Page 300 - Journal of Software (软件学报), 2021, Issue 5
1524 Journal of Software 软件学报 Vol.32, No.5, May 2021