
Security Vulnerability Detection and Auditing of Go Chaincode on Blockchains
In blockchain systems, the security testing and verification of smart contracts is extremely important, as the huge losses several blockchains have suffered from historical contract vulnerabilities show. There are many blockchain platforms today, such as ETH, EOS, ONT, TRON, FISCO-BCOS and Fabric, but from the smart-contract perspective, detection of security vulnerabilities and functional logic defects currently falls into the following areas. (Introductory notes and a personal summary, for reference only.)
Coding-standard issues
Problems in this category usually stem from non-standard code, such as redundant code and unused parameters or variables. For the sake of contract conformance, code review is recommended here as well. These are basically all static-review issues.
Programming-language vulnerabilities
These are vulnerabilities that arise from the programming language itself during compilation and execution, such as integer overflow and integer truncation, and, at a more advanced level, Go's CVE-2018-6574.
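As an added illustration of the integer overflow and truncation class just mentioned, written for this page rather than taken from it or from any Fabric chaincode: a constructed in-memory Ledger map stands in for world state, vulnerableCredit shows how an unchecked int-to-uint64 conversion and addition wrap a balance, and safeCredit shows the range-checked form.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
)

// Ledger is a constructed in-memory stand-in for chaincode world state (example only).
type Ledger map[string]uint64

var ErrOverflow = errors.New("balance arithmetic would wrap around")

// vulnerableCredit shows the bug class: Atoi accepts "-1", the int -> uint64
// conversion silently truncates it to 2^64-1, and the addition then wraps.
func vulnerableCredit(l Ledger, acct, amountStr string) error {
	amt, err := strconv.Atoi(amountStr)
	if err != nil {
		return err
	}
	l[acct] = l[acct] + uint64(amt) // no range check, no overflow check
	return nil
}

// safeCredit parses within the unsigned 64-bit range (so "-1" and values above
// MaxUint64 are rejected) and refuses an addition that would exceed MaxUint64.
func safeCredit(l Ledger, acct, amountStr string) error {
	amt, err := strconv.ParseUint(amountStr, 10, 64)
	if err != nil {
		return fmt.Errorf("invalid amount %q: %w", amountStr, err)
	}
	if amt > math.MaxUint64-l[acct] {
		return ErrOverflow
	}
	l[acct] += amt
	return nil
}

func main() {
	l := Ledger{"alice": 100}
	_ = vulnerableCredit(l, "alice", "-1")
	fmt.Println("alice after vulnerable credit of -1:", l["alice"]) // prints 99
	fmt.Println("safe credit of -1:", safeCredit(l, "alice", "-1"))
}
```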
Business-logic vulnerabilities
Business-logic vulnerabilities mainly concern transaction ordering, business processes and the like. These mostly require manual auditing and contract-template generation to strictly define the business logic.
Blockchain-specific vulnerabilities
For example, contract reentrancy, pseudo-random-number, block-parameter-dependency and timestamp-dependency vulnerabilities. Most of these are vulnerabilities of the blockchain itself, but some, such as timestamp dependency, can be avoided entirely within the contract.
This article targets Fabric and introduces the open-source tools currently in common use for auditing Go chaincode, covering only the two areas of coding-standard issues and programming-language vulnerabilities. Further discussion will follow as understanding of auditing deepens.
At present, three fairly reliable review tools have been found: GoReporter, GoMetaLinter and golangci-lint.
(The English descriptions of the linters below are left untranslated to avoid misunderstandings caused by wording differences.)
GoReporter
The main checks it supports are:
· gofmt - Checks if the code is properly formatted and could not be further simplified.
· govet - Reports variables that may have been unintentionally shadowed.
· golint - Golint is a linter for Go source code.
· unittest - Golang unit test status.
· deadcode - Finds unused code.
· gocyclo - Computes the cyclomatic complexity of functions.
· varcheck - Find unused global variables and constants.
· structcheck - Find unused struct fields.
· aligncheck - Warn about un-optimally aligned structures.
· errcheck - Check that error return values are used.
· copycode(dupl) - Reports potentially duplicated code.
· gosimple - Report simplifications in code.
· staticcheck - Statically detect bugs, both obvious and subtle ones.
· godepgraph - Godepgraph is a program for generating a dependency graph of Go packages.
· misspell - Correct commonly misspelled quickly.
· countcode - Count lines and files of project.
· interfacer - Suggest narrower interfaces that can be used.
· depth - Count the maxdepth of go functions.
· flen - Flen provides stats on functions/methods lengths in a Golang package.
GoMetaLinter
golangci-lint
Linters enabled by default:
deadcode: Finds unused code [fast: false, auto-fix: false]
errcheck: Errcheck is a program for checking for unchecked errors in go programs. The unchecked errors can be critical bugs in some cases [fast: false, auto-fix: false]
gosimple (megacheck): Linter for Go source code that specializes in simplifying a code [fast: false, auto-fix: false]
govet (vet, vetshadow): Vet examines Go source code and reports suspicious constructs, such as Printf calls whose arguments do not align with the format string [fast: false, auto-fix: false]
ineffassign: Detects when assignments to existing variables are not used [fast: true, auto-fix: false]
staticcheck (megacheck): Staticcheck is a go vet on steroids, applying a ton of static analysis checks [fast: false, auto-fix: false]
structcheck: Finds unused struct fields [fast: false, auto-fix: false]
typecheck: Like the front-end of a Go compiler, parses and type-checks Go code [fast: false, auto-fix: false]
unused (megacheck): Checks Go code for unused constants, variables, functions and types [fast: false, auto-fix: false]
varcheck: Finds unused global variables and constants [fast: false, auto-fix: false]
Linters not enabled by default, which can be turned on with -E/--enable:
asciicheck: Simple linter to check that your code does not contain non-ASCII identifiers [fast: true, auto-fix: false]
bidichk: Checks for dangerous unicode character sequences [fast: true, auto-fix: false]
bodyclose: checks whether HTTP response body is closed successfully [fast: false, auto-fix: false]
contextcheck: check the function whether use a non-inherited context [fast: false, auto-fix: false]
cyclop: checks function and package cyclomatic complexity [fast: false, auto-fix: false]
depguard: Go linter that checks if package imports are in a list of acceptable packages [fast: false, auto-fix: false]
dogsled: Checks assignments with too many blank identifiers (e.g. x, _, _, _, := f()) [fast: true, auto-fix: false]
dupl: Tool for code clone detection [fast: true, auto-fix: false]
durationcheck: check for two durations multiplied together [fast: false, auto-fix: false]
errname: Checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error. [fast: false, auto-fix: false]
errorlint: errorlint is a linter for that can be used to find code that will cause problems with the error wrapping scheme introduced in Go 1.13. [fast: false, auto-fix: false]
exhaustive: check exhaustiveness of enum switch statements [fast: false, auto-fix: false]
exhaustivestruct: Checks if all struct's fields are initialized [fast: false, auto-fix: false]
exportloopref: checks for pointers to enclosing loop variables [fast: false, auto-fix: false]
forbidigo: Forbids identifiers [fast: true, auto-fix: false]
forcetypeassert: finds forced type assertions [fast: true, auto-fix: false]
funlen: Tool for detection of long functions [fast: true, auto-fix: false]
gci: Gci control golang package import order and make it always deterministic. [fast: true, auto-fix: true]
gochecknoglobals: check that no global variables exist [fast: true, auto-fix: false]
gochecknoinits: Checks that no init functions are present in Go code [fast: true, auto-fix: false]
gocognit: Computes and checks the cognitive complexity of functions [fast: true, auto-fix: false]
goconst: Finds repeated strings that could be replaced by a constant [fast: true, auto-fix: false]
gocritic: Provides diagnostics that check for bugs, performance and style issues. [fast: false, auto-fix: false]
gocyclo: Computes and checks the cyclomatic complexity of functions [fast: true, auto-fix: false]
godot: Check if comments end in a period [fast: true, auto-fix: true]
godox: Tool for detection of FIXME, TODO and other comment keywords [fast: true, auto-fix: false]
goerr113: Golang linter to check the errors handling expressions [fast: false, auto-fix: false]
gofmt: Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification [fast: true, auto-fix: true]
gofumpt: Gofumpt checks whether code was gofumpt-ed. [fast: true, auto-fix: true]
goheader: Checks is file header matches to pattern [fast: true, auto-fix: false]
goimports: In addition to fixing imports, goimports also formats your code in the same style as gofmt. [fast: true, auto-fix: true]
golint: Golint differs from gofmt. Gofmt reformats Go source code, whereas golint prints out style mistakes [fast: false, auto-fix: false]
gomnd: An analyzer to detect magic numbers. [fast: true, auto-fix: false]
gomoddirectives: Manage the use of 'replace', 'retract', and 'excludes' directives in go.mod. [fast: true, auto-fix: false]
gomodguard: Allow and block list linter for direct Go module dependencies. This is different from depguard where there are different block types for example version constraints and module recommendations. [fast: true, auto-fix: false]
goprintffuncname: Checks that printf-like functions are named with f at the end [fast: true, auto-fix: false]
gosec (gas): Inspects source code for security problems [fast: false, auto-fix: false]
ifshort: Checks that your code uses short syntax for if-statements whenever possible [fast: true, auto-fix: false]
importas: Enforces consistent import alias [fast: false, auto-fix: false]
interfacer: Linter that suggests narrower interface types [fast: false, auto-fix: false]
ireturn: Accept Interfaces, Return Concrete Types [fast: false, auto-fix: false]
lll: Reports long lines [fast: true, auto-fix: false]
makezero: Finds slice declarations with non-zero initial length [fast: false, auto-fix: false]
maligned: Tool to detect Go structs that would take less memory if their fields were sorted [fast: false, auto-fix: false]
misspell: Finds commonly misspelled English words in comments [fast: true, auto-fix: true]
nakedret: Finds naked returns in functions greater than a specified function length [fast: true, auto-fix: false]
nestif: Reports deeply nested if statements [fast: true, auto-fix: false]
nilerr: Finds the code that returns nil even if it checks that the error is not nil. [fast: false, auto-fix: false]
nilnil: Checks that there is no simultaneous return of nil error and an invalid value. [fast: false, auto-fix: false]
nlreturn: nlreturn checks for a new line before return and branch statements to increase code clarity [fast: true, auto-fix: false]
noctx: noctx finds sending http request without context.Context [fast: false, auto-fix: false]
nolintlint: Reports ill-formed or insufficient nolint directives [fast: true, auto-fix: false]
paralleltest: paralleltest detects missing usage of t.Parallel() method in your Go test [fast: true, auto-fix: false]
prealloc: Finds slice declarations that could potentially be preallocated [fast: true, auto-fix: false]
predeclared: find code that shadows one of Go's predeclared identifiers [fast: true, auto-fix: false]
promlinter: Check Prometheus metrics naming via promlint [fast: true, auto-fix: false]
revive: Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint. [fast: false, auto-fix: false]
rowserrcheck: checks whether Err of rows is checked successfully [fast: false, auto-fix: false]
scopelint: Scopelint checks for unpinned variables in go programs [fast: true, auto-fix: false]
sqlclosecheck: Checks that sql.Rows and sql.Stmt are closed. [fast: false, auto-fix: false]
stylecheck: Stylecheck is a replacement for golint [fast: false, auto-fix: false]
tagliatelle: Checks the struct tags. [fast: true, auto-fix: false]
tenv: tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17 [fast: false, auto-fix: false]
testpackage: linter that makes you use a separate _test package [fast: true, auto-fix: false]
thelper: thelper detects golang test helpers without t.Helper() call and checks the consistency of test helpers [fast: false, auto-fix: false]
tparallel: tparallel detects inappropriate usage of t.Parallel() method in your Go test codes [fast: false, auto-fix: false]
unconvert: Remove unnecessary type conversions [fast: false, auto-fix: false]
unparam: Reports unused function parameters [fast: false, auto-fix: false]
varnamelen: checks that the length of a variable's name matches its scope [fast: false, auto-fix: false]
wastedassign: wastedassign finds wasted assignment statements. [fast: false, auto-fix: false]
whitespace: Tool for detection of leading and trailing whitespace [fast: true, auto-fix: true]
wrapcheck: Checks that errors returned from external packages are wrapped [fast: false, auto-fix: false]
wsl: Whitespace Linter - Forces you to use empty lines! [fast: true, auto-fix: false]

Published: 2023-05-21 14:36:02
Article link: http://m.newhan.cn/zhishi/a/168465096346936.html