Security Vulnerability Detection and Auditing of Go Chaincode on Blockchains
In blockchains, security testing and verification of smart contracts is of great importance; the enormous losses that several blockchains have suffered from contract vulnerabilities over the years show why. There are many blockchain platforms today, such as ETH, EOS, ONT, TRON, FISCO-BCOS and Fabric, but from the smart-contract perspective, detection of security vulnerabilities and functional logic defects currently falls mainly into the following areas. (Introductory level, personal summary, for reference only.)
Code convention issues
Code convention issues arise from non-standard code, for example redundant code or redundant parameters and variables; to keep contracts to a standard, code review is recommended. These are basically static review issues.
Programming language vulnerabilities
Vulnerabilities that some programming languages themselves produce during compilation, such as integer overflow and integer truncation, as well as more advanced ones such as Go's CVE-2018-6574.
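Integer overflow and truncation are the two language-level defects named above, and they matter in chaincode because balances and counters are usually unsigned integers: an unchecked add wraps to a small value and an unchecked subtract wraps to a huge one. The following Go program is an added example, not code from the original article or from Fabric; the in-memory ledger map, the function names and the error values are assumptions made for illustration. It shows the wrapping defect next to checked arithmetic and a narrowing-conversion check, with all checks done before any state write so that a failed transfer leaves the ledger untouched.

```go
// Added example: checked arithmetic for a chaincode-style token balance.
// Not part of the original article or of Fabric; the ledger map, the
// function names and the error values are assumptions for illustration.
package main

import (
	"errors"
	"fmt"
	"math"
)

var (
	ErrOverflow     = errors.New("arithmetic overflow")
	ErrInsufficient = errors.New("insufficient balance")
	ErrTruncation   = errors.New("value does not fit target type")
)

// WrappingAdd shows the defect: uint64 addition silently wraps around.
func WrappingAdd(a, b uint64) uint64 { return a + b }

// SafeAdd returns ErrOverflow instead of wrapping.
func SafeAdd(a, b uint64) (uint64, error) {
	if a > math.MaxUint64-b {
		return 0, ErrOverflow
	}
	return a + b, nil
}

// SafeSub returns ErrInsufficient instead of underflowing to a huge value.
func SafeSub(a, b uint64) (uint64, error) {
	if b > a {
		return 0, ErrInsufficient
	}
	return a - b, nil
}

// ToInt32 rejects narrowing conversions that would truncate, e.g. when a
// value parsed from a transaction argument is stored in a smaller field.
func ToInt32(v int64) (int32, error) {
	if v < math.MinInt32 || v > math.MaxInt32 {
		return 0, ErrTruncation
	}
	return int32(v), nil
}

// Transfer moves amount between two accounts of an in-memory ledger
// (a constructed stand-in for the world state). Both arithmetic checks run
// before any write, so on error the ledger is left exactly as it was.
func Transfer(ledger map[string]uint64, from, to string, amount uint64) error {
	newFrom, err := SafeSub(ledger[from], amount)
	if err != nil {
		return fmt.Errorf("debit %s: %w", from, err)
	}
	newTo, err := SafeAdd(ledger[to], amount)
	if err != nil {
		return fmt.Errorf("credit %s: %w", to, err)
	}
	ledger[from], ledger[to] = newFrom, newTo
	return nil
}

func main() {
	fmt.Println(WrappingAdd(math.MaxUint64, 1)) // wraps to 0: the overflow defect
	ledger := map[string]uint64{"alice": 100, "bob": math.MaxUint64 - 50}
	fmt.Println(Transfer(ledger, "alice", "bob", 60)) // credit bob: arithmetic overflow
	fmt.Println(Transfer(ledger, "alice", "bob", 30), ledger)
}
```

Linters such as gosec and staticcheck from the lists below flag some of these patterns, but a wrap that is reachable only with a specific argument value is easiest to rule out with explicit bounds checks like these.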
Business logic vulnerabilities
Business logic vulnerabilities mainly concern transaction ordering, business flows and the like; these need to be constrained mostly through manual auditing and contract-template generation that strictly specifies the business logic.
Blockchain-specific vulnerabilities
For example contract reentrancy, pseudo-random number, block-parameter dependence and timestamp dependence vulnerabilities. Most of these are vulnerabilities of the blockchain itself, but some, such as timestamp dependence, can be avoided entirely within the contract.
This article focuses on Fabric and introduces the currently common open-source tools for auditing Go chaincode, covering only the two areas of code convention issues and programming language vulnerabilities. Further discussion will follow as my understanding of auditing deepens.
At present, three reasonably reliable review tools were found: GoReporter, GoMetaLinter and golangci-lint.
(The English descriptions of the linters below are left untranslated to avoid interpretation differences between readers.)
GoReporter
The checks it mainly supports are:
· gofmt - Checks if the code is properly formatted and could not be further simplified.
· govet - Reports variables that may have been unintentionally shadowed.
· golint - Golint is a linter for Go source code.
· unittest - Golang unit test status.
· deadcode - Finds unused code.
· gocyclo - Computes the cyclomatic complexity of functions.
· varcheck - Find unused global variables and constants.
· structcheck - Find unused struct fields.
· aligncheck - Warn about un-optimally aligned structures.
· errcheck - Check that error return values are used.
· copycode(dupl) - Reports potentially duplicated code.
· gosimple - Report simplifications in code.
· staticcheck - Statically detect bugs, both obvious and subtle ones.
· godepgraph - Godepgraph is a program for generating a dependency graph of Go packages.
· misspell - Correct commonly misspelled quickly.
· countcode - Count lines and files of project.
· interfacer - Suggest narrower interfaces that can be used.
· depth - Count the maxdepth of go functions.
· flen - Flen provides stats on functions/methods lengths in a Golang package.
GoMetaLinter
golangci-lint
Linters enabled by default:
deadcode: Finds unused code [fast: false, auto-fix: false]
errcheck: Errcheck is a program for checking for unchecked errors in go programs. The unchecked errors can be critical bugs in some cases [fast: false, auto-fix: false]
gosimple (megacheck): Linter for Go source code that specializes in simplifying a code [fast: false, auto-fix: false]
govet (vet, vetshadow): Vet examines Go source code and reports suspicious constructs, such as Printf calls whose arguments do not align with the format string [fast: false, auto-fix: false]
ineffassign: Detects when assignments to existing variables are not used [fast: true, auto-fix: false]
staticcheck (megacheck): Staticcheck is a go vet on steroids, applying a ton of static analysis checks [fast: false, auto-fix: false]
structcheck: Finds unused struct fields [fast: false, auto-fix: false]
typecheck: Like the front-end of a Go compiler, parses and type-checks Go code [fast: false, auto-fix: false]
unused (megacheck): Checks Go code for unused constants, variables, functions and types [fast: false, auto-fix: false]
varcheck: Finds unused global variables and constants [fast: false, auto-fix: false]
Linters not enabled by default; they can be enabled with -E/--enable:
asciicheck: Simple linter to check that your code does not contain non-ASCII identifiers [fast: true, auto-fix: false]
bidichk: Checks for dangerous unicode character sequences [fast: true, auto-fix: false]
bodyclose: checks whether HTTP response body is closed successfully [fast: false, auto-fix: false]
contextcheck: check the function whether use a non-inherited context [fast: false, auto-fix: false]
cyclop: checks function and package cyclomatic complexity [fast: false, auto-fix: false]
depguard: Go linter that checks if package imports are in a list of acceptable packages [fast: false, auto-fix: false]
dogsled: Checks assignments with too many blank identifiers (e.g. x, _, _, _, := f()) [fast: true, auto-fix: false]
dupl: Tool for code clone detection [fast: true, auto-fix: false]
durationcheck: check for two durations multiplied together [fast: false, auto-fix: false]
errname: Checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error. [fast: false, auto-fix: false]
errorlint: errorlint is a linter for that can be used to find code that will cause problems with the error wrapping scheme introduced in Go 1.13. [fast: false, auto-fix: false]
exhaustive: check exhaustiveness of enum switch statements [fast: false, auto-fix: false]
exhaustivestruct: Checks if all struct's fields are initialized [fast: false, auto-fix: false]
exportloopref: checks for pointers to enclosing loop variables [fast: false, auto-fix: false]
forbidigo: Forbids identifiers [fast: true, auto-fix: false]
forcetypeassert: finds forced type assertions [fast: true, auto-fix: false]
funlen: Tool for detection of long functions [fast: true, auto-fix: false]
gci: Gci control golang package import order and make it always deterministic. [fast: true, auto-fix: true]
gochecknoglobals: check that no global variables exist [fast: true, auto-fix: false]
gochecknoinits: Checks that no init functions are present in Go code [fast: true, auto-fix: false]
gocognit: Computes and checks the cognitive complexity of functions [fast: true, auto-fix: false]
goconst: Finds repeated strings that could be replaced by a constant [fast: true, auto-fix: false]
gocritic: Provides diagnostics that check for bugs, performance and style issues. [fast: false, auto-fix: false]
gocyclo: Computes and checks the cyclomatic complexity of functions [fast: true, auto-fix: false]
godot: Check if comments end in a period [fast: true, auto-fix: true]
godox: Tool for detection of FIXME, TODO and other comment keywords [fast: true, auto-fix: false]
goerr113: Golang linter to check the errors handling expressions [fast: false, auto-fix: false]
gofmt: Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification [fast: true, auto-fix: true]
gofumpt: Gofumpt checks whether code was gofumpt-ed. [fast: true, auto-fix: true]
goheader: Checks is file header matches to pattern [fast: true, auto-fix: false]
goimports: In addition to fixing imports, goimports also formats your code in the same style as gofmt. [fast: true, auto-fix: true]
golint: Golint differs from gofmt. Gofmt reformats Go source code, whereas golint prints out style mistakes [fast: false, auto-fix: false]
gomnd: An analyzer to detect magic numbers. [fast: true, auto-fix: false]
gomoddirectives: Manage the use of 'replace', 'retract', and 'excludes' directives in go.mod. [fast: true, auto-fix: false]
gomodguard: Allow and block list linter for direct Go module dependencies. This is different from depguard where there are different block types for example version constraints and module recommendations. [fast: true, auto-fix: false]
goprintffuncname: Checks that printf-like functions are named with f at the end [fast: true, auto-fix: false]
gosec (gas): Inspects source code for security problems [fast: false, auto-fix: false]
ifshort: Checks that your code uses short syntax for if-statements whenever possible [fast: true, auto-fix: false]
importas: Enforces consistent import alias [fast: false, auto-fix: false]
interfacer: Linter that suggests narrower interface types [fast: false, auto-fix: false]
ireturn: Accept Interfaces, Return Concrete Types [fast: false, auto-fix: false]
lll: Reports long lines [fast: true, auto-fix: false]
makezero: Finds slice declarations with non-zero initial length [fast: false, auto-fix: false]
maligned: Tool to detect Go structs that would take less memory if their fields were sorted [fast: false, auto-fix: false]
misspell: Finds commonly misspelled English words in comments [fast: true, auto-fix: true]
nakedret: Finds naked returns in functions greater than a specified function length [fast: true, auto-fix: false]
nestif: Reports deeply nested if statements [fast: true, auto-fix: false]
nilerr: Finds the code that returns nil even if it checks that the error is not nil. [fast: false, auto-fix: false]
nilnil: Checks that there is no simultaneous return of nil error and an invalid value. [fast: false, auto-fix: false]
nlreturn: nlreturn checks for a new line before return and branch statements to increase code clarity [fast: true, auto-fix: false]
noctx: noctx finds sending http request without context.Context [fast: false, auto-fix: false]
nolintlint: Reports ill-formed or insufficient nolint directives [fast: true, auto-fix: false]
paralleltest: paralleltest detects missing usage of t.Parallel() method in your Go test [fast: true, auto-fix: false]
prealloc: Finds slice declarations that could potentially be preallocated [fast: true, auto-fix: false]
predeclared: find code that shadows one of Go's predeclared identifiers [fast: true, auto-fix: false]
promlinter: Check Prometheus metrics naming via promlint [fast: true, auto-fix: false]
revive: Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint. [fast: false, auto-fix: false]
rowserrcheck: checks whether Err of rows is checked successfully [fast: false, auto-fix: false]
scopelint: Scopelint checks for unpinned variables in go programs [fast: true, auto-fix: false]
sqlclosecheck: Checks that sql.Rows and sql.Stmt are closed. [fast: false, auto-fix: false]
stylecheck: Stylecheck is a replacement for golint [fast: false, auto-fix: false]
tagliatelle: Checks the struct tags. [fast: true, auto-fix: false]
tenv: tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17 [fast: false, auto-fix: false]
testpackage: linter that makes you use a separate _test package [fast: true, auto-fix: false]
thelper: thelper detects golang test helpers without t.Helper() call and checks the consistency of test helpers [fast: false, auto-fix: false]
tparallel: tparallel detects inappropriate usage of t.Parallel() method in your Go test codes [fast: false, auto-fix: false]
unconvert: Remove unnecessary type conversions [fast: false, auto-fix: false]
unparam: Reports unused function parameters [fast: false, auto-fix: false]
varnamelen: checks that the length of a variable's name matches its scope [fast: false, auto-fix: false]
wastedassign: wastedassign finds wasted assignment statements. [fast: false, auto-fix: false]
whitespace: Tool for detection of leading and trailing whitespace [fast: true, auto-fix: true]
wrapcheck: Checks that errors returned from external packages are wrapped [fast: false, auto-fix: false]
wsl: Whitespace Linter - Forces you to use empty lines! [fast: true, auto-fix: false]
Published: 2023-05-21 14:36:02
Link: https://www.wtabcd.cn/zhishi/a/168465096346936.html