1. School of Software Engineering, Sun Yat-sen University, Zhuhai, Guangdong 519082, China
2. Guangdong Engineering Technology Research Center of Blockchain, Zhuhai, Guangdong 519082, China
HAO Sicheng (郝偲成), male, born 1998. Received a B.Eng. from Sichuan University in 2021 and is currently a Ph.D. candidate at Sun Yat-sen University. Research interests: blockchain and smart contract security. E-mail: haosch@mail2.sysu.edu.cn
WEI Guipeng (魏桂鹏), male, born 2002. Received a B.Eng. from Sun Yat-sen University in 2025 and is currently a master's student at Sun Yat-sen University. Research interests: software security, blockchain, and data mining. E-mail: weigp5@mail2.sysu.edu.cn
XIAO Yuming (肖煜铭), male, born 2002. Received a bachelor's degree from Sun Yat-sen University in 2025 and is currently a Ph.D. candidate at the School of Software Engineering, Sun Yat-sen University. Research interests: blockchain security and its key technologies. E-mail: xiaoym23@mail2.sysu.edu.cn
NAN Yuhong (南雨宏), male, born 1990. Received a Ph.D. from Fudan University in 2018 and was a postdoctoral researcher at Purdue University, USA. Currently an associate professor and doctoral supervisor at the School of Software Engineering, Sun Yat-sen University. Research interests: system security and privacy protection. E-mail: nanyh@mail.sysu.edu.cn
ZHENG Peilin (郑沛霖), male, born 1994. Received a bachelor's degree in 2017 and a Ph.D. in 2022, both from Sun Yat-sen University. Currently a postdoctoral researcher at the School of Software Engineering, Sun Yat-sen University. Research interests: blockchain and smart contract reliability. E-mail: zhengplin@mail.sysu.edu.cn
ZHENG Zibin (郑子彬), male, born 1982. Currently Dean of the School of Software Engineering, Sun Yat-sen University; Deputy Director of the Institute of Artificial Intelligence, Sun Yat-sen University; IEEE Fellow; IET Fellow; ACM Distinguished Scientist; Deputy Director of the National Engineering Research Center of Digital Home; and Director of the Guangdong Engineering Technology Research Center of Blockchain. Research interests: blockchain smart contracts, software reliability, and trustworthy large models. E-mail: zhzibin@mail.sysu.edu.cn
Received: 2026-01-28; Accepted: 2026-02-09; Published in print: 2026-02-25
Cite as: HAO Sicheng, WEI Guipeng, XIAO Yuming, et al. Identification and Migration of Silent Security Patches in Blockchain Systems via Information Fusion (基于信息融合的区块链系统隐匿安全补丁识别及迁移技术) [J]. Acta Electronica Sinica (电子学报), 2026, 54(02): 734-749. DOI: 10.12263/DZXB.20251003
Blockchain is a new type of distributed system that integrates cryptography and smart contracts, and it has been widely applied in fields such as financial transactions and copyright protection. Thousands of different chains are currently running worldwide, and for compatibility and convenience many developers fork or reuse the open-source code of mainstream blockchain systems for further development. This practice, however, also lets security defects propagate rapidly. A silent security patch is a security fix in an open-source project that is not publicly disclosed in any vulnerability database. Security patches in blockchain projects are insufficiently transparent and silent patches are numerous, which lengthens remediation delays in downstream software systems and lowers the reliability of the whole blockchain ecosystem. An automated method for identifying silent security patches across a blockchain ecosystem that spans multiple programming languages is therefore urgently needed, so that known security issues can be discovered and fixed promptly. To this end, this paper proposes BlockPatch, the first general framework for identifying and migrating silent security patches in the blockchain ecosystem. It fuses multimodal change information through a large language model (LLM) and accurately identifies security patches in multilingual blockchain systems. Specifically, BlockPatch takes a code commit as input and extracts the commit message, the modified code blocks, and the abstract syntax tree (AST) edit actions, producing a multimodal change representation that captures both the fine-grained content of the change and the editing process. It then uses the strong representation capability of an LLM to embed the three kinds of information semantically, and a neural network fuses and learns from these features to improve patch identification. To validate the method, this paper builds a patch dataset covering mainstream public and consortium blockchain projects. Experiments show that BlockPatch achieves a precision of 94.02%, a recall of 94.58%, and an F1-score of 94.29%, exceeding existing state-of-the-art methods by 5.03 percentage points on F1-score, and that it performs well across different types of security patches. An ablation study further confirms the effectiveness of multimodal information fusion. Finally, BlockPatch migrates the identified security patches to downstream blockchain systems for security checking. On recent commits from the Bitcoin and Ethereum repositories, BlockPatch identified 16 silent security patches and found 28 unpatched security vulnerabilities in downstream projects, underscoring the importance of identifying and applying silent security patches.
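The pipeline the abstract outlines, as an added example written for this page (it is not BlockPatch's code and the project's repository was not consulted): a constructed commit is split into the three modalities the paper names, the commit message, the changed code blocks and AST edit actions, and a simple migration check then asks whether a constructed downstream fork still contains the pre-patch code. The AST edit actions are approximated by the multiset difference of node types between the pre- and post-patch trees rather than by a real tree-differencing edit script, the keyword list and guard heuristic are illustrative stand-ins for a trained classifier, and the LLM embedding and neural fusion step is not reproduced.

```python
# Added example, not BlockPatch's own code: build the three change
# representations the abstract describes for one commit (commit message,
# modified code blocks, AST edit actions) and run a migration check against
# a downstream fork. All inputs are constructed; the LLM fusion step is omitted.
import ast
import re
from collections import Counter

# Constructed upstream commit: a vague message, but the diff adds a bounds check.
SAMPLE_COMMIT_MESSAGE = "net: tidy up tx lookup"
SAMPLE_DIFF = """\
--- a/node/txlookup.py
+++ b/node/txlookup.py
@@ -1,3 +1,5 @@
 def get_tx(block, index):
+    if index < 0 or index >= len(block.txs):
+        raise IndexError("tx index out of range")
     tx = block.txs[index]
     return tx
"""
# Constructed downstream forks: one never merged the fix, one did.
FORK_UNPATCHED = """\
# forked node: the upstream fix was never merged
def get_tx(block, index):
    tx = block.txs[index]
    return tx
"""
FORK_PATCHED = """\
def get_tx(block, index):
    if index < 0 or index >= len(block.txs):
        raise IndexError("tx index out of range")
    tx = block.txs[index]
    return tx
"""

def parse_hunks(diff_text):
    """Split a unified diff into per-hunk (pre-patch lines, post-patch lines).
    Context lines go to both sides, '-' lines to the first, '+' to the second."""
    hunks, before, after = [], None, None
    for line in diff_text.splitlines():
        if line.startswith("@@"):
            before, after = [], []
            hunks.append((before, after))
        elif before is None or line.startswith("\\"):
            continue  # file headers before the first hunk, "\ No newline" markers
        else:
            marker, body = line[:1], line[1:]
            if marker != "+":
                before.append(body)
            if marker != "-":
                after.append(body)
    return hunks

def ast_edit_actions(before_src, after_src):
    """Approximate AST edit actions as the multiset difference of node types
    between the pre- and post-patch trees. A real tree-differencing tool would
    also report move and update actions; this stand-in keeps the example short."""
    try:
        b = Counter(type(n).__name__ for n in ast.walk(ast.parse(before_src)))
        a = Counter(type(n).__name__ for n in ast.walk(ast.parse(after_src)))
    except SyntaxError:  # a hunk is not always a complete syntactic unit
        return []
    inserts = sorted(f"insert {t}" for t in (a - b).elements())
    deletes = sorted(f"delete {t}" for t in (b - a).elements())
    return inserts + deletes

def build_representation(message, diff_text):
    """The multimodal change representation: message, code blocks, AST edits."""
    hunks = parse_hunks(diff_text)
    edits = []
    for before, after in hunks:
        edits += ast_edit_actions("\n".join(before), "\n".join(after))
    return {"message": message, "code_blocks": hunks, "ast_edits": edits}

# Illustrative keyword list; a trained classifier learns such cues from data.
SECURITY_WORDS = ("vuln", "cve", "overflow", "security", "exploit", "out-of-bounds")

def message_mentions_security(message):
    return any(w in message.lower() for w in SECURITY_WORDS)

def guard_inserted(rep):
    """An inserted conditional plus an early exit is the typical shape of a
    silent input-validation fix; only the AST modality exposes it."""
    e = rep["ast_edits"]
    return "insert If" in e and ("insert Raise" in e or "insert Return" in e)

def normalize(lines):
    """Whitespace-insensitive form so re-indented forks still match."""
    return [re.sub(r"\s+", "", ln) for ln in lines if ln.strip()]

def downstream_still_vulnerable(rep, downstream_source):
    """Migration check: True if the downstream file still contains a hunk's
    contiguous pre-patch lines and lacks the lines that hunk added.
    Pure-deletion hunks (nothing added) are not flagged."""
    src_lines = normalize(downstream_source.splitlines())
    src_text = "\n".join(src_lines)
    for before, after in rep["code_blocks"]:
        added = normalize([ln for ln in after if ln not in before])
        has_pre_patch = "\n".join(normalize(before)) in src_text
        has_fix = all(a in src_lines for a in added)
        if added and has_pre_patch and not has_fix:
            return True
    return False
```

Running `build_representation(SAMPLE_COMMIT_MESSAGE, SAMPLE_DIFF)` shows why fusing modalities matters: the message alone carries no security signal, while the AST edits reveal an inserted conditional and raise, the shape of an input-validation fix. The migration check is deliberately conservative: it requires the pre-patch lines to appear contiguously after whitespace normalisation, so a fork that only re-indented the code still matches, but one that reordered or interleaved the lines does not.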