees, the combined ledger continues to be secure - our Trustboost protocols achieve the optimal threshold of tolerating the insecure blockchains. This optimality, along with the necessity of blockchain interactions, is formally shown within the classic shared memory model, tackling the long standing open challenge of solving consensus in the presence of both Byzantine objects and processes. Furthermore, our proposed construction of Trustboost simply operates via smart contracts and require no change to the underlying consensus protocols of the participating blockchains, a form of "consensus on top of consensus''. The protocols are lightweight and can be used on specific (e.g., high value) transactions; we demonstrate the practicality by implementing and deploying Trustboost as cross-chain smart contracts in the Cosmos ecosystem using approximately 3,000 lines of Rust code, made available as open source [52]. Our evaluation shows that using 10 Cosmos chains in a local testnet, Trustboost has a gas cost of roughly $2 with a latency of 2 minutes per request, which is in line with the cost on a high security chain such as Bitcoin or Ethereum.

目前,许多区块链的信任保证较弱,限制了应用和参与。使用较强的区块链(如通过检查点)增强信任的现有解决方案需要较弱的区块链放弃主权。在本文中,我们提出了一系列协议,在这些协议中,多个区块链相互作用,创建一个具有增强信任的组合账本。我们的研究表明,即使几个相互作用的区块链不再提供安全保证,组合账本仍然是安全的--我们的信任增强协议达到了容忍不安全区块链的最佳阈值。这种最优性以及区块链交互的必要性在经典共享内存模型中得到了正式证明,从而解决了在拜占庭对象和进程同时存在的情况下解决共识问题这一长期存在的挑战。此外,我们提出的 Trustboost 结构只需通过智能合约运行,无需更改参与区块链的底层共识协议,是一种 “共识之上的共识”。这些协议是轻量级的,可用于特定(如高价值)交易;我们在 Cosmos 生态系统中以跨链智能合约的形式实施和部署了 Trustboost,使用了约 3000 行 Rust 代码,并以开放源代码的形式提供[52],从而证明了其实用性。我们的评估显示,在本地测试网络中使用 10 个 Cosmos 链,Trustboost 的气体成本约为 2 美元,每个请求的延迟时间为 2 分钟,与比特币或以太坊等高安全性链上的成本一致。

图片

图片

图片

图片

Pdf link:

https://dl.acm.org/doi/10.1145/3576915.3623080

篇幅有限,下篇文章将继续分享剩余论文

图片

关注我们,持续接收区块链最新论文

洞察区块链技术发展趋势

Follow us to keep receiving the latest blockchain papers

Insight into Blockchain Technology Trends

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/691548.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

【介绍下什么是Kubernetes编排系统】

🌈个人主页: 程序员不想敲代码啊 🏆CSDN优质创作者,CSDN实力新星,CSDN博客专家 👍点赞⭐评论⭐收藏 🤝希望本文对您有所裨益,如有不足之处,欢迎在评论区提出指正,让我们共…

java线程池介绍

在Java中,线程池是用来管理和复用线程的一种机制,它可以显著提升程序性能,特别是在大量短期异步任务的场景下。以下是创建和使用线程池的基本步骤: 1.创建线程池: 使用java.util.concurrent.Executors类的静态工厂方法创建线程池&…

【c语言】自定义类型----结构体

结构体是c语言的一种自定义类型,自定义类型对于开发者及其重要的类型,它可以随意由开发者进行谱写功能,而今天的结构体可以用来表示一种变量的单个或多种具体属性,再编写代码时有着不可替代的作用!!&#x…

编译原理-词法分析(实验 C语言)

编译原理-词法分析 1. 实验目的 设计、编写并调试一个词法分析程序,加深对词法分析原理的理解 2. 实验要求 2.1 待分析的简单语言的词法 关键字:begin,if,then,while,do,end 所有关键字都是…

Nginx(openresty) 查看连接数和并发送

1 通过浏览器查看 #修改nginx配置文件 location /status {stub_status on;access_log off;allow 192.168.50.0/24;deny all;} #重新加载 sudo /usr/local/openresty/nginx/sbin/nginx -s reloadActive connections //当前 Nginx 当前处理的活动连接数。 server accepts handl…

HPC: perf入门

如果你想查看你的程序在cpu上运行时,耗时时如何分布的,那么perf是一个合理的选择。 准备工作 为了支持使用perf,首先你要安装相关的库 sudo apt install linux-tools-5.15.0-67-generic此外,因为使用perf进行benchmark&#xf…

