Smart contracts where one line of code evaporated $1: do you understand formal verification? | Characters

Time:09-17



(Characters) is the people column of Blockchain Base (ID: blockchain_camp). With the aim of being (fun without being unprofessional, readable without losing depth), it invites top blockchain experts and developers in the fields of industry, investment and financing, development, case studies, project practices and so on,

As the core of the Ethereum ecosystem, smart contracts have developed rapidly in recent years. The earliest smart contract can be traced back to 1995, when the idea was first put forward by the cryptographer Nick Szabo. Smart contracts have obvious advantages in scenarios with participating parties and complex transactions.


Recently, however, as smart contract security problems have become frequent, the disadvantages of smart contracts have also become increasingly obvious: how a smart contract that controls assets, including physical ones, can ensure the contract is effectively performed, and how to ensure the code fully reflects the counterparties' intent without error. The vulnerabilities caused by these problems made the market value of famous projects such as The DAO, Parity and BEC drop to almost zero overnight.


In addition, once a smart contract is uploaded it is public and cannot be changed, so the demand of blockchain projects for security is even more urgent.


In response to these security issues, Chengdu LianAn Technology is trying to apply a method that originated in the military industry, formal verification, to smart contract security audits. Formal verification describes a system with methods based on mathematical modeling. Through formal verification, developers can review the security of a program in advance and eliminate logic bugs and security vulnerabilities, so as to ensure the security of the contract.

To learn more about formal verification, we recently interviewed Yang Xia, founder and CEO of LianAn Technology, about the principle of formal verification and the current state of the market.


The following is a record of the conversation with Yang Xia.


An accident that opened the door to the new world of blockchain

Blockchain Base: I understand that your main identity is professor at the University of Electronic Science and Technology. What was your experience before you took up blockchain?

Yang Xia: From undergraduate to master's to doctorate, I have always been at the University of Electronic Science and Technology. Someone said I went all the way (by plane) (smile). Then I stayed on as a teacher, and in September 2012 I began to do formal verification. In 2013 I spent a year working and studying as a visiting scholar at an international security lab of a university in the United States.

Why did I take up formal verification? The reason is that I had been studying embedded operating system security technology, and someone asked me: how do you prove that your system is secure? I had to find a way to prove it. So I began to explore methods for proving the security and functionality of a system, and found formal verification. Formal verification was actually very unpopular then and its audience was not wide, so it was basically studied in universities and research institutes. I also applied the technology to safety-critical software in aerospace, aviation, military and other fields.

Blockchain Base: What was the opportunity that took you from teaching to being an entrepreneur at a blockchain company?

Yang Xia: My first contact with blockchain was the famous DAO security incident in 2016. I didn't actually care much about it at the time, but I have a friend in blockchain who told me that, with formal verification, I could go and verify the security of smart contracts, for example for the DAO security incident. I thought it was interesting and gave it a try. At that time we had no automated tools and could only rely on people to describe the code formally and then prove it. In the end we found that applying formal verification to smart contract security audits works well.

Then I looked for a smart contract donated by IBM (there was not much to the contract), verified it, and also found an issue (unchecked send return value). So we thought that formal verification has a very big role to play in the blockchain field. In September last year, at the Wanxiang Group's third World Blockchain Summit, the organizers invited me to give a talk on the theme of formal verification of smart contracts, which caught people's attention at the time.

But at that time we had not yet made automated tools and had to rely on people to do the work, and people make mistakes. I kept thinking about how to improve the degree of automation, reduce manual involvement, and be compatible with more blockchain platforms. This is the reason the VaaS platform was built.

Blockchain Base: Please give a brief introduction to the VaaS platform.

Yang Xia: VaaS (Verification as a Service) is the first formal verification platform to support both EOS and Ethereum. Its advantages include efficient verification, a high degree of automation, low manual involvement, ease of use, and support for multiple contract development languages.

It is mainly used for security audits of smart contracts. Through this (military) security verification, it improves the security of the blockchain ecosystem and at the same time achieves effective control of risk. The VaaS platform's "one-click" formal verification tool can precisely locate the risky position in the code and the reason for the risk, and effectively verifies the conventional security vulnerabilities, security properties and functional correctness of smart contracts or blockchain applications, so as to raise their level of security. The related research has applied for 5 software invention patents.

Revealing formal verification techniques

Blockchain Base: How does formal verification differ from what traditional Internet security companies do?

Yang Xia: Traditional Internet security companies (promote prevention), whereas we start directly from the security of the code itself to prevent unsafe events from occurring. To give an analogy, one is like Western medicine, which treats you when you are sick, and the other is like traditional Chinese medicine, which emphasizes raising your own resistance: the healthier your body, the harder it is to get sick.

Blockchain Base: What exactly is the principle of formal verification?

Yang Xia: Formal verification is a method based on mathematics and logic. Specifically, before a smart contract is deployed, a formal model is built of its code and documentation, and then the security and functional correctness of the code are rigorously proved by mathematical means. This can effectively detect whether the smart contract has security vulnerabilities and logic flaws. The method effectively makes up for the traditional practice of looking for logic defects and vulnerabilities in the code manually and by experience. The advantage of formal verification is that traditional testing cannot exhaust all possible inputs, while from the perspective of mathematical proof we can overcome this problem.

Blockchain Base: Can you give an example to explain further?

Yang Xia: We build a formal model from the contract documents and code, and verify it by mathematical reasoning and proof to establish the functional correctness and security properties of the smart contract. This can find logic bugs and security vulnerabilities in the code and makes up for the shortcomings of looking for logic flaws manually.


Take checking the overflow security property, a class of vulnerability that has been frequent recently, as an example: checking whether the code

int8 c = a + b

has an overflow vulnerability. The proof process for the functional correctness and security properties of this line of code is shown below.


First, we model the integer types and define the formal rule:

Int8.repr: Z -> Int8

This rule obtains an 8-bit machine integer by taking the low 8 bits of a pure mathematical integer (whose value ranges from negative infinity to infinity). We then write the formal specification of the addition operation, as follows:

{a: int8, b: int8}  // the precondition of code execution, ensuring that a and b are 8-bit signed machine integers;

{c = a + b;}  // the addition in the source program;

{(Int8.repr (a + b)) /\ ((Int8.repr (a + b)) = (a + b))};  // the postcondition for the code having executed correctly.


Here, (Int8.repr (a + b)) is there to prove that the code meets functional correctness: we need to prove that the source code computes the sum of a and b, rather than a difference or any other operation logic, and that the result of the computation is converted to the int8 type. In addition, we need to prove the overflow security property, so we add the postcondition:

((Int8.repr (a + b)) = (a + b))

Because once

a + b > Int8.max_signed or

a + b
(Int8.repr (a + b)) indicates (a + b),


Finally, we check whether, starting from the precondition, the execution of the code satisfies the postconditions above. If the result is that this cannot be proved, then either the program's function is incorrect or there is an overflow vulnerability. Based on that result, the source program is analyzed and modified and then proved again, until the proof goes through. In this way of mathematical proof, we describe the code formally as formulas and prove its properties; other logic bugs and security vulnerabilities are proved in the same way. Based on this principle, we implemented automated verification tools that can conveniently and quickly verify the functional correctness and security properties of code.
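An added example, not part of the interview and not LianAn's tooling: the int8 addition specification above, checked in Python by enumerating every pair of int8 operands. The function names and the strengthened precondition are assumptions of this example, and enumeration stands in for the mathematical proof only because the int8 domain is small.

```python
# Added example: exhaustive check of the int8 addition triple (names are illustrative).
INT8_MIN, INT8_MAX = -128, 127

def int8_repr(z):
    """Model of Int8.repr: Z -> Int8: keep the low 8 bits, read as two's complement."""
    low = z & 0xFF
    return low - 256 if low > INT8_MAX else low

def postcondition(a, b, c):
    """c is the int8 sum (functional correctness) and equals the true sum (no overflow)."""
    return c == int8_repr(a + b) and int8_repr(a + b) == a + b

def counterexamples(precondition):
    """All int8 pairs (a, b) that satisfy the precondition but break the postcondition."""
    found = []
    for a in range(INT8_MIN, INT8_MAX + 1):
        for b in range(INT8_MIN, INT8_MAX + 1):
            if precondition(a, b):
                c = int8_repr(a + b)  # machine semantics of `c = a + b`
                if not postcondition(a, b, c):
                    found.append((a, b))
    return found

def types_only(a, b):
    """The precondition from the text: a and b are int8, nothing more."""
    return True

def range_guarded(a, b):
    """Strengthened precondition (assumed fix): the true sum fits in int8."""
    return INT8_MIN <= a + b <= INT8_MAX

if __name__ == "__main__":
    bad = counterexamples(types_only)
    print(len(bad), "of 65536 pairs overflow, e.g.", bad[0], "and", bad[-1])
    print("with range guard:", len(counterexamples(range_guarded)), "counterexamples")
```

With only the type precondition the triple cannot be proved, which is the "cannot prove" outcome described above; once the precondition bounds the true sum, no counterexample remains.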


Copied by the giants? Not afraid!


Blockchain Base: What is the competitive threshold for a formal verification platform? How do you prevent being plagiarized by the giants?

Yang Xia: The threshold is high. Others may want to come in, but they cannot do so in the short term; the field of formal verification requires many years of accumulation.

In addition, I do not reject more and more people coming into the industry. Everyone finds their own place in it, and the market cannot be served by one party alone. Whoever does it better and faster can occupy a larger share. We have developed a highly automated blockchain formal verification platform, applied for patents, and carried out cooperation with well-known enterprises such as Bytom, Bubi and Huobi. We have confidence in our products: only highly automated smart contract security audits can guarantee the accuracy and efficiency of the audit.


Blockchain Base: In this area, which companies currently compete with you, and what is the difference?

Yang Xia: At present, no one in China has adopted formal verification for smart contract security audits. We are the first, because we started early.


Blockchain Base: From a technical perspective, do you think there are differences in formal verification between China and overseas?

Yang Xia: Technically, the difference is not big. The advantage of the Chinese is that they push hard at things. Across the whole blockchain field, the gap between our level of technological development and that abroad is not large, but in terms of security our company targeted this earlier than those abroad and has accumulated more. For example, we were the first to make an automated contract audit tool that supports both Ethereum and EOS.


Blockchain Base: In researching and developing the system, what was your greatest technical challenge, and how did you deal with it?

Yang Xia: For us, the most troublesome thing is that verification in blockchain is different from formal verification of traditional software such as operating systems. The problem in blockchain is that there are multiple blockchain platforms and a variety of smart contract development languages, and some blockchain platforms even offer several contract development languages. This is the biggest challenge.


As for coping, we can only fill the holes one at a time. Although we have built a framework layer in the middle that lets us support each platform more quickly, there is still some technical work that has to be completed one item at a time, such as adapting to each platform in turn. To bring our tools to more platforms, there is still a lot of work to do.


Developers, don't let a mistake ruin big business


Blockchain Base: Among the projects you have taken on, are there typical security vulnerabilities?

Yang Xia: So far they have still been novice-level errors, such as the BEC exploit, and the more advanced vulnerabilities that came out on the Ethereum platform earlier, such as short address attacks and denial-of-service attacks. These vulnerabilities can all be found through formal verification.


Blockchain Base: Since the platforms are not safe, how should we think about these problems?

Yang Xia: There are various kinds of security. For smart contracts, 80% have security issues. At the DApp level, there was the earlier reported BiYong vulnerability, which transferred user information in cleartext. And the platforms themselves have security vulnerabilities left in them.


It is like Windows: the more people use it, the more vulnerabilities are dug up, but what that actually means is that the platform is gradually becoming safer. It is the same with Ethereum: everyone scolds it every day for being unsafe, but everyone still uses it.


Blockchain Base: What are you going to do next?
