1. Introduction & Overview
Web3, built on decentralized blockchain technology, has grown rapidly in areas such as DeFi, NFTs and gaming, with billions of dollars in total value locked. A core component of this ecosystem is Web3 authentication, a challenge-response protocol in which users are identified by their public key (wallet address). The application sends a message to the user's private wallet (for example, MetaMask), the user signs it with their private key, and the application verifies the signature to grant access.
Despite its role as the gateway to Web3 applications and assets, the security of this authentication scheme has been largely neglected. While prior research has focused on smart-contract bugs and DeFi exploits, this paper identifies a systemic flaw in the authentication step itself, which it names "blind message attacks".
Key Figures at a Glance
- 75.8% of the tested Web3 authentication services were vulnerable.
- 22 of 29 real-world applications were at risk.
- 80% attack-detection success rate with Web3AuthGuard.
- Two CVE IDs were assigned for the discovered vulnerabilities.
2. Blind Message Attacks
2.1 Attack Model & Vulnerability
The core vulnerability is the user's inability to verify the true source and purpose of a signing request. In a standard Web3 authentication flow, the wallet displays a message (often a random nonce) for the user to sign. The attack exploits the fact that this message carries no context and that its origin can be spoofed.
Attack scenario: the attacker builds a malicious website that mimics the login page of a legitimate Web3 application. When the user connects their wallet, the malicious site forwards an authentication request (the message) obtained from the targeted legitimate application to the user's wallet. The user, who sees an ordinary-looking signing request in the wallet UI, signs it blindly. The signature travels to the legitimate application via the attacker, who thereby gains unauthorized access to the user's account on that application.
2.2 Technical Mechanism
The attack is a form of application-layer Man-in-the-Middle (MitM), but it is made possible by design flaws in the interaction protocol between wallet and application. The wallet API (e.g., eth_requestAccounts, personal_sign) neither enforces nor displays, for every message type, context about which domain a message belongs to. The wallet can show which site is asking, but nothing in a bare personal_sign message ties it to the site that minted it, which creates a "blind spot" for the user.
3. Detection & Mitigation
3.1 The Web3AuthChecker Tool
The authors developed Web3AuthChecker, a dynamic analysis tool that automatically interacts with the authentication-related APIs of Web3 applications. It probes for the vulnerability by reproducing the blind-message attack path, capturing and relaying signing requests, and checks whether the application's session management can be compromised by a signature obtained from a different origin.
3.2 Web3AuthGuard for MetaMask
As a client-side defence, the authors implemented Web3AuthGuard, a prototype browser extension integrated with the open-source MetaMask wallet. Its job is to analyse the context of signing requests: it compares the domain that initiated the request with the target domain embedded in, or associated with, the message. When it detects a mismatch or a suspicious relay pattern, it raises an alert to the user before they sign.
4. Evaluation & Results
4.1 Test Setup
The study evaluated 29 well-known Web3 applications across categories including DeFi platforms (e.g., Uniswap, Aave), NFT marketplaces (e.g., OpenSea) and Web3 games. Web3AuthChecker was deployed to test their authentication endpoints automatically.
4.2 Main Findings & Figures
The results were alarming: 22 of the 29 applications (75.8%) were vulnerable to blind message attacks. This high prevalence shows that the flaw is systemic rather than an edge case. A follow-up evaluation of Web3AuthGuard showed that it could successfully raise an alert in 80% of the vulnerable authentication flows tested, demonstrating the potential for real-time user protection.
Chart description (conceptual): a bar chart would show "Vulnerable applications (22)" far taller than "Secure applications (7)". A second chart would show Web3AuthGuard's "Successful alerts" covering 80% of "Vulnerable flows tested".
5. Technical Deep Dive
5.1 Mathematical Foundation
Web3 authentication relies on digital signatures using Elliptic Curve Cryptography, typically the secp256k1 curve used by Ethereum. The core verification of a signature $(r, s)$ on a message $m$ for a public key $Q$ (from which the address is derived) is:
$ \text{Verify}(m, (r, s), Q) = \text{true} \quad \text{if} \quad \big(s^{-1}(eG + rQ)\big)_x \equiv r \pmod{n} $
where $e$ is the hash of the message $m$, $G$ is the generator point and $n$ is the order of the curve. The attack does not break this cryptography. Instead, it breaks the protocol assumption that $m$ is bound to a specific origin/context. The security failure is that $\text{Context}(m) \neq \text{Context}_{\text{user}}$: the message was minted for the legitimate application, but the user signs it on the attacker's page.
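Why the verification equation holds, and why nothing in it can mention an origin (an added derivation, not from the paper, using the paper's symbols plus the signer's private key $d$ with $Q = dG$ and the per-signature nonce $k$):
$ r = (kG)_x \bmod n, \qquad s = k^{-1}(e + r d) \bmod n $
$ s^{-1}(eG + rQ) = s^{-1}(e + r d)\,G = k\,G $
$ \big(s^{-1}(eG + rQ)\big)_x = (kG)_x \equiv r \pmod{n} $
Every quantity on the right-hand side is a function of $e = H(m)$, $d$ and $k$ alone. The page the user was looking at when the wallet computed $s$ appears nowhere, so when $m$ is a bare nonce, a signature produced on the attacker's page and one produced on the real site are the same object, and no verifier can tell them apart.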
5.2 Example Analysis Procedure
Case study: analysing a DeFi dashboard login.
- Step 1 - Reconnaissance: use Web3AuthChecker to call the dashboard's login API endpoint and capture the challenge message $C_d$.
- Step 2 - Relay simulation: embed $C_d$ in a signing request generated by a malicious decoy site $M$.
- Step 3 - Signature submission: submit the signature $\sigma$, produced by signing $C_d$ in the context of $M$, back to the original dashboard's verification endpoint.
- Step 4 - Vulnerability confirmation: if the dashboard accepts $\sigma$ and establishes a session, the blind message attack is confirmed. The flaw is that the dashboard only checks $\text{Verify}(C_d, \sigma, Q)$, not $\text{Origin}(\sigma) == \text{Dashboard}$.
6. Researcher's Perspective
Key insight: the paper by Yan et al. delivers a blow to the Web3 industry's neglect of UX security. It shows that the very mechanism celebrated for user sovereignty, cryptographic signing, has a UX flaw that makes it less secure than a traditional password in a phishing scenario. A user can spot a fake password field; they cannot recognise a fake signing request. This is not a smart-contract bug; it is a fundamental protocol-level design failure in the handshake between wallet and application, reminiscent of the early web before TLS and the same-origin policy.
Sound approach: the research methodology is solid. Start with a hypothesis (authentication messages can be maliciously relayed), build a tool (Web3AuthChecker) to test at scale, discover a startling prevalence (75.8%), then design a working mitigation (Web3AuthGuard) to prove that remediation is feasible. The CVE assignments formalise the threat, moving it from an academic concept to a vulnerability that must be fixed.
Strengths & weaknesses: the strength lies in the simple but previously overlooked attack vector and its real-world impact; the defence prototype works. The weakness, as with much systems-security research, is that Web3AuthGuard is a patch: it adds a check where the protocol itself should enforce security. The long-term fix requires wallet vendors (such as MetaMask) and standards bodies (e.g., through EIP-712) to enforce binding of domain context to the signable message. Relying on users to heed warnings has proven to fail, as decades of phishing research attest.
Actionable insight. For developers: audit your authentication flow now. Do not merely verify the signature; bind the challenge to your domain and to the session that requested it. Be clear about what this buys you: a server cannot see who relayed a signature, so nonce-to-session binding alone will not stop the relay; what putting your domain and URI into the message does is give the wallet, a guard or an attentive user something to compare against the requesting site. For wallet builders: this is a five-alarm fire. Implement EIP-712 typed structured data signing with enforced domain separation and make it the default for all authentication requests. Render untrusted, unstructured personal_sign requests with a bright, red-flag UI. For standards bodies: move quickly on protocols that make relay attacks cryptographically impossible, not merely visually flagged. The time for polite recommendations is over; a $52B DeFi ecosystem needs robust security primitives.
7. Future Applications & Directions
The impact extends beyond login. Any Web3 signing request, whether for a transaction, a token approval or a DAO vote, can be vulnerable to a similar blind relay attack. Future research and development must focus on:
- Protocol-level solutions: widespread adoption and enforcement of EIP-712 and its successors, which let messages be typed and structured with verifiable domain parameters, so that a relayed message can be rejected rather than merely flagged.
- Hardware wallet integration: extending context verification to hardware wallet screens, which today also show only minimal message information.
- Formal verification of authentication flows: applying formal methods, like those used for smart contracts (e.g., in the KEVM framework), to verify the security properties of the off-chain authentication protocol itself.
- Machine-learning detectors: building on tools like Web3AuthChecker to create continuous monitoring systems for dApp stores or security scanners that automatically flag vulnerable authentication services.
- Decentralized identity (DID) convergence: this work underscores the need for stronger DID authentication protocols (such as W3C Verifiable Credentials) designed with these attack vectors in mind from the outset.
8. References
- Yan, K., Zhang, X., & Diao, W. (2024). Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS'24).
- Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System.
- MetaMask. https://metamask.io
- EIP-712: Ethereum Typed Structured Data Hashing and Signing. https://eips.ethereum.org/EIPS/eip-712
- Atzei, N., Bartoletti, M., & Cimoli, T. (2017). A survey of attacks on Ethereum smart contracts (SoK). Principles of Security and Trust.
- Zhuang, Y., et al. (2020). Tools and benchmarks for automated log parsing. IEEE International Conference on Software Engineering (ICSE). (Cited as an example of rigorous tool-evaluation design.)
- DeFi Llama. Total Value Locked statistics. https://defillama.com