四种跨域解决方案

文章目录 1.引出跨域1.基本介绍2.具体演示1.启动之前学习过的springboot-furn项目2.浏览器直接访问 [localhost:8081/furns](http://localhost:8081/furns) 可以显示信息3.启动前端项目,取消请求拦截器,这样设置,就会出现跨域4.跨域原因 2.跨…

linux指令--sed

sed 主要用来自动编辑一个或多个文件、简化对文件的反复操作、编写转换程序等。 语法解析 sed [选项] 编辑命令 文件 选项: -n:只显示匹配处理的行-e:执行多个编辑命令时-i:在原文件中进行修改,不输出到屏幕-…

零基础入门学用Arduino 第二部分(一)

重要的内容写在前面: 该系列是以up主太极创客的零基础入门学用Arduino教程为基础制作的学习笔记。个人把这个教程学完之后,整体感觉是很好的,如果有条件的可以先学习一些相关课程,学起来会更加轻松,相关课程有数字电路…

系统思考—决策

为‮么什‬模型及‮式公‬通常比人‮决类‬策更有效?究‮是竟‬什么让‮些某‬模型和公‮表式‬现出色?事实上,我‮应们‬该探究的‮人是‬类在决策‮程过‬中的不足。关‮在键‬于人类‮策决‬中存在的“噪声”。尽‮模管‬型或公‮不式‬完…

【JavaScript】内置对象 - 字符串对象 ⑤ ( 判断对象中是否有某个属性 | 统计字符串中每个字符出现的次数 )

文章目录 一、判断对象中是否有某个属性1、获取对象属性2、判定对象是否有某个属性 二、统计字符串中每个字符出现的次数1、算法分析2、代码示例 String 字符串对象参考文档 : https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/String 一、判…

【NI国产替代】电池模拟器,快速模拟 3C 产品电池的充放电功能

电池模拟器 快速模拟 3C 产品电池的充放电功能输出灵活可调节的电压/电流内置双向 DC-DC 降压变换器为 3C 产品提供漏电检测 电池模拟器系列包含单节双通道(1S)、双节双通道(2S)、三节单通道(3S)三种规格&…

贪心(不相交的开区间、区间选点、带前导的拼接最小数问题)

目录 1.简单贪心 2.区间贪心 不相交的开区间 1.如何删除? 2.如何比较大小 区间选点问题 3.拼接最小数 1.简单贪心 比如:给你一堆数,你来构成最大的几位数 2.区间贪心 不相交的开区间 思路: 首先,如果有两个…

LeetCode刷题之HOT100之颜色分类

下午好呀,大家!昨天估计是喝了假酒,现在没有胃口,喝酒真的没有任何好处。以后尽量避免此活动。今天几乎没睡觉,准备做完这题回宿舍,把电脑也带回去。 1、题目描述 2、逻辑分析 对颜色排序,要求…

数字孪生技术体系和核心能力整理

最近对数字孪生技术进行了跟踪调研学习,整理形成了调研成果,供大家参考。通过学习,发现数字孪生技术的构建过程其实就是数字孪生体的构建与应用过程,数字孪生体的构建是一个体系化的系统工程,数字化转型的最终形态应该就是数实融合互动互联的终极状态。数实融合是每个行业…

自定义类型:结构体+结构体内存对齐+结构体实现位段

结构体内存对齐实现位段 一.结构体1.结构体的声明2.结构体变量成员访问操作符3.结构体传参4.匿名结构体5.结构的自引用 二.结构体内存对齐1.对齐规则2.为什么存在内存对齐?3.修改默认对齐数 三.结构体实现位段1.什么是位段2.位段的内存分配3.位段的跨平台问题4.位段…

flink读取hive写入http接口

目录 0、创建hive数据 1、pom.xml 2、flink代码 3、sink 4、提交任务jar 5、flink-conf.yaml 6、数据接收 flink-1.17.2jdk1.8hive-3.1.3hadoop3.3.6passwordhttp0、创建hive数据 /cluster/hive/bin/beeline !connect jdbc:hive2://ip:10000 create database demo; d…

2024 年最新 Python 基于百度智能云实现短语音识别详细教程

百度智能云语音识别 采用国际领先的流式端到端语音语言一体化建模算法,将语音快速准确识别为文字,支持手机应用语音交互、语音内容分析、机器人对话等场景。百度短语音识别可以将 60 秒以下的音频识别为文字。适用于语音对话、语音控制、语音输入等场景…

HTTP-web服务器

web服务器 web服务器实现了http和相关的tcp连接处理,负责管理web服务器提供的资源,以及对服务器的配置,控制以及拓展等方面的管理 web服务器逻辑实现了http协议,并负责提供web服务器的管理功能,web服务器逻辑和操作系…

skywalking基础使用

skywalking基础使用 找链路追踪Id将链路追踪Id拿到skywalking-ui中筛选对应链路补充说明例如, sql的打印能让我们了解到代码中对应的sql是否符合预期 找链路追踪Id 在接口响应header中复制x-trace-id 这个接口响应正常了, 异常没有暴露到前端, 且调用链路很长, 但我们借助s…