Research Output Details

Title: Understanding and Detecting Privacy Leakage Vulnerabilities in Hyperledger Fabric Chaincodes
Authors
Publication date: 2024
Conference name: 35th IEEE International Symposium on Software Reliability Engineering, ISSRE 2024
Proceedings title: Proceedings - International Symposium on Software Reliability Engineering, ISSRE
ISSN: 1071-9458
Pages: 570-581
Conference date: 2024-10-28 to 2024-10-28
Conference location: jpn, Tsukuba
Abstract: The application on a blockchain cannot maintain secrecy because its data is replicated across all peers in the network. To remedy this problem, Hyperledger Fabric introduces private data collection (PDC) into its smart contract (i.e. chaincode) to facilitate applications that require privacy. However, recent studies have revealed that PDC is too complex for chaincode developers to fully understand and use correctly, leading to privacy leakage vulnerabilities. In this paper, we present an empirical study on the prevalence of PDC misuse in chaincodes by extracting privacy leakage cases from StackOverflow posts and Hyperledger Fabric repositories on GitHub. Subsequently, we systematically categorize the misuse of PDC into three categories of vulnerabilities resulting in the leakage of private data and provide formal definitions for them. Furthermore, we develop PDChecker, an automated security analysis framework for identifying the privacy and security vulnerabilities in Fabric chaincodes. We evaluated PDChecker on 956 real-world chaincodes applying PDC and found that 67.78% of them contain at least one privacy leakage vulnerability. In addition, PDChecker uncovered 10 zero-day vulnerabilities documented by the China National Vulnerability Database.
Keywords: chaincode; Hyperledger Fabric; privacy; private data collection; smart contract; vulnerability detection
DOI: 10.1109/ISSRE62328.2024.00060
Language: English
Scopus accession number: 2-s2.0-85214577147
Document type: Conference paper
Item identifier: https://repository.uic.edu.cn/handle/39GCC9TT/13453
Collection: Individual knowledge output outside this institution
Corresponding authors: Li, Yue; Guan, Zhi
Author affiliations
1. Peking University, School of Computer Science, Beijing, China
2. Taiyuan University of Technology, College of Computer Science and Technology, Taiyuan, China
3. Beijing Jiaotong University, Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing, China
4. Peking University Chongqing Research Institute of Big Data, Chongqing, China
5. Peking University, National Engineering Research Center for Software Engineering, Beijing, China
Recommended citation
GB/T 7714
Chen, Ziming, Li, Yue, Gao, Jianbo, et al. Understanding and Detecting Privacy Leakage Vulnerabilities in Hyperledger Fabric Chaincodes[C], 2024: 570-581.
Files in this item
There are no files associated with this item